Dynamic SCEP for macOS with Jamf Pro

Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted devices through your Mobile Device Management (MDM) software. These certificates grant access to specific API endpoints that Okta Verify uses to establish device identity.

Purpose

Okta Device Access certificate

Platform

macOS

MDM

Jamf Pro

SCEP URL

Dynamic

Before you begin

Make sure that you have access to the following:

  • Certificates that are deployed for digital signature, but not for other purposes (for example, encryption)

  • Okta Admin Console

  • Jamf Pro dashboard

If you're using Airwatch, use static SCEP. Airwatch has known issues with dynamic SCEP.

Start this task

  1. Generate the SCEP configuration in Okta

  2. Create a dynamic SCEP profile in Jamf Pro

  3. Configure deployment targets for the SCEP profile in Jamf Pro

  4. Verify that the Okta CA was installed on your devices

Generate the SCEP configuration in Okta

  1. In the Admin Console, go to SecurityDevice integrations.

  2. On the Device Access tab, click Add SCEP configuration.

  3. On the Add SCEP configuration page, select the following option:

    • SCEP URL challenge type: Dynamic SCEP URL and Generic

  4. Click Generate.

  5. Copy and save the following values in a secure location:

    • SCEP URL

    • Challenge URL

    • Username

    • Password

      This is the only time that you can retrieve the password in the Admin Console. To see the password in plain text, click the show password icon Open eye icon that reveals the saved password when clicked..

      If you need to reset the password, click Reset password in the Actions menu on the Device Access page.

  6. Click Save.

Create a dynamic SCEP profile in Jamf Pro

The profile specifies the settings that allow a device to get certificates from your CA using SCEP.

Okta as a CA doesn't support renewal requests. Instead, to replace an expiring certificate, redistribute the profile before the certificate expires.

Configure all MDM SCEP policies to allow for profile redistribution.

To create the SCEP profile in Jamf Pro.

  1. In Jamf Pro, go to ComputersConfiguration Profiles.

  2. Click New.

  3. On the General page, enter the following information:

    • Name: Enter a name for the profile.

    • Description: Optional. Enter a description of the profile.

    • Level: Select Computer Level.

      Okta Verify uses this certificate to identify managed devices and users for Device Access.

      Computer-level certificates ensure that every user of the device is treated as managed.

  4. Click SCEP, and then click Configure.

  5. For the SCEP profile, enter the following information:

    • URL: Paste the SCEP URL that you saved in Task 1.

    • Name: Enter a name for the SCEP profile.

    • Redistribute Profile: Choose a time frame for the profile to be redistributed when its SCEP-issued certificate is the specified number of days from expiring.

      Okta doesn't support automatic certificate renewal. Redistribute the profile to replace an expiring certificate.

    • Subject: Enter a name to identify the certificate.

      This field has a 64-character limit.

      Jamf Pro automatically adds a $PROFILE_IDENTIFIER when redistributing profiles, which counts towards the 64-character limit. Exceeding this limit causes profile redistribution and certificate renewal to fail.

      Okta has no specific format requirements for the Subject field. You can use this field to indicate the certificate's purpose as a device management signal for Okta, optionally including Jamf Pro variables like $UDID or $EMAIL. For example:

      • Computer Level: CN=$COMPUTERNAME ma $UDID

      • User Level: CN=$EMAIL ma $UDID

      (ma signifies management attestation)

      Always test your SCEP configurations in a non-production environment to ensure certificates are issued and renewed successfully.

    • Challenge Type: Select Dynamic-Microsoft CA.

    • URL To SCEP Admin: Enter the Challenge URL that you saved in Task 1.

    • Username: Enter the Username that you saved in Task 1.

    • Password: Enter the Password that you saved in Task 1.

    • Verify Password:

    • Key Size: Select 2048.

    • Use as digital signature: Select this option.

    • Allow export from keychain: Clear this option. It's a good security practice to mark the certificate as non-exportable.

    • Allow all apps access: Select this option.

  6. Click Save.

Configure targets for the SCEP profile in Jamf Pro

If you're using Jamf Pro to manage the device, the next step is to configure the deployment targets for the SCEP profile.

  1. In Jamf Pro, go to ComputersConfiguration Profiles.

  2. Select the SCEP configuration profile that you created in Task 2.

  3. Click Scope.

  4. Click Edit.

  5. Click Add.

  6. Select a deployment target, and then click Add. Repeat this step for all required targets.

  7. Click Save.

Verify that the Okta CA was installed on your devices

  1. On a macOS device managed by Jamf Pro, go to System SettingsPrivacy and SecurityProfiles.

  2. Open KeychainLogin.

  3. Confirm that you have both the client certificate and the associated private key.