Static SCEP for macOS with Jamf Pro

Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted devices through your Mobile Device Management (MDM) software. These certificates grant access to specific API endpoints that Okta Verify uses to establish device identity.

Purpose: Okta Device Access certificate

Platform: macOS

MDM: Jamf Pro

SCEP URL: Static

Before you begin

Make sure that you have access to the following:

  • Certificates that are deployed for digital signature, but not for other purposes (for example, encryption)

  • Okta Admin Console

  • Jamf Pro dashboard

Start this task

  1. Generate a SCEP URL and secret key

  2. Create a static SCEP profile

Generate a SCEP URL and secret key

  1. In the Admin Console, go to Security > Device integrations.

  2. On the Device Access tab, click Add SCEP configuration.

  3. On the Add SCEP configuration page, select the following option:

    • SCEP URL challenge type: Static SCEP URL

  4. Click Generate.

  5. Copy and save the SCEP URL and the Secret key in a secure location.

    This is the only time that the Secret key appears in the Okta Admin Console.

    If you need to reset it, click Reset secret key in the Actions menu on the Device Access page.

  6. Click Save.

Create a static SCEP profile in Jamf Pro

The profile specifies the settings that allow a device to get certificates from your CA using SCEP.

Okta as a CA doesn't support renewal requests. Instead, to replace an expiring certificate, redistribute the profile before the certificate expires.

Configure all MDM SCEP policies to allow for profile redistribution.

  1. In Jamf Pro, go to Computers > Configuration Profiles.

  2. Click New.

  3. On the General page, enter the following information:

    • Name: Enter a name for the profile.

    • Description: Optional. Enter a description of the profile.

    • Level: Select Computer Level.

      Okta Verify uses this certificate to identify managed devices and users for Device Access.

      Computer-level certificates ensure that every user of the device is treated as managed.

  4. Click SCEP, then click Configure.

  5. For the SCEP profile, enter the following information:

    • URL: Paste the SCEP URL that you saved in Task 1.

    • Name: Enter a name for the SCEP profile.

    • Redistribute Profile: Choose a time frame for the profile to be redistributed when its SCEP-issued certificate is the specified number of days from expiring.

      Okta doesn't support automatic certificate renewal. Redistribute the profile to replace an expiring certificate.

    • Subject: Enter a name to identify the certificate.

      This field has a 64-character limit.

      Jamf Pro automatically adds a $PROFILE_IDENTIFIER when redistributing profiles, which counts towards the 64-character limit. Exceeding this limit causes profile redistribution and certificate renewal to fail.

      Okta has no specific format requirements for the Subject field. You can use this field to indicate the certificate's purpose as a device management signal for Okta, optionally including Jamf Pro variables like $UDID or $EMAIL. For example:

      • Computer Level: CN=$COMPUTERNAME ma $UDID

      • User Level: CN=$EMAIL ma $UDID

      (ma signifies management attestation)

      Always test your SCEP configurations in a non-production environment to ensure certificates are issued and renewed successfully.

    • Challenge Type: Select Static.

    • Challenge: Paste the Secret Key that you saved in Task 1.

    • Verify Challenge: Paste the Secret Key again.

    • Key Size: Select 2048.

    • Use as digital signature: Select this option.

    • Allow export from keychain: Clear this option. It's a good security practice to mark the certificate as non-exportable.

    • Allow all apps access: Select this option.

  6. Click Save.
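Before scoping the profile, it helps to check the SCEP payload settings against the values this walkthrough asks for. The following script is an added example, not Okta or Jamf code; the payload dictionaries, the Jamf variable sample values and the key names (level, key_usage, allow_export, and so on) are constructed for the example, and the $PROFILE_IDENTIFIER length is left for you to supply because it is tenant-specific.

```python
"""Pre-flight lint for a Jamf Pro static SCEP payload, following the
settings this walkthrough asks for. Added example; not Okta or Jamf code."""

SUBJECT_LIMIT = 64  # Jamf Subject field limit, $PROFILE_IDENTIFIER included

# Constructed stand-ins for Jamf variable expansion on one Mac (assumed values).
SAMPLE_VARS = {
    "$COMPUTERNAME": "mac-0042",
    "$UDID": "00000000-0000-0000-0000-000000000000",  # placeholder, 36 chars
    "$EMAIL": "jane.doe@example.com",
}

def expand_subject(template, variables=SAMPLE_VARS):
    """Substitute Jamf $VARIABLES, longest name first so no prefix clobbers a longer name."""
    for name in sorted(variables, key=len, reverse=True):
        template = template.replace(name, variables[name])
    return template

def subject_headroom(template, variables=SAMPLE_VARS):
    """Characters left under the limit after expansion. Jamf appends
    $PROFILE_IDENTIFIER on redistribution; its length is tenant-specific, so
    compare this headroom with the identifier length you observe in Jamf."""
    return SUBJECT_LIMIT - len(expand_subject(template, variables))

def check_scep_settings(s, variables=SAMPLE_VARS):
    """Return a list of findings; an empty list means the payload matches the guide."""
    findings = []
    if s.get("level") != "Computer":
        findings.append("Level should be Computer so every user of the Mac is treated as managed")
    if s.get("challenge_type") != "Static":
        findings.append("Challenge Type must be Static for a static SCEP URL")
    if s.get("key_size") != 2048:
        findings.append("Key Size should be 2048")
    if set(s.get("key_usage", [])) != {"digital_signature"}:
        findings.append("certificate must be usable for digital signature only, not encryption")
    if s.get("allow_export"):
        findings.append("clear 'Allow export from keychain' so the private key is non-exportable")
    if not s.get("allow_all_apps"):
        findings.append("select 'Allow all apps access' so Okta Verify can use the certificate")
    if subject_headroom(s.get("subject", ""), variables) <= 0:
        findings.append(f"Subject exceeds {SUBJECT_LIMIT} characters before $PROFILE_IDENTIFIER is added")
    return findings

# Constructed payloads: a hasty first attempt next to one that matches the guide.
WEAK = {"level": "User", "challenge_type": "Static", "key_size": 1024,
        "key_usage": ["digital_signature", "encryption"], "allow_export": True,
        "allow_all_apps": True, "subject": "CN=$EMAIL ma $UDID"}
HARDENED = {**WEAK, "level": "Computer", "key_size": 2048,
            "key_usage": ["digital_signature"], "allow_export": False,
            "subject": "CN=$COMPUTERNAME ma $UDID"}

if __name__ == "__main__":
    for name, payload in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_scep_settings(payload) or "OK")
```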