Static SCEP for macOS with Workspace ONE

Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted devices through your Mobile Device Management (MDM) software. These certificates grant access to specific API endpoints that Okta Verify uses to establish device identity.

Purpose: Okta Device Access certificate

Platform: macOS

MDM: Omnissa Workspace ONE

SCEP URL: Static

Before you begin

Make sure that you have access to the following:

  • Okta Admin Console

  • Workspace ONE UEM admin console

Okta as a CA doesn't support certificate renewal requests.

Configure your MDM SCEP policies to allow for profile redistribution. Then, before your certificate expires, redistribute the profile to replace expired certificates.

Start this task

  1. Generate a SCEP URL and secret key

  2. Download the x509 certificate

  3. Create a static SCEP Certificate Authority in Workspace ONE

  4. Add a certificate template

  5. Define a device profile to deploy the intermediate CA certificate

  6. Define a device profile to deploy the client certificate

  7. Verify the certificate installation

Generate a SCEP URL and secret key

  1. In the Admin Console, go to Security > Device integrations.

  2. On the Device Access tab, click Add SCEP configuration.

  3. On the Add SCEP configuration page, select the following option:

    • SCEP URL challenge type: Static SCEP URL

  4. Click Generate.

  5. Copy and save the SCEP URL and the Secret key in a secure location.

    This is the only time that the Secret key appears in the Okta Admin Console. If you need to generate a new secret key, open the Actions menu on the Device Access page and select Reset secret key.

  6. Click Save.

Download the x509 certificate

  1. In the Admin Console, go to Security > Device integrations.

  2. Select the Certificate authority tab.

  3. For the Okta CA Certificate Authority, click the Download x509 certificate icon in the Actions column.

  4. Save the downloaded certificate file. Rename the file with a .cer extension if needed.

This downloaded certificate from Okta is the Organization Intermediate certificate. You need this certificate when you define the device profile in Workspace ONE.

Create a static SCEP Certificate Authority in Workspace ONE

  1. Sign in to the Workspace ONE UEM admin console.

  2. Go to DEVICES > Certificates > Certificate Authorities.

  3. Click + ADD.

  4. On the Certificate Authority - Add/Edit page, enter the following:

    • Name: Enter a name for the CA.

    • Description: Optional. Enter a description for the CA.

    • Authority type: Select Generic SCEP.

    • SCEP Provider: Basic is entered automatically and can't be changed.

    • SCEP URL: Enter the SCEP URL that you generated earlier.

    • Challenge Type: Click STATIC.

    • Static Challenge: Enter the Secret Key that you generated earlier.

    • Confirm Challenge Phrase: Enter the Secret Key again.

    • Retry Timeout: Accept the default value of 30.

    • Max Retries When Pending: This value specifies the number of retries that the system allows while the authority is pending. Accept the default value of 5, or provide a custom number.

    • Enable Proxy: Accept the default value of DISABLED or select ENABLED if your environment requires a proxy.

  5. Click TEST CONNECTION to test the connection before saving.

    If you select SAVE before you click TEST CONNECTION, the error Test is unsuccessful appears.

  6. When the Test is successful message appears, click SAVE AND ADD TEMPLATE.

    If the test fails, make sure that you can access the SCEP URL that you generated earlier.

Add a certificate template

  1. In Workspace ONE, select the Request Templates tab.

  2. Click + ADD.

  3. On the Certificate Template - Add/Edit page, enter the following:

    • Name: Enter a name for the template.

    • Description: Optional. Enter a description for the template.

    • Certificate Authority: Select the CA that you created in the previous step.

    • Issuing Template: Leave blank or configure as appropriate for your implementation.

    • Subject Name: Enter a subject name. For example, CN = ODA-{DeviceSerialNumber} {DeviceUid}.

      Okta has no specific format requirements for this field. Choose a descriptive format that helps you to identify the certificate purpose and the associated device.

      For a list of supported variables, see the Workspace ONE Lookup Values.

    • Private Key Length: Select 2048.

    • Private Key Type: Select Signing.

    • SAN Type: Optional. Configure if required by your environment.

    • Automatic Certificate Renewal: Click ENABLED.

    • Publish Private Key: Click DISABLED.

  4. Click SAVE.

Define a device profile to deploy the intermediate CA certificate

This profile deploys the Okta intermediate CA certificate to your devices so that the client certificates issued by the Okta Certificate Authority are trusted.

  1. In Workspace ONE, go to RESOURCES > Profiles & Baselines > Profiles.

  2. Click ADD, and then select Add Profile.

  3. Select macOS > Device Profile.

  4. On the General page, enter the following:

    • Name: Enter a name for the device profile.

    • Description: Optional. Enter a description for the device profile.

    • Deployment: Select Managed.

    • Assignment Type: Accept the default or configure as appropriate for your implementation.

    • Smart Groups: Select the groups that contain the devices you want to target. Begin typing the name of the group and then select it from the list.

  5. Click Credentials in the left pane.

  6. Click CONFIGURE.

  7. On the Credentials page, enter the following:

    • Credential Source: Select Upload.

    • Certificate: Click Upload and browse to the x509 certificate you previously downloaded.

  8. Click SAVE AND PUBLISH.

Define a device profile to deploy the client certificate

This profile deploys the client certificate issued by the Okta CA. The Okta Verify app on macOS uses this certificate to establish the device identity.

  1. In Workspace ONE, go to RESOURCES > Profiles & Baselines > Profiles.

  2. Click ADD, and then select Add Profile.

  3. Select macOS > Device Profile.

  4. On the General page, enter the following:

    • Name: Enter a name for the profile, for example, Okta Device Access Client Certificate.

    • Description: Optional. Enter a description for the profile.

    • Deployment: Select Managed.

    • Assignment Type: Accept the default or configure as appropriate for your implementation.

    • Smart Groups: Enter the same groups that you specified in the previous task.

  5. Click Credentials in the left pane.

  6. Click CONFIGURE.

  7. On the Credentials page, enter the following:

  8. Click SAVE AND PUBLISH.

Verify the certificate installation

After you deploy the profiles, verify that the certificates are installed on the macOS device:

  1. Open Keychain Access. You can search for it using Spotlight or go to Applications > Utilities > Keychain Access.

  2. In the Default Keychains section, select System.

  3. Filter by Certificates in the category list.

  4. Verify that the following certificates are present:

    • Client certificate: A certificate that matches the subject name format you defined in Add a certificate template.

      The client certificate must have an Extension value of 1.3.6.1.4.1.51150.13.1 and a Data value of 02 01 01.

    • Intermediate CA certificate: The Issued By field of the Organization Intermediate Authority certificate is Organization Root Authority.
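The Keychain Access check above can also be scripted, which helps when you verify a fleet rather than one machine. The script below is an added example, not Okta's or Omnissa's code: a small DER walker on the Python standard library that locates extension OID 1.3.6.1.4.1.51150.13.1 in a certificate and reports whether its data is exactly 02 01 01 (the DER encoding of INTEGER 1). It accepts DER or PEM, so on the device you can export the System keychain with `security find-certificate -a -p /Library/Keychains/System.keychain > certs.pem` and pass that file as the argument. The embedded sample certificate is constructed only to exercise the walker (trimmed fields, no signature) and is not a real certificate.

```python
"""Check a macOS-exported certificate for the Okta Device Access extension.

Added example (not Okta's or Omnissa's code). Finds extension OID
1.3.6.1.4.1.51150.13.1 in DER or PEM input and checks its data is 02 01 01.
"""
import base64
import re
import sys

ODA_EXT_OID = "1.3.6.1.4.1.51150.13.1"
ODA_EXT_EXPECTED = bytes.fromhex("020101")  # the "02 01 01" data value from the doc


def encode_oid(dotted: str) -> bytes:
    """DER content bytes of an OBJECT IDENTIFIER (tag and length not included)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a single-byte tag plus a short- or long-form DER length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def iter_tlvs(buf: bytes):
    """Yield (tag, value) for each TLV in buf; single-byte tags, as X.509 uses."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length


def find_extension(cert_der: bytes, oid: str):
    """Return the extnValue (OCTET STRING contents) for oid, or None if absent.
    Recurses through every constructed TLV, so it reaches the [3] extensions
    block of tbsCertificate without modelling the whole certificate syntax."""
    target = (0x06, encode_oid(oid))

    def walk(buf):
        for tag, value in iter_tlvs(buf):
            if tag == 0x30:  # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue }
                children = list(iter_tlvs(value))
                if children and children[0] == target and children[-1][0] == 0x04:
                    return children[-1][1]
            if tag & 0x20:  # constructed: SEQUENCE, SET and [n] wrappers
                found = walk(value)
                if found is not None:
                    return found
        return None

    return walk(cert_der)


def load_certificate(data: bytes) -> bytes:
    """Accept raw DER, or the first PEM CERTIFICATE block found in data."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def to_pem(cert_der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert_der) + b"\n-----END CERTIFICATE-----\n"


def has_oda_extension(data: bytes) -> bool:
    """True only if the extension is present AND its data is exactly 02 01 01."""
    return find_extension(load_certificate(data), ODA_EXT_OID) == ODA_EXT_EXPECTED


def _extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    body = der(0x06, encode_oid(oid))
    if critical:
        body += der(0x01, b"\xff")
    return der(0x30, body + der(0x04, value))


def sample_cert(ext_value: bytes = ODA_EXT_EXPECTED) -> bytes:
    """Constructed stand-in for a client certificate: serial, subject CN and a
    [3] extensions block only, no signature. Not a real or valid certificate."""
    subject = der(0x30, der(0x31, der(0x30,
        der(0x06, encode_oid("2.5.4.3")) + der(0x0C, b"ODA-CONSTRUCTEDSERIAL"))))
    extensions = der(0xA3, der(0x30,
        _extension("2.5.29.19", der(0x30, b""), critical=True)  # basicConstraints CA:FALSE
        + _extension(ODA_EXT_OID, ext_value)))
    return der(0x30, der(0x30, der(0x02, b"\x01") + subject + extensions))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert()
    value = find_extension(load_certificate(blob), ODA_EXT_OID)
    print("ODA extension:", value.hex(" ") if value else "missing",
          "-> OK" if value == ODA_EXT_EXPECTED else "-> NOT the expected 02 01 01")
```

Run it with the PEM file exported from the System keychain; a missing extension means the client-certificate profile did not install or the template was not issued through the Okta CA, and a present extension with different data means the wrong template or CA produced the certificate.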

You can also verify the profile deployment from the Workspace ONE UEM Admin Console.

Go to DEVICES > List View, select the device, and check the Profiles tab to confirm that both profiles have a status of Installed.