Use Okta as a CA for Device Access

There are three ways to configure Okta as a Certificate Authority (CA) for Okta Device Access.

- Okta as a CA with a static SCEP: A static SCEP uses a single, fixed shared secret configured on both the server and the client to authenticate enrollment requests.
- Okta as a CA with a dynamic SCEP: Dynamic SCEP requires the client to retrieve a unique, one-time-use challenge password from an administrative API before every enrollment attempt.
- Okta as a CA with a delegated SCEP: A delegated SCEP offloads the authentication process to an external identity provider or MDM. This external entity validates the device's identity before delegating the certificate request to the CA.

MDM platform support

The links in the following table contain SCEP configuration guides to help you set up Okta as a Certificate Authority using the most common MDM providers. Other compatible solutions may exist.

| MDM Platform | macOS | Windows |
| --- | --- | --- |
| Jamf Pro | Static SCEP for macOS with Jamf Pro; Dynamic SCEP for macOS with Jamf Pro | Platform not supported by Jamf Pro |
| Microsoft Intune | Delegated SCEP for macOS with Microsoft Intune | Delegated SCEP for Windows with Microsoft Intune |
| Workspace ONE | Static SCEP for macOS with Workspace ONE | Static SCEP for Windows with Workspace ONE |