Configure Device-Bound SSO for macOS

Early Access release. See Enable self-service features.

The Device-Bound Single Sign-On feature binds a user's Okta session to the device it was established on. This protects users against session hijacking and provides a streamlined sign-in experience: users can access Okta-protected apps with fewer authentication prompts.

Before you begin

  • Configure Desktop Password Sync for your org. See Desktop Password Sync for macOS.
  • Devices are running macOS 14 Sonoma or later and have Secure Enclave hardware.
  • Devices have Okta Verify for macOS 9.56.0 or later installed and running.
  • Using the Simple Certificate Enrollment Protocol, install a Device Access certificate on the device. See Device Access certificates.
  • Users are enrolled in Okta FastPass.

Deploy Device-Bound SSO to user devices

To enable the Okta-joined state on macOS, you must push the OktaJoinEnabled configuration key to the com.okta.deviceaccess.servicedaemon preference domain through your device management solution.

  1. Identify the devices to be enrolled in Device-Bound SSO.

  2. Add the following URL to your single sign-on extension profile, under the URLs parameter, replacing customerorg with your org's subdomain: https://customerorg.okta.com/v1/auth/device-sign.

    See Create an SSO extension profile.

  3. Add the OktaJoinEnabled key to your configuration plist file for the com.okta.deviceaccess.servicedaemon domain:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>OktaJoinEnabled</key>
    <true/>
    </dict>
    </plist>
  4. Use your mobile device management (MDM) solution to push the updated configuration profiles to the identified devices.
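The following script is an added example, not Okta's or Apple's code, that puts steps 2 through 4 together: it forces OktaJoinEnabled in the com.okta.deviceaccess.servicedaemon domain through a Custom Settings payload, appends the device-sign URL to an existing SSO extension payload without disturbing the URLs already there, wraps both in a configuration profile, and then checks the exported profile for both settings before you assign it in your MDM. It assumes the settings are delivered as a standard Apple .mobileconfig profile, that the SSO extension payload's ExtensionIdentifier and TeamIdentifier come from the profile you created under Create an SSO extension profile (the values below are assumed and must be confirmed against that profile), and that customerorg is replaced with your org's subdomain.

```python
"""Added example: build and check the macOS MDM settings that Device-Bound SSO needs.

Not Okta's or Apple's code. Assumptions (not stated on the page): the settings ship
as a standard Apple configuration profile; the SSO extension payload already
exists and its ExtensionIdentifier/TeamIdentifier match the org's profile.
"""
import plistlib
import uuid

ORG_SUBDOMAIN = "customerorg"  # placeholder used on the page: replace with your org's subdomain
DEVICE_SIGN_URL = f"https://{ORG_SUBDOMAIN}.okta.com/v1/auth/device-sign"
DAEMON_DOMAIN = "com.okta.deviceaccess.servicedaemon"


def okta_join_payload(domain: str = DAEMON_DOMAIN) -> dict:
    """Custom Settings payload that forces OktaJoinEnabled=true in the daemon's domain.

    "Forced" makes the value managed, so neither the user nor a stale local plist
    can override it, which is what you want for a security-relevant setting.
    """
    return {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadIdentifier": f"{domain}.oktajoin",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Okta Device Access: enable Okta-joined state",
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": {"OktaJoinEnabled": True}}]}
        },
    }


def add_device_sign_url(sso_payload: dict, url: str = DEVICE_SIGN_URL) -> dict:
    """Copy an existing com.apple.extensiblesso payload with the device-sign URL
    appended to URLs. Idempotent: existing entries are kept, duplicates avoided."""
    if sso_payload.get("PayloadType") != "com.apple.extensiblesso":
        raise ValueError("expected a com.apple.extensiblesso payload")
    out = dict(sso_payload)
    urls = list(out.get("URLs", []))
    if url not in urls:
        urls.append(url)
    out["URLs"] = urls
    return out


def build_profile(payloads: list, identifier: str) -> bytes:
    """Wrap payloads in a system-scoped configuration profile, serialised as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Okta Device-Bound SSO",
        "PayloadScope": "System",
        "PayloadContent": payloads,
    })


def check_profile(data: bytes) -> dict:
    """Parse a profile and report whether both required settings are present.

    Run this on the profile exported from your MDM before assigning it: a missing
    URL silently leaves the SSO extension out of the device-sign flow.
    """
    profile = plistlib.loads(data)
    result = {"OktaJoinEnabled": False, "device_sign_url": False}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.ManagedClient.preferences":
            forced = payload.get("PayloadContent", {}).get(DAEMON_DOMAIN, {}).get("Forced", [])
            if any(f.get("mcx_preference_settings", {}).get("OktaJoinEnabled") is True for f in forced):
                result["OktaJoinEnabled"] = True
        elif ptype == "com.apple.extensiblesso" and DEVICE_SIGN_URL in payload.get("URLs", []):
            result["device_sign_url"] = True
    return result


def example_profile() -> bytes:
    """Constructed sample: an existing Okta SSO extension payload plus the join key."""
    existing_sso = {  # assumed values; confirm against your own SSO extension profile
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "com.example.okta.sso",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "ExtensionIdentifier": "com.okta.mobile.auth-service-extension",
        "TeamIdentifier": "B7F62B65BN",
        "Type": "Redirect",
        "URLs": [f"https://{ORG_SUBDOMAIN}.okta.com"],
    }
    return build_profile([add_device_sign_url(existing_sso), okta_join_payload()],
                         "com.example.okta.device-bound-sso")


if __name__ == "__main__":
    data = example_profile()
    print(check_profile(data))  # both flags should be True
    with open("okta-device-bound-sso.mobileconfig", "wb") as fh:
        fh.write(data)
```

If your MDM manages the SSO extension and custom settings as separate profiles, run check_profile over each exported profile and combine the results; the point is to verify the deployed artifacts rather than the intended ones.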

Configure authentication policy rules

You don't have to create authentication policies for Device-Bound SSO. However, if you add rules, or edit existing ones, to target Okta-joined devices, you can control how those devices interact with your apps.

For example, you can allow a longer interval between authentication prompts on Okta-joined devices, because a session that is cryptographically bound to the device gives a stronger guarantee that it hasn't been hijacked.

To enforce Device-Bound SSO in your app sign-on policies, follow this procedure.

  1. In the Admin Console, go to Security > Authentication Policies.

  2. Open the App sign-in policies.

  3. If you have an existing policy for the apps you want to enable with Device-Bound SSO, click Edit in the Actions menu for that policy. Otherwise, click Create policy.

  4. Create a rule for devices that are Okta-joined. Under this rule, Okta permits the use of the device session for resource authentication:

    1. Click Add rule.

    2. Give the rule an appropriate name, for example, Devices that are Okta-joined.

    3. Set Device State to Registered.

    4. In the custom expression field, enter the following Okta Expression Language statement: device.provider.deviceAccess.joined == true

      This captures all devices that are Okta-joined and eligible for Device-Bound SSO.

    5. Set the Prompt for authentication to either:

      • When it's been over a specified length of time since the user accessed any resource protected by the active Okta global session. Select this option to allow users to access the apps silently during the specified time period.

      • When an Okta global session doesn't exist. Select this option to allow users to access the apps silently for the entire device session.
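The rule above can also be created through the Okta Policies API, which is the route you would take to roll it out consistently across several app sign-in policies. The script below is an added example, not Okta's code: it builds the rule body with the same settings as the procedure (Device State = Registered, the custom expression, and a re-authentication interval), lints the body so that a rule which prompts on every access or omits the expression is rejected before it is submitted, and posts it. It assumes the policy already exists and you have its ID, that an SSWS API token is supplied in the OKTA_API_TOKEN environment variable, and that the field names are those of the ACCESS_POLICY rule type in the Policies API; the possession constraint requiring a device-bound factor is an assumed hardening choice, not something the page prescribes.

```python
"""Added example: create the "Devices that are Okta-joined" rule via the Okta Policies API.

Not Okta's code. Assumptions (not on the page): the policy exists and you know its
ID; an SSWS API token is in OKTA_API_TOKEN; field names follow the ACCESS_POLICY
rule type of the Policies API.
"""
import json
import os
import urllib.request

JOINED_CONDITION = "device.provider.deviceAccess.joined == true"  # expression from the page

# ISO 8601 durations for "Prompt for authentication"; "PT0S" prompts on every access.
EVERY_12_HOURS = "PT12H"


def joined_device_rule(name: str = "Devices that are Okta-joined",
                       reauthenticate_in: str = EVERY_12_HOURS,
                       priority: int = 1) -> dict:
    """Build the rule body: registered, Okta-joined devices are allowed in and are
    prompted again only after `reauthenticate_in` has elapsed."""
    return {
        "name": name,
        "type": "ACCESS_POLICY",
        "priority": priority,
        "conditions": {
            "device": {"registered": True},               # Device State = Registered
            "elCondition": {"condition": JOINED_CONDITION},
        },
        "actions": {
            "appSignOn": {
                "access": "ALLOW",
                "verificationMethod": {
                    "type": "ASSURANCE",
                    "factorMode": "2FA",
                    "reauthenticateIn": reauthenticate_in,
                    # Assumed hardening: require a device-bound possession factor
                    # (Okta FastPass on this Mac) rather than any possession factor.
                    "constraints": [{"possession": {"deviceBound": "REQUIRED"}}],
                },
            }
        },
    }


def lint_rule(rule: dict) -> list:
    """Return the reasons a rule does not target Okta-joined devices as the page
    describes; an empty list means it does. Run this before submitting."""
    problems = []
    cond = rule.get("conditions", {})
    if cond.get("elCondition", {}).get("condition") != JOINED_CONDITION:
        problems.append("custom expression is not " + JOINED_CONDITION)
    if cond.get("device", {}).get("registered") is not True:
        problems.append("device state is not Registered")
    vm = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    if vm.get("reauthenticateIn") == "PT0S":
        problems.append("PT0S prompts every time; the Okta-joined rule gains nothing")
    return problems


def create_rule(org_url: str, policy_id: str, rule: dict) -> dict:
    """POST the rule to /api/v1/policies/{policyId}/rules and return Okta's response."""
    problems = lint_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/policies/{policy_id}/rules",
        data=json.dumps(rule).encode(),
        method="POST",
        headers={
            "Authorization": "SSWS " + os.environ["OKTA_API_TOKEN"],
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: OKTA_API_TOKEN=... python create_joined_rule.py
    # The policy ID placeholder below is assumed; list policies with
    # GET /api/v1/policies?type=ACCESS_POLICY to find the right one.
    print(create_rule("https://customerorg.okta.com", "<policy-id>", joined_device_rule()))
```

Keep the rule's priority above any catch-all rule in the same policy, otherwise the catch-all matches first and the Okta-joined devices never receive the longer interval.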

Check the device state

During Okta FastPass enrollment, the device is registered as a unique object in the Okta Universal Directory.

  1. In the Admin Console, go to Directory > Devices.

  2. Check the status of the device.

    • If you suspend or deactivate a device, users can't authenticate with Device-Bound SSO. However, after you reactivate the device (using Activate or Unsuspend), Device-Bound SSO can be used again.

    • If you delete a deactivated device, you have to redeploy the Device Access certificates. Users must enroll in Okta FastPass before they can authenticate with Device-Bound SSO again.

  3. Verify that the device status shows as Active.
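When a user reports that Device-Bound SSO has stopped working, the first question is whether the device record is still Active. The script below is an added example, not Okta's code, that performs the same check through the Devices API: it classifies each device record, reports the ones that cannot use Device-Bound SSO with the lifecycle action that restores them (Unsuspend for a suspended device, Activate for a deactivated one), and posts that action. It assumes an SSWS API token in OKTA_API_TOKEN, the record shape and /api/v1/devices lifecycle endpoints of the Devices API, and a search filter on platform; the device records in the block are constructed sample data, not real org records. A deleted device does not appear in the API at all, which is why it has no entry here: as the page says, it needs a redeployed certificate and a fresh FastPass enrollment.

```python
"""Added example: audit device status for Device-Bound SSO through the Okta Devices API.

Not Okta's code. Assumptions (not on the page): SSWS token in OKTA_API_TOKEN;
record fields and lifecycle endpoints are those of /api/v1/devices. The sample
records below are constructed, not real org data.
"""
import json
import os
import urllib.parse
import urllib.request

# Constructed sample records in the shape the Devices API returns (ids are made up).
SAMPLE_DEVICES = [
    {"id": "guo0000000000000001", "status": "ACTIVE",
     "profile": {"displayName": "mbp-alice", "platform": "MACOS", "secureHardwarePresent": True}},
    {"id": "guo0000000000000002", "status": "SUSPENDED",
     "profile": {"displayName": "mbp-bob", "platform": "MACOS", "secureHardwarePresent": True}},
    {"id": "guo0000000000000003", "status": "DEACTIVATED",
     "profile": {"displayName": "mbp-carol", "platform": "MACOS", "secureHardwarePresent": True}},
    {"id": "guo0000000000000004", "status": "ACTIVE",
     "profile": {"displayName": "win-dave", "platform": "WINDOWS", "secureHardwarePresent": True}},
]

RESTORE_ACTION = {"SUSPENDED": "unsuspend", "DEACTIVATED": "activate"}


def sso_verdict(device: dict) -> tuple:
    """Return (usable, action) for one device record, where action is the lifecycle
    call that restores Device-Bound SSO or a reason it cannot be restored that way."""
    profile = device.get("profile", {})
    if profile.get("platform") != "MACOS":
        return False, "not a macOS device"
    if not profile.get("secureHardwarePresent", False):
        return False, "no Secure Enclave reported: cannot bind a session"
    status = device.get("status")
    if status == "ACTIVE":
        return True, "ok"
    if status in RESTORE_ACTION:
        return False, RESTORE_ACTION[status]
    return False, f"unexpected status {status}: re-enroll in Okta FastPass"


def audit(devices: list) -> list:
    """List (id, displayName, action) for every device that cannot use Device-Bound SSO."""
    findings = []
    for d in devices:
        usable, action = sso_verdict(d)
        if not usable:
            findings.append((d["id"], d.get("profile", {}).get("displayName", ""), action))
    return findings


def _request(org_url: str, path: str, method: str = "GET"):
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}{path}", method=method,
        headers={"Authorization": "SSWS " + os.environ["OKTA_API_TOKEN"],
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
        return json.loads(body) if body else None


def fetch_macos_devices(org_url: str) -> list:
    """First page of macOS device records (assumed search syntax; add pagination for large orgs)."""
    query = urllib.parse.quote('profile.platform eq "MACOS"')
    return _request(org_url, f"/api/v1/devices?search={query}&limit=200")


def restore_device(org_url: str, device: dict) -> bool:
    """Apply the restoring lifecycle action; returns False when none applies."""
    usable, action = sso_verdict(device)
    if usable or action not in RESTORE_ACTION.values():
        return False
    _request(org_url, f"/api/v1/devices/{device['id']}/lifecycle/{action}", method="POST")
    return True


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_macos_devices(org_url) for a live org.
    for dev_id, name, action in audit(SAMPLE_DEVICES):
        print(f"{dev_id} {name}: {action}")
```

Reactivating a device is a trust decision: before calling restore_device, confirm why the record was suspended or deactivated (lost laptop, offboarding, a compromise investigation), since reactivation immediately makes the bound session usable again.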