Silently enroll the Okta Privileged Access client
Silent enrollment allows you to automate the enrollment process and add multiple clients to Okta Privileged Access at the same time. This process saves time when deploying an Okta Privileged Access client across an organization. Many Okta Privileged Access teams use device management software like JAMF or SCCM to automate the process of installing and enrolling the client. The specifics of this process depend on the organizational requirements for each team.
Install the Okta Privileged Access client only one way on a system: either on a per-user basis or for all users, but not both.
Start the task
- Install the Okta Privileged Access client on all devices. See Install the Okta Privileged Access client.
 - For Windows, complete these steps when installing the client for all users:
- Download and run the installation MSI.
 - On the ScaleFT Setup dialog, click Advanced.
 - Select Install for all users of this machine.
 - If you use SCCM, set ALLUSERS=1 in the script. For example, msiexec.exe /i C:\<Package Location>\ScaleFT-1<version>.msi ALLUSERS=1 /qn. 
The default installation location for all users is C:\Program Files (x86)\ScaleFT. The client logs are still created and kept on a per-user basis at C:\Users\<user>\AppData\Local\ScaleFT\Logs\sft.
 - Register the URL handler. Open Windows CMD, and then run sft register-url-handler. 
All users must run the sft register-url-handler command.
 
 - Create an enrollment token.
- Sign in to the Okta Privileged Access dashboard.
 - Go to .
 - Select the Enrollment Policies tab, and then click Create Client Enrollment Policy.
 - In the Enrollment Policy Type dropdown list, select Token.
 - Enter a Description.
 - Click Create Client Enrollment Policy.
 - From the policy details window, click Create Token.
 - In the token details modal, click the clipboard icon to copy the token secret. This is the only time that you see this token secret. If you fail to store the secret in a safe location, it's lost forever.
 
 - Save the enrollment token secret to a file on the devices being enrolled.
 - Enroll the clients by running the following command on each device: sft fleet enroll --token-file <path\to\enrollment-token.txt>.
 
Upon success, the clients are enrolled with the team.
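The last two steps as a per-user PowerShell script that a device management tool could run, limiting how long the token secret stays on disk. This is an added example, not Okta's own tooling; it assumes the MSI is already installed for all users, sft is on PATH, the script runs as the user being enrolled, and sft exits non-zero on failure. The default token path is hypothetical.

```powershell
# Added example, not part of the Okta documentation.
# Assumptions: client already installed, sft on PATH, runs as the user
# being enrolled, sft returns a non-zero exit code when a command fails.
[CmdletBinding()]
param(
    # Hypothetical location where the deployment tool dropped the token secret.
    [string]$TokenFile = (Join-Path $env:LOCALAPPDATA 'opa-enroll\enrollment-token.txt')
)
$ErrorActionPreference = 'Stop'

function Invoke-Sft {
    param([string[]]$Arguments)
    & sft @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "sft $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Get-Command sft -ErrorAction SilentlyContinue)) {
    throw 'sft not found on PATH; install the client first.'
}
if (-not (Test-Path -LiteralPath $TokenFile -PathType Leaf)) {
    throw "Enrollment token file not found: $TokenFile"
}

try {
    # Remove inherited ACEs so only the current user can read the secret.
    # Modify (M) is granted so this script can still delete the file afterwards.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    & icacls $TokenFile /inheritance:r /grant:r "*${sid}:(M)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $TokenFile" }

    # Per-user step from the procedure: every user registers the URL handler.
    Invoke-Sft -Arguments @('register-url-handler')

    # The secret is passed by file path, so it never appears on a command line.
    Invoke-Sft -Arguments @('fleet', 'enroll', '--token-file', $TokenFile)
    Write-Output "Enrolled $env:COMPUTERNAME for $env:USERNAME"
}
finally {
    # Delete the secret whether or not enrollment succeeded; a retry
    # requires the deployment tool to deliver the token file again.
    Remove-Item -LiteralPath $TokenFile -Force -ErrorAction SilentlyContinue
}
```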
