Okta is an identity management service designed for enterprise-level companies. It allows IT departments to manage employee access to devices or applications. As a cloud-based service, Okta operates on an audited and secure platform. It also integrates with other identity and device management systems, such as Jamf, and on-premises applications.
If your organization uses Jamf Pro to manage its macOS devices, you can use Okta Device Trust to keep unmanaged devices from getting access to WS-Federation or Security Assertion Markup Language (SAML) cloud apps. With Okta Device Trust, only secured and known devices can access Okta-managed apps.
What You Need Before You Begin Deployment
Before you begin to use Okta Device Trust, you need to ensure you have the right platforms and devices. Okta Device Trust works with Apple computers that run macOS and supported platforms, and it requires the Jamf Pro MDM solution.
Only certain browsers and apps can access the Okta Keychain when performing the authentication flow to Okta. Those apps and browsers include:
- Chrome browsers
- Safari browsers
- Google Drive
- MS Office
- Slack
- Skype for Business
- Box
Since Okta Device Registration is a Python script, it’s essential to have the correct version of the script. Complete a registration to confirm you have the right script version, following these guidelines:
- On a device with macOS 10.15.xx or 11.xx, use registration version 1.3.1 or later.
- On a device with macOS 10.14.xx, it’s best to upgrade to 10.15.xx or 11.xx. You can also continue to use registration script 1.2.1 or earlier.
Once you’ve verified the prerequisites, there are other steps to take before you begin:
- If you use Microsoft Office, you need to enable Modern Authentication.
- You also need to prevent iCloud from sending Okta Keychain to other devices. Creating a Jamf Pro Configuration Profile to disable keychain syncing is one way to do that.
- Webview needs to have access to the device keychain.
- Ask end-users to clear their browser cache.
- Verify clients can complete a certificate exchange with Okta.
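The keychain-syncing profile mentioned above, as an added example that is not Okta's or Jamf's own code: it builds a configuration profile in Python 3 (already required for the registration task) whose Restrictions payload sets allowCloudKeychainSync to false, and it audits an existing .mobileconfig for that setting. The payload identifiers and display name are constructed placeholders; the payload type and key are Apple's documented Restrictions keys.

```python
"""Build and audit a macOS profile that disables iCloud Keychain sync.

Added example, not Okta's or Jamf's code. The Restrictions payload
(PayloadType com.apple.applicationaccess, key allowCloudKeychainSync)
is Apple's; identifiers and display names below are placeholders.
"""
import plistlib
import uuid

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
KEYCHAIN_SYNC_KEY = "allowCloudKeychainSync"


def build_keychain_sync_profile(org_prefix="com.example.devicetrust"):
    """Return a profile dict with one Restrictions payload that turns keychain sync off."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # device-level, applies to every user
        "PayloadIdentifier": f"{org_prefix}.keychain-sync",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Disable iCloud Keychain sync (Okta Device Trust)",
        "PayloadContent": [
            {
                "PayloadType": RESTRICTIONS_PAYLOAD,
                "PayloadVersion": 1,
                "PayloadIdentifier": f"{org_prefix}.keychain-sync.restrictions",
                "PayloadUUID": str(uuid.uuid4()).upper(),
                KEYCHAIN_SYNC_KEY: False,  # the setting that keeps Okta Keychain local
            }
        ],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist form that Jamf Pro accepts for upload."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def profile_disables_keychain_sync(mobileconfig):
    """Audit check: True only if a Restrictions payload sets allowCloudKeychainSync to False."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD and payload.get(KEYCHAIN_SYNC_KEY) is False:
            return True
    return False


if __name__ == "__main__":
    data = to_mobileconfig(build_keychain_sync_profile())
    print(data.decode())
    print("disables keychain sync:", profile_disables_keychain_sync(data))
```

Run the audit function against profiles already in Jamf Pro to confirm the deployed one actually disables syncing rather than merely being named as if it does.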
The Process for Deploying Okta Device Trust
Once you’re ready to deploy Okta Device Trust, follow these steps:
- Turn on your organization’s global Device Trust setting: From the Admin Console, find Security, then Device Trust. Click Edit, then enable macOS Device Trust in the wizard. Choose Jamf Pro in the “Trust is established by” section, then put in API information. Click Test, then Next if you get a success message. On the next screen, download the Python script. Copy and paste the Secret Key Value and Org URL.
- Modify the Device Registration task: Open the Python script. Modify it using the Secret Key Value and Org URL, then enable the global setting.
- Install Python 3: If you don’t have Python 3 installed yet, do it now. If it’s already installed, move on to the next step.
- Add the Task to Jamf Pro: Add the Okta Device Registration Task to Jamf Pro so it registers with Okta and gets the necessary trust certificate. The task also configures browsers and native apps to present that certificate during secure app access. Device Trust certificates are valid for a year and will auto-renew 30 days before expiration.
- Configure sign-on rules in Okta: If necessary, you can create Allow rules to provide access to the app, and a Deny rule to cover users who don’t match the permissions you established earlier.
How to Do Essential Tasks With Okta Device Trust
Once you set up Okta Device Trust, you may need to perform several essential tasks from time to time:
- Revoke and remove Device Trust: If an end user’s device gets lost or stolen or the user no longer works for your company, you need to revoke their Device Trust Certificate. To do that, select the end user from the directory. Click “Revoke Trust Certificate” under the “More Actions” pull-down menu. A message will pop up with options. Choose “Revoke Trust Certificate.”
- View Certificate Enrollment logs: You can view certificate enrollment logs in Jamf Pro or on macOS computers. To use Jamf Pro to view logs, open the Scripts tab, then input “verbose” under Parameter Value. How you view logs on a macOS device depends on the operating system. On macOS 10.11.6, open Utilities, then Console. Choose “All Messages,” type Okta into the search box and press Return for a list of Okta messages. On macOS 10.12.6 or higher, open Utilities, then Console, then choose your device from the options on the left. Type Okta into the search box and press Return for a list of Okta messages.
- Modify App Allowlist: You can modify the Device Registration task so it allows certain apps by default. When users try to access an allowed app, they don’t have to provide a Keychain password. Whenever you push a new registration task to targeted devices, the modified list gets overwritten, so it’s good to keep a copy of the allowed apps.
Tips for Troubleshooting
If all goes well, once you deploy Okta Device Registration, the task will register with Okta to get a Device Trust certificate. Okta will verify the device is managed with Jamf Pro. The task will then configure the browser and approved apps to automatically present the certificate.
Device Registration also sets up a lightweight task, which runs whenever a user logs in and once a day. The task checks for expiration and renews the certificate if it’s 30 days from expiring.
There might come a time when the task doesn’t work as it should. Usually, issues come about when a trusted device can’t access secured apps or when an untrusted device can access the apps.
If that happens, you can try to troubleshoot:
- Confirm the global Device Trust setting is enabled.
- Verify Jamf Pro is properly configured.
- Verify the apps have been added to the Python 3 script before deployment.
- Make sure Python 3 is properly installed.
- Ensure the maximum certificate enrollment limit hasn’t been exceeded.
- Confirm your sign-on policy denies access to untrusted devices and applies to the correct groups.
- Check that the Secret Key Value and Org URL have been entered into the registration task.
Orchard Can Help You Streamline Mac Deployment
Orchard’s device enrollment program helps you stay connected to every system your company uses and ensures organization-wide consistency.
Our deployment program allows you to manage your entire company’s services from one location. You can set up all the required system settings with just a few clicks. A zero-touch configuration process streamlines deployment without requiring you to give up consistency.
Orchard’s enrollment program is cost-effective, efficient and scalable. To learn more about it and how it can help your organization, request a quote today.