From 9c3ad8b533af05b106041521757298027b2ec471 Mon Sep 17 00:00:00 2001 From: JD Date: Mon, 23 Sep 2024 17:48:39 -0600 Subject: [PATCH] Article: Guide Enable Okta Verify on macOS (#22328) Article: Guide: Enable Okta Verify on macOS using configuration profile https://github.com/fleetdm/fleet/issues/22108 --- ...ify-on-macOS-with-configuration-profile.md | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 articles/enable-okta-verify-on-macOS-with-configuration-profile.md diff --git a/articles/enable-okta-verify-on-macOS-with-configuration-profile.md b/articles/enable-okta-verify-on-macOS-with-configuration-profile.md new file mode 100644 index 0000000000..19bd9c5c9e --- /dev/null +++ b/articles/enable-okta-verify-on-macOS-with-configuration-profile.md 
@@ -0,0 +1,130 @@ +# Enable Okta Verify on macOS using configuration profile + +## Introduction + +This guide will show you how to install [Okta Verify](https://help.okta.com/en-us/content/topics/mobile/okta-verify-overview.htm) on your macOS hosts and set them as managed by issuing a SCEP certificate via a configuration profile [managed through Fleet](https://fleetdm.com/guides/custom-os-settings). + +By following these steps, you can automate the deployment of Okta Verify across your devices. This will allow you to enforce multifactor authentication policies, improve device security, and manage user access seamlessly. + +## Prerequisites + +* MDM enabled and configured + +## Step-by-Step Instructions + +### **Step 1: Install Okta Verify on your hosts** + +Okta Verify can be installed: + +* As a Volume Purchasing Program (VPP) application, follow [these steps to install VPP apps](https://fleetdm.com/guides/install-vpp-apps-on-macos-using-fleet). +* As a *.pkg *file download the [installer from Okta](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/ov-install-options-macos.htm) and [deploy the installer using Fleet](https://fleetdm.com/guides/deploy-security-agents). + +After installing Okta Verify on the host, the device will be registered in Okta. + +### **Step 2: Issue a SCEP certificate for management attestation** + +The next step to ensure Okta detects the device as managed is to issue a SCEP certificate. + +* Follow the instructions on the Okta documentation to [configure a certificate authority](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/configure-ca-main.htm) using a **static** SCEP challenge. +* In your text editor, copy and paste the following configuration profile and edit the relevant values: + * `[REPLACE_WITH_CHALLENGE] `with the SCEP challenge you generated in the previous step. + * `[REPLACE_WITH_URL]`with the URL to your SCEP server. + * Adjust the `CN `value according to your organization's needs. 
You can use any of the [profile variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0) to uniquely identify your device. In the example `%ComputerName%` `managementAttestation` `%HardwareUUID%,` the certificate Common Name (CN) will contain both the computer name and the hardware UUID. + +```xml + + + + + + PayloadVersion + 1 + PayloadType + Configuration + PayloadIdentifier + Ignored + PayloadUUID + Ignored + PayloadDisplayName + SCEP device attestation + PayloadContent + + + PayloadContent + + Key Type + RSA + Challenge + [REPLACE_WITH_CHALLENGE] + Key Usage + 1 + Keysize + 2048 + URL + [REPLACE_WITH_URL] + AllowAllAppsAccess + + KeyIsExtractable + + Subject + + + + O + Fleet + + + + + CN + %ComputerName% managementAttestation %HardwareUUID% + + + + + PayloadIdentifier + com.apple.security.scep.C2D94E67-4F1A-4A3C-8142-7523A8D35713 + PayloadType + com.apple.security.scep + PayloadUUID + 632289FA-C3E0-481A-A417-BF40012FB729 + PayloadVersion + 1 + + + + + +``` + +* Enforce the configuration profile on your hosts. You can follow [this guide on enforcing custom OS settings in Fleet](https://fleetdm.com/guides/custom-os-settings). 
+* You can optionally verify the issued certificate by opening Keychain Access on the device or by running a [live query](https://fleetdm.com/guides/get-current-telemetry-from-your-devices-with-live-queries): + +```sql +SELECT * FROM certificates where common_name like '%managementAttestation%'; +``` + +### **Step 3: Configure device management in Okta** + +With Okta Verify installed and an attestation certificate in place, all left is to configure Okta and the device for device management, useful links from the Okta documentation are: + +* [Managed devices](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/managed-main.htm) +* [Enable and configure Okta Verify](https://help.okta.com/en-us/content/topics/mobile/okta-verify-overview.htm) + +Make sure the device is properly set up in Okta and that the user has used Okta FastPass at least once to see it as managed on the Okta dashboard. + +## Conclusion + +This guide covered how to install Okta Verify on your macOS hosts, issue a SCEP certificate for management attestation, and configure device management in Okta. By automating this process through Fleet, you can enforce multi-factor authentication, improve device security, and ensure that devices accessing your organization’s resources are properly managed. + +For more detailed information on managing devices and using Okta Verify, explore the Okta documentation and Fleet’s guides to optimize your device management strategy further. + +See Fleet's [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides) for more details on advanced setups, software features, and vulnerability detection. + + + + + + + +
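Review bot: The profile in this hunk embeds the static SCEP challenge (`[REPLACE_WITH_CHALLENGE]`) in plaintext, and the text in Step 2 should say so: the challenge is a shared secret that authorizes certificate issuance from your CA, so the guide should advise treating it like a credential, limiting who can view or edit the profile in Fleet, and rotating it at the CA if it is ever exposed. A few documentation fixes in the same hunk: `As a *.pkg *file download` has a misplaced italic marker and reads as broken markdown (suggest `As a *.pkg* file, download`); the placeholder bullets put the trailing space inside the backticks (`` `[REPLACE_WITH_CHALLENGE] `with `` and `` `[REPLACE_WITH_URL]`with ``), so they render oddly; and in Step 3, "all left is to configure Okta and the device for device management, useful links from the Okta documentation are:" is a run-on that should read "all that is left is to configure Okta and the device for device management. Useful links from the Okta documentation are:". Minor style point in the live query: `where` and `like` are lowercase while `SELECT` and `FROM` are uppercase; suggest `SELECT * FROM certificates WHERE common_name LIKE '%managementAttestation%';` for consistency.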