The SCEP profile for NDES certificate authority requires the
$FLEET_VAR_SCEP_RENEWAL_ID variable in the Subject OU field. Without
this, GitOps runs fail with an error about missing variables.
https://claude.ai/code/session_01DW2rrUmrxsTaD3t5J66Xz4
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Co-authored-by: Claude <noreply@anthropic.com>
## Summary
- Adds Fleet's dynamic SCEP challenge (Okta CA with a dynamic challenge,
available since Fleet 4.81.0) as the recommended path for Device Access
certificates on macOS 14+
- Preserves static SCEP as a documented legacy option, each with its own
downloadable example profile
- Adds `okta-device-access-scep-dynamic-example.mobileconfig` using
`$FLEET_VAR_NDES_SCEP_PROXY_URL` and `$FLEET_VAR_NDES_SCEP_CHALLENGE`;
existing static example profile unchanged
- Corrects renewal claim: neither static nor dynamic SCEP supports
automatic certificate renewal per Okta's own documentation — both
require profile redeployment before expiration
- Adds Okta documentation links throughout for proper SEO and
cross-reference:
- [Use Okta as a CA for Device
Access](https://help.okta.com/oie/en-us/content/topics/oda/oda-as-scep-okta-ca.htm)
- [Configure Okta as a CA with a dynamic SCEP
challenge](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-dynamic-scep-macos-jamf.htm)
- [Configure Okta as a CA with a static SCEP
challenge](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-static-scep-macos-jamf.htm)
- Uses correct Fleet UI path and CA type name verified against
`helpers.tsx` and the 4.81.0 release article
- Uses Okta's exact field names (SCEP URL, Challenge URL, Username,
Password) verified from Okta's documentation
- Updates `publishedOn` to reflect the revision date
## Files changed
- `articles/deploying-okta-platform-sso-with-fleet.md` — article update
-
`docs/solutions/macos/configuration-profiles/okta-device-access-scep-dynamic-example.mobileconfig`
— new dynamic SCEP example profile
-
`docs/solutions/macos/configuration-profiles/okta-device-access-scep-example.mobileconfig`
— unchanged (static example)
## Test plan
- [ ] Article renders correctly on fleetdm.com preview
- [ ] Dynamic example profile link resolves:
`okta-device-access-scep-dynamic-example.mobileconfig`
- [ ] Static example profile link resolves:
`okta-device-access-scep-example.mobileconfig`
- [ ] All Okta documentation links resolve
- [ ] Fleet UI path verified: **Settings → Integrations → Certificate
authorities → Add CA → Okta CA or Microsoft Device Enrollment service
(NDES)**
- [ ] Fleet variables `$FLEET_VAR_NDES_SCEP_PROXY_URL` and
`$FLEET_VAR_NDES_SCEP_CHALLENGE` confirmed in Fleet docs
- [ ] Meta tags present with updated `publishedOn` date
- [ ] Style guide compliance verified (active voice, bold UI elements,
no marketing fluff)
Fixing broken links in the article to point to absolute paths.
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
