This PR will remain in draft as a preview of upcoming documentation changes for 4.77.0

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Carlo <1778532+cdcme@users.noreply.github.com>
Enable Okta Verify on macOS using configuration profile
Introduction
This guide shows you how to install Okta Verify on your macOS hosts and have Okta recognize them as managed by issuing a SCEP certificate through a configuration profile delivered by Fleet.
By following these steps, you can automate the deployment of Okta Verify across your devices. This will allow you to enforce multifactor authentication policies, improve device security, and manage user access seamlessly.
Prerequisites
- MDM enabled and configured
Step-by-step instructions
Step 1: Install Okta Verify on your hosts
Okta Verify can be installed:
- As a Volume Purchasing Program (VPP) application: follow these steps to install VPP apps.
- As a .pkg file: download the installer from Okta and deploy it using Fleet.
After installing Okta Verify on the host, the device will be registered in Okta.
Step 2: Issue a SCEP certificate for management attestation
The next step to ensure Okta detects the device as managed is to issue a SCEP certificate.
- Follow the instructions on the Okta documentation to configure a certificate authority using a static SCEP challenge.
- In your text editor, copy and paste the following configuration profile and edit the relevant values:
  - Replace [REPLACE_WITH_CHALLENGE] with the SCEP challenge you generated in the previous step.
  - Replace [REPLACE_WITH_URL] with the URL of your SCEP server.
  - Adjust the CN value according to your organization's needs. You can use any of the profile variables to uniquely identify your device. In the example %ComputerName% managementAttestation %HardwareUUID%, the certificate Common Name (CN) will contain both the computer name and the hardware UUID.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>Ignored</string>
  <key>PayloadUUID</key>
  <string>Ignored</string>
  <key>PayloadDisplayName</key>
  <string>SCEP device attestation</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>Key Type</key>
        <string>RSA</string>
        <key>Challenge</key>
        <string>[REPLACE_WITH_CHALLENGE]</string>
        <key>Key Usage</key>
        <integer>1</integer>
        <key>Keysize</key>
        <integer>2048</integer>
        <key>URL</key>
        <string>[REPLACE_WITH_URL]</string>
        <key>AllowAllAppsAccess</key>
        <true />
        <key>KeyIsExtractable</key>
        <false />
        <key>Subject</key>
        <array>
          <array>
            <array>
              <string>O</string>
              <string>Fleet</string>
            </array>
          </array>
          <array>
            <array>
              <string>CN</string>
              <string>%ComputerName% managementAttestation %HardwareUUID%</string>
            </array>
          </array>
        </array>
      </dict>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.scep.C2D94E67-4F1A-4A3C-8142-7523A8D35713</string>
      <key>PayloadType</key>
      <string>com.apple.security.scep</string>
      <key>PayloadUUID</key>
      <string>632289FA-C3E0-481A-A417-BF40012FB729</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
```
Make sure to use .mobileconfig as the file extension.
- Enforce the configuration profile on your hosts. You can follow this guide on enforcing custom OS settings in Fleet.
- You can optionally verify the issued certificate by opening Keychain Access on the device or by running a live query:

```sql
SELECT * FROM certificates WHERE common_name LIKE '%managementAttestation%';
```
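Before uploading the edited profile, it is worth checking it for the mistakes that most often leave a host without a usable attestation certificate: a placeholder left in, a non-HTTPS SCEP URL, an extractable or short key, or a CN that no longer contains `managementAttestation` or a device-unique profile variable. The following check is an added example, not Fleet's or Okta's own code; it uses only the Python standard library, and the challenge and URL it is tested with are constructed values.

```python
import plistlib
import re

SCEP_TYPE = "com.apple.security.scep"
PROFILE_VAR = re.compile(r"%[A-Za-z]+%")  # Fleet profile variable, e.g. %HardwareUUID%


def subject_value(subject, key):
    """Return the value of one attribute (e.g. CN) from the nested Subject array."""
    return next((a[1] for rdn in subject for a in rdn if a[0] == key), None)


def check_scep_profile(mobileconfig_bytes):
    """Return a list of problems; an empty list means the profile is ready to upload."""
    profile = plistlib.loads(mobileconfig_bytes)
    scep = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == SCEP_TYPE]
    if len(scep) != 1:
        return [f"expected one {SCEP_TYPE} payload, found {len(scep)}"]
    content = scep[0].get("PayloadContent", {})
    problems = []
    for key in ("Challenge", "URL"):  # both must be filled in from the Okta CA setup
        value = content.get(key, "")
        if not value or "[REPLACE_WITH_" in value:
            problems.append(f"{key} is empty or still holds a placeholder")
    if not content.get("URL", "").startswith("https://"):
        problems.append("URL does not use https")
    if content.get("KeyIsExtractable", True):
        problems.append("KeyIsExtractable is not false; the private key could be exported")
    if content.get("Keysize", 0) < 2048:
        problems.append("Keysize is below 2048")
    cn = subject_value(content.get("Subject", []), "CN") or ""
    if "managementAttestation" not in cn:
        problems.append("CN lacks 'managementAttestation', so the live query above will not match")
    if not PROFILE_VAR.search(cn):
        problems.append("CN has no profile variable, so every host would share one CN")
    return problems


def sample_profile(challenge, url, cn):
    """Constructed test input with the same shape as the guide's profile."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": SCEP_TYPE, "PayloadVersion": 1,
            "PayloadContent": {
                "Key Type": "RSA", "Challenge": challenge, "Key Usage": 1,
                "Keysize": 2048, "URL": url, "AllowAllAppsAccess": True,
                "KeyIsExtractable": False,
                "Subject": [[["O", "Fleet"]], [["CN", cn]]]}}]})
```

To check a real file, pass `open("profile.mobileconfig", "rb").read()` to `check_scep_profile` and fix anything it reports before enforcing the profile.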
Step 3: Configure device management in Okta
With Okta Verify installed and an attestation certificate in place, all that is left is to configure Okta and the device for device management. Useful links from the Okta documentation are:
Make sure the device is properly set up in Okta and that the user has used Okta FastPass at least once to see it as managed on the Okta dashboard.
Conclusion
This guide covered how to install Okta Verify on your macOS hosts, issue a SCEP certificate for management attestation, and configure device management in Okta. By automating this process through Fleet, you can enforce multi-factor authentication, improve device security, and ensure that devices accessing your organization’s resources are properly managed.
For more detailed information on managing devices and using Okta Verify, explore the Okta documentation and Fleet’s guides to optimize your device management strategy further.
See Fleet's documentation and additional guides for more details on advanced setups, software features, and vulnerability detection.