Hi Folks,
It's been a while since my last post, but here I am again! Massive kudos to our wonderful teammates Charlie and Rosham, who did most of the heavy lifting for this solution.
Let’s dive in.
Setting up on JumpCloud
- You might need a staging device, ideally running Windows and not used by an actual user:
- Enroll it with JumpCloud.
- Bind a JumpCloud managed admin account.
- Enable the conditional access policy and distribute the device trust cert to all devices.
- Create a command to deploy the Okta Verify app on Windows; you can use the PowerShell code below as a reference:
# Modify the URL to match your Okta domain
$url = "https://<your-okta-domain>.okta.com/api/v1/artifacts/WINDOWS_OKTA_VERIFY/download?releaseChannel=GA&packageType=EXE"
$outputPath = "C:\Temp\okta_verify.exe" # Change this path as needed
# Create the directory if it does not exist
$dir = [System.IO.Path]::GetDirectoryName($outputPath)
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}
# Download the EXE file (stop the command on any download error rather than trying to install a partial file)
Invoke-WebRequest -Uri $url -OutFile $outputPath -UseBasicParsing -ErrorAction Stop
# Install the EXE for all users silently and wait for the installer to finish
Start-Process -FilePath $outputPath -ArgumentList "/silent /install /norestart /verysilent /quiet" -NoNewWindow -Wait
- You can find the download URL here and replace it on line 2 of the script:
- Deploy Okta Verify through VPP (Apple Volume Purchase Program) on macOS devices.
On To The Staging Windows Device
- Log in as the managed JumpCloud user with admin permissions.
- Open the Windows Start menu and launch “MMC”.
- Add the Certificates snap-in -> Current user.
- Navigate to “Intermediate Certification Authorities” -> Certificates. Locate “JumpCloud Production Device Identification Issuer CA”.
- Export the certificate in either the Base-64 encoded X.509 or the DER encoded binary X.509 format:
- Choose a name and a file location and save.
- Keep the certificates in a safe place.
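As an added example (not from the original post), the following PowerShell does the same locate-and-export without the MMC wizard and sanity-checks the CA first; the certificate store paths, the subject match string and the output folder are assumptions.

```powershell
# Added example, not the original post's code. Locates the JumpCloud device identification
# issuer CA in the current user's Intermediate CA store, checks it, and exports it in both
# formats Okta accepts (Base-64 PEM and DER). Store paths and subject match are assumptions.
$caSubjectMatch = '*JumpCloud Production Device Identification Issuer CA*'
$outDir = 'C:\Temp\okta-device-trust'   # placeholder, change as needed

$ca = Get-ChildItem -Path Cert:\CurrentUser\CA |
    Where-Object { $_.Subject -like $caSubjectMatch }

if (-not $ca) {
    throw "Issuer CA not found in Cert:\CurrentUser\CA. Is the device enrolled and the device trust cert distributed?"
}
if (@($ca).Count -gt 1) {
    throw "More than one certificate matched '$caSubjectMatch'; refine the match before exporting."
}

# Basic sanity checks before handing the CA to Okta
if ($ca.NotAfter -lt (Get-Date)) { throw "Issuer CA expired on $($ca.NotAfter)." }
Write-Host "Subject   : $($ca.Subject)"
Write-Host "Issuer    : $($ca.Issuer)"
Write-Host "Thumbprint: $($ca.Thumbprint)"
Write-Host "Valid     : $($ca.NotBefore) -> $($ca.NotAfter)"

# Confirm this device actually holds a leaf certificate issued by that CA
# (assumed to live in the current user's Personal store)
$leaf = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $ca.Subject }
if (-not $leaf) {
    Write-Warning "No device certificate issued by this CA in Cert:\CurrentUser\My; device trust checks will fail on this machine."
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# DER (binary) export, equivalent to the MMC "DER encoded binary X.509" option
Export-Certificate -Cert $ca -FilePath (Join-Path $outDir 'jumpcloud-issuer-ca.cer') -Type CERT | Out-Null

# Base-64 (PEM) export, equivalent to the MMC "Base-64 encoded X.509" option
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($ca.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path (Join-Path $outDir 'jumpcloud-issuer-ca.pem') -Value $pem -Encoding ascii
```

Compare the printed thumbprint with what the Okta admin console shows after upload so you know the right CA was registered.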
Configuration On Okta
- Log in as an Okta admin and navigate to Security -> Device Integrations.
- Select the “Certificate Authority” tab and click “Add certificate authority”:
- Upload your “JumpCloud Production Device Identification Issuer CA” and keep “endpoint management” selected.
- Once it’s done, it looks like this:
- On the same page, go to “Endpoint management” tab and “Add platform” -> Select Desktops:
- On the next screen, select “Use my own certificate authority” and save.
- Now all we need is to apply the Device Trust policies to an application in Okta. Here’s an example:
- Done!
Testing The User Experience
It looks like this on macOS (Windows is very similar).
Note: On macOS there might be a prompt asking to allow Okta Verify to access the JumpCloud Device Trust Key. You can:
- Add "Okta Verify" as the keychain trusted app.
- Or, if you are somehow still getting the prompt, refer to the steps here to input the password (less recommended).
And last but not least: in the Okta admin console -> Directory -> Devices, these devices will show up as “Managed”:
That’s it, hope you enjoyed it and stay tuned for my next post 😀