Okta Device Trust with JumpCloud via SCEP

shawnsong
Rising Star III

Hi Folks,

I hope you all had a fantastic summer holiday—recharged, refreshed, and ready to take on September!

Last time I shared a solution which leverages JumpCloud’s device trust cert for Okta device trust, and almost immediately, I got the feedback: “What about using Okta’s SCEP for device trust?”

The answer is a resounding YES, especially now that we’ve launched SCEP policy support for Windows!

Let’s dive in. 


Setting up on JumpCloud

Deploy the Okta Verify App

  1. You might need a staging device, ideally running Windows and not used by an actual user:
    • Enroll it with JumpCloud.
    • Bind a JumpCloud managed admin account. 
  2. Create a command to deploy the Okta Verify app for Windows; you may refer to the PowerShell code below:
    # Define the URL and the output path
    $url = "https://<your-okta-domain>.okta.com/api/v1/artifacts/WINDOWS_OKTA_VERIFY/download?releaseChannel=GA&packageType=EXE"
    $outputPath = "C:\Temp\okta_verify.exe"  # Change this path as needed
    
    # Create the directory if it does not exist
    $dir = [System.IO.Path]::GetDirectoryName($outputPath)
    if (-not (Test-Path -Path $dir)) {
        New-Item -ItemType Directory -Path $dir
    }
    
    # Download the EXE file
    Invoke-WebRequest -Uri $url -OutFile $outputPath
    
    # Install the EXE for all users silently
    Start-Process -FilePath $outputPath -ArgumentList "/silent /install /norestart /verysilent /quiet" -NoNewWindow -Wait
    • You can find the download URL in the Okta admin console and replace it in line 2 of the script above. [screenshots]
  3. Deploy Okta Verify as a VPP app for macOS devices.
  4. Enable the conditional access policy and distribute the device trust cert to all devices. 

Extract the "JumpCloud Production Device Identification Root CA"

On a JumpCloud-Managed Windows Device

  1. Log in as the managed JumpCloud user with admin permissions.
  2. Hit Windows Start and launch “MMC”.
  3. Add the Certificates snap-in -> Current user. [screenshot]
  4. Navigate to “Intermediate Certification Authorities” -> Certificates. Locate “JumpCloud Production Device Identification Issuer CA”. [screenshot]
  5. Export the certificate in Base-64 or binary encoded format. [screenshot]
  6. Choose a name and a file location and save.
  7. Keep the certificate in a safe place.


Configure Okta

  1. Log in as an Okta admin and navigate to Security -> Device Integrations.
  2. Select the “Certificate Authority” tab and click “Add certificate authority”. [screenshot]
  3. Upload your “JumpCloud Production Device Identification Issuer CA” and keep “Endpoint management” selected.
  4. Once it’s done, it looks like this: [screenshot]
  5. On the same page, go to the “Endpoint management” tab and “Add platform” -> select Desktops. [screenshot]
  6. On the next screen, select “Use Okta as certificate authority” -> “Static SCEP URL” -> hit “Generate”, then copy the SCEP URL and Secret Key for later. (Make sure the secret contains no special characters such as !@#$%^&*_.)
    • You can reset the secret multiple times if the condition is not met. [screenshots]
  7. Save the settings, done.
  8. Now, all we need is to apply the Device Trust policies to an application in Okta. Here’s an example: [screenshots]
  9. Done!

Configure the SCEP Policy on JumpCloud

First, download the Okta Root CA

  • Go to the Okta admin console -> Security -> Device Integrations. [screenshot]
  • Rename the cert to cert.cer

For Windows

  • Create a SCEP policy on the JumpCloud admin console and name it.
  • Thumbprint: On a Windows machine, double-click the downloaded cert.cer -> Details -> copy the Thumbprint value. [screenshot]
  • Challenge: the SCEP secret from Okta, generated when you created the SCEP endpoint above. [screenshot]
  • Key Length: 2048
  • Subject Name: CN=Organization Intermediate Authority
  • The rest of the settings: [screenshot]
  • Save the policy and bind it to a Windows device group.
  • A successful outcome looks like this: [screenshot]


For macOS

  • Same deal: create a SCEP policy on the JumpCloud admin console and name it.
  • Fingerprint: leave blank.
  • Challenge: use the same as above.
  • Key Size: 2048
  • Subject: CN=cert
  • The rest of the settings look like this: [screenshot]
  • Success looks like this on macOS: [screenshot]
  • Done!

Testing The User Experience

It looks like this on macOS (Windows is very similar): [video]

And last but not least, on the Okta admin console -> Directory -> Devices, these devices will show up as “Managed”: [screenshot]

That’s it, hope you enjoyed it and see you again on the next post! 😀

3 REPLIES

BrightRodger
JumpCloud Employee

This is excellent!

jayPoh
Novitiate I

Followed this guide - I see the Okta cert under the Local Machine > Personal store, yet it's still showing as Not Managed in Okta. I removed and re-added a new policy and nada. What could I be missing 😞

jayPoh
Novitiate I

May have found the solution: giving the logged-in users perms to the private key of the cert. Worked on test machines. Let's see with prod 🤞
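A diagnostic for the Windows SCEP policy above and the "cert is present but the device stays Not Managed" symptom in the replies, added here as an example and not part of the original post or JumpCloud's tooling: it locates the Okta-issued device certificate in the Local Machine Personal store and reports whether the logged-in user holds Read rights on its private key file. The Okta CA thumbprint is a placeholder you replace with the value copied from cert.cer; the key-file paths are the standard Windows locations for CNG and legacy CAPI machine keys.

```powershell
# Added example: verify the SCEP-issued device cert and the private-key ACL the replies refer to.
param(
    [string]$OktaCaThumbprint = "<THUMBPRINT-OF-OKTA-ROOT-CA>",   # placeholder: value from cert.cer -> Details
    [string]$UserToCheck = "$env:USERDOMAIN\$env:USERNAME"       # the interactive user Okta Verify runs as
)

# Resolve the Okta CA from the machine trust stores so device certs can be matched by issuer
$wanted = ($OktaCaThumbprint -replace '\s', '').ToUpper()
$ca = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA -ErrorAction SilentlyContinue |
      Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
if (-not $ca) { Write-Warning "Okta CA $wanted not found in LocalMachine Root/CA stores"; return }

# Device certs issued by that CA in the store the SCEP policy targets (Local Machine > Personal)
$devCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -eq $ca.Subject }
if (-not $devCerts) { Write-Warning "No device certificate issued by $($ca.Subject) in LocalMachine\My"; return }

foreach ($cert in $devCerts) {
    Write-Host "Found $($cert.Subject), expires $($cert.NotAfter), HasPrivateKey=$($cert.HasPrivateKey)"
    if (-not $cert.HasPrivateKey) { continue }

    # Map the certificate to its key file: CNG keys live under Crypto\Keys, CAPI keys under Crypto\RSA\MachineKeys
    $keyName = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
        elseif ($rsa.CspKeyContainerInfo) { $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    } catch { Write-Warning "Cannot open private key of $($cert.Thumbprint): $_"; continue }

    $keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys\$keyName",
                 "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName") |
               Where-Object { $keyName -and (Test-Path $_) } | Select-Object -First 1
    if (-not $keyFile) { Write-Warning "Key file for $keyName not found on disk"; continue }

    # Check for an Allow ACE granting Read to the user directly or via BUILTIN\Users / Everyone.
    # Other group memberships are not expanded here; a miss is a hint to inspect the ACL by hand.
    $acl = Get-Acl -Path $keyFile
    $readAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -eq $UserToCheck -or
         $_.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone)$') -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
    }
    if ($readAce) { Write-Host "  OK: $UserToCheck can read the private key ($keyFile)" }
    else { Write-Warning "  $UserToCheck has no Read right on $keyFile; Okta Verify cannot use this cert" }
}
```

Run it in an elevated PowerShell on an enrolled device after the JumpCloud SCEP policy reports success; a warning on the last check is the condition the replies fixed by granting the user permissions on the key.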