
    Okta Device Trust with JumpCloud via SCEP

    shawnsong
    Rising Star III

    Hi Folks,

    I hope you all had a fantastic summer holiday—recharged, refreshed, and ready to take on September!

    Last time I shared a solution which leverages JumpCloud’s device trust cert for Okta device trust, and almost immediately, I got the feedback: “What about using Okta’s SCEP for device trust?”

    The answer is a resounding YES, especially now that we’ve launched SCEP policy support for Windows!

    Let’s dive in. 


    Setting up on JumpCloud

    Deploy the Okta Verify App

    1. You might need a staging device, ideally running Windows and not used by an actual user:
      • Enroll it with JumpCloud.
      • Bind a JumpCloud managed admin account.
    2. Create a command to deploy the Okta Verify app for Windows; you can use the PowerShell code below as a reference:
      # Define the URL and the output path
      $url = "https://<your-okta-domain>.okta.com/api/v1/artifacts/WINDOWS_OKTA_VERIFY/download?releaseChannel=GA&packageType=EXE"
      $outputPath = "C:\Temp\okta_verify.exe"  # Change this path as needed
      
      # Create the directory if it does not exist
      $dir = [System.IO.Path]::GetDirectoryName($outputPath)
      if (-not (Test-Path -Path $dir)) {
          New-Item -ItemType Directory -Path $dir
      }
      
      # Download the EXE file
      Invoke-WebRequest -Uri $url -OutFile $outputPath
      
      # Install the EXE for all users silently
      Start-Process -FilePath $outputPath -ArgumentList "/silent /install /norestart /verysilent /quiet" -NoNewWindow -Wait
      • You can find the download URL in the Okta admin console and replace it in line 2 of the script above (the $url value). (screenshots)
    3. Deploy Okta Verify to macOS devices as a VPP app.
    4. Enable the conditional access policy and distribute the device trust cert to all devices.

    Extract the "JumpCloud Production Device Identification Root CA"

    On A JumpCloud Managed Windows Device

    1. Log in as the managed JumpCloud user with admin permissions.
    2. Open the Windows Start menu and launch “MMC”.
    3. Add the Certificates snap-in for the Current User. (screenshot)
    4. Navigate to “Intermediate Certification Authorities” -> Certificates and locate “JumpCloud Production Device Identification Issuer CA”. (screenshot)
    5. Export the certificate in Base-64 or binary (DER) encoded format. (screenshot)
    6. Choose a name and a file location and save.
    7. Keep the certificate in a safe place.


    Configure Okta

    1. Log in as an Okta admin and navigate to Security -> Device Integrations.
    2. Select the “Certificate Authority” tab and click “Add certificate authority”. (screenshot)
    3. Upload your “JumpCloud Production Device Identification Issuer CA” and keep “Endpoint management” selected.
    4. Once it’s done, it looks like this: (screenshot)
    5. On the same page, go to the “Endpoint management” tab, click “Add platform” and select Desktops. (screenshot)
    6. On the next screen, select “Use Okta as certificate authority” -> “Static SCEP URL” and hit “Generate”. Copy the SCEP URL and Secret Key for later. Make sure the secret contains no special characters such as !@#$%^&*_ :
      • you can reset the secret as many times as needed until it meets that condition. (screenshots)
    7. Save the settings.
    8. Now all we need is to apply the Device Trust policies to an application in Okta. Here’s an example: (screenshots)
    9. Done!

    Configure the SCEP Policy on JumpCloud

    First, download the Okta Root CA

    • Go to the Okta admin console -> Security -> Device Integrations and download the certificate. (screenshot)
    • Rename the cert to cert.cer

    For Windows

    • Create a SCEP policy on the JumpCloud admin console and name it.
    • Thumbprint: on a Windows machine, double-click the downloaded cert.cer -> Details -> Thumbprint and copy the value. (screenshot)
    • Challenge: the SCEP secret from Okta that you generated when creating the SCEP endpoint above. (screenshot)
    • Key Length: 2048
    • Subject Name: CN=Organization Intermediate Authority
    • The rest of the settings: (screenshot)
    • Save the policy and bind it to a Windows device group.
    • A successful result looks like this: (screenshot)
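As an added example (not code from the original post, JumpCloud or Okta), the PowerShell below reads the downloaded cert.cer and prints the values the JumpCloud SCEP policy asks for, so you do not have to copy the thumbprint out of the Windows certificate dialog by hand. It also checks that the file really is a CA certificate and that the SCEP secret meets the no-special-characters condition from the Okta step above. The file path C:\Temp\cert.cer and the -Challenge placeholder are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post or from JumpCloud/Okta): read the
# Okta CA downloaded from Security -> Device Integrations and print the values
# the JumpCloud SCEP policy asks for. Assumed: the file was renamed to
# C:\Temp\cert.cer as the post says, and the Okta SCEP secret is passed in
# via -Challenge.
param(
    [string]$CertPath  = "C:\Temp\cert.cer",
    [string]$Challenge = "<paste-okta-scep-secret-here>"
)

# X509Certificate2 accepts both Base-64 and binary (DER) .cer files.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Confirm this is a CA certificate via the Basic Constraints extension
# (OID 2.5.29.19); the policy expects the issuing CA, not a device cert.
$isCa = $false
$bc = $ca.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.19" }
if ($bc) {
    $parsed = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension($bc, $false)
    $isCa = $parsed.CertificateAuthority
}

# The policy's Thumbprint field is the SHA-1 hash of the DER encoding, the
# same value shown under Details -> Thumbprint, already without spaces.
$thumbprint = $ca.Thumbprint

# The post's constraint on the Okta static SCEP secret: no special characters
# such as !@#$%^&*_ . Letters and digits only is the safe interpretation here.
$challengeOk = $Challenge -match '^[A-Za-z0-9]+$'

[pscustomobject]@{
    Subject     = $ca.Subject
    NotAfter    = $ca.NotAfter
    IsCA        = $isCa
    Thumbprint  = $thumbprint
    ChallengeOk = $challengeOk
}

if (-not $isCa) {
    Write-Warning "$CertPath has no CA basic-constraints flag; make sure you downloaded the Okta CA and not a device certificate."
}
if (-not $challengeOk) {
    Write-Warning "The SCEP secret contains characters outside [A-Za-z0-9]; regenerate it in Okta before using it as the JumpCloud challenge."
}
```

Save it under any name you like and run it from a PowerShell prompt on the Windows machine, passing -CertPath and -Challenge; the Thumbprint value it prints goes into the policy's Thumbprint field, and the two warnings tell you whether the inputs need fixing before you save the policy.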

     

    For macOS

    • Same deal - create a SCEP policy on the JumpCloud admin console and name it.
    • Fingerprint: leave blank.
    • Challenge: use the same secret as above.
    • Key Size: 2048
    • Subject: CN=cert
    • The rest of the settings look like this: (screenshot)
    • A successful result looks like this on macOS: (screenshot)
    • Done!

    Testing The User Experience

    It looks like this on macOS (Windows is very similar):

    (video: Okta FastPass on Mac)

    And last but not least, in the Okta admin console -> Directory -> Devices, these devices will show up as “Managed”: (screenshot)

    That’s it, hope you enjoyed it and see you again in the next post! 😀

    3 REPLIES

    BrightRodger
    JumpCloud Employee

    This is excellent!

    jayPoh
    Novitiate I

    Followed this guide - I see the Okta cert in the Local Machine > Personal store, yet it's still showing as Not Managed in Okta. I removed and re-added a new policy and nada. What could I be missing 😞

    jayPoh
    Novitiate I

    May have found the solution - giving the logged-in users perms to the private key of the cert. Worked on test machines. Let's see with prod 🤞
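The follow-up above found that the device stayed “Not Managed” until the logged-in user was given permissions on the private key of the SCEP-issued certificate. As an added example (not code from the thread, JumpCloud or Okta), the PowerShell below, run as an administrator on the Windows device, lists the certificates in Local Machine > Personal that were issued by the Okta CA, confirms each has a private key, shows who is allowed to read the key file, and optionally grants Read to one principal. The cert.cer path and the -GrantReadTo value are assumptions; the key-file locations are the standard Windows paths for CNG and CAPI machine keys.

```powershell
# Added example (not from the thread, JumpCloud or Okta). Run as administrator
# on the Windows device after the JumpCloud SCEP policy has applied.
# Assumed: the Okta CA you uploaded to the policy is at C:\Temp\cert.cer, and
# -GrantReadTo is a principal such as "BUILTIN\Users" or "DOMAIN\jdoe".
param(
    [string]$OktaCaPath  = "C:\Temp\cert.cer",
    [string]$GrantReadTo = ""      # empty = report only, change nothing
)

function Get-PrivateKeyFilePath {
    # Resolve the on-disk key file for a machine cert, for both CNG (Key
    # Storage Provider) and legacy CAPI (CSP) keys; returns $null if unknown.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    return $null
}

$oktaCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OktaCaPath

# Certs in Local Machine > Personal whose issuer is the Okta CA.
$deviceCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -eq $oktaCa.Subject })
if ($deviceCerts.Count -eq 0) {
    Write-Warning "No certificate issued by '$($oktaCa.Subject)' in LocalMachine\My; check the SCEP policy result in JumpCloud first."
}

foreach ($cert in $deviceCerts) {
    $keyPath = Get-PrivateKeyFilePath -Cert $cert
    $readers = @()
    if ($keyPath -and (Test-Path $keyPath)) {
        # Who may read the key file. Per the reply above, the logged-in user
        # (or a group containing them) needs to appear here.
        $readers = (Get-Acl $keyPath).Access |
            Where-Object { $_.AccessControlType -eq "Allow" } |
            ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }
    }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        KeyFile       = $keyPath
        KeyReaders    = ($readers -join "; ")
    }

    # The fix from the thread, applied with least privilege: Read only, not
    # FullControl, and only when a principal was explicitly passed in.
    if ($GrantReadTo -and $keyPath -and (Test-Path $keyPath)) {
        $acl  = Get-Acl $keyPath
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GrantReadTo, "Read", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyPath -AclObject $acl
        Write-Host "Granted Read on $keyPath to $GrantReadTo"
    }
}
```

Run it once without -GrantReadTo to see the KeyReaders column for each Okta-issued cert; if HasPrivateKey is False, the enrollment itself failed and the ACL is not the problem. Only when the key exists but the user is missing from KeyReaders, re-run with -GrantReadTo set to that user or a group, and then re-check the device in Okta admin -> Directory -> Devices.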