Okta Device Trust with JumpCloud via SCEP
08-28-2024 05:54 AM - edited 09-02-2024 05:54 AM
Hi Folks,
I hope you all had a fantastic summer holiday—recharged, refreshed, and ready to take on September!
Last time I shared a solution which leverages JumpCloud’s device trust cert for Okta device trust, and almost immediately, I got the feedback: “What about using Okta’s SCEP for device trust?”
The answer is a resounding YES, especially now that we’ve launched SCEP policy support for Windows!
Let’s dive in.
Setting up on JumpCloud
Deploy the Okta Verify App
- You will need a staging device, ideally running Windows and not used by an actual user:
- Enroll it with JumpCloud.
- Bind a JumpCloud managed admin account.
- Create a command to deploy the Okta Verify app for Windows; you can use the PowerShell code below as a reference:
```powershell
# Define the URL and the output path
$url = "https://<your-okta-domain>.okta.com/api/v1/artifacts/WINDOWS_OKTA_VERIFY/download?releaseChannel=GA&packageType=EXE"
$outputPath = "C:\Temp\okta_verify.exe" # Change this path as needed

# Stop on the first error so a failed download never falls through to the install step
$ErrorActionPreference = 'Stop'

# Create the directory if it does not exist
$dir = [System.IO.Path]::GetDirectoryName($outputPath)
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# Download the EXE file (-UseBasicParsing avoids the IE dependency on Windows PowerShell 5.1)
Invoke-WebRequest -Uri $url -OutFile $outputPath -UseBasicParsing

# Install the EXE for all users silently and wait for the installer to finish
Start-Process -FilePath $outputPath -ArgumentList "/silent /install /norestart /verysilent /quiet" -NoNewWindow -Wait
```
- You can find the download URL and replace it in line 2 here:
- Deploy Okta Verify as a VPP app for macOS devices.
- Enable the conditional access policy and distribute the device trust cert to all devices.
Extract the "JumpCloud Production Device Identification Root CA"
On A JumpCloud Managed Windows Device
- Log in as the managed JumpCloud user with admin permissions.
- Open the Windows Start menu and run “MMC”.
- Add certificates snap-in -> Current user.
- Navigate to “Intermediate certificate authorities” -> Certificates. Locate “JumpCloud Production Device Identification Issuer CA”.
- Export the certificate in Base-64 or DER (binary) encoded format:
- Choose a name and a file location and save.
- Keep the certificates in a safe place.
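The same export can be done from a PowerShell prompt instead of the MMC snap-in. This is an added example, not code from the original post: it looks in the current user's Intermediate Certification Authorities store (Cert:\CurrentUser\CA), checks that what it found really is a CA certificate before you upload it to Okta, and writes both the DER and the Base-64 form. The match string on the Subject and the C:\Temp output folder are assumptions; adjust them to what your store shows.

```powershell
# Added example (not from the original post): export the JumpCloud Device
# Identification Issuer CA from the current user's Intermediate CA store.
# Assumptions: the Subject contains the string matched below; output to C:\Temp.
$ErrorActionPreference = 'Stop'
$outDir = 'C:\Temp'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Cert:\CurrentUser\CA is the "Intermediate Certification Authorities" store in MMC.
$issuer = Get-ChildItem -Path Cert:\CurrentUser\CA |
    Where-Object { $_.Subject -like '*JumpCloud Production Device Identification Issuer CA*' }

if (-not $issuer) {
    throw 'JumpCloud issuer CA not found; make sure the device trust cert has been distributed to this device.'
}
if (@($issuer).Count -gt 1) {
    # More than one match (e.g. after a rotation): keep the unexpired one that expires last.
    $issuer = $issuer | Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

# Sanity checks before uploading anything to Okta: it must be a CA certificate,
# and an intermediate should be issued by the JumpCloud root rather than self-signed.
$bc = $issuer.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate $($issuer.Thumbprint) is not a CA certificate."
}
if ($issuer.Subject -eq $issuer.Issuer) {
    Write-Warning 'This certificate is self-signed; expected an intermediate issued by the JumpCloud root.'
}

# DER, which the export wizard calls "Binary encoded"
$derPath = Join-Path $outDir 'jumpcloud-device-issuer-ca.cer'
Export-Certificate -Cert $issuer -FilePath $derPath -Type CERT | Out-Null

# Base-64 (PEM): the same DER bytes wrapped in the usual markers
$pemPath = Join-Path $outDir 'jumpcloud-device-issuer-ca.pem'
$b64 = [Convert]::ToBase64String($issuer.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $pemPath -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" -Encoding Ascii

# Record what was exported so it can be matched against what Okta shows after upload.
[pscustomobject]@{
    Subject    = $issuer.Subject
    Issuer     = $issuer.Issuer
    NotAfter   = $issuer.NotAfter
    Thumbprint = $issuer.Thumbprint   # SHA-1, the value the certificate's Details tab shows
    DerPath    = $derPath
    PemPath    = $pemPath
} | Format-List
```

Compare the printed Subject and Thumbprint with what Okta displays after the upload in the next section; a mismatch means you exported the wrong certificate (for example the root instead of the issuer).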
Configure Okta
- Log in as an Okta admin and navigate to Security -> Device Integrations.
- Select the “Certificate Authority” tab and click “Add certificate authority”:
- Upload your “JumpCloud Production Device Identification Issuer CA” and keep “endpoint management” selected.
- Once it’s done, it looks like this:
- On the same page, go to “Endpoint management” tab and “Add platform” -> Select Desktops:
- On the next screen, select “Use Okta as certificate authority” -> “Static SCEP URL” -> hit “Generate”, then copy the SCEP URL and Secret Key for later. Make sure the secret contains no special characters such as !@#$%^&*_
- You can reset the secret multiple times until that condition is met.
- Save the settings, done.
- Now, all we need is to apply the Device Trust policies to an application in Okta. Here’s an example:
- Done!
Configure the SCEP Policy on JumpCloud
First, download the Okta root CA
- Go to the Okta admin console -> Security -> Device Integrations:
- Rename the cert to cert.cer.
For Windows
- Create a SCEP policy on the JumpCloud admin console and name it.
- Thumbprint: On a Windows machine, double-click the downloaded cert.cer -> Details -> copy the Thumbprint value.
- Challenge: It’s the SCEP secret on Okta when you created the SCEP endpoint above.
- Key Length: 2048
- Subject Name: CN=Organization Intermediate Authority
- The rest of the settings:
- Save the policy and bind to a Windows device group.
- A successful outcome looks like this:
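Two of the values above are easy to get subtly wrong: the thumbprint (copied by hand from the Details tab) and the challenge (which must not contain the special characters mentioned earlier). The following PowerShell pre-flight is an added example, not from the original post; it computes the thumbprint from cert.cer exactly as the Details tab does (SHA-1 over the DER bytes), confirms the file is really a CA certificate, and rejects a secret with characters outside A-Z, a-z, 0-9. The path C:\Temp\cert.cer and the Read-Host prompt are assumptions of the example.

```powershell
# Added example (not from the original post): pre-flight checks on the two
# values the JumpCloud Windows SCEP policy needs from Okta.
# Assumptions: the Okta CA downloaded from Security -> Device Integrations was
# saved as C:\Temp\cert.cer; the SCEP secret is pasted at the prompt.
$ErrorActionPreference = 'Stop'
$certPath = 'C:\Temp\cert.cer'

function Get-CaInfo {
    param([Parameter(Mandatory)][string]$Path)
    # X509Certificate2 reads both DER and Base-64 .cer files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # .Thumbprint is SHA-1 over the DER encoding, the same value the Details tab shows
    # (the dialog separates the byte pairs with spaces; .Thumbprint does not).
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [pscustomobject]@{
        Subject          = $cert.Subject
        IsCA             = [bool]($bc -and $bc.CertificateAuthority)
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)
        NotAfter         = $cert.NotAfter
        Sha1Thumbprint   = $cert.Thumbprint
        Sha256Thumbprint = ([System.BitConverter]::ToString($sha256) -replace '-', '')
    }
}

$info = Get-CaInfo -Path $certPath
$info | Format-List
if (-not $info.IsCA) { throw 'cert.cer is not a CA certificate; download the Okta CA again.' }
if ($info.NotAfter -lt (Get-Date)) { throw 'The Okta CA certificate has expired.' }
"Thumbprint to paste into the JumpCloud policy: $($info.Sha1Thumbprint)"

# Challenge: the post warns that special characters in the Okta-generated secret
# break enrollment, so reject anything that is not plain alphanumeric.
$scepSecret = Read-Host 'Paste the SCEP secret from Okta'
if ($scepSecret -notmatch '^[A-Za-z0-9]+$') {
    $bad = ($scepSecret.ToCharArray() | Where-Object { $_ -notmatch '[A-Za-z0-9]' }) -join ''
    throw "Secret contains characters ($bad) to avoid; hit Reset in Okta and generate a new one."
}
'Secret is alphanumeric; safe to paste into the Challenge field.'
```

If JumpCloud's Thumbprint field rejects the value, try the spaced form from the Details tab; the hex digits are the same either way.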
For macOS
- Same deal - create a SCEP policy on the JumpCloud admin console and name it.
- Fingerprint: leave blank.
- Challenge: use the same as above.
- Key Size: 2048
- Subject: CN=cert
- The rest of the settings look like this:
- Success looks like this on macOS:
Done!
Testing The User Experience
It looks like this on macOS (Windows is very similar):
And last but not least - on Okta admin console -> Directory -> Devices, these devices will show up as “Managed” here:
That’s it, hope you enjoyed it and see you again on the next post! 😀
08-28-2024 11:40 AM
This is excellent!
10-21-2024 04:45 PM
Followed this guide - I see the Okta cert under the Local Machine > Personal store, yet it's still showing as Not Managed in Okta. I removed and re-added a new policy and nada. What could I be missing 😞
10-21-2024 04:48 PM - edited 10-21-2024 05:37 PM
May have found the solution - giving the logged-in users perms to the private key of the cert. Worked on test machines. Let's see with prod 🤞
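The last two replies describe the most common failure: the SCEP certificate lands in LocalMachine\My, but Okta Verify runs in the user's session and cannot read the private key, so the device stays "Not Managed". The script below is an added example written for this page, not code posted by anyone in the thread. It finds certificates in LocalMachine\My issued by the Okta CA you downloaded as cert.cer, verifies each one chains to exactly that CA, locates the key file on disk, and grants BUILTIN\Users read access to it, which is the fix the reply above describes. Assumptions: C:\Temp\cert.cer, an RSA key (Key Length 2048 in the policy), and an elevated PowerShell session.

```powershell
# Added example (not from the original thread): verify the SCEP-issued device
# certificate and grant logged-in users read access to its private key.
# Assumptions: Okta CA saved as C:\Temp\cert.cer; RSA key; run elevated.
$ErrorActionPreference = 'Stop'
$caPath = 'C:\Temp\cert.cer'
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $caPath

# 1. Device certs issued by the Okta CA that actually carry a private key.
$deviceCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $ca.Subject -and $_.HasPrivateKey }
if (-not $deviceCerts) {
    throw "No certificate issued by '$($ca.Subject)' with a private key in LocalMachine\My; SCEP enrollment has not happened yet."
}

foreach ($cert in $deviceCerts) {
    # 2. Build the chain with the downloaded CA as the expected anchor. Okta's CA is not
    #    in the Windows trusted root store, so allow an unknown authority and check the
    #    anchor's thumbprint ourselves instead of trusting the store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    if (-not $chain.Build($cert)) {
        Write-Warning "$($cert.Thumbprint): chain build failed ($(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))"
        continue
    }
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($anchor.Thumbprint -ne $ca.Thumbprint) {
        Write-Warning "$($cert.Thumbprint): chains to '$($anchor.Subject)', not the downloaded Okta CA"
        continue
    }
    "OK  $($cert.Subject) ($($cert.Thumbprint)) expires $($cert.NotAfter), issued by the Okta CA"

    # 3. Locate the private key file. CNG keys expose Key.UniqueName, legacy CAPI keys
    #    expose CspKeyContainerInfo.UniqueKeyContainerName; both are file names under
    #    %ProgramData%\Microsoft\Crypto for machine keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { Write-Warning "$($cert.Thumbprint): no RSA private key accessible (are you elevated?)"; continue }
    $keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
               else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $keyFile) { Write-Warning "Key file $keyName not found under %ProgramData%\Microsoft\Crypto"; continue }

    # 4. Grant BUILTIN\Users read access (the fix from the reply), only if not already present.
    $readRight = [System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -Path $keyFile.FullName
    $alreadyGranted = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readRight) -eq $readRight)
    }
    if ($alreadyGranted) {
        "    BUILTIN\Users already has read on $($keyFile.FullName)"
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile.FullName -AclObject $acl
        "    granted BUILTIN\Users read on $($keyFile.FullName)"
    }
}
```

Read is the minimum that lets Okta Verify sign with the key; do not grant Modify or Full Control, since any user could then delete or replace the device's identity key. After running it, sign out and back in as a normal user and re-check Directory -> Devices in the Okta admin console.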