JumpCloud Community

shawnsong · ‎08-28-2024

Hi Folks,

I hope you all had a fantastic summer holiday—recharged, refreshed, and ready to take on September!

Last time I shared a solution which leverages JumpCloud’s device trust cert for Okta device trust, and almost immediately, I got the feedback: “What about using Okta’s SCEP for device trust?”

The answer is a resounding YES, especially now that we’ve launched SCEP policy support for Windows!

Let’s dive in.

Setting up on JumpCloud

Deploy the Okta Verify App

You might need a staging device ideally running Windows and not used by an actual user:
- Enroll it with JumpCloud.
- Bind a JumpCloud managed admin account.

Create a command to deploy Okta Verify app for Windows, you may take reference to the Powershell code below:

# Define the URL and the output path
$url = "https://<your-okta-domain>.okta.com/api/v1/artifacts/WINDOWS_OKTA_VERIFY/download?releaseChannel=GA&packageType=EXE"
$outputPath = "C:\Temp\okta_verify.exe"  # Change this path as needed

# Create the directory if it does not exist
$dir = [System.IO.Path]::GetDirectoryName($outputPath)
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir
}

# Download the EXE file
Invoke-WebRequest -Uri $url -OutFile $outputPath

# Install the EXE for all users silently
Start-Process -FilePath $outputPath -ArgumentList "/silent /install /norestart /verysilent /quiet" -NoNewWindow -Wait

You can find the download URL and replace it in line 2 here:

Deploy Okta Verify as a VPP for MacOS devices.
Enable the conditional access policy and distribute the device trust cert to all devices.

Extract the "JumpCloud Production Device Identification Root CA"

On A JumpCloud Managed Windows Device

Login as the managed JumpCloud user with admin permissions.
Hit the Windows start - “MMC”.
Add certificates snap-in -> Current user.
Navigate to “Intermediate certificate authorities” -> Certificates. Locate “JumpCloud Production Device Identification Issuer CA”.
Export the certificate as Base-64 or Binary encoded format:
Choose a name and a file location and save.
Keep the certificates in a safe place.

Configure Okta

Login as Okta admin, navigate to Security->Device Integrations.
Select the “Certificate Authority” tab and click “Add certificate authority:
Upload your “JumpCloud Production Device Identification Issuer CA” and keep “endpoint management” selected.
Once it’s done, it looks like this:
On the same page, go to “Endpoint management” tab and “Add platform” -> Select Desktops:
On the next screen, select “Use Okta as certificate authority” -> “Static SCEP URL” -> Hit “Generate”, copy the SCEP URL & Secret Key for later. (Make sure there are no special characters like: (!@#$%^&*_)
- you can reset the secret multiple times if the condition is not met.
Save the settings, done.
Now, all we need is to apply the Device Trust policies to an application in Okta. Here’s an example:
Done!

Configure the SCEP Policy on JumpCloud

First, Download the Okta Root CA

Go to Okta admin console -> Security -> Device Integration:
Rename the cert to cert.cer.

For Windows

Create a SCEP policy on the JumpCloud admin console and name it.
Thumbprint: On a Windows machine, double click the downloaded cert.cer -> Details -> extract the value.
Challenge: It’s the SCEP secret on Okta when you created the SCEP endpoint above.
Key Length: 2048
Subject Name: CN=Organization Intermediate Authority
The rest of the settings:
Save the policy and bind to a Windows device group.
You will be able to get a successful outcome looks like this:

For MacOS

Same deal - create a SCEP policy on the JumpCloud admin console and name it.
Fingerprint: leave blank.
Challenge: use the same as above.
Key Size: 2048
Subject: CN=cert
The rest of the setting looks like this:
The success looks like this on MacOS:
Done!

Testing The User Experience

It looks like this on MacOS (Windows is very similar)

oktaFassPass Mac

And last but not least - on Okta admin console -> Directory -> Devices, these devices will show up as “Managed” here:

That’s it, hope you enjoyed it and see you again on the next post! 😀

BrightRodger · ‎08-28-2024

This is excellent!

jayPoh · ‎10-21-2024

Followed this guide - I see the Okta cert in under the Local Machine > Personal store yet it's still showing as Not Managed in Okta. I removed and re-added a new policy and nada. What could I be missing 😞

jayPoh · ‎10-21-2024

May have found solution - giving the logged in users perms to the private key of the cert. Worked on test machines. Let's see with prod 🤞

jeikobugo · ‎02-17-2025

@jayPoh can you elaborate please how you fixed it? I followed an article but still getting "not managed" status. Testing with Windows device 🙂

jeikobugo · ‎02-17-2025

@jayPoh Can you elaborate please on how did you fix it? I followed the whole article but no luck, still getting "Not Managed" status. I see Cert in Computer Personal Store. (testing with Windows)