This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Okta Device Trust with JumpCloud via SCEP

shawnsong
Rising Star III
Rising Star III

‎08-28-2024 05:54 AM - edited ‎09-02-2024 05:54 AM

Hi Folks,

I hope you all had a fantastic summer holiday—recharged, refreshed, and ready to take on September!

Last time I shared a solution which leverages JumpCloud’s device trust cert for Okta device trust, and almost immediately, I got the feedback: “What about using Okta’s SCEP for device trust?”

The answer is a resounding YES, especially now that we’ve launched SCEP policy support for Windows!

Let’s dive in. 

 

Setting up on JumpCloud

Deploy the Okta Verify App

  1. You might need a staging device ideally running Windows and not used by an actual user:
    • Enroll it with JumpCloud.
    • Bind a JumpCloud managed admin account. 
  2. Create a command to deploy Okta Verify app for Windows, you may take reference to the Powershell code below: 
    # Define the URL and the output path
$url = "https://<your-okta-domain>.okta.com/api/v1/artifacts/WINDOWS_OKTA_VERIFY/download?releaseChannel=GA&packageType=EXE"
$outputPath = "C:\Temp\okta_verify.exe"  # Change this path as needed

# Create the directory if it does not exist
$dir = [System.IO.Path]::GetDirectoryName($outputPath)
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir
}

# Download the EXE file
Invoke-WebRequest -Uri $url -OutFile $outputPath

# Install the EXE for all users silently
Start-Process -FilePath $outputPath -ArgumentList "/silent /install /norestart /verysilent /quiet" -NoNewWindow -Wait
    • You can find the download URL and replace it in line 2 here:shawnsong_1-1724838204605.png

       

      shawnsong_0-1724839017506.png
  3. Deploy Okta Verify as a VPP for MacOS devices.
  4. Enable the conditional access policy and distribute the device trust cert to all devices. 

Extract the "JumpCloud Production Device Identification Root CA"

On A JumpCloud Managed Windows Device

  1. Login as the managed JumpCloud user with admin permissions. 
  2. Hit the Windows start - “MMC”.
  3. Add certificates snap-in -> Current user.shawnsong_1-1725270756010.png
  4. Navigate to “Intermediate certificate authorities” -> Certificates. Locate “JumpCloud Production Device Identification Issuer CA”.shawnsong_2-1725270782309.png 
  5. Export the certificate as Base-64 or Binary encoded format:shawnsong_3-1725270782292.png   
  6. Choose a name and a file location and save.
  7. Keep the certificates in a safe place. 

 

 

Configure Okta

  1. Login as Okta admin, navigate to Security->Device Integrations.
  2. Select the “Certificate Authority” tab and click “Add certificate authority:shawnsong_4-1725270825195.png
  3. Upload your “JumpCloud Production Device Identification Issuer CA” and keep “endpoint management” selected.
  4. Once it’s done, it looks like this:shawnsong_5-1725270825158.png
  5. On the same page, go to “Endpoint management” tab and “Add platform” -> Select Desktops:shawnsong_2-1724838279514.png
  6. On the next screen, select “Use Okta as certificate authority” -> “Static SCEP URL” -> Hit “Generate”, copy the SCEP URL & Secret Key for later. (Make sure there are no special characters like: (!@#$%^&*_) 
    • you can reset the secret multiple times if the condition is not met.shawnsong_3-1724838344729.png
       
      shawnsong_1-1724839032486.png
  7. Save the settings, done. 
  8. Now, all we need is to apply the Device Trust policies to an application in Okta. Here’s an example:shawnsong_4-1724838396887.pngshawnsong_5-1724838415540.png

     

     

  9. Done!

Configure the SCEP Policy on JumpCloud

First, Download the Okta Root CA

  • Go to Okta admin console -> Security -> Device Integration:shawnsong_6-1724838463266.png
  • Rename the cert to cert.cer

For Windows

  • Create a SCEP policy on the JumpCloud admin console and name it. 
  • Thumbprint: On a Windows machine, double click the downloaded cert.cer -> Details -> extract the value.shawnsong_7-1724838562043.png 
  • Challenge: It’s the SCEP secret on Okta when you created the SCEP endpoint above.shawnsong_9-1724838600464.png
  • Key Length: 2048
  • Subject Name: CN=Organization Intermediate Authority
  • The rest of the settings:shawnsong_10-1724838638372.png

     

  • Save the policy and bind to a Windows device group. 
  • You will be able to get a successful outcome looks like this:shawnsong_11-1724838680180.png

 

For MacOS

  • Same deal -  create a SCEP policy on the JumpCloud admin console and name it. 
  • Fingerprint: leave blank.
  • Challenge: use the same as above.
  • Key Size: 2048
  • Subject: CN=cert
  • The rest of the setting looks like this:shawnsong_12-1724838717181.png

     

  • The success looks like this on MacOS:shawnsong_14-1724838751494.png

  • Done!

     

     

Testing The User Experience

It looks like this on MacOS (Windows is very similar)

oktaFassPass Mac

And last but not least - on Okta admin console -> Directory -> Devices, these devices will show up as “Managed” here:

shawnsong_15-1724838816787.png

That’s it, hope you enjoyed it and see you again on the next post! 😀

 

1 REPLY 1

BrightRodger
JumpCloud Employee
JumpCloud Employee

‎08-28-2024 11:40 AM

This is excellent!

0 Kudos
You Might Like

New to the site? Take a look at these additional resources:

Community created scripts

Keep up with Product News

Read our community guidelines

Ready to join us? You can register here.