cancel
Showing results for 
Search instead for 
Did you mean: 

How to Leverage JumpCloud MDM for macOS Device Trust Policy in Okta

jehudamosh
JumpCloud Alumni
JumpCloud Alumni

Prerequisites

  • JumpCloud MDM
  • Okta MFA package
  • Okta identity Engine 

Motivation

There are several ways to enhance the security level of Okta SSO access. This article presents enabling Device Trust (devices must be managed) as an additional authentication factor within Okta FastPass.

Video tutorial

Follow the step below to implement a device trust policy for Okta SSO access on JumpCloud-managed devices. 

  1. Configure Okta as a CA with static SCEP
    Follow tasks #1 and #2 from this Okta Help article.
  2. Prepare a custom SCEP profile for macOS. In this article, we’re going to use iMazing.
    Open iMazing Profile Editor and set up a profile with the following parameters:
    URL: copy Okta Admin Console > Security > Device Integration
    jehudamosh_0-1685456066329.png

         Name: Define the name of the profile 

         Subject: Okta does not require the subject name to be in any particular format. Choose a name that indicates
         that the certificate is used as the device management signal to Okta. The default can be set to CN=cert

         Retries: 3

         Retry Delay: 10

         Challenge: paste the Secret Key you generated when configuring the CA with SCEP (step #1). The secret
         can be reset

         jehudamosh_1-1685456066331.png

         Key Size: 2048
         Key Type: RSA
         Key Usage: Signing
         Fingerprint: 
         jehudamosh_2-1685456066332.png

  • Download the root CA from Okta 
  • Retrieve the certificate fingerprint - for example by openssl in the terminal on macOS: openssl x509 -noout -fingerprint -sha256 -inform pem -in cert
    jehudamosh_3-1685456066333.png
    RFC 822 Name: this is a subjectAltName value which is not a mandatory component in this case - define a generic email address. 
    Certificate Expiration Notification: type a number (of days)
    Tick the Allow access to all apps box

   

          The SCEP profile in the iMazing Profile Editor should look like this:
          jehudamosh_4-1685456066336.png

          jehudamosh_5-1685456066339.png

          jehudamosh_6-1685456066342.png

     3. Save the profile and deploy it by a Mac MDM Custom Configuration Profile Policy

         The profile on the device side should look like this
         jehudamosh_7-1685456066344.png

           💡Once the devices obtain Okta certificates, they're recognized as "managed", which allows Okta to
               restrict SSO access for JumpCloud-managed devices
 

      4. Distribute Okta Verify app to the macOS endpoints by JumpCloud Software Management for Mac (or install
          manually)

      5. Configure a Global Session Policy for Okta FastPass
          jehudamosh_8-1685456066350.png

              

      6. Enable Okta FastPass as an eligible authenticator
          jehudamosh_9-1685456066357.png
              
           Note: for initial testing, Okta Verify authenticator can be set as Optional in the Default Policy
              (Security>Authenticators>Enrollment)
              jehudamosh_10-1685456066358.png
                    

      7. Configure an authentication policy for Okta FastPass

         Create a rule that requires Device State is Registered AND Device Management is Managed

        Note: once the rule is defined, devices can’t access apps by SSO if they haven’t obtained the certificate
           JumpCloud MDM or installed the Okta Verify agent. We recommended assigning the rule to test Application
           and verifying the functionality before wide rollout.

 

         jehudamosh_11-1685456066360.png
               

        Important: Set Access: Denied in the default catch-all rule
        jehudamosh_12-1685456066362.png

        💡Tip
         The initial testing can be performed with Catch-all Rule in the "Allow" state so the following log fragment can
         predict that access would be denied on unmanaged devices with catch-all rule in the "Deny" state. 

         jehudamosh_3-1685460146756.png 

 

         Assign Applications
         jehudamosh_13-1685456066364.png

                

        8. Try Connecting the desired Web App by SSO

            Okta Verify will require registration according to the policy

        9. Check the Authentication Log
            Okta Admin Console > Reports > System Log
            For example, search successful events by eventType eq "user.authentication.sso" 
           
            SUCCESS log with managed devices
            jehudamosh_14-1685456066365.png


           For example, search “Access Denied” events by outcome.result eq "FAILURE"  

           FAILURE log with unmanaged devices
           jehudamosh_15-1685456066366.png

          

          Authentication FAILURE on an endpoint
          jehudamosh_16-1685456066367.png

 

 

 

 

 

 

 

0 REPLIES 0