There are several ways to enhance the security level of Okta SSO access. This article presents enabling Device Trust (devices must be managed) as an additional authentication factor within Okta FastPass.
Follow the steps below to implement a device trust policy for Okta SSO access on JumpCloud-managed devices.
Name: Define the name of the profile
Subject: Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. The default can be set to CN=cert
Retry Delay: 10
Challenge: paste the Secret Key you generated when configuring the CA with SCEP (step #1). The secret can be reset
Key Size: 2048
Key Type: RSA
Key Usage: Signing
The SCEP profile in the iMazing Profile Editor should look like this:
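Because the screenshot of the editor does not survive extraction, here is an added example (not code from the article, JumpCloud or iMazing) that produces the same SCEP payload as a .mobileconfig with Python's plistlib and then re-reads it to check the settings listed above. The SCEP URL and the challenge are placeholders (the real ones come from the CA you configured in step #1), the key names follow Apple's documented com.apple.security.scep payload, and the Retries value of 3 is an assumption the article does not state.

```python
import plistlib
import uuid

# Placeholder only: the real SCEP URL is the one issued by the JumpCloud CA set up in step #1.
SCEP_URL = "https://scep.example.invalid/scep"

# Apple encodes "Key Usage" as a bit mask: 1 = signing, 4 = encryption. The article asks for Signing.
KEY_USAGE_SIGNING = 1


def scep_payload(scep_url, challenge, subject_cn="cert", key_size=2048, retry_delay=10, retries=3):
    """PayloadContent for a com.apple.security.scep payload with the article's values."""
    return {
        "URL": scep_url,
        "Subject": [[["CN", subject_cn]]],   # Apple's nested RDN form of CN=cert
        "Challenge": challenge,             # the SCEP secret from step #1, stored in cleartext
        "Keysize": key_size,
        "Key Type": "RSA",
        "Key Usage": KEY_USAGE_SIGNING,
        "Retries": retries,                 # assumed value, not specified by the article
        "RetryDelay": retry_delay,
    }


def build_profile(name, scep_url, challenge, organization="Example Org", key_size=2048):
    """Return the complete .mobileconfig (binary-safe XML plist bytes) wrapping one SCEP payload."""
    payload_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.okta-devicetrust.{profile_uuid}",   # hypothetical identifier
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": name,
        "PayloadOrganization": organization,
        "PayloadContent": [
            {
                "PayloadType": "com.apple.security.scep",
                "PayloadVersion": 1,
                "PayloadIdentifier": f"com.example.okta-devicetrust.scep.{payload_uuid}",
                "PayloadUUID": payload_uuid,
                "PayloadDisplayName": name,
                "PayloadContent": scep_payload(scep_url, challenge, key_size=key_size),
            }
        ],
    }
    return plistlib.dumps(profile)


def check_profile(mobileconfig):
    """Parse a .mobileconfig and compare its SCEP settings with the article's values.
    Returns a list of mismatches; an empty list means the profile matches."""
    profile = plistlib.loads(mobileconfig)
    scep = [p for p in profile["PayloadContent"] if p["PayloadType"] == "com.apple.security.scep"]
    if len(scep) != 1:
        return ["expected exactly one SCEP payload"]
    content = scep[0]["PayloadContent"]
    problems = []
    expected = {"Keysize": 2048, "Key Type": "RSA", "Key Usage": KEY_USAGE_SIGNING, "RetryDelay": 10}
    for key, value in expected.items():
        if content.get(key) != value:
            problems.append(f"{key}: got {content.get(key)!r}, expected {value!r}")
    if content.get("Subject") != [[["CN", "cert"]]]:
        problems.append("Subject is not CN=cert")
    if not content.get("Challenge"):
        problems.append("Challenge is empty")
    return problems


if __name__ == "__main__":
    import sys
    blob = build_profile("Okta Device Trust SCEP", SCEP_URL, "REPLACE-WITH-SCEP-SECRET")
    print(blob.decode())
    sys.exit(1 if check_profile(blob) else 0)
```

The challenge sits in the profile in cleartext, so the generated .mobileconfig should be handled like the secret itself: distribute it only through the MDM channel (the custom configuration profile policy in the next step) and rotate the secret on the CA if the file leaks.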
3. Save the profile and deploy it with a Mac MDM Custom Configuration Profile Policy
The profile on the device side should look like this:
💡Once the devices obtain Okta certificates, they're recognized as "managed", which allows Okta to restrict SSO access to JumpCloud-managed devices
4. Distribute the Okta Verify app to the macOS endpoints with JumpCloud Software Management for Mac (or install
6. Enable Okta FastPass as an eligible authenticator
❗Note: for initial testing, Okta Verify authenticator can be set as Optional in the Default Policy
Create a rule that requires Device State is Registered AND Device Management is Managed
❗Note: once the rule is defined, devices can't access apps by SSO if they haven't obtained the certificate from JumpCloud MDM or installed the Okta Verify agent. We recommend assigning the rule to a test application and verifying the functionality before a wide rollout.
Important: Set Access: Denied in the default catch-all rule
The initial testing can be performed with the Catch-all Rule left in the "Allow" state; the log fragment shown further below then indicates which sign-ins from unmanaged devices would be denied once the Catch-all Rule is switched to "Deny".
8. Try connecting to the desired web app by SSO
Okta Verify will require registration according to the policy
9. Check the Authentication Log
Okta Admin Console > Reports > System Log
For example, search for successful events with the filter eventType eq "user.authentication.sso"
SUCCESS log with managed devices
For example, search for "Access Denied" events with the filter outcome.result eq "FAILURE"
FAILURE log with unmanaged devices
Authentication FAILURE on an endpoint
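The two System Log searches above only show raw events; what an administrator actually wants to know during the test phase is which sign-ins succeeded from devices that are not both registered and managed, because those are the ones the "Deny" catch-all rule will block. The following added example (not code from the article or from Okta) applies the same two filters to a constructed sample of System Log events exported as JSON and classifies each SSO event by device posture. The eventType, outcome and actor fields follow Okta's LogEvent schema; the presence of device.managed and device.registered on events from enrolled devices is an assumption, and the outcome.reason strings are constructed, not real Okta text.

```python
import json
from collections import Counter

SSO_EVENT = "user.authentication.sso"

# Constructed sample of Okta System Log events, trimmed to the fields used below.
# The "device" object (with managed / registered flags) is assumed to appear on
# events from devices enrolled in Okta Verify; an event without it is treated as
# coming from an unregistered device.
SAMPLE_LOG = json.dumps([
    {"eventType": SSO_EVENT, "outcome": {"result": "SUCCESS", "reason": None},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "device": {"managed": True, "registered": True, "os_platform": "MACOS"}},
    {"eventType": SSO_EVENT, "outcome": {"result": "FAILURE", "reason": "policy denied (constructed)"},
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "device": {"managed": False, "registered": True, "os_platform": "MACOS"}},
    {"eventType": SSO_EVENT, "outcome": {"result": "FAILURE", "reason": "policy denied (constructed)"},
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "198.51.100.8"}},
    {"eventType": SSO_EVENT, "outcome": {"result": "SUCCESS", "reason": None},
     "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "198.51.100.9"},
     "device": {"managed": False, "registered": True, "os_platform": "MACOS"}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS", "reason": None},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "device": {"managed": True, "registered": True, "os_platform": "MACOS"}},
])


def load_events(raw):
    """Parse a JSON array of System Log events (as exported from the console or the logs API)."""
    return json.loads(raw)


def sso_events(events):
    # Same selection as the console filter eventType eq "user.authentication.sso"
    return [e for e in events if e.get("eventType") == SSO_EVENT]


def failures(events):
    # Same selection as the console filter outcome.result eq "FAILURE"
    return [e for e in events if e.get("outcome", {}).get("result") == "FAILURE"]


def device_posture(event):
    """Classify the originating device the way the sign-on rule evaluates it:
    Device State = Registered AND Device Management = Managed."""
    device = event.get("device") or {}
    if not device.get("registered"):
        return "unregistered"
    return "managed" if device.get("managed") else "registered-unmanaged"


def summarize(events):
    """Count SSO events by (outcome, device posture)."""
    return Counter((e["outcome"]["result"], device_posture(e)) for e in sso_events(events))


def would_be_denied(events):
    """While the catch-all rule is still Allow, list users whose SSO succeeded from a
    device that is not both registered and managed; those sign-ins fail once the
    catch-all rule is set to Deny."""
    return sorted({e["actor"]["alternateId"] for e in sso_events(events)
                   if e["outcome"]["result"] == "SUCCESS" and device_posture(e) != "managed"})


if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG)
    for (result, posture), n in sorted(summarize(evts).items()):
        print(f"{result:8} {posture:20} {n}")
    print("would be denied with catch-all = Deny:", would_be_denied(evts))
```

Run against a real export, a non-empty result from would_be_denied is the list of users to contact (or devices to enrol) before flipping the catch-all rule to Denied, and a SUCCESS/managed count that stays at zero after rollout means the certificate or the Okta Verify agent is not being picked up at all.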