Roberto Dip
This guide will show you how to install Okta Verify on your macOS hosts and set them as managed by issuing a SCEP certificate via a configuration profile managed through Fleet.
By following these steps, you can automate the deployment of Okta Verify across your devices. This will allow you to enforce multifactor authentication policies, improve device security, and manage user access seamlessly.
Okta Verify can be installed:
After installing Okta Verify on the host, the device will be registered in Okta. For Okta to detect the device as managed, the next step is to issue a SCEP certificate that Okta can use as management attestation.
Before uploading the profile below, edit the following values:
Replace [REPLACE_WITH_CHALLENGE] with the SCEP challenge you generated in the previous step.
Replace [REPLACE_WITH_URL] with the URL of your SCEP server.
Adjust the CN value according to your organization's needs. You can use any of Apple's profile variables to uniquely identify the device; in the example, %ComputerName% managementAttestation %HardwareUUID% makes the certificate Common Name (CN) contain both the computer name and the hardware UUID. Keep the managementAttestation string in the CN: Okta looks for it in the certificate subject to identify the attestation certificate, and it is also what the verification query later in this guide searches for.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>Ignored</string>
  <key>PayloadUUID</key>
  <string>Ignored</string>
  <key>PayloadDisplayName</key>
  <string>SCEP device attestation</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>Key Type</key>
        <string>RSA</string>
        <key>Challenge</key>
        <string>[REPLACE_WITH_CHALLENGE]</string>
        <key>Key Usage</key>
        <integer>1</integer>
        <key>Keysize</key>
        <integer>2048</integer>
        <key>URL</key>
        <string>[REPLACE_WITH_URL]</string>
        <key>AllowAllAppsAccess</key>
        <true />
        <key>KeyIsExtractable</key>
        <false />
        <key>Subject</key>
        <array>
          <array>
            <array>
              <string>O</string>
              <string>Fleet</string>
            </array>
          </array>
          <array>
            <array>
              <string>CN</string>
              <string>%ComputerName% managementAttestation %HardwareUUID%</string>
            </array>
          </array>
        </array>
      </dict>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.scep.C2D94E67-4F1A-4A3C-8142-7523A8D35713</string>
      <key>PayloadType</key>
      <string>com.apple.security.scep</string>
      <key>PayloadUUID</key>
      <string>632289FA-C3E0-481A-A417-BF40012FB729</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
Two settings in the payload are worth keeping as they are: KeyIsExtractable is false, so the private key generated on the device cannot be exported from the keychain, and AllowAllAppsAccess is true, so Okta Verify is allowed to use the certificate and its key. Save the profile with the .mobileconfig file extension before uploading it to Fleet.
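The profile above is small, but the two placeholders are easy to leave in and the two keychain settings are easy to flip by accident. The following Python script is an added example, not code from the original guide or from Fleet or Okta: it builds the same com.apple.security.scep payload with plistlib from the real challenge and URL, then checks the points that matter (no placeholder left, managementAttestation present in the CN, non-extractable 2048-bit key) before the file is written. The organization name, the CN template and the output file name are assumptions you can change.

```python
"""Build and sanity-check a Fleet SCEP profile for Okta management attestation.

Added example, not part of the original guide or of Fleet's or Okta's own code.
Assumed values: organization "Fleet", the CN template shown in the guide, and the
output file name used in __main__.
"""
import plistlib
import uuid

# Okta identifies the attestation certificate by this substring in the subject;
# it is the same string the guide's osquery verification query searches for.
ATTESTATION_MARKER = "managementAttestation"
PLACEHOLDER_PREFIX = "[REPLACE_WITH_"
DEFAULT_CN = "%ComputerName% managementAttestation %HardwareUUID%"


def build_scep_profile(challenge: str, scep_url: str, org: str = "Fleet",
                       cn_template: str = DEFAULT_CN) -> bytes:
    """Return a .mobileconfig (XML plist) with one com.apple.security.scep payload."""
    if not challenge or not scep_url.startswith(("http://", "https://")):
        raise ValueError("a SCEP challenge and an http(s) SCEP server URL are required")
    payload_uuid = str(uuid.uuid4()).upper()  # fresh UUID per generated profile
    scep_payload = {
        "PayloadContent": {
            "Key Type": "RSA",
            "Challenge": challenge,
            "Key Usage": 1,               # 1 = digital signature
            "Keysize": 2048,
            "URL": scep_url,
            "AllowAllAppsAccess": True,   # Okta Verify may use the certificate and key
            "KeyIsExtractable": False,    # private key stays inside the keychain
            # Subject is a list of RDNs; each RDN is a list of [type, value] pairs.
            "Subject": [[["O", org]], [["CN", cn_template]]],
        },
        "PayloadIdentifier": f"com.apple.security.scep.{payload_uuid}",
        "PayloadType": "com.apple.security.scep",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
    }
    profile = {
        "PayloadVersion": 1,
        "PayloadType": "Configuration",
        "PayloadIdentifier": "Ignored",
        "PayloadUUID": "Ignored",
        "PayloadDisplayName": "SCEP device attestation",
        "PayloadContent": [scep_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_scep_profile(data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the profile is ready to upload."""
    problems = []
    profile = plistlib.loads(data)
    scep = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.scep"]
    if len(scep) != 1:
        return ["expected exactly one com.apple.security.scep payload"]
    content = scep[0]["PayloadContent"]
    for key in ("Challenge", "URL"):
        value = str(content.get(key, ""))
        if not value or value.startswith(PLACEHOLDER_PREFIX):
            problems.append(f"{key} is missing or still a placeholder")
    subject = {name: value for rdn in content.get("Subject", []) for name, value in rdn}
    if ATTESTATION_MARKER not in subject.get("CN", ""):
        problems.append(f"CN must contain '{ATTESTATION_MARKER}' so Okta can find the certificate")
    if content.get("KeyIsExtractable", True):
        problems.append("KeyIsExtractable must be false")
    if content.get("Keysize", 0) < 2048:
        problems.append("Keysize must be at least 2048")
    return problems


def write_profile(path: str, data: bytes) -> str:
    """Write the profile to disk; Fleet expects the .mobileconfig extension."""
    if not path.endswith(".mobileconfig"):
        raise ValueError("use the .mobileconfig file extension")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample values; replace them with your real challenge and SCEP URL.
    data = build_scep_profile("example-challenge", "https://scep.example.com/scep")
    problems = check_scep_profile(data)
    if problems:
        raise SystemExit("\n".join(problems))
    print("wrote", write_profile("okta-attestation.mobileconfig", data))
```

Run it with your real challenge and SCEP URL in place of the sample values and upload the resulting file to Fleet as you would the hand-edited profile; the check function is deliberately strict so that a profile that would enroll an exportable key or a certificate Okta cannot recognize never leaves your machine.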
Once the profile has been delivered, confirm that the certificate was actually issued by running the following query against the host from Fleet (it uses osquery's certificates table and matches on the marker string in the CN):
SELECT * FROM certificates WHERE common_name LIKE '%managementAttestation%';
With Okta Verify installed and an attestation certificate in place, all that is left is to configure Okta and the device for device management. Useful links from the Okta documentation are:
Make sure the device is properly set up in Okta and that the user has signed in with Okta FastPass at least once; the device will not show as managed on the Okta dashboard until then.
This guide covered how to install Okta Verify on your macOS hosts, issue a SCEP certificate for management attestation, and configure device management in Okta. By automating this process through Fleet, you can enforce multi-factor authentication, improve device security, and ensure that devices accessing your organization’s resources are properly managed.
For more detailed information on managing devices and using Okta Verify, explore the Okta documentation and Fleet’s guides to optimize your device management strategy further.
See Fleet's documentation and additional guides for more details on advanced setups, software features, and vulnerability detection.