Conditional access: Okta


Rachael Shaw


With Fleet, you can integrate with Okta to enforce conditional access on macOS hosts.

When a host fails a policy in Fleet, IT and Security teams can block access to third-party apps until the issue is resolved.

Step 1: Deploy user scope profile

  1. In Fleet, go to Settings > Integrations > Conditional access > Okta and click Connect.
  2. In the modal, find the read-only User scope profile.
  3. Copy the profile to a new .mobileconfig file and save.
  4. Follow the instructions in the Custom OS settings guide to deploy the profile to the hosts where you want conditional access to apply.

Step 2: Download certificate for Okta

  1. In Fleet, go to Settings > Integrations > Conditional access > Okta and click Connect.
  2. In the modal, go to Identity provider (IdP) signature certificate. Click Download certificate.
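Before uploading the certificate to Okta in Step 3, you can confirm that the downloaded file parses as an X.509 certificate and is not about to expire, and record its SHA-256 fingerprint. The script below is an added example, not part of Fleet's documentation or tooling; it assumes the download is PEM-encoded, and the function names and the sample certificate subject are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a SAML IdP signature certificate before upload.
# Assumption: the downloaded file is a PEM-encoded X.509 certificate.

# check_idp_cert FILE [MIN_DAYS]
# Returns 0 if FILE parses as X.509 and stays valid for MIN_DAYS (default 30),
# 1 if it is unreadable or not a certificate, 2 if it expires too soon.
check_idp_cert() {
    cert=$1
    min_days=${2:-30}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    openssl x509 -in "$cert" -noout 2>/dev/null || {
        echo "$cert is not a PEM X.509 certificate" >&2; return 1; }
    # Subject, validity window and fingerprint, for the change record.
    openssl x509 -in "$cert" -noout -subject -dates -fingerprint -sha256
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || {
        echo "$cert expires within $min_days days" >&2; return 2; }
    return 0
}

# cert_fingerprint FILE: print only the SHA-256 fingerprint value, so the
# file downloaded from Fleet can be compared with a copy exported later.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_sample_cert FILE DAYS: constructed sample input, a throwaway
# self-signed certificate standing in for the real download.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=sample-fleet-idp" -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Run the check when the script is given a file, e.g.:
#   sh check_cert.sh ./downloaded-cert.pem 30   (file name is a placeholder)
if [ $# -gt 0 ]; then
    check_idp_cert "$@"
fi
```
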

Step 3: Create IdP in Okta

  1. In the Okta Admin Console, go to Security > Identity Providers.
  2. Click Add Identity Provider.
  3. Select SAML 2.0 IdP.
  4. Set Name to "Fleet".
  5. Set IdP Usage to Factor only.
  6. Set IdP Issuer URI, IdP Single Sign-On URL, and Destination to [TODO]
  7. For IdP Signature Certificate, upload the IdP signature certificate downloaded from Fleet.
  8. After saving, you'll see the Fleet IdP listed in Security > Identity Providers.

Step 4: Configure Okta settings in Fleet

Once you've created the identity provider in Okta, you'll need to copy its values into your Fleet settings.

  1. In Fleet, go to Settings > Integrations > Conditional access > Okta and click Connect.
  2. Copy the IdP ID from Okta to the IdP ID field.
  3. Copy the Assertion Consumer Service URL from Okta to the Assertion consumer service URL field.
  4. Copy the Audience URI from Okta to the Audience URI field.

Step 5: Configure conditional access policies

Once Okta is configured in settings, head to Policies. Select the team that you want to enable conditional access for.

  1. Go to Manage automations > Conditional access and enable conditional access.
  2. Select the policies that you want to block login via Okta when a host fails them.
  3. Save.

Disabling Okta conditional access

To delete the conditional access configuration on Fleet's side, go to Settings > Integrations > Conditional access > Okta and click the delete button.

To fully disable conditional access, you will also need to disable it on the Okta side.
