Kandji and Okta FastPass

By Rick Metzner

In this article, learn how to deploy an Okta SCEP certificate from Kandji for use with Okta FastPass to enable passwordless authentication when users are accessing Okta resources.

About FastPass

Okta FastPass enables passwordless authentication for end-users, so they can sign in to Okta and their Okta resources without the need for a password. For iOS and macOS devices specifically, FastPass enables users to leverage Face ID and Touch ID to access resources. Okta FastPass is a feature of Okta Identity Engine.

Before You Begin

Configure a SCEP Certificate Authority in Okta

  1. Log in to your Okta admin portal.

  2. In the left-hand navigation, select Security.

  3. In the expanded menu, select Device Integrations.

  4. In the Device Integration pane, select Add Platform.

  5. For platform type, select Desktop (Windows and macOS only).

  6. Click Next.

  7. For Certificate authority, select Use Okta as a certificate authority.

  8. For the SCEP URL challenge type, select Static SCEP URL.

  9. To create the SCEP URL, click Generate.

  10. Copy the SCEP URL.

  11. Copy the Secret key. Important: Make a note of this key, as this will be the only time you will be able to view it. Afterward, it will be stored as a hash for your protection.

  12. Click Save.

    If you need to Reset the secret key, you can do so from the Actions menu to the right of the integration.

Add the SCEP Payload to Your Kandji Library

  1. Log in to the Kandji web app.

  2. In the left-hand navigation, click Library. Near the top-right, click Add New.

  3. In the search box, type SCEP.

  4. Click on the SCEP card.

  5. Click Add & Configure.

Configure a SCEP Certificate Profile

  1. Give the profile a name.

  2. Assign it to a test Blueprint.

  3. In the URL field, paste the SCEP server URL you copied earlier.

  4. Enter a Name (optional).

  5. In the Challenge field, paste the secret key you copied earlier.

  6. In the Subject field, enter $SERIAL_NUMBER.

  7. Ensure that Subject Alternative Name Type is set to None.

  8. For Key Size, select 2048.

  9. For Key Usage, select Signing.

  10. Select Retries and enter 5 for the number of retries. This number can be adjusted to a value that's appropriate for your environment.

  11. Select Retry delay and enter 30 for the number of seconds. This number can be adjusted to a value that's appropriate for your environment.

  12. Select Don’t allow key to be extracted.

  13. Select Allow access to all apps.

  14. Select Automatic profile redistribution and enter 30 for the days before the certificate expires. This number can be adjusted to a value that's appropriate for your environment.

  15. Click Save.

Once a device is assigned to the test Blueprint, the profile will be installed and a certificate will be requested from Okta and installed on the Mac.

For more information about the Kandji SCEP profile, please refer to this support article.

Verify the SCEP Profile Deployment on a Test Mac

If the certificate payload deploys successfully on the test Mac, you should see the profile in System Preferences > Profiles.
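Seeing the profile listed confirms delivery, not that the key-protection settings arrived as configured. The following added example (not Kandji's or Okta's code) audits a profile plist against the values chosen in the steps above, using Apple's SCEP payload key names. It assumes the profile is available as an unsigned plist; the sample profile, URL, challenge and serial number are constructed placeholders.

```python
import plistlib

# Values prescribed by the profile steps in this article, as Apple SCEP payload keys.
EXPECTED = {
    "Keysize": 2048,
    "Key Usage": 1,             # 1 = signing
    "KeyIsExtractable": False,  # "Don't allow key to be extracted"
    "AllowAllAppsAccess": True,
    "Retries": 5,
    "RetryDelay": 30,
}

def audit_scep_profile(raw: bytes) -> list:
    """Return findings for every SCEP payload in an unsigned profile plist."""
    profile = plistlib.loads(raw)
    scep = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.scep"]
    if not scep:
        return ["no com.apple.security.scep payload found"]
    findings = []
    for payload in scep:
        content = payload.get("PayloadContent", {})
        for key, want in EXPECTED.items():
            got = content.get(key)  # a missing key is reported as None
            if got != want:
                findings.append(f"{key}: expected {want!r}, found {got!r}")
        if not str(content.get("URL", "")).startswith("https://"):
            findings.append("URL: missing or not https")
        if not content.get("Challenge"):
            findings.append("Challenge: empty")
        if content.get("SubjectAltName"):
            findings.append("SubjectAltName: expected none")
        # Subject is a list of RDNs, each a list of [attribute, value] pairs.
        cn = [v for rdn in content.get("Subject", []) for a, v in rdn if a == "CN"]
        if not cn or not cn[0]:
            findings.append("Subject: no CN set")
    return findings

def sample_profile(**overrides) -> bytes:
    """Constructed test profile; URL, challenge and serial are placeholders."""
    content = {"URL": "https://example.invalid/scep",
               "Challenge": "PLACEHOLDER-SECRET",
               "Subject": [[["CN", "C02EXAMPLE123"]]],
               **EXPECTED, **overrides}
    payload = {"PayloadType": "com.apple.security.scep", "PayloadContent": content}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

if __name__ == "__main__":
    for finding in audit_scep_profile(sample_profile(KeyIsExtractable=True, Keysize=1024)):
        print("FINDING:", finding)
```

Adjust `EXPECTED` if you changed the retry values for your environment. Any plist that contains the static challenge should be handled as a secret.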

Verify the Cert Deployment in Okta

  1. In Okta, navigate to Reports > System Log.

  2. Search for client certificate.

  3. In the log, look at the Event > Outcome for a SUCCESS message.

  4. Looking at the Target details, you should see the subject common name defined in the Kandji SCEP profile.

Configure and Deploy the Okta Verify App Library Item

NOTE: Make sure to log in to ABM and purchase Okta Verify licenses and assign them to your Kandji tenant. You can use this Kandji support article to get started.

NOTE: Before end-users register their devices with Okta Verify, make sure that the SCEP profile payload is scoped to their device and installed. Otherwise, Okta will not see the device as managed.

  1. Log in to the Kandji web app.

  2. Click on Library.

  3. Search for Okta Verify.

  4. Click on the Okta Verify App Store app card.

  5. Assign it to a test Blueprint.

  6. Select Install and Continuously Enforce as the installation type.

  7. Click Save.

Managed User Status in Okta

Once the certificate is deployed to the Mac and the user completes the Okta Verify registration process, you will see the user as Managed in the Okta console. From there, you will be able to account for managed devices in your Okta sign-on policies. For example, you can define a sign-on policy that requires a device to be registered as Managed in Okta before it can access Okta resources.

What’s next

  • Learn how to get started with Okta Verify on macOS by following this Okta guide.

  • Learn how to use Okta Verify with FastPass on macOS by following this Okta guide.

  • Learn how to disable FastPass by following this Okta guide.

  • Learn how to set up sign-on policies with this Okta guide.