Kandji, Okta Device Attestation, and Okta FastPass

By Rick Metzner

In this article, learn how to deploy an Okta SCEP certificate from Kandji for use with macOS Device Attestation and Okta FastPass to enable passwordless authentication when users are accessing Okta resources.

About

Okta device attestation is the process of proving that a device is managed by an MDM solution, and this in part, enables Okta FastPass for a password-less authentication experience for end-users, enabling them to sign in to Okta and their Okta resources without the need for a password. For iOS and macOS devices specifically, FastPass enables users to leverage Face ID and Touch ID to access resources. Okta FastPass is a feature of Okta Identity Engine.


Before You Begin

Configure a Desktop SCEP Certificate Authority in Okta

  1. Log in to your Okta admin portal.

  2. In the left-hand navigation, select Security.

  3. In the expanded menu, select Device Integrations.

  4. In the Device Integration pane, select Add Platform.

  5. For platform type, select Desktop (Windows and macOS only).

  6. Click Next.

  7. For Certificate authority, select Use Okta as a certificate authority.

  8. For the SCEP URL challenge type, select Static SCEP URL.

  9. To create the SCEP URL, click Generate.

  10. Copy the SCEP URL.

  11. Copy the Secret key. 

    Important -- Make a note of the secret key, as it will be the only time you will be able to view it. After this, it will be stored as a hash for your protection. If needed this key can be rotated.

  12. Click Save.

    If you need to Reset the secret key, you can do so from the Actions menu to the right of the integration.

Add the SCEP Payload to Your Kandji Library

  1. Log in to the Kandji web app.

  2. In the left-hand navigation, click Library. Near the top-right, click Add New.

  3. In the search box, type SCEP.

  4. Click on the SCEP card.

  5. Click Add & Configure.


Configure the SCEP Certificate Profile

  1. Give the profile a name.

  2. Assign it to a test Blueprint.

  3. In the URL field, paste the SCEP server URL you copied earlier.

  4. Enter a Name (optional).

  5. In the Challenge field, paste the secret key you copied earlier.

  6. In the Subject field, enter CN=$SERIAL_NUMBER.
    • Note on Subject - Upon saving the SCEP Library item, Kandji will append the PROFILE_UUID to the end of the CN used.

  7. Ensure that Subject Alternative Name Type is set to None.

  8. For Key Size, select 2048.

  9. For Key Usage, select Signing.

  10. Select Retries and enter 5 for the number of retries. This number can be adjusted to a value that's appropriate for your environment.

  11. Select Retry delay and enter 30 for the number of seconds. This number can be adjusted to a value that's appropriate for your environment.

  12. Select Don’t allow key to be extracted.

  13. Select Allow access to all apps.

  14. Select Automatic profile redistribution and enter 30 for the days before the certificate expires. This number can be adjusted to a value that's appropriate for your environment.

  15. Click Save.

Once a device is assigned to the test Blueprint, the profile will be deployed, and a certificate will be requested from Okta and installed on the Mac.

For more information about the Kandji SCEP Library item, please refer to this support article.


Verify the SCEP Profile Deployment on a Test Mac

If the certificate payload deploys successfully on the test Mac, you should see the profile in System Preferences > Profiles.

Verify the Cert Deployment in Okta

  1. In Okta, navigate to Reports > System Log.

  2. Search for client certificate.

  3. In the log, look at the Event > Outcome for a SUCCESS message.

  4. Looking at the Target details, you should see the subject common name defined in the Kandji SCEP profile.

Configure and Deploy the Okta Verify App Library Item

NOTE: Make sure to log in to ABM and purchase Okta Verify app licenses and assign them to your Kandji tenant. You can use this Kandji support article to get started.

NOTE: Before end-users register their devices with Okta Verify, make sure that the SCEP profile payload is scoped to their device and installed.

  1. Log in to the Kandji web app.

  2. Click on Library.

  3. Search for Okta Verify.

  4. Click on the Okta Verify App Store app card.

  5. Assign it to a test Blueprint.

  6. Select Install and Continuously Enforce as the installation type.

  7. Click Save.

Managed Device Status in Okta

Once the certificate is deployed to the Mac and the user completes the Okta Verify registration process, the user will need to sign in to either an Okta security app or to their Okta user console via FastPass. Once this process is completed by the end user, you will see the user's device as Managed in the Okta console. From there, you will be able to account for managed devices in your Okta authentication policies. For example, you can define an authentication policy where one of the requirements is that the device must be registered as Managed in Okta before being able to get to Okta resources.

Process overview

  1. Kandji deploys the Library item containing the Okta SCEP certificate to the Mac.
  2. User opens the Okta Verify app to register the Mac with Okta.
  3. User opens a web browser and authenticates to Okta via FastPass.
  4. Device shows as registered and managed in the Okta Unified Directory.
If the above process is not follow on the Mac, the device will fail to register as managed in Okta. If this happens, a new Okta SCEP certificate will need to be deployed to the device, the device record will need to be deleted from the Okta Unified Directory and the end user will need to reregister with Okta Verify and re-authenticate to Okta FastPass.


What’s next

  • Learn how to get started with Okta Verify on macOS by following this Okta guide.

  • Learn how to use Okta Verify with FastPass on macOS by following this Okta guide.

  • Learn how to disable FastPass by following this Okta guide.

  • Learn how to set up sign-on policies with this Okta guide.