Okta Device Trust

By Gwynn Clark

Learn how Kandji’s Okta Device Trust integration works


Kandji’s Okta Device Trust (ODT) integration combines the device management capabilities of Kandji with the app management capabilities of Okta. Kandji’s ODT integration is built on Okta Identity Engine (OIE). It streamlines the setup and configuration of ODT by validating that a customer’s Okta environment is ready for ODT on OIE and by automatically deploying ODT configurations to devices in the scope of Okta Device Trust in Kandji.

Okta Device Trust allows Okta admins to ensure that Kandji manages their Apple devices before end users can access Okta-protected apps from their devices. This, in part, enables Okta FastPass for a password-less authentication experience for end-users, enabling them to sign in to Okta and their Okta resources without needing a password. For iOS, iPadOS, and macOS devices specifically, FastPass allows users to leverage Face ID and Touch ID to access resources. Okta FastPass is a feature of Okta Identity Engine.

Before you begin

During the integration setup process, Kandji will check for the presence of the following items. These items must be configured in the Okta tenant before setting up the ODT integration with Kandji.

  • The Okta Verify Apple App Store app must be assigned to Kandji via Apps and Books in Apple Business Manager or Apple School Manager. This is the only supported deployment of Okta Verify for ODT.
  • The Okta tenant must be migrated from Okta Classic Engine to Okta Identity Engine.
    • The user setting up the ODT integration must have access to an Okta user account with the super admin role. The super admin credentials are only needed for the initial authentication and adding of the API Service Integration.
  • Okta FastPass must be enabled in the Okta tenant. Use this Okta guide to enable and configure FastPass for your organization.
  • Okta Adaptive MFA is required in order to add Device integrations in Okta.

Configuration steps

Below are high-level steps to set up and deploy ODT with Kandji.

  1. Set up the Okta Device Trust integration in Kandji.
  2. Add and configure device platforms in Okta
  3. Add and configure Okta device platforms in Kandji.
  4. Configure the Okta Verify Library item to deploy Okta Device Trust.

What settings are deployed to devices

Once the ODT setup, enabled, and scope to your blueprints, the following settings payloads are automatically configured and delivered to Apple devices in the scope of Okta Device Trust in Kandji.

Payload settingPlatformDescription
Dynamic SCEP certificatemacOSThis is a unique Okta SCEP certificate per device. The certificate is used in the device registration process.
OktaVerify.EnrollmentOptionsmacOSOkta Verify SilentEnrollmentEnabled configuration is sent to macOS devices. This will launch Okta Verify automatically if an unregistered device attempts to access Okta resources and prefill the Organization URL for the user.
Okta Verify Login itemmacOSThis payload adds Okta Verify as a login item on macOS and will start Okta Verify at user login.
Managed app configiOS and iPadOSThis App Config contains the OktaVerify.OrgUrl and device managementHint used to register the device as managed in Okta.
SSO Extension payloadmacOS, iOS, and iPadOSThe SSO extension forwards requests from the browser or app to Okta Verify, and users do not receive the Open Okta Verify browser prompt. Not supported on Chrome or Firefox.

The EDR Plugin setting is not deployed with the ODT integration, but can be delivered via a separate configuration profile if needed. Doing so will not impact any settings listed in the table above. (example EDR plugin profile)

End-user device registration with Okta

If you are already deploying a manual configuration of ODT (aka Okta device attestation) there should not be any impact to existing devices when switching over to the Kandji ODT Integration. Once the Kandji ODT integration is configured and deployed to devices, the Device attestation Library items can be set to inactive or removed.

After Okta Verify and the required settings are on the device, the end-user will go through the following steps to register their managed Apple devices with Okta.

For previously registered devices with Management status of "Not Managed"
If a device has already registered with Okta through Okta Verify but has not yet been configured for Okta Device Trust (i.e. has a Management status in Okta of "Not managed") via the ODT integration with Kandji or Okta Device Attestation (manual ODT configuration), the device record will need to be deleted from the Okta Universal directory, and the end-user will need to sign out of the Okta Verify app on the device before re-registering the device with Okta using the following the steps below.


  1. Open the Okta Verify app. (Okta verify should auto launch at login on macOS)
  2. Sign in with Okta credentials and set up Touch ID for passwordless authentication.
  3. Launch a web browser and sign in to their Okta dashboard (example: .okta.com), authenticating with Okta FastPass.
  4. Done.

iOS and iPadOS

  1. Open the Okta Verify app.
  2. Tap Add Account.
  3. Tap Organization.
  4. Choose No, Sign in Instead as the sign-in method. (the end-user can also use the QR code med if available)
  5. Tap the screen to tap the Next button. (The Organization’s Sign-in URL should be prepopulated)
  6. Sign in to Okta.
  7. Choose to allow or skip push notifications on the device.
  8. Enable Touch ID or Face ID.
  9. Done.

Once the above process is complete, the device record should show as managed in the Okta Universal Directory.

Up next

Set up the Okta Device Trust integration