Okta Device Trust: Configuring the Okta Verify Library Item

By Gwynn Clark

Learn how to configure the Okta Verify App Store app for Okta Device Trust

After configuring the Okta Device Trust (ODT) Integration in Kandji, the Okta Verify Library item (distributed from ABM or ASM) is used to deploy ODT to your Apple devices. After turning on ODT, required settings, configurations, and resources will be applied to this Library item and deployed automatically to devices in scope.

For macOS, the downloadable package of Okta Verify is not compatible with the ODT integration. Okta recommends deploying Okta Verify via Apple Business Manager or Apple School Mananger.


Configuring Okta Verify for ODT

  1. In Kandji, go to the Library.
  2. Find and click on the Okta Verify App Store app in the App Store Apps section. You can use the search option to narrow down the results if you have many apps in your Library.
  3. Assign the Library item to one or more Blueprints. If this is the first time deploying ODT, it is a good idea to deploy to a test blueprint scoped to a limited number of devices so that you can see how it functions when deployed.
  4. For the installation type, choose Install and continuously enforce. If Okta Verify is already installed on some devices, this process will not reinstall the app, but Kandji will take over the management of the app.
  5. In the Okta Device Trust section, click the drawing to turn on ODT.
  6. You will see a modal letting you know that Managed AppConfig for iPhone and iPad will be disabled in the library item and will be managed by the ODT integration. Click Yes, turn on Okta Device Trust to continue.

  7. Once turned on, you will see the device families that are configured for ODT and the configured Okta domain.

  8. Click Save.

What settings are deployed to devices

Once ODT is set up, enabled, and scoped to your blueprints, the following settings payloads are automatically configured and delivered to Apple devices in the scope of Okta Device Trust in Kandji.

Payload settingPlatformDescription
Dynamic SCEP challenge certificatemacOSThis is a unique Okta SCEP certificate per device. The certificate is used in the device registration process.
OktaVerify.EnrollmentOptionsmacOSOkta Verify SilentEnrollmentEnabled configuration is sent to macOS devices. This will launch Okta Verify automatically if an unregistered device attempts to access Okta resources and prefill the Organization URL for the user.
Okta Verify Login itemmacOSThis payload adds Okta Verify as a login item on macOS and will start Okta Verify at user login.
Managed app configiOS and iPadOSThis App Config contains the OktaVerify.OrgUrl and device managementHint used to register the device as managed in Okta.
SSO Extension payloadmacOS, iOS, and iPadOSThe SSO extension forwards requests from the browser or app to Okta Verify, and users do not receive the Open Okta Verify browser prompt. Not supported on Chrome or Firefox.