
This is an Early Access feature!
Okta Desktop MFA for macOS adds an extra layer of security to the macOS sign-in process by asking users for additional authentication before allowing computer access.
In this blog we show you how to configure Desktop MFA in the Okta Admin Console, and then deploy it through VMware Workspace ONE.
Technical Prerequisites
- You have an Okta Identity Engine org available.
- Your OIE org has the Desktop Access SKU enabled.
- Your macOS computers are running a minimum of macOS Monterey (12.0).
- The Okta Verify authenticator is set up in your org.
- Okta Verify push notifications are enabled.
- Devices must be enrolled in mobile device management software that supports the deployment of installer packages and configuration profiles.
In this blog we are using VMware Workspace ONE as the MDM solution.
Create and configure the Desktop MFA app integration
In the Admin Console, go to Settings, Account, Embedded widget sign-in support and ensure that the Interaction Code checkbox is selected.

Next, enable Direct Authentication: go to Settings, Features and turn on Direct Authentication.

In the Admin Console, now navigate to Applications –> Applications.

Click Browse App Catalog and search for Desktop MFA.

Click Add integration.

On the Sign on tab, go to the Settings section and click Edit.
Click the Application username format dropdown menu and select Okta username prefix.

On the Assignments tab, assign the app to relevant users or groups.

On the General tab, go to the Client Credentials section to find the Client ID and Client secret. Both are generated when you create the app integration.
Make note of these values; you need them when you create the device management profile for Desktop MFA for macOS in VMware Workspace ONE (MDM).

Deploy Okta Verify for macOS
In this section I will not cover how to prepare an app for deployment, as you will need to download the Workspace ONE Admin Assistant Tool and prepare the Okta Verify app for deployment through Workspace ONE UEM.
I have already performed these steps upfront!
Log in to your VMware Workspace ONE Console.

Navigate to Resources, then select Apps.

Click Internal and, from the Add dropdown menu, select Application File.

Click Upload and select Choose File. Navigate to the folder and choose the DMG file and click Upload.

After the upload has been completed, click Continue.
Upload the metadata file by clicking Upload and choosing the PLIST file from the same folder. Click Save and, after the upload has completed, click Continue.

Now click Save & Assign and:
- Enter a name for the assignment, for example macOS_OV9.
- Click in the Assignment Group section and select an assignment group. The selected group appears underneath the text box.
- Select a time and date to begin the deployment if you do not want to begin immediately.
- Select Auto to deliver the app automatically, or On Demand to deliver the app when the user requests it from the catalog.

When all assignments have been created, click Save and click Publish.
Create a device management profile for Desktop MFA for macOS
Now navigate to the Resources / Profiles & Baseline section.

Click Add Profile here.

Select Apple macOS.

Select Device Profile.

Give the profile a name of your choice.

Next, navigate to the Custom Settings payload within the profile and add the following Custom Settings.

Profile Sample:
<dict>
    <key>PayloadContent</key>
    <dict>
        <!-- Preference domain read by the Okta Device Access service daemon -->
        <key>com.okta.deviceaccess.servicedaemon</key>
        <dict>
            <key>Forced</key>
            <array>
                <dict>
                    <key>mcx_preference_settings</key>
                    <dict>
                        <!-- Client ID, Client secret and org URL from the Desktop MFA app integration -->
                        <key>DMFAClientID</key>
                        <string>add-your-client-ID-here</string>
                        <key>DMFAClientSecret</key>
                        <string>add-your-client-secret-here</string>
                        <key>DMFAOrgURL</key>
                        <string>add-your-org-URL-here</string>
                        <!-- Grace periods for signing in with an offline factor / without an enrolled factor -->
                        <key>LoginPeriodWithOfflineFactor</key>
                        <real>24</real>
                        <key>LoginPeriodWithoutEnrolledFactor</key>
                        <real>48</real>
                        <!-- "*" applies the MFA requirement to every user of the Mac -->
                        <key>MFARequiredList</key>
                        <array>
                            <string>*</string>
                        </array>
                    </dict>
                </dict>
            </array>
        </dict>
    </dict>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>MCXToProfile.53D4D13B-FAD1-49F7-A341-59A5AB2CCCA8.alacarte.customsettings.e018cb09-de75-4195-ae80-b4cc25c02a76</string>
    <key>PayloadType</key>
    <string>com.apple.ManagedClient.preferences</string>
    <key>PayloadUUID</key>
    <string>53D4D13B-FAD1-49F7-A341-59A5AB2CCCA8</string>
</dict>
Customize the profile to your preferences or needs.

Ensure that the MDM profile has been successfully deployed to end-user devices before deploying the macOS Okta Verify package!
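Rather than hand-editing the sample above, the Custom Settings fragment can be generated from the Client ID, Client secret and org URL, and the same validation can be run on a Mac to confirm the profile has landed before Okta Verify is pushed. The following is an added Python example, not Okta's or Workspace ONE's code. It mirrors the key names and PayloadIdentifier shape of the sample; the device-side path /Library/Managed Preferences/com.okta.deviceaccess.servicedaemon.plist, the treatment of the two LoginPeriod values as hours, and the credential and org URL values are assumptions or constructed sample data.

```python
"""Generate and sanity-check the Custom Settings payload for Okta Desktop MFA for macOS.

Added example (not Okta or Workspace ONE tooling). Key names mirror the profile
sample in this post; MANAGED_PREFS_PATH is an assumption about where macOS writes
a com.apple.ManagedClient.preferences payload once the profile is applied.
"""
import plistlib
import re
import uuid

PREF_DOMAIN = "com.okta.deviceaccess.servicedaemon"
PAYLOAD_TYPE = "com.apple.ManagedClient.preferences"
# Assumed device-side location of the delivered managed preferences.
MANAGED_PREFS_PATH = f"/Library/Managed Preferences/{PREF_DOMAIN}.plist"
# The org URL should be the bare https:// host, with no path.
ORG_URL_RE = re.compile(r"https://[A-Za-z0-9][A-Za-z0-9.-]*/?")


def validate_settings(settings):
    """Return a list of problems with an mcx_preference_settings dict; empty means OK."""
    problems = []
    for key in ("DMFAClientID", "DMFAClientSecret", "DMFAOrgURL"):
        value = settings.get(key, "")
        if not isinstance(value, str) or not value or value.startswith("add-your-"):
            problems.append(f"{key} is missing or still the sample placeholder")
    url = settings.get("DMFAOrgURL", "")
    if isinstance(url, str) and url and not url.startswith("add-your-") \
            and not ORG_URL_RE.fullmatch(url):
        problems.append("DMFAOrgURL must be the https:// org URL with no path")
    # Both login periods are treated as hours here (assumption); they must be positive.
    for key in ("LoginPeriodWithOfflineFactor", "LoginPeriodWithoutEnrolledFactor"):
        hours = settings.get(key)
        if isinstance(hours, bool) or not isinstance(hours, (int, float)) or hours <= 0:
            problems.append(f"{key} must be a positive number of hours")
    if not settings.get("MFARequiredList"):
        problems.append("MFARequiredList is empty, so nobody would be prompted for MFA")
    return problems


def build_custom_settings(client_id, client_secret, org_url,
                          offline_hours=24.0, unenrolled_hours=48.0, mfa_required=("*",)):
    """Return the <dict>...</dict> fragment to paste into the Workspace ONE Custom Settings payload."""
    settings = {
        "DMFAClientID": client_id,
        "DMFAClientSecret": client_secret,
        "DMFAOrgURL": org_url,
        "LoginPeriodWithOfflineFactor": float(offline_hours),
        "LoginPeriodWithoutEnrolledFactor": float(unenrolled_hours),
        "MFARequiredList": list(mfa_required),
    }
    problems = validate_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    payload_uuid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadContent": {PREF_DOMAIN: {"Forced": [{"mcx_preference_settings": settings}]}},
        "PayloadEnabled": True,
        # Same identifier shape as the sample, with fresh UUIDs so two profiles never collide.
        "PayloadIdentifier": f"MCXToProfile.{payload_uuid}.alacarte.customsettings.{uuid.uuid4()}",
        "PayloadType": PAYLOAD_TYPE,
        "PayloadUUID": payload_uuid,
    }
    xml = plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=False).decode("utf-8")
    # Workspace ONE takes only the outer <dict>, without the <?xml> and <plist> wrapper.
    start = xml.index("<dict>")
    end = xml.rindex("</dict>") + len("</dict>")
    return xml[start:end]


def parse_custom_settings(fragment):
    """Parse a pasted <dict> fragment back into a dict (plistlib needs the <plist> wrapper)."""
    return plistlib.loads(f'<plist version="1.0">{fragment}</plist>'.encode("utf-8"))


def extract_settings(payload):
    """Pull the mcx_preference_settings dict out of a parsed payload."""
    return payload["PayloadContent"][PREF_DOMAIN]["Forced"][0]["mcx_preference_settings"]


def check_device_preferences(path=MANAGED_PREFS_PATH):
    """On a Mac, confirm the profile has been applied before Okta Verify is installed.

    Returns the validate_settings() problems, or a one-item list if the file is absent.
    """
    try:
        with open(path, "rb") as fh:
            prefs = plistlib.load(fh)
    except FileNotFoundError:
        return [f"{path} not found: the MDM profile has not been applied yet"]
    return validate_settings(prefs)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real org.
    print(build_custom_settings("0oa-example-client-id", "example-client-secret",
                                "https://example.okta.com"))
    print(check_device_preferences())
```

Run it on the admin workstation to produce the fragment, and run `check_device_preferences()` on an enrolled Mac: an empty list means the profile is in place and Okta Verify can be pushed; a non-empty list tells you what is still wrong.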

Set up a device access code
A device access code protects your computer and data by ensuring that only you can sign in to your macOS computer. Okta Verify is used to configure an offline authentication method in addition to the MFA methods that you might already be familiar with.
After signing in to your macOS computer, you’re asked to sign in to Okta Verify and set up a device access code for your computer. Having a device access code allows you to gain access to your computer, even without an internet connection.
Demo: set up a device access code
You can follow the steps in this short demo.
- Start your macOS computer.
- Enter your username and password.
- Before you can access your desktop, the Okta Device Access set up screen appears. Click Continue.
- Enter your Okta username and click Sign In.
- A push notification is sent to your mobile device. Tap Yes, it’s me on your device to complete the sign-in.
- On your computer, click Continue to start the next phase of the process.
Demo: Okta Verify push
In this demo we show how to sign in to your macOS computer with Okta Verify push.
Demo: device access code
This demo shows how to sign in to your macOS computer with a device access code.