Okta mobile devices Integration with Workspace ONE

Introduction

You can ensure that devices are managed by an endpoint management tool
(in my example, Workspace ONE) before end users can access apps from the device.

Devices are managed if they meet these conditions:

  • The device is registered (enrolled in Okta Verify).
  • A profile associated with the device is managed by a device management solution.
  • The device is configured for device management in Security –> Device Integrations. Ensure that this is completed before the user authenticates with Okta FastPass.
  • The user authenticated with Okta FastPass from the managed device at least once.

For mobile (Android, iOS), a management hint (shared secret) is deployed to the device through a managed app configuration (in this example, with Workspace ONE UEM).

Prerequisites

  • Okta Tenant (OIE)
  • VMware Workspace ONE UEM environment (or any other MDM solution)
  • iOS or Android Device enrolled in Workspace ONE UEM
  • Okta Verify App and Profiles assigned in Workspace ONE UEM

Configure management attestation

In the Okta Admin Console, go to Security –> Device integrations.

Click the Endpoint management tab and then click Add platform.

In this blog I will focus on iOS mobile devices, so let’s select iOS and click Next.

Now let’s configure the management attestation:

To use a new secret key, keep the default setting; Okta generates it for you.
If you already have a secret key that you want to use, select Use existing key.
If you use an existing key, enter it in the Secret key field.
Ensure that the key was previously generated by Okta or meets these requirements:

  • It has 8-256 alphanumeric characters.
  • It’s a mix of uppercase and lowercase letters and symbols.

Copy the provided secret key to your clipboard by clicking the copy icon next to the field. You enter the secret key later in your Workspace ONE UEM application configuration.

In the Device management provider label field, enter the name of your MDM software.
The contents of this field are displayed to end users later when they enroll their device.
In the Enrollment link field, enter a web address for redirecting end users with
unenrolled devices.
You can get your Workspace ONE UEM Enrollment URL by navigating to the following section within your Workspace ONE UEM Console.

Press the Save button to finish the configuration.

Integrate Okta with Workspace ONE

In this section I will cover how to:

  1. Configure Workspace ONE to manage Okta Verify and to install it on end-user devices that don’t have it installed.
    In this blog I will cover how to deploy the app via the Public App Store.
  2. Configure the key-value pair by using your Workspace ONE UEM software’s
    managed app configuration.

Log in to your Workspace ONE UEM Console, navigate to the Apps section and press the ADD APPLICATION button to add the Okta Verify application.

  • Select the Platform from the drop-down field (here Apple iOS)
  • Keep the SEARCH APP STORE button selected
  • Type in the Application Name (here Okta Verify)

Press the NEXT button to continue.

You should see the Okta Verify app in the search results; press SELECT on the right to add the app to your Inventory.

You will be automatically redirected to the next screen, where you can adjust settings
such as the application label. Press SAVE & ASSIGN to continue.

Within the Distribution menu:

  • Enter a Name
  • Specify a group (Workspace ONE Assignment Group(s))
  • Set the App Delivery Method to Auto

Go to the Restrictions menu and enable the Make App MDM Managed if User Installed option.

In the Application Configuration menu, enable the Send Configuration option.

Click ADD and add the following Configuration Keys:

Configuration Key: managementHint
Value Type: String
Configuration Value: Enter the Secret Key that you copied from the Okta Console
(management attestation configuration)

Configuration Key: OktaVerify.OrgUrl
Value Type: String
Configuration Value: Your Okta Url (example.okta.com)

Press the CREATE button and SAVE your settings.

You should now see the Okta Verify App in your Workspace ONE UEM Application Inventory.

Create an SSO extension Profile

On managed iOS devices, you must create an SSO extension profile to enable 
Okta FastPass authentication that doesn’t show sign-in prompts.
The SSO extension forwards requests from a browser or app to Okta Verify.
Therefore, the browser or app doesn’t prompt users to open Okta Verify.
To configure the profile, navigate in Workspace ONE to
RESOURCES –> Profiles & Baselines –> Profiles.

Click ADD, and then select Add Profile.

Click Apple iOS as the platform.

Click Device Profile.

Label the Profile, then navigate to the SSO Extension Payload and configure the following settings:

  • Extension Type: Generic
  • Extension Identifier: com.okta.mobile.auth-service-extension
  • Type: Credential
  • Realm: Okta Device
  • Hosts: Enter your Okta org domain without the protocol scheme. For example, enter yourdomain.example.com, not https://yourdomain.example.com
  • Additional Settings: Certificate: Select None.
  • Custom XML:
    Enter the Secret Key that you generated in the Okta Admin Console using the following syntax:
    <dict><key>managementHint</key><string>enter-Secret-Key-here</string></dict>

SAVE & PUBLISH your profile.
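The management hint has to be identical in three places: the Okta device integration, the Okta Verify managed app configuration (managementHint plus OktaVerify.OrgUrl), and the Custom XML of the SSO extension payload, and the Hosts / OrgUrl values must be a bare host name without a scheme. A mismatch in any of them means the device never shows up as Managed. The following Python script is an added example, not code from the blog, Okta or VMware: it checks a secret against the key requirements stated in the management attestation section, normalizes the org host, builds the two configuration artifacts in the exact shape the page shows, and cross-checks them before you paste them into the console. The secret and host values are constructed sample data.

```python
import re
import string
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values; replace with the secret copied from the Okta
# Admin Console and your own org domain.
SAMPLE_SECRET = "Okta-Hint_2024xYz!"          # constructed, not a real key
SAMPLE_ORG_HOST = "yourdomain.example.com"   # host only, no scheme


def validate_management_hint(secret: str) -> list[str]:
    """Return a list of problems; an empty list means the key satisfies the
    requirements given in the Okta step: 8-256 characters, a mix of upper-
    and lowercase letters, and at least one symbol."""
    problems = []
    if not 8 <= len(secret) <= 256:
        problems.append("length must be 8-256 characters")
    if not any(c.isupper() for c in secret):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in secret):
        problems.append("needs a lowercase letter")
    if not any(c in string.punctuation for c in secret):
        problems.append("needs a symbol")
    if any(c.isspace() for c in secret):
        problems.append("must not contain whitespace")
    return problems


def normalize_org_host(value: str) -> str:
    """Reduce a pasted value to a bare host name. The SSO extension Hosts field
    and OktaVerify.OrgUrl expect yourdomain.example.com, not a full URL."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/")[0]
    host = host.strip().lower()
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        raise ValueError(f"not a valid host name: {value!r}")
    return host


def build_app_config(secret: str, org_host: str) -> dict:
    """The two managed app configuration keys added for Okta Verify in
    Workspace ONE UEM (both of Value Type String)."""
    return {"managementHint": secret, "OktaVerify.OrgUrl": org_host}


def build_sso_custom_xml(secret: str) -> str:
    """Custom XML for the SSO extension payload, in the dict/key/string
    syntax the page shows; ElementTree escapes any XML-special characters."""
    root = ET.Element("dict")
    ET.SubElement(root, "key").text = "managementHint"
    ET.SubElement(root, "string").text = secret
    return ET.tostring(root, encoding="unicode")


def read_hint_from_custom_xml(xml_text: str) -> Optional[str]:
    """Parse the dict fragment back and return the managementHint value,
    walking the alternating <key>/<string> children of the <dict>."""
    children = list(ET.fromstring(xml_text))
    for key_el, val_el in zip(children[0::2], children[1::2]):
        if key_el.tag == "key" and key_el.text == "managementHint":
            return val_el.text
    return None


def check_consistency(app_config: dict, sso_xml: str, okta_secret: str) -> list[str]:
    """Cross-check the three copies of the hint and the OrgUrl format.
    Okta only reports the device as Managed when the hint delivered to
    Okta Verify matches the secret configured in the device integration."""
    problems = validate_management_hint(okta_secret)
    if app_config.get("managementHint") != okta_secret:
        problems.append("app config managementHint differs from Okta secret")
    if read_hint_from_custom_xml(sso_xml) != okta_secret:
        problems.append("SSO extension managementHint differs from Okta secret")
    if "://" in app_config.get("OktaVerify.OrgUrl", ""):
        problems.append("OktaVerify.OrgUrl must not include a scheme")
    return problems


if __name__ == "__main__":
    host = normalize_org_host(SAMPLE_ORG_HOST)
    app_config = build_app_config(SAMPLE_SECRET, host)
    sso_xml = build_sso_custom_xml(SAMPLE_SECRET)
    print("Managed app configuration:", app_config)
    print("SSO extension Custom XML:", sso_xml)
    print("Problems:", check_consistency(app_config, sso_xml, SAMPLE_SECRET) or "none")
```

Run it with your real secret in place of SAMPLE_SECRET; the printed Custom XML can be pasted as-is into the SSO extension payload, and the printed dictionary gives the two key-value pairs for the managed app configuration. Keep the secret out of version control and shell history once you move past the sample value.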

Verify the managed flag in Okta

Navigate to Directory –> People

Select the desired user

Navigate to the Devices section and select your Device

We should now see that our device has the Management status “Managed”.

Now we can add an authentication policy rule and leverage the Device management flag.
More details and a guide can be found here.
