
October 2024: The Okta application name changed from “Desktop Password Sync” to “Platform Single Sign-On for macOS”
April 2025: Additional app identifier required for the associated domain entry on macOS 15 Sequoia
Introduction
In this blog post, I’ll take you on a journey through configuring Okta Device Access Desktop MFA and Desktop Password Sync when you use Jamf Pro as the MDM solution for your device fleet.
We start with the configuration on the Okta side, show how to create the necessary configuration profiles on the Jamf side, and of course we have recorded some demos.
Have fun reading the blog and then, of course, integrating and testing the solution.
Requirements
- You have an Okta Identity Engine org available.
- Your OIE org has the Desktop Access SKU enabled.
- macOS version 14.X is recommended for the best user experience.
- The Okta Verify authenticator is set up in your org.
- Okta Verify push notifications are enabled.
- You have a Jamf Pro environment ready with the necessary permissions.
Okta Desktop MFA Configuration
In the Admin Console, go to Settings, Account, Embedded widget sign-in support.

and ensure that the Interaction Code checkbox is selected.

In the Admin Console, navigate now to Applications –> Applications.

Click Browse App Catalog and search for Desktop MFA

Click Add integration.

On the Sign on tab, go to the Settings section and click Edit
Click the Application username format dropdown menu and select Okta username prefix.

Assign the app to individual users or groups on the Assignments tab.
Users must be assigned the app to use Desktop Password Sync.

On the General tab, go to the Client Credentials section to find the Client ID and
Client secret. The identifier and secret are generated when you create the app integration.
Make note of these values, as you need them when you create the device profile for Desktop MFA for macOS in your Jamf environment.

Okta Password Sync configuration
In the Okta Admin Console, go to Applications > Applications > Catalog.

Starting with September 2024, the Okta application name changed from “Desktop Password Sync” to “Platform Single Sign-On for macOS”.
Search for Platform Single Sign-On for macOS (formerly Desktop Password Sync) and select the app.

Click Add integration.

Open Desktop Password Sync from your Applications list to configure it.
On the General tab, you can edit the application label or use the default one.

On the Sign on tab, make note of the Client ID.
You need this when creating the managed app configuration in your Jamf environment.

Assign the app to individual users or groups on the Assignments tab.
Users must be assigned the app to use Desktop Password Sync.

Enroll your macOS into Jamf
In the first step we will enroll our macOS device into our Jamf environment. To do so, perform the following steps:
- Navigate to the following site: https://YOURENVIRONMENT.jamfcloud.com/enroll
- Log in with the credentials for your Jamf Pro instance
- Do not enter a user to assign to, just click Enroll
- Click Continue, then Allow on the pop-up
- Allow the Enrollment profile to download, then open your Downloads folder and double click the .mobileconfig file you downloaded
- It will prompt you to go to System Settings (“Profile Installation”). If it doesn’t take you directly to the screen, you can go to System Settings → Privacy & Security → Profiles
- Double click on the MDM Profile and click Install
- Click Install again on the confirmation pop-up
- You will be prompted for the username/password you created for the local macOS user.
Back in your browser you should see an Enrollment complete message and in System Settings you should see a number of additional profiles appear.
Let’s take a look at the manual Enrollment flow in a short demo.
Configure the MDM profile for Desktop MFA for macOS
Login to your Jamf environment.

Click Computers → Configuration Profiles

Click + New button on the right side of the screen

Click the Options tab, then on the General tab enter a name for this profile.
E.g: Desktop MFA

On the left menu select Application & Custom Settings to configure that specific payload, choose Upload, and click + Add

Enter com.okta.deviceaccess.servicedaemon as the Preference Domain and copy and paste the following XML in plist format.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DMFAClientID</key>
<string>add-your-client-ID-here</string>
<key>DMFAClientSecret</key>
<string>add-your-client-secret-here</string>
<key>DMFAOrgURL</key>
<string>https://your-org.oktapreview.com</string>
<key>LoginPeriodWithOfflineFactor</key>
<real>168</real>
<key>LoginPeriodWithoutEnrolledFactor</key>
<real>48</real>
<key>MFARequiredList</key>
<array>
<string>*</string>
</array>
</dict>
</plist>
This should look like the following in the Jamf console

Please replace add-your-client-ID-here with the client ID found in the Desktop MFA app > Sign on tab in your Okta Tenant.
Also replace add-your-client-secret-here with the client secret found in the Desktop MFA app > Sign on tab in your Okta Tenant.
Do not forget to replace https://your-org.oktapreview.com with your Okta org URL.
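The three placeholders above are the values that most often get shipped to devices unchanged. As an added example (not code from the blog post or from Okta), the following Python script builds the com.okta.deviceaccess.servicedaemon property list from your own values and refuses to emit it while any placeholder is still present or the org URL is not a bare https host. The key names and default periods are the ones in the XML above; the function names, the placeholder set and the sample credentials are assumptions of this example.

```python
# Added example: generate and sanity-check the Desktop MFA managed preference
# plist before pasting it into Jamf. Key names match the blog post; the helper
# names and the sample values below are this example's own (constructed).
import plistlib
import re

# The placeholder strings from the blog post's template, which must never reach a device.
PLACEHOLDERS = {
    "add-your-client-ID-here",
    "add-your-client-secret-here",
    "https://your-org.oktapreview.com",
}


def validate_org_url(org_url: str) -> str:
    """Return the org URL normalised to https://<host> (no path, no trailing slash)."""
    m = re.fullmatch(r"https://([a-z0-9.-]+)/?", org_url.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"org URL must be https://<host> with no path: {org_url!r}")
    return f"https://{m.group(1).lower()}"


def build_desktop_mfa_plist(client_id: str, client_secret: str, org_url: str,
                            offline_period_hours: float = 168.0,
                            unenrolled_period_hours: float = 48.0,
                            mfa_required=("*",)) -> str:
    """Render the com.okta.deviceaccess.servicedaemon plist as XML text."""
    supplied = {"DMFAClientID": client_id, "DMFAClientSecret": client_secret, "DMFAOrgURL": org_url}
    for key, value in supplied.items():
        if not value or value.strip() in PLACEHOLDERS:
            raise ValueError(f"{key} still holds a placeholder; copy the value from the app's Sign on tab")
    if offline_period_hours <= 0 or unenrolled_period_hours <= 0:
        raise ValueError("login periods must be positive numbers of hours")
    payload = {
        "DMFAClientID": client_id,
        "DMFAClientSecret": client_secret,
        "DMFAOrgURL": validate_org_url(org_url),
        # <real> values in the template, so keep them as floats.
        "LoginPeriodWithOfflineFactor": float(offline_period_hours),
        "LoginPeriodWithoutEnrolledFactor": float(unenrolled_period_hours),
        "MFARequiredList": list(mfa_required),
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=True).decode()


def parse_plist(xml_text: str) -> dict:
    """Parse XML plist text back into a dict (used to double-check the output)."""
    return plistlib.loads(xml_text.encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(build_desktop_mfa_plist("0oaExampleClientId", "exampleSecretValue",
                                  "https://example.oktapreview.com/"))
```

Paste the printed XML into the Jamf property list field; the trailing slash on the org URL is stripped so the value matches the form Okta expects, and a leftover template placeholder fails loudly instead of producing a profile that installs cleanly but never authenticates.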
Click Scope in the upper bar and click + Add next to Selected Deployment Targets

In my example I select ALL Computers and ALL Users; click the Save button to save and push your profile to your device.

You can validate that the profile was successfully deployed to your device by navigating to Configuration Profiles and clicking the 1 under the COMPLETED tab

and then you should see the enrolled device.

You can also check the profile on the device, just go to System Settings and Profiles, here you should see the Desktop MFA profile.

Deploy Okta Verify to your Jamf enrolled device
Within the JAMF Admin Console you will now set up a policy to deploy the Okta Verify app to your device.
In this blog post I assume that the Okta Verify package has been successfully added by the Jamf administrator.
Go to Computers → Policies and click + New

Under General ensure the following are set:
– Display Name: Okta Verify Install
– Enabled: True
– Trigger: Login, Recurring Check-in, Enrollment Complete, Custom
– Custom Event: ov
You can adjust these settings according to your needs.

Select the Execution Frequency: E.g. Once per computer

Click Packages on the sidebar then Configure

and click Add next to OktaVerify_ODA.pkg (in my example).
The package name may of course be different in your environment.

You can accept the default options.

Click Scope in the upper bar.
In my example I select ALL Computers and ALL Users; click the Save button to save and push your policy to your device.

Click Self Service in the upper bar and check the box for Make the policy available in Self Service.
Set the Self Service Display Name to something like “Okta Verify Install” and click Save.

Once this policy is saved, it will trigger the installation of Okta Verify onto your macOS device.
In this short demo you can see that Okta Verify was successfully deployed to the device.
You can check the Okta Verify Configuration Policy in the Jamf console as well.

Now that both the profile and the Okta Verify app have been successfully installed on the device, here is a demo of how Okta Device Access Desktop MFA looks from the end user perspective.
Configure the MDM profile for macOS password sync
In the next step we will configure the macOS password sync profile. Still in Jamf Pro, navigate to Computers > Configuration Profiles
Click + New
Click the Options tab
Click on the General tab and enter a name for this profile. E.g: ODA Password Sync Policy

Scroll down, click Single Sign-On Extensions, and click + Add to add a new extension.

Set the following parameters:
- Payload type: SSO
- Extension identifier: com.okta.mobile.auth-service-extension
- Team identifier: B7F62B65BN
- Sign-on type: Redirect

Under URLs, enter a URL with the following format (for your own Okta org):
https://<<your-org>>.oktapreview.com/device-access/api/v1/nonce
Click on the +Add to add a second URL and set to:
https://<<your-org>>.oktapreview.com/oauth2/v1/token
Replace https://<<your-org>>.oktapreview.com with your Okta org URL.
Set these parameters:
- Use Platform SSO: Include
- Authentication method: Password

In the sidebar of the window, scroll up, click Associated Domains, and click Configure

Click + Add

and put the following in the App Identifier box:
B7F62B65BN.com.okta.mobile.auth-service-extension
In the Associated Domain box, you will need to add your Okta org URL with
authsrv: preceding the URL, e.g.: authsrv:<<your-org>>.oktapreview.com
Repeat it for the second domain:
- B7F62B65BN.com.okta.mobile
- authsrv:<<your-org>>.oktapreview.com
Click Save

Now click Applications & Custom Settings > Upload and click the + Add button.
Enter com.okta.mobile for the first preference domain.
Copy the following XML and enter it in the property list:
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>CLIENTID</string>
</dict>
</plist>
Replace https://your-org.oktapreview.com with your org URL, and replace CLIENTID with the client ID found in the Desktop Password Sync app > Sign on tab in your Okta Tenant.

$USERNAME is an optional value for OktaVerify.UserPrincipalName, which automatically populates the username in the Sign-In Widget. If a value isn’t specified, users need to input their username when logging in.
In the next step, click the + Add button again to add another preference domain.
Enter com.okta.mobile.auth-service-extension for the second one.
Copy and paste the XML from the first preference domain into the second preference domain so they both have the same XML configuration defined:
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>CLIENTID</string>
</dict>
</plist>
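The password sync profile repeats the org hostname in five places: the two SSO extension URLs, the two authsrv: associated domain entries and the OktaVerify.OrgUrl key in both preference domains. When one of them is edited later and the others are not, the profile still installs but Platform SSO silently fails. As an added example (not code from the blog post or from Okta), the Python script below derives every org-specific value from a single org URL and reports any entry in an existing profile that has drifted from the derived set. The team identifier, extension identifier, app identifiers, URL paths and preference keys are the ones listed above; the function names, the drift report and the sample values are assumptions of this example.

```python
# Added example: derive all org-specific Platform SSO values from one org URL
# and detect drift in an existing configuration. Identifiers and key names come
# from the blog post; helper names and sample values are this example's own.
import plistlib
from urllib.parse import urlparse

TEAM_ID = "B7F62B65BN"
EXTENSION_ID = "com.okta.mobile.auth-service-extension"
# App identifiers for the two associated-domain entries (second one required on macOS 15).
APP_IDS = (f"{TEAM_ID}.{EXTENSION_ID}", f"{TEAM_ID}.com.okta.mobile")
# Both preference domains must carry the same managed preference keys.
PREFERENCE_DOMAINS = ("com.okta.mobile", EXTENSION_ID)


def org_host(org_url: str) -> str:
    """Return the bare hostname of an https org URL; reject anything with a path or other scheme."""
    parts = urlparse(org_url.strip())
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        raise ValueError(f"org URL must be https://<host> with no path: {org_url!r}")
    return parts.netloc.lower()


def platform_sso_values(org_url: str, client_id: str, username: str = "$USERNAME") -> dict:
    """Compute the SSO extension URLs, associated domains and preference payloads for one org."""
    host = org_host(org_url)
    base = f"https://{host}"
    prefs = {
        "OktaVerify.OrgUrl": base,
        "OktaVerify.UserPrincipalName": username,  # optional; pre-fills the Sign-In Widget
        "OktaVerify.PasswordSyncClientID": client_id,
    }
    return {
        "sso_urls": [f"{base}/device-access/api/v1/nonce", f"{base}/oauth2/v1/token"],
        "associated_domains": [(app_id, f"authsrv:{host}") for app_id in APP_IDS],
        # Same dict object for both domains on purpose: they are meant to be identical.
        "preference_domains": {domain: dict(prefs) for domain in PREFERENCE_DOMAINS},
    }


def find_drift(expected: dict, configured: dict) -> list:
    """Compare a profile's current values (same shape as platform_sso_values) with the derived ones."""
    problems = []
    if configured.get("sso_urls") != expected["sso_urls"]:
        problems.append("SSO extension URLs differ from expected")
    if configured.get("associated_domains") != expected["associated_domains"]:
        problems.append("associated domain entries differ from expected")
    for domain, prefs in expected["preference_domains"].items():
        got = configured.get("preference_domains", {}).get(domain)
        if got is None:
            problems.append(f"preference domain {domain} missing")
        elif got != prefs:
            problems.append(f"preference domain {domain} differs from expected")
    return problems


def preference_plist(values: dict, domain: str) -> str:
    """Render one preference domain as the XML plist text to paste into Jamf."""
    return plistlib.dumps(values["preference_domains"][domain], fmt=plistlib.FMT_XML).decode()


if __name__ == "__main__":
    # Constructed sample values, not a real org or client ID.
    derived = platform_sso_values("https://example.oktapreview.com/", "0oaExampleClientId")
    for url in derived["sso_urls"]:
        print("SSO URL:", url)
    for app_id, domain in derived["associated_domains"]:
        print("Associated domain:", app_id, "->", domain)
    print(preference_plist(derived, "com.okta.mobile"))
```

To audit an existing profile, transcribe its current values into the same shape (URL list, associated domain pairs, per-domain preference dicts) and pass them as `configured`; an empty list from `find_drift` means every org reference agrees with the org URL.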

Click Scope in the upper bar and click + Add next to Selected Deployment Targets

In my example I select ALL Computers and ALL Users; click the Save button to save and push your profile to your device.

You can also validate this profile on the device: go to System Settings and Profiles, where you should see the ODA Password Sync Policy

and in the Jamf Console as well.

Now let’s have a look at the end user experience for Desktop Password Sync in this demo.

We are looking at purchasing Jamf Connect along with Jamf Pro. Any major differences between Jamf Connect and Desktop Password Sync? We are already Okta customers, so it might be better for us to go that route.