Okta Desktop MFA for macOS with Microsoft Intune

Introduction

In this blog post, I’ll take you on a journey through configuring Okta Device Access Desktop MFA when you use Microsoft Intune as the Mobile Device Management (MDM) solution for your macOS device fleet.
We start with the configuration on the Okta side and then show how to create the necessary configuration profile on the Intune side.
Have fun reading the blog and then, of course, integrating and testing the solution!

Okta Requirements

  • You have an Okta Identity Engine org available.
  • Your OIE org has the Desktop Access SKU enabled.
  • macOS version 14.X is recommended for the best user experience.
  • The Okta Verify authenticator is set up in your org.
  • Okta Verify push notifications are enabled.
  • You have a Microsoft Intune environment and licenses ready with the necessary permissions.

Microsoft Intune Requirements

  • You have a Microsoft Intune environment ready with the necessary permissions.
  • You have the right Microsoft Intune licenses in place.
  • You have the Apple MDM Push Certificate configured in your Microsoft Intune environment.

The Apple MDM Push Certificate can be checked in the Microsoft Intune admin center.

You have prepared a configuration profile file in the form of an .xml or .mobileconfig file.
In my setup I used the following configuration; please adapt it to your own needs if necessary.

Please replace add-your-client-ID-here with the client ID found in the Desktop MFA app > Sign on tab in your Okta tenant.
Also replace add-your-client-secret-here with the client secret found in the Desktop MFA app > Sign on tab in your Okta tenant.
And do not forget to replace https://your-org.oktapreview.com with your Okta org URL.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
    <dict>
        <key>PayloadUUID</key>
        <string>2F0FC0DC-953A-4247-A4E6-F64A0A3FA2DB</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadOrganization</key>
        <string>beste</string>
        <key>PayloadIdentifier</key>
        <string>2F0FC0DC-953A-4247-A4E6-F64A0A3FA2DB</string>
        <key>PayloadDisplayName</key>
        <string>Microsoft Payload</string>
        <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadDisplayName</key>
                <string>Custom Settings</string>
                <key>PayloadIdentifier</key>
                <string>3472DF62-D492-4211-9D59-748B2107CDE9</string>
                <key>PayloadOrganization</key>
                <string>Microsoft Intune</string>
                <key>PayloadType</key>
                <string>com.apple.ManagedClient.preferences</string>
                <key>PayloadUUID</key>
                <string>3472DF62-D492-4211-9D59-748B2107CDE9</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadContent</key>
                <dict>
                    <key>com.okta.deviceaccess.servicedaemon</key>
                    <dict>
                        <key>Forced</key>
                        <array>
                            <dict>
                                <key>mcx_preference_settings</key>
                                <dict>
                                    <key>DMFAClientID</key>
                                    <string>add-your-client-ID-here</string>
                                    <key>DMFAClientSecret</key>
                                    <string>add-your-client-secret-here</string>
                                    <key>DMFAOrgURL</key>
                                    <string>https://your-org.oktapreview.com</string>
                                    <key>LoginPeriodWithOfflineFactor</key>
                                    <real>168</real>
                                    <key>LoginPeriodWithoutEnrolledFactor</key>
                                    <real>48.0</real>
                                    <key>MFARequiredList</key>
                                    <array>
                                        <string>*</string>
                                    </array>
                                </dict>
                            </dict>
                        </array>
                    </dict>
                </dict>
            </dict>
        </array>
    </dict>
</plist>
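An unreplaced placeholder in this profile ends up as the daemon's live configuration on every assigned Mac, so it is worth checking the file before uploading it to Intune. The following check is an added example written for this post (not Okta's or Microsoft's code); it assumes a profile laid out exactly like the one above and embeds a constructed copy with the placeholders still in place.

```python
import plistlib
# Constructed sample with the same structure as the profile above; the
# placeholders are left in on purpose so the checks have something to flag.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadScope</key><string>System</string>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
<key>PayloadContent</key><dict><key>com.okta.deviceaccess.servicedaemon</key>
<dict><key>Forced</key><array><dict><key>mcx_preference_settings</key><dict>
<key>DMFAClientID</key><string>add-your-client-ID-here</string>
<key>DMFAClientSecret</key><string>add-your-client-secret-here</string>
<key>DMFAOrgURL</key><string>https://your-org.oktapreview.com</string>
<key>MFARequiredList</key><array><string>*</string></array>
</dict></dict></array></dict></dict></dict></array></dict></plist>"""
OKTA_DOMAIN = "com.okta.deviceaccess.servicedaemon"
REQUIRED = ("DMFAClientID", "DMFAClientSecret", "DMFAOrgURL", "MFARequiredList")
PLACEHOLDERS = ("add-your-", "your-org.")  # the tokens the post asks you to replace

def okta_settings(profile):
    """Return the Forced mcx_preference_settings dict for the Okta daemon, or None."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        domain = payload.get("PayloadContent", {}).get(OKTA_DOMAIN, {})
        for entry in domain.get("Forced", []):
            if "mcx_preference_settings" in entry:
                return entry["mcx_preference_settings"]
    return None

def check_profile(data):
    """Return a list of problems; an empty list means the profile is ready to upload."""
    profile = plistlib.loads(data)
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope should be System, as in the profile above")
    settings = okta_settings(profile)
    if settings is None:
        return problems + ["no Forced mcx_preference_settings for " + OKTA_DOMAIN]
    for key in REQUIRED:
        value = settings.get(key)
        if value is None:
            problems.append("missing key " + key)
        elif isinstance(value, str) and any(p in value for p in PLACEHOLDERS):
            problems.append(key + " still holds the placeholder " + repr(value))
    if not str(settings.get("DMFAOrgURL", "")).startswith("https://"):
        problems.append("DMFAOrgURL must be an https:// URL")
    return problems
```

Run it against your real file with `check_profile(open("profile.xml", "rb").read())`; the client secret is stored in clear text in this profile, so keep the file itself out of shared repositories.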

Okta Desktop MFA Configuration

In the Admin Console, go to Settings –> Account –> Embedded widget sign-in support.

Ensure that the Interaction Code checkbox is selected.

In the Admin Console, now navigate to Applications –> Applications.

Click Browse App Catalog and search for Desktop MFA.

Click Add integration.

On the Sign on tab, go to the Settings section and click Edit.
Click the Application username format dropdown menu and select Okta username prefix.

On the Assignments tab, assign the app to relevant users or groups.

On the General tab, go to the Client Credentials section to find the Client ID and
Client secret. The identifier and secret are generated when you create the app integration.
Make note of these values, as you need them when you deploy the MDM profile.

Enroll your macOS into Microsoft Intune

In this blog I am covering a manual macOS device enrollment, and my Office 365 tenant is of course federated with Okta.

Install Microsoft Company Portal app

Go to Enroll My Mac and wait while the Company Portal installer .pkg file downloads.
Open the installer when it’s ready and select Continue.

On the License page, read through the Microsoft Application License Terms. Select Continue.

Select Agree to agree to the terms of the software license agreement.

On the Installation Type page, select Install.

Enter your device password or registered fingerprint. Then select Install Software.

Wait for Company Portal to finish installing.

Enroll your Mac

Open the Company Portal app and sign in.

Type in your email address and press the Next button.

Wait a moment…

In my example and configuration I am getting redirected to Okta and just need to press Next here.

Based on my Okta Sign-On Policy, I need to authenticate accordingly.

In the next screen, review the privacy information and press the Continue button.

On the Set up access page, select Begin.

On the Install management profile page, select Download profile.

Your macOS System Settings open in a new window and the management profile you just downloaded is shown.
Navigate to Privacy & Security –> Profiles and select the Management Profile to open it.

Select Install.

Enter your device password to allow the profile to enroll your device, then select Enroll.

Wait while the management profile installs and then enrolls your device.
The Management Profile should look like this after a successful enrollment.

Return to the Company Portal app and verify that there’s a green checkmark next to Install management profile.

When setup is complete, select Done.

Your device is ready to use for work. You can navigate to Devices in the Company Portal app to view and manage your enrolled Mac.

You can also check your device in the Intune admin center.

Demo macOS Enrollment Intune

Here is the demo of the manual enrollment process. :-)

Configure the MDM profile for Desktop MFA for macOS

Sign in to the Microsoft Intune admin center, navigate to the Devices section and select macOS devices.
Click Configuration profiles –> Create, select Templates from the drop-down, then Custom, and click the Create button.

Enter a Name for the policy and click Next.

Enter:

  1. Configuration profile name (this name is also shown on the device).
  2. Deployment channel: select one.
  3. Configuration profile file: browse to the .xml or .mobileconfig file you’ve created upfront.

In my example I am using the .xml file.

The imported file is shown. You can also remove a file after it’s been added. Click Next to continue.

The next step is to assign the policy to your user or device groups.

In my example I assign it to All devices.

In the final step, press Create to finish your configuration.

Your Okta Desktop MFA profile is ready and assigned to your device(s).

After some time, the profile should also have arrived and been installed on the device.

It’s important to deploy the Desktop MFA configuration profile to your macOS device before Okta Verify itself is deployed.
Okta Verify looks for the configuration profile during install to determine whether or not to enable the Desktop MFA integration components, so if the profile arrives later, the install will not enable them.

Deploy Okta Verify to your Intune enrolled device

In the next step we will deploy the Okta Verify application to our enrolled macOS device.

  1. Select Apps.
  2. Select macOS apps.
  3. Click Add.
  4. In the Select app type pane, under Other app types, select macOS app (PKG).
  5. Click Select.

In the Add app pane, click Select app package file.

In the App package file pane, select the browse button.

Select a macOS PKG file with the extension .pkg.

The app details will be displayed, select OK on the App package file pane to add the app.

On the App information page, add the details for your app. Depending on the app that you chose, some of the values in this pane might be filled in automatically.

  1. Publisher: enter the name of the publisher of the app.
  2. Logo: upload your Okta Verify icon.
  3. Press Next to continue.

You can optionally configure a preinstall script and a post-install script to customize the app install, click Next to continue.

You can choose the minimum operating system required to install this app.
In my example I’ve selected macOS Monterey 12.0 as the Minimum operating system.

You can use detection rules to choose how an app installation is detected on a managed macOS device, press Next to continue.

In my example I’ve assigned the Okta Verify Application to All devices.

Review the values and settings you entered for the app.
When you’re done, click Create to add the app to Intune.

The Overview pane for the macOS PKG app is displayed.

Your Okta Verify application is ready and assigned to your devices.

After some time, the following message should appear on the device and the
Okta Verify application will be installed automatically.

Demo Desktop MFA macOS

And last but not least the Okta Device Access Desktop MFA demo on a macOS.
