
October 2024: The Okta application name changed from “Desktop Password Sync” to “Platform Single Sign-On for macOS”.
April 2025: An additional app identifier is required for the associated domain entry on macOS 15 Sequoia.
Introduction
In this blog post, I’ll take you on a journey through how to configure Okta Device Access Desktop Password Sync if you use Microsoft Intune as your Mobile Device Management (MDM) solution for your macOS device fleet.
We start with the configuration in Okta, show how to create the necessary configuration profiles on the Microsoft Intune side, and finish with a demo of what the Okta Device Access Desktop Password Sync user experience looks like on an Intune enrolled device.
Have fun reading the blog and then, of course, integrating and testing the solution.
Okta Requirements
- You have an Okta Identity Engine org available.
- Your OIE org has the Desktop Access SKU enabled.
- macOS version 14.X is recommended for the best user experience.
- The Okta Verify authenticator is set up in your org.
- Okta Verify push notifications are enabled.
- The latest Okta Verify app is used.
- You have a Microsoft Intune environment and licenses ready with the necessary permissions.
Microsoft Intune Requirements
- You have a Microsoft Intune environment ready with the necessary permissions.
- You have the right Microsoft Intune licenses in place.
- You have the Apple MDM Push Certificate configured in your Microsoft Intune environment.
This can be checked within the Microsoft Intune admin center.

In my configuration and in this blog post I’ve configured and deployed:
- One Settings Catalog Profile with Extensible SSO and Associated Domains
- Two Preference file Profiles to deploy Okta app settings and the Desktop Password Sync client settings, including the client ID.
There may certainly be other ways to create and distribute the profiles, but the path I documented is working.
Okta Desktop Password Sync Configuration
In the Okta Admin Console, go to Applications > Applications > Catalog.

Starting with September 2024, the Okta application name changed from “Desktop Password Sync” to “Platform Single Sign-On for macOS”.
Search for Platform Single Sign-On for macOS and select the app.

Click Add integration.

Search for Desktop Password Sync and select the app.

Click Add integration.

Open Desktop Password Sync from your Applications list to configure it.
On the General tab, you can edit the application label or use the default one.

On the Authentication tab, make note of the Client ID.
You need this when creating the configuration profiles in your
Microsoft Intune environment.

Assign the app to individual users or groups on the Assignments tab.
Users must be assigned the app to use Desktop Password Sync.

Enroll your macOS into Microsoft Intune
In this blog I am covering a manual macOS device enrollment, and my Office 365 tenant is of course federated with Okta.
Install Company Portal app
Go to Enroll My Mac and wait while the Company Portal installer .pkg file downloads.
Open the installer when it’s ready and select Continue on the introduction page.

On the License page, read through the Microsoft Application License Terms. Select Continue.

Select Agree to agree to the terms of the software license agreement.

On the Installation Type page, select Install.

Enter your device password or registered fingerprint, then select Install Software.

Wait for Company Portal to finish installing.

Enroll your Mac
Open the Company Portal app and sign in.

Type in your email address and press the Next button.

Wait a moment.

In my example and configuration I get redirected to Okta and just need to press Next here.

Based on my Okta Sign-On Policy, I need to authenticate accordingly.

In the next screen, review the privacy information and press the Continue button.

On the Set up access page, select Begin.

On the Install management profile page, select Download profile.

Your macOS system settings open in a new window and the management profile you just downloaded is shown.
Select the Management Profile to open it.

And click on Install.

Enter your device password to allow the profile to enroll your device, then select Enroll.

Wait while the management profile installs and then enrolls your device; it should look like this after a successful enrollment.

Return to the Company Portal app and verify that there’s a green checkmark next to Install management profile.

When setup is complete, select Done.

Your device is ready to use for work.
You can go to Devices in the Company Portal app to view and manage your enrolled Mac.

And you can also check your device within the Intune admin center.

Deploy Okta Verify to your Intune enrolled device
In the next step we will deploy the Okta Verify application to our enrolled macOS device.
- Select Apps
- macOS apps
- Click Add
- In the Select app type pane, under the Other app types, select macOS app (PKG).
- Click Select

In the Add app pane, click Select app package file.

In the App package file pane, select the browse button.

Select a macOS PKG file with the extension .pkg.

The app details will be displayed, select OK on the App package file pane to add the app.

In the App information page, add the details for your app. Depending on the app that you chose, some of the values in this pane might be automatically filled in.
- Publisher: Enter the name of the publisher of the app.
- Logo: Upload your Okta Verify icon
- Press Next to continue

You can optionally configure a preinstall script and a post-install script to customize the app install, click Next to continue.

You can choose the minimum operating system required to install this app.
In my example I’ve selected macOS Monterey 12.0 as the Minimum operating system.

You can use detection rules to choose how an app installation is detected on a managed macOS device, press Next to continue.

In my example I’ve assigned the Okta Verify Application to All Devices.

Review the values and settings you entered for the app. When you’re done, click Create to add the app to Intune.

The Overview pane for the macOS PKG app is displayed.

Configure the MDM profiles for macOS password sync
Now it’s time to configure the necessary configuration profiles in the Intune admin center and distribute them to the macOS device(s).
Configure single sign-on extension profile for Desktop Password Sync in Intune
Let’s start with the Settings Catalog Profile to configure the Extensible SSO and Associated Domains settings.
In the Microsoft Intune admin center, navigate to the Devices section and select
macOS devices.
Click Configuration profiles –> Create, select Settings catalog from the drop-down and click the Create button.

Enter a Name for the policy and click Next

Within the Configuration settings click on the +Add settings button to continue.

Select and configure the settings as described:
- type in SSO
- press the Search button
- select Authentication > Extensible Single Sign On (SSO)
- select Extension Identifier
- select Platform SSO
- select Team Identifier
- select Type
- select URLs

Within the Platform SSO section
- select Account Display Name
- select Authentication Method

Still in the Settings picker click on the App Management > Associated Domains settings and click Select all these settings to add these configuration settings as well.

Configure Associated Domains settings
To configure Associated Domains settings:
- Click on Edit instance in the Associated Domains menu
- Type in the Application Identifier: B7F62B65BN.com.okta.mobile.auth-service-extension
- In the Associated Domain field, type in your Okta org URL with authsrv: preceding the URL, for example, authsrv:your-org.oktapreview.com
- Click Save

Repeat the configuration for the second Associated Domain
- Type in the Application Identifier: B7F62B65BN.com.okta.mobile
- In the Associated Domain field, type in your Okta org URL with authsrv: preceding the URL, for example, authsrv:your-org.oktapreview.com
- Click Save

The configuration should look like this.

Configure Extensible Single Sign On (SSO) settings
Continue with the Extensible Single Sign On (SSO) settings:
- Extension identifier: com.okta.mobile.auth-service-extension
- Account Display Name: Type in a Display Name (e.g. Okta SSO)
- Authentication method: Password
- Team identifier: B7F62B65BN
- Type: Select Redirect
- URL: https://your-org.oktapreview.com/device-access/api/v1/nonce
- URL: https://your-org.oktapreview.com/oauth2/v1/token
Replace your-org.oktapreview.com with your Okta tenant URL in both URLs.

The next step is to assign the policy to your user or device groups, in my example I assign it to All devices.

In the final step just press the Create to finish your configuration.
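To double-check the Extensible SSO and Associated Domains values before (or after) entering them in the settings catalog, the script below is an added example of mine, not code from the original post or from Okta or Microsoft. It expresses the settings above as Python dictionaries keyed the way Apple’s com.apple.extensiblesso and com.apple.associated-domains payloads are (an assumption about how the Intune settings catalog maps its field names), cross-checks that the Team ID, extension identifier, authsrv: domains and URLs all agree, and goes one step further by wrapping both in a .mobileconfig so you can inspect the resulting profile. The org host is a placeholder; the Team ID and both app identifiers are the values from the post.

```python
"""Cross-check the Platform SSO (Extensible SSO) and Associated Domains settings
for Okta Desktop Password Sync.  Added example; the payload key names are an
assumption about Apple's com.apple.extensiblesso / com.apple.associated-domains
payloads, the org host is a placeholder."""
import plistlib
import uuid
from urllib.parse import urlparse

TEAM_ID = "B7F62B65BN"                                   # Okta Verify team identifier (from the post)
EXTENSION_ID = "com.okta.mobile.auth-service-extension"  # SSO extension bundle id (from the post)
# Both associated-domain entries the post configures, in the order it gives them.
APP_IDS = [f"{TEAM_ID}.{EXTENSION_ID}", f"{TEAM_ID}.com.okta.mobile"]


def build_sso_payload(org_host, display_name="Okta SSO"):
    """Extensible SSO settings: Redirect type, Password auth method, both Okta URLs."""
    base = f"https://{org_host}"
    return {
        "ExtensionIdentifier": EXTENSION_ID,
        "TeamIdentifier": TEAM_ID,
        "Type": "Redirect",
        "URLs": [f"{base}/device-access/api/v1/nonce", f"{base}/oauth2/v1/token"],
        "PlatformSSO": {"AuthenticationMethod": "Password", "AccountDisplayName": display_name},
    }


def build_associated_domains(org_host):
    """Associated Domains settings: one authsrv: entry per Okta app identifier."""
    return {"Configuration": [
        {"ApplicationIdentifier": app_id, "AssociatedDomains": [f"authsrv:{org_host}"]}
        for app_id in APP_IDS
    ]}


def check_consistency(sso, domains):
    """Return a list of problems; an empty list means the two profiles agree."""
    problems = []
    hosts = set()
    for url in sso["URLs"]:
        p = urlparse(url)
        if p.scheme != "https" or not p.hostname:
            problems.append(f"URL is not an https URL: {url}")
        else:
            hosts.add(p.hostname)
    if len(hosts) != 1:
        problems.append(f"SSO URLs must all point at one org host, got {sorted(hosts)}")
    if sso.get("Type") != "Redirect":
        problems.append("Type must be Redirect")
    if sso.get("PlatformSSO", {}).get("AuthenticationMethod") != "Password":
        problems.append("AuthenticationMethod must be Password for Desktop Password Sync")
    # The extension that performs the sign-in must itself have an associated-domain entry.
    expected_app_id = f"{sso['TeamIdentifier']}.{sso['ExtensionIdentifier']}"
    app_ids = {e["ApplicationIdentifier"] for e in domains["Configuration"]}
    if expected_app_id not in app_ids:
        problems.append(f"no Associated Domains entry for {expected_app_id}")
    # Every associated domain must be authsrv:<the same host the SSO URLs use>.
    for entry in domains["Configuration"]:
        for domain in entry["AssociatedDomains"]:
            scheme, _, host = domain.partition(":")
            if scheme != "authsrv" or host not in hosts:
                problems.append(f"{entry['ApplicationIdentifier']}: {domain!r} does not match the SSO URL host")
    return problems


def to_mobileconfig(sso, domains, identifier="com.example.okta-psso"):
    """Wrap both payloads in a .mobileconfig (XML plist) for inspection; UUIDs are generated."""
    def payload(ptype, content, suffix):
        return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
                "PayloadIdentifier": f"{identifier}.{suffix}", "PayloadDisplayName": suffix, **content}
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
        "PayloadIdentifier": identifier, "PayloadDisplayName": "Okta Platform SSO",
        "PayloadContent": [payload("com.apple.extensiblesso", sso, "sso"),
                           payload("com.apple.associated-domains", domains, "domains")],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    host = "your-org.oktapreview.com"  # placeholder: your Okta tenant host
    sso, dom = build_sso_payload(host), build_associated_domains(host)
    print("problems:", check_consistency(sso, dom) or "none")
    print(to_mobileconfig(sso, dom).decode())
```

The consistency check catches the two mistakes that are easy to make in the settings catalog UI: an authsrv: domain that does not match the host used in the URL list (for instance after copying the preview-tenant example into a production profile), and a missing associated-domain entry for the extension identifier.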

Create device management profiles for Password Sync in Intune
Now we need to configure two Preference file Profiles to deploy the Okta app settings and the Desktop Password Sync client settings, including the client ID.
I have prepared a piece of code here, which can be copied and adapted to your configuration.
Simply save it as a .plist file (okta_mobile.plist in my example) and then select it in the next steps.
{{mail}} is an optional value for OktaVerify.UserPrincipalName.
Please replace https://your-org.oktapreview.com with your Okta tenant URL.
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>{{mail}}</string>
</dict>
</plist>
Sign in to the Microsoft Intune admin center, navigate to Devices section and select
macOS devices.
Click Configuration profiles –> Create, select Templates from the drop-down, click on
Preference file and click the Create button.

Enter a Name for the policy and click Next

Enter:
- com.okta.mobile in the Preference domain name
- Select the Configuration profile file: browse to the .plist file (okta_mobile.plist) you created earlier.

The imported file is shown. You can also remove a file after it’s been added, click Next to continue.

The next step is to assign the policy to your user or device groups, in my example I assign it to All devices.

In the final step just press the Create to finish your configuration.

Now let’s create the second plist profile for our configuration.
You can again use the code snippet below, copying and adapting it to your configuration as described above.
Please replace add-your-client-ID-here with the Client ID found in the Desktop Password Sync app > Authentication tab in your Okta tenant.
And also replace https://your-org.oktapreview.com with your Okta tenant URL.
{{mail}} is an optional value for OktaVerify.UserPrincipalName, which automatically populates the email address in the Sign-In Widget.
If a value isn’t specified, users need to input their username when signing in.
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>{{mail}}</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>add-your-client-ID-here</string>
</dict>
</plist>
In the Microsoft Intune admin center, navigate to Devices section and select
macOS devices.
Click Configuration profiles –> Create, select Templates from the drop-down, click on Preference file and click the Create button.

Enter a Name for the policy and click Next

Enter:
- com.okta.mobile.auth-service-extension in the Preference domain name
- Select the Configuration profile file: browse to the .plist file (okta_extension.plist) you created earlier.

The imported file is shown. You can also remove a file after it’s been added, click Next to continue.

The next step is to assign the policy to your user or device groups, in my example I assign it to All devices.

In the final step just press the Create to finish your configuration.
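Rather than hand-editing the two snippets, the script below, an added example of mine and not code from the original post or from Okta, generates okta_mobile.plist (preference domain com.okta.mobile) and okta_extension.plist (preference domain com.okta.mobile.auth-service-extension) with Python’s plistlib, which writes the full XML plist wrapper for you, and refuses to write them while the org URL is not a bare https URL or the client ID is still the add-your-client-ID-here placeholder. The org URL and the client ID in the main block are constructed placeholders; the key names are the ones used in the two snippets above.

```python
"""Generate and sanity-check the two Intune preference-file plists for Okta
Desktop Password Sync.  Added example; org URL and client ID are placeholders."""
import os
import plistlib
from urllib.parse import urlparse

PLACEHOLDER_CLIENT_ID = "add-your-client-ID-here"           # placeholder used in the post's snippet
EXTENSION_DOMAIN = "com.okta.mobile.auth-service-extension"  # second preference domain


def okta_mobile_prefs(org_url, upn="{{mail}}"):
    """Keys for preference domain com.okta.mobile; the UPN is optional
    ({{mail}} is an Intune variable the post uses to prefill the username)."""
    prefs = {"OktaVerify.OrgUrl": org_url}
    if upn:
        prefs["OktaVerify.UserPrincipalName"] = upn
    return prefs


def okta_extension_prefs(org_url, client_id, upn="{{mail}}"):
    """Keys for the SSO extension's preference domain: the same plus the Client ID."""
    prefs = okta_mobile_prefs(org_url, upn)
    prefs["OktaVerify.PasswordSyncClientID"] = client_id
    return prefs


def validate_prefs(domain, prefs):
    """Return a list of problems; an empty list means the file is ready to upload."""
    problems = []
    url = prefs.get("OktaVerify.OrgUrl", "")
    p = urlparse(url)
    if p.scheme != "https" or not p.netloc:
        problems.append(f"{domain}: OktaVerify.OrgUrl must be an https URL, got {url!r}")
    elif p.path or p.query or p.fragment:
        problems.append(f"{domain}: OktaVerify.OrgUrl must be the bare org URL (no path or trailing slash)")
    if domain == EXTENSION_DOMAIN:
        client_id = prefs.get("OktaVerify.PasswordSyncClientID", "").strip()
        if not client_id or client_id == PLACEHOLDER_CLIENT_ID:
            problems.append(f"{domain}: set OktaVerify.PasswordSyncClientID to the Client ID from the app's Authentication tab")
    for key, value in prefs.items():
        if not isinstance(value, str):
            problems.append(f"{domain}: {key} must be a string")
    return problems


def write_profiles(out_dir, org_url, client_id):
    """Validate, then write both plists as XML; returns {preference domain: path}."""
    files = {
        "com.okta.mobile": ("okta_mobile.plist", okta_mobile_prefs(org_url)),
        EXTENSION_DOMAIN: ("okta_extension.plist", okta_extension_prefs(org_url, client_id)),
    }
    written = {}
    for domain, (name, prefs) in files.items():
        problems = validate_prefs(domain, prefs)
        if problems:
            raise ValueError("; ".join(problems))
        path = os.path.join(out_dir, name)
        with open(path, "wb") as fh:
            plistlib.dump(prefs, fh, fmt=plistlib.FMT_XML, sort_keys=False)
        written[domain] = path
    return written


def read_prefs(path):
    """Load a plist back, i.e. what Intune will import after upload."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


if __name__ == "__main__":
    # Constructed placeholders: replace with your tenant URL and the real Client ID.
    for domain, path in write_profiles(".", "https://your-org.oktapreview.com", "0oa-CONSTRUCTED-EXAMPLE").items():
        print(domain, "->", path, read_prefs(path))
```

Run it once with your real values and upload the two files it writes; if you later rotate the app integration (and therefore the Client ID), regenerating okta_extension.plist this way avoids re-uploading a file with a stale ID.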

We should now have the following configuration profiles created and assigned in the
Microsoft Intune admin center.

And this should then also be reflected on the macOS device in the Profiles section.

Demo Desktop Password Sync
And here is the demo of Okta Device Access Desktop Password Sync on a Microsoft Intune enrolled device.
