
April 2025: Additional app identifier required for the associated domain entry on macOS 15 Sequoia
Introduction
Support for Platform SSO 2.0 is available for macOS computers using Sonoma (14.0) and later.
Platform SSO 2.0 allows Desktop Password Sync to be used directly from the
macOS login window.
In this blog, I will briefly describe the configuration steps required to use Okta Device Access with Platform SSO 2.0.
Prerequisites
Before you start ensure that you meet these requirements:
- Your Okta Identity Engine org is available.
- Okta Desktop Password Sync is configured; all configuration steps are described in the following blog post.
- Your computers are running macOS Sonoma (14.0) or later, so you can implement Platform SSO 2.0.
- Okta Verify 9.19 is deployed to your macOS devices.
- You have a Jamf Pro environment ready with the necessary permissions.
Set up Device Access SCEP certificates
Device Access SCEP certificates are required to use Desktop Password Sync on devices running macOS Sonoma (14.0) and later.
These certificates deploy with your Jamf Pro environment, and are used to grant access to specific API endpoints and to identify the device making the calls.
Configure Okta as a CA for Device Access
In this blog I am covering how to configure Okta as a CA with dynamic SCEP.
In the Okta Admin Console, open Security –> Device Integrations.

Click the Device Access tab, then click Add SCEP configuration.

Select Generic as the Dynamic SCEP URL type and press the Generate button.

Copy the following values; you need them in a later step, when creating the SCEP profile in your Jamf Pro environment:
- SCEP URL
- Challenge URL
- Username
- Password
Save your settings.

Create a dynamic SCEP profile in Jamf Pro
In the Jamf Pro console, go to Computers –> Configuration Profiles and click New to create the profile.

On the General page, enter the following information:
- A name for the profile.
- Optional. Enter a description of the profile.
- Select the appropriate level for the certificate.
Okta Verify uses this certificate to identify managed devices and managed users.
To ensure that all users of the device are managed, you should select Computer Level.

Click SCEP, and then click Configure.

For the SCEP profile, enter the following information:
- Paste the SCEP URL that you copied from the Okta Admin Console in the previous step.
- Enter a name for the SCEP profile.
- Choose a time frame for the profile to be redistributed when its SCEP-issued certificate is the specified number of days from expiring. Okta doesn’t support automatic certificate renewal; the profile must be redistributed to replace the expired certificate.
- Enter an appropriate subject name. For example, if you selected Computer Level, set the subject to indicate the device name, e.g.
CN=$COMPUTERNAME ODA $UDID

- Select Dynamic-Microsoft CA
- Enter the Challenge URL that you copied from the Okta Admin Console in the previous step
- Enter the username
- Enter the password
- Re-enter the password

- As Key Size select 2048
- Select Use as digital signature
- Deselect Allow export from keychain
- Select Allow all apps access
- Save your settings

Now configure the targets that the profile is deployed to. Navigate to the Scope menu:
- Select your Target Computers
- Select your Target Users
- Save your settings

Verify that the Okta CA was installed on your devices
Open Keychain Access on your device and verify that a client certificate and its associated private key exist.

Update your MDM profiles
Using Platform Single Sign-On 2.0 with Okta Desktop Password Sync requires configuration changes to two of your existing device management profiles:
- com.okta.mobile-auth-service-extension profile
- single sign-on extension profile
Update your device management profile
Log in to your Jamf Pro environment and locate the device management profile for the com.okta.mobile-auth-service-extension domain.

Edit the profile and add the following key and value:
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>

If you are creating a new profile, you can use this template; replace the placeholders with your Okta org URL and your Desktop Password Sync client ID.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://replace-with-your-org-URL</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>replace-with-your-client-ID</string>
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>
</dict>
</plist>
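A profile pushed to the whole fleet with a placeholder still in it, or without the new PlatformSSO.ProtocolVersion key, fails quietly at the login window, so it is worth linting the plist before Jamf deploys it. The following check is an added example for this post (not Okta or Jamf code); the two sample plists in it are constructed, and the org URL and client ID in them are made up.

```python
"""Pre-push lint for the com.okta.mobile-auth-service-extension plist.

Added example for this post, not Okta or Jamf code. It flags what breaks Desktop
Password Sync with Platform SSO 2.0: a missing key, a template placeholder left
in, a non-HTTPS org URL, or a PlatformSSO.ProtocolVersion other than "2.0".
"""
import plistlib
from urllib.parse import urlparse

REQUIRED_KEYS = (
    "OktaVerify.OrgUrl",
    "OktaVerify.UserPrincipalName",
    "OktaVerify.PasswordSyncClientID",
    "PlatformSSO.ProtocolVersion",
)


def lint_profile(plist_bytes: bytes) -> list[str]:
    """Return the problems found; an empty list means the profile is ready to push."""
    settings = plistlib.loads(plist_bytes)
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in settings]
    for key, value in settings.items():
        # Values copied from the template and never replaced
        if isinstance(value, str) and "replace-with-your" in value:
            problems.append(f"{key} still holds the template placeholder")
    url = settings.get("OktaVerify.OrgUrl", "")
    parsed = urlparse(url)
    if url and (parsed.scheme != "https" or not parsed.netloc):
        problems.append(f"OktaVerify.OrgUrl must be an https:// org URL, got {url!r}")
    version = settings.get("PlatformSSO.ProtocolVersion")
    if version is not None and version != "2.0":
        problems.append(f'PlatformSSO.ProtocolVersion must be "2.0", got {version!r}')
    return problems


# Constructed sample: the template from the post with its placeholders unreplaced.
TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>OktaVerify.OrgUrl</key><string>https://replace-with-your-org-URL</string>
<key>OktaVerify.UserPrincipalName</key><string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key><string>replace-with-your-client-ID</string>
<key>PlatformSSO.ProtocolVersion</key><string>2.0</string>
</dict></plist>"""

# Constructed sample: an older profile that never got the PlatformSSO.ProtocolVersion key.
OLD_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>OktaVerify.OrgUrl</key><string>https://example.okta.com</string>
<key>OktaVerify.UserPrincipalName</key><string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key><string>0oaEXAMPLEclientid</string>
</dict></plist>"""
```

Run `lint_profile` over the exported plist as a step in whatever pipeline uploads the profile to Jamf Pro; an empty list is the go signal.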
Update your single sign-on extension profile
The next step is to update your existing single sign-on extension profile.
Navigate to the Single-Sign-On Extension payload and set the Use Shared Device Keys setting to Enabled.

Save your profile and push it to your devices.

After Shared Device Keys has been enabled, users receive a notification asking them to update their registration.
This will take the user through the Desktop Password Sync registration process to sync their Okta password to their macOS account.
Let’s take a look at this in the following demo:
- Admin updates the device management profiles in Jamf Pro
- Desktop Password Sync registration process starts again
Demo Password Sync on macOS lock screen
This demo shows the Password Sync functionality on the macOS lock screen.
Demo Password Sync on macOS login screen
This demo shows the Password Sync functionality on the macOS login screen.

We currently have Desktop Password Sync in production with users on Ventura and Sonoma. Will this negatively affect users on Ventura if we deploy the new Platform SSO 2.0 configs to the Macs with Ventura? What will users on Ventura experience if these new settings are pushed out?