Desktop Password Sync meets Platform SSO 2.0 and Kandji

October 2024: The Okta application name changed from “Desktop Password Sync” to “Platform Single Sign-On for macOS”.

April 2025: An additional app identifier is required in the associated-domains entry on macOS 15 Sequoia (the mobileconfig template below has been updated accordingly).

Introduction

Platform SSO 2.0 is supported on macOS Sonoma (14.0) and later. It allows Desktop Password Sync to be used directly from the macOS login window.
In this blog I briefly describe the configuration steps required to use Okta Device Access with Platform SSO 2.0, with Kandji as your MDM solution.

Prerequisites

Before you start, make sure you meet these requirements:

  • Your Okta Identity Engine org is available.
  • Okta Desktop Password Sync with Kandji is already configured; all of those configuration steps are described in the following blog post.
  • Your computers are running macOS Sonoma (14.0) or later, the minimum version for Platform SSO 2.0.
  • Okta Verify 9.39 or later is deployed to your macOS devices.
  • You have a Kandji environment ready, with the necessary permissions.

Set up Device Access SCEP certificates

Device Access SCEP certificates are required to use Desktop Password Sync on devices running macOS Sonoma (14.0) and later.
The certificates are deployed through your Kandji environment; Okta uses them to grant access to specific Device Access API endpoints and to identify the device making the calls.

Configure Okta as a CA for Device Access

In this blog I cover how to configure Okta as a CA with a static SCEP challenge, distributed by Kandji.
In the Okta Admin Console, open Security -> Device Integrations.

Open the Device Access tab and click Add SCEP configuration.

Select Static SCEP URL as the SCEP challenge type and click Generate.

Copy and save the Okta SCEP URL and the Secret key; you will paste both into the Kandji configuration. With a static challenge the Secret key is a shared secret: anyone who has it together with the SCEP URL can request a certificate from the Okta CA, so handle it like a credential and store it only in the Kandji SCEP Library item.

Click Save to finish the configuration.

You should see the new Device Access SCEP configuration.

Kandji SCEP configuration

Kandji’s SCEP Profile feature distributes, and re-distributes, certificates to Apple devices automatically.
Log in to your Kandji tenant before performing the next steps.

  1. Click Library from the left-hand navigation bar. 
  2. Click Add New from the upper right-hand corner.

Select the SCEP option and click Add & Configure.

Give your SCEP Library item a name and select the Blueprint to which you want to deploy the SCEP profile.

Enter the base URL of your SCEP server (the Okta SCEP URL saved above) and the Challenge (the Secret key).
Optionally, enter a display Name and the CA Fingerprint.

Now configure the certificate request:

  1. Subject
  2. Subject Alternative Name Type
  3. Uniform Resource Identifier

and the key:

  1. Key Size
  2. Key Usage
  3. select Allow apps to access the private key, so that Okta Verify can use the key

Save your Library item.

You should now see the SCEP Profile as part of your Blueprint.

Verify that the certificate was installed on the device

Open Keychain Access on the device and verify that a client certificate and its associated private key exist.
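As an added example (not from the original post, and not Okta's or Kandji's code), the following Python script performs the same check from the command line, so it can be run as a Kandji custom script across the fleet instead of opening Keychain Access by hand. It shells out to macOS's built-in security and openssl tools; the parsers are exercised on constructed sample output so the logic can be checked anywhere. SUBJECT_HINT and the certificate names in the sample are assumptions: use the Subject you configured in the SCEP Library item.

```python
"""Added example (not Okta's or Kandji's code): confirm from the command line that
the SCEP-issued Device Access identity, i.e. the certificate together with its
private key, is present in the System keychain and not about to expire.
SUBJECT_HINT and the sample output below are assumptions / constructed data."""
import re
import subprocess
from datetime import datetime, timezone

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"
SUBJECT_HINT = "Device Access"  # assumption: match on the Subject CN you configured in Kandji

# `security find-identity -v` prints one line per identity:  1) <SHA-1> "<common name>"
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"(.+)"\s*$', re.M)
# `openssl x509 -noout -enddate` prints e.g. notAfter=May 30 12:00:00 2026 GMT
ENDDATE_RE = re.compile(r"notAfter=(.+)")


def parse_identities(output: str) -> list:
    """(sha1, common_name) for every identity whose private key is usable (-v lists only those)."""
    return IDENTITY_RE.findall(output)


def find_identity(output: str, subject_hint: str = SUBJECT_HINT):
    """First identity whose name contains the hint, or None if the cert/key pair is missing."""
    for sha1, name in parse_identities(output):
        if subject_hint.lower() in name.lower():
            return sha1, name
    return None


def days_until_expiry(enddate_output: str, now: datetime) -> int:
    """Days left on a certificate given `openssl x509 -enddate` output (negative if expired)."""
    m = ENDDATE_RE.search(enddate_output)
    if not m:
        raise ValueError("no notAfter= line in openssl output")
    not_after = datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
    return (not_after.replace(tzinfo=timezone.utc) - now).days


def check_device(keychain: str = SYSTEM_KEYCHAIN, min_days: int = 30) -> str:
    """Live check on a Mac: returns a one-line verdict suitable for a Kandji script."""
    listing = subprocess.run(["security", "find-identity", "-v", keychain],
                             capture_output=True, text=True, check=True).stdout
    ident = find_identity(listing)
    if ident is None:
        return f"FAIL: no identity (certificate + private key) matching {SUBJECT_HINT!r}"
    sha1, name = ident
    # Export the matching certificate as PEM and let openssl read its validity period.
    pem = subprocess.run(["security", "find-certificate", "-c", name, "-p", keychain],
                         capture_output=True, text=True, check=True).stdout
    enddate = subprocess.run(["openssl", "x509", "-noout", "-enddate"], input=pem,
                             capture_output=True, text=True, check=True).stdout
    left = days_until_expiry(enddate, datetime.now(timezone.utc))
    status = "OK" if left >= min_days else "WARN"
    return f"{status}: {name} ({sha1[:8]}) expires in {left} days"


# Constructed sample output in the format the tools print, for offline use.
SAMPLE_LISTING = """\
  1) 4E2F0C1A9B8D7E6F5A4B3C2D1E0F9A8B7C6D5E4F "Device Access Client"
  2) 0123456789ABCDEF0123456789ABCDEF01234567 "Kandji Device Certificate"
     2 valid identities found
"""
SAMPLE_ENDDATE = "notAfter=May 30 12:00:00 2026 GMT\n"
SAMPLE_NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Offline demonstration on the sample data; call check_device() on a managed Mac instead.
    print(find_identity(SAMPLE_LISTING), days_until_expiry(SAMPLE_ENDDATE, SAMPLE_NOW))
```

On a managed Mac, replace the last line with `print(check_device())` and deploy it as a Kandji custom script; a FAIL line tells you the SCEP profile never produced an identity, a WARN line that re-issuance is due.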

Update your Kandji Library profiles

Using Platform Single Sign-On 2.0 with Okta Desktop Password Sync requires changes to two of your existing device management profiles:

  1. the single sign-on extension profile
  2. the Okta Verify com.okta.mobile.auth-service-extension profile

Platform SSO configuration profile

Log in to your Kandji environment, then locate and open the device management profile for the single sign-on extension configuration.

Edit the Library item.

Scroll down to the Profile Details section and delete the existing profile.

Upload the new profile that contains the Platform SSO 2.0 configuration.

You can use the following mobileconfig template, but adjust it to your tenant address. Every your_tenant_address placeholder must be the same host: the two authsrv: associated domains (one per Okta Verify app identifier) and the two redirect URLs of the extensible SSO payload.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>Configuration</key>
			<array>
				<dict>
					<key>ApplicationIdentifier</key>
					<string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
					<key>AssociatedDomains</key>
					<array>
						<!-- replace with your tenant address -->
						<string>authsrv:your_tenant_address</string>
					</array>
				</dict>
				<dict>
					<key>ApplicationIdentifier</key>
					<string>B7F62B65BN.com.okta.mobile</string>
					<key>AssociatedDomains</key>
					<array>
						<!-- replace with your tenant address -->
						<string>authsrv:your_tenant_address</string>
					</array>
				</dict>
			</array>
			<key>PayloadDisplayName</key>
			<string>Associated Domains for Okta Verify</string>
			<key>PayloadIdentifier</key>
			<string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
			<key>PayloadOrganization</key>
			<string>CUSTOMER NAME</string>
			<key>PayloadType</key>
			<string>com.apple.associated-domains</string>
			<key>PayloadUUID</key>
			<string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>ExtensionIdentifier</key>
			<string>com.okta.mobile.auth-service-extension</string>
			<key>Hosts</key>
			<array/>
			<key>TeamIdentifier</key>
			<string>B7F62B65BN</string>
			<key>PlatformSSO</key>
			<dict>
				<!-- Apple's schema defines AuthenticationMethod inside the PlatformSSO dictionary -->
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>UseSharedDeviceKeys</key>
				<true/>
			</dict>
			<key>Type</key>
			<string>Redirect</string>
			<key>URLs</key>
			<array>
				<!-- replace with your tenant address -->
				<string>https://your_tenant_address/device-access/api/v1/nonce</string>
				<string>https://your_tenant_address/oauth2/v1/token</string>
			</array>
			<key>PayloadDisplayName</key>
			<string>Okta Verify Sign-On Extensions Payload</string>
			<key>PayloadIdentifier</key>
			<string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
			<key>PayloadOrganization</key>
			<string>CUSTOMER NAME</string>
			<key>PayloadType</key>
			<string>com.apple.extensiblesso</string>
			<key>PayloadUUID</key>
			<string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Okta PSSO extension configuration</string>
	<key>PayloadDisplayName</key>
	<string>Okta PSSO extension</string>
	<key>PayloadIdentifier</key>
	<string>com.customer-name.profiles.ssoextension</string>
	<key>PayloadOrganization</key>
	<string>CUSTOMER NAME</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>D78FE406-0C61-4007-8C51-FFA5FDE5F54B</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Save your settings.

Okta Verify configuration profile

The com.okta.mobile.auth-service-extension profile also needs to be updated, so open it.

Edit the Library item.

Scroll down to the Profile Details section and delete the existing profile.

Upload the new profile that contains the Platform SSO 2.0 configuration.

You can use the following mobileconfig template, but adjust it to your Okta tenant address and your Client ID. The OktaVerify.OrgUrl and OktaVerify.PasswordSyncClientID values must be identical in both payloads; the PlatformSSO.ProtocolVersion key in the auth-service-extension payload is the Platform SSO 2.0-specific setting.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>OktaVerify.OrgUrl</key>
			<string>https://your_tenant_address</string>
			<key>OktaVerify.PasswordSyncClientID</key>
			<string>your_Client_ID</string>
			<!-- optional keys -->
			<key>OktaVerify.EnrollmentOptions</key>
			<string>SilentEnrollmentEnabled</string>
			<key>OktaVerify.ReportDiagnostics</key>
			<true/>
			<!-- end of optional keys -->
			<key>PayloadDescription</key>
			<string>Configures Okta Verify settings</string>
			<key>PayloadDisplayName</key>
			<string>Okta Verify configuration</string>
			<key>PayloadIdentifier</key>
			<string>DEB5863A-E503-468C-A3DE-D90479F1E10A</string>
			<key>PayloadOrganization</key>
			<string>CUSTOMER NAME</string>
			<key>PayloadType</key>
			<string>com.okta.mobile</string>
			<key>PayloadUUID</key>
			<string>1D89FEA8-BAFE-42F5-9393-634BE23009D8</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>OktaVerify.OrgUrl</key>
			<string>https://your_tenant_address</string>
			<key>OktaVerify.PasswordSyncClientID</key>
			<string>your_Client_ID</string>
			<key>PayloadDescription</key>
			<string>Configures Okta Verify settings</string>
			<key>PayloadDisplayName</key>
			<string>Okta Verify (auth service) configuration</string>
			<key>PayloadIdentifier</key>
			<string>E5F1356E-3B04-43F7-8E8C-2213F7D74B13</string>
			<key>PayloadOrganization</key>
			<string>CUSTOMER NAME</string>
			<key>PayloadType</key>
			<string>com.okta.mobile.auth-service-extension</string>
			<key>PayloadUUID</key>
			<string>6764E8E4-0A37-4206-96E2-A73B2DFA5673</string>
			<key>PlatformSSO.ProtocolVersion</key>
			<string>2.0</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Configures settings</string>
	<key>PayloadDisplayName</key>
	<string>Okta Verify Configuration</string>
	<key>PayloadIdentifier</key>
	<string>com.customer-name.profiles.oktaverify</string>
	<key>PayloadOrganization</key>
	<string>CUSTOMER NAME</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>9A641D93-471C-44D7-8B54-264E842A12C8</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Save your settings.
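Both templates above must agree on the tenant host, and a mismatch between them is an easy mistake to make when editing plists by hand. The following Python linter is an added example (not from the original post, and not Okta's or Kandji's tooling) that checks the customized profiles before they are uploaded to Kandji: leftover placeholders, PayloadScope, duplicate PayloadUUIDs, that every authsrv: associated domain matches the host of the HTTPS redirect URLs, that AuthenticationMethod is Password inside the PlatformSSO dictionary (where Apple's schema places it), and that both Okta Verify payloads carry the same OrgUrl and Client ID with PlatformSSO.ProtocolVersion 2.0. The host acme.okta.com and client ID 0oaexample in the built-in sample data are made up.

```python
"""Added example (not Okta's or Kandji's code): lint the two Platform SSO
.mobileconfig profiles from this post before uploading them to Kandji. It only
checks the keys the templates use; the host acme.okta.com and client id
0oaexample in the sample data are made up."""
import plistlib
from urllib.parse import urlparse

OKTA_TEAM_ID = "B7F62B65BN"
SSO_EXTENSION = "com.okta.mobile.auth-service-extension"
PLACEHOLDERS = ("your_tenant_address", "your_Client_ID", "CUSTOMER NAME")


def payloads(profile: dict, ptype: str) -> list:
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == ptype]


def common_issues(raw: bytes) -> tuple:
    """Parse the plist and report the problems both profiles can have."""
    issues = [f"placeholder left in template: {p}" for p in PLACEHOLDERS if p in raw.decode("utf-8")]
    profile = plistlib.loads(raw)  # raises on malformed XML, which Kandji would also reject
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in profile.get("PayloadContent", [])]
    issues += [f"duplicate PayloadUUID {u}" for u in set(uuids) if uuids.count(u) > 1]
    if profile.get("PayloadScope") != "System":
        issues.append("PayloadScope must be System")
    return profile, issues


def lint_sso_profile(raw: bytes) -> list:
    """Check the com.apple.extensiblesso + associated-domains profile; returns a list of issues."""
    profile, issues = common_issues(raw)
    sso = payloads(profile, "com.apple.extensiblesso")
    if len(sso) != 1:
        return issues + ["expected exactly one com.apple.extensiblesso payload"]
    sso = sso[0]
    if (sso.get("ExtensionIdentifier"), sso.get("TeamIdentifier")) != (SSO_EXTENSION, OKTA_TEAM_ID):
        issues.append("ExtensionIdentifier/TeamIdentifier do not match Okta Verify")
    if sso.get("Type") != "Redirect":
        issues.append("Type must be Redirect")
    psso = sso.get("PlatformSSO", {})
    if psso.get("AuthenticationMethod") != "Password":
        issues.append("PlatformSSO.AuthenticationMethod must be Password for Desktop Password Sync")
    if psso.get("UseSharedDeviceKeys") is not True:
        issues.append("PlatformSSO.UseSharedDeviceKeys should be true")
    hosts = set()
    for url in sso.get("URLs", []):
        u = urlparse(url)
        if u.scheme != "https":
            issues.append(f"non-HTTPS redirect URL: {url}")
        hosts.add(u.hostname)
    if len(hosts) != 1:
        issues.append(f"redirect URLs must share one tenant host, got {sorted(map(str, hosts))}")
    # Each associated-domains entry must be authsrv:<tenant host> for an Okta Verify app id.
    for ad in payloads(profile, "com.apple.associated-domains"):
        for entry in ad.get("Configuration", []):
            app = entry.get("ApplicationIdentifier", "")
            if not app.startswith(OKTA_TEAM_ID + ".com.okta.mobile"):
                issues.append(f"unexpected ApplicationIdentifier {app}")
            for dom in entry.get("AssociatedDomains", []):
                svc, _, host = dom.partition(":")
                if svc != "authsrv" or host not in hosts:
                    issues.append(f"associated domain {dom} does not match the redirect URL host")
    return issues


def lint_verify_profile(raw: bytes) -> list:
    """Check the Okta Verify app / auth-service-extension settings profile; returns a list of issues."""
    profile, issues = common_issues(raw)
    app, ext = payloads(profile, "com.okta.mobile"), payloads(profile, SSO_EXTENSION)
    if len(app) != 1 or len(ext) != 1:
        return issues + ["expected one com.okta.mobile and one auth-service-extension payload"]
    app, ext = app[0], ext[0]
    for key in ("OktaVerify.OrgUrl", "OktaVerify.PasswordSyncClientID"):
        if not app.get(key) or app.get(key) != ext.get(key):
            issues.append(f"{key} missing or differs between the two payloads")
    if urlparse(app.get("OktaVerify.OrgUrl", "")).scheme != "https":
        issues.append("OktaVerify.OrgUrl must be an https:// URL")
    if ext.get("PlatformSSO.ProtocolVersion") != "2.0":
        issues.append("PlatformSSO.ProtocolVersion must be 2.0")
    return issues


def sample_profiles(host: str = "acme.okta.com", client_id: str = "0oaexample") -> tuple:
    """Constructed, minimal versions of the two templates (sample data, not a real tenant)."""
    sso = {"PayloadScope": "System", "PayloadUUID": "A-1", "PayloadContent": [
        {"PayloadType": "com.apple.associated-domains", "PayloadUUID": "A-2", "Configuration": [
            {"ApplicationIdentifier": f"{OKTA_TEAM_ID}.com.okta.mobile", "AssociatedDomains": [f"authsrv:{host}"]}]},
        {"PayloadType": "com.apple.extensiblesso", "PayloadUUID": "A-3", "Type": "Redirect",
         "ExtensionIdentifier": SSO_EXTENSION, "TeamIdentifier": OKTA_TEAM_ID,
         "PlatformSSO": {"AuthenticationMethod": "Password", "UseSharedDeviceKeys": True},
         "URLs": [f"https://{host}/device-access/api/v1/nonce", f"https://{host}/oauth2/v1/token"]}]}
    verify = {"PayloadScope": "System", "PayloadUUID": "B-1", "PayloadContent": [
        {"PayloadType": "com.okta.mobile", "PayloadUUID": "B-2",
         "OktaVerify.OrgUrl": f"https://{host}", "OktaVerify.PasswordSyncClientID": client_id},
        {"PayloadType": SSO_EXTENSION, "PayloadUUID": "B-3", "PlatformSSO.ProtocolVersion": "2.0",
         "OktaVerify.OrgUrl": f"https://{host}", "OktaVerify.PasswordSyncClientID": client_id}]}
    return plistlib.dumps(sso), plistlib.dumps(verify)


if __name__ == "__main__":
    import sys  # usage: python lint_psso.py okta-psso.mobileconfig okta-verify.mobileconfig
    raws = [open(p, "rb").read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else sample_profiles()
    for name, lint, raw in (("SSO", lint_sso_profile, raws[0]), ("Okta Verify", lint_verify_profile, raws[1])):
        print(f"{name} profile:", lint(raw) or "OK")
```

Run it with the paths of the two customized .mobileconfig files as arguments; with no arguments it lints the built-in sample. An empty list means the profile passed every check.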

After the profiles have been updated, users receive a notification asking them to update their registration.
This takes the user through the Desktop Password Sync registration process, which syncs their Okta password to their local macOS account.

Demo Password Sync on macOS lock screen

This demo shows the Password Sync functionality on the macOS lock screen of a Kandji-enrolled device.
