Just in Time Account Creation for macOS with Jamf Pro

April 2025: Additional app identifier required for the associated domain entry on macOS 15 Sequoia

Introduction to Just-in-Time Local Account Creation on macOS with Okta

Just-in-Time (JIT) local account creation is a powerful feature that enables users to create a local account on a macOS device directly from the login window, using their Okta credentials.
By leveraging their Okta username and password, users can seamlessly create accounts without requiring prior setup. This feature is especially valuable for environments with shared devices or workstations, allowing any Okta user within an organization’s tenant to quickly gain access.

The process is simplified for administrators as well, offering an efficient method to provision user accounts on macOS systems.
JIT local account creation is built on Apple’s Shared Device Keys framework, which integrates with the Platform Single Sign-On (SSO) infrastructure.
This alignment with Apple’s identity framework ensures secure, streamlined authentication while reducing the administrative burden associated with manual user account setup.

Requirements for Implementing Just-in-Time Local Account Creation with Okta on macOS

To successfully implement Just-in-Time (JIT) local account creation on macOS using Okta, the following requirements must be in place:

  1. Okta Identity Engine (OIE) Organization:
    • Your organization must be operating on the Okta Identity Engine (OIE), which is essential for enabling advanced features like Just-in-Time account creation.
  2. Desktop Access SKU:
    • The Desktop Access SKU must be enabled in your OIE org. This SKU grants the necessary permissions and functionalities to manage device authentication and account provisioning on macOS.
  3. Platform Single Sign-on (Desktop Password Sync) Configuration:
    • Platform Single Sign-on (Desktop Password Sync) must be configured to ensure that users can log in with their Okta credentials. Detailed configuration steps can be found in the relevant blog post or documentation, ensuring proper sync between Okta and macOS systems.
  4. Jamf Pro Environment:
    • A Jamf Pro environment should be set up and operational, with the necessary administrative permissions configured. Jamf Pro is critical for deploying MDM profiles and managing macOS devices.
  5. Okta Verify:
    • Okta Verify version 9.27 or higher must be installed on all macOS devices.
  6. macOS Version:
    • The computer must be running macOS 14.0 (Sonoma) or later.
      JIT local account creation and related features are supported only on this version and above, ensuring compatibility with Apple’s latest security and identity management frameworks.
  7. Device Enrollment in Jamf Pro:
    • The device should be enrolled in Jamf Pro, with Bootstrap tokens enabled. Bootstrap tokens are essential for securing the device enrollment process and supporting Single Sign-On (SSO) features.
  8. Setup Assistant Completion:
    • The device’s Setup Assistant must be completed, and an initial local administrator account created. This ensures that the device is fully configured and ready for user account creation.
  9. Platform SSO MDM Profiles:
    • Platform Single Sign-On (SSO) MDM profiles must be deployed to the device. These profiles allow Okta to integrate with Apple’s identity framework, supporting seamless user authentication and local account provisioning.

Ensuring that these requirements are met will provide a secure and efficient setup for
Just-in-Time local account creation, allowing users to authenticate and create accounts directly on macOS devices using their Okta credentials.

Enable JIT provisioning in the Admin Console

In the Admin Console, go to Settings > Features.

Locate Just-In-Time Local Account Creation for macOS, and click the toggle to enable the feature.

Add custom attributes to Platform SSO app

Check that the Okta username is in an email format and that it is also supported by macOS; some characters, such as +, are not supported.
Ensure that the Okta user’s first name and last name are populated and not set to null, because the macOS account details are sourced from this information.

If the first and last name attributes are null, you must create a custom attribute for username mapping.

To do that, in the Admin Console, go to Directory > Profile Editor.
Open the Platform Single Sign-On for macOS or Desktop Password Sync Profile Editor.

Click +Add Attribute

Enter the necessary values in the DisplayName and Description fields. Make sure to set the Variable name to macOSAccountUsername. Leave the remaining fields unchanged, then click Save to finalize the configuration.

Repeat the same steps to create another variable, this time for macOSAccountFullName.
Note: If either macOSAccountUsername or macOSAccountFullName is not set, the system will default to a predefined value.

After creating the variables, click on the Mappings button in the same tab to continue.

Click on the Okta User to Platform Single Sign-On for macOS or Okta user to Desktop Password Sync tab.
Set the mapping for each of the newly created variables.
In my example, I am setting the macOSAccountUsername to the Okta user’s email.
Click on Save Mappings.

And click on Apply updates now.
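Before enabling the feature, it is worth running a pre-flight check over the Okta users who will sign in at the login window: the username must be in email format and free of characters macOS does not accept (such as +), and first and last name must not be null, since the macOSAccountUsername and macOSAccountFullName mappings above are built from them. The script below is an added example, not part of the original post or of Okta’s tooling; the user records are constructed sample data, and the set of characters treated as safe for an account name is a conservative assumption.

```python
import re

# Constructed sample of Okta user profiles (hypothetical data, shaped like the
# profile fields returned by the Okta Users API).
SAMPLE_USERS = [
    {"login": "jane.doe@example.com", "firstName": "Jane", "lastName": "Doe"},
    {"login": "bob+lab@example.com", "firstName": "Bob", "lastName": "Smith"},
    {"login": "svc.account", "firstName": None, "lastName": None},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed conservative safe set for a macOS account name; the post only states
# that some characters, such as "+", are unsupported.
ACCOUNT_NAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")


def check_user(user):
    """Return the problems that would block JIT account creation for this user."""
    problems = []
    login = user.get("login") or ""
    if not EMAIL_RE.match(login):
        problems.append("login is not in email format")
    if "+" in login:
        problems.append("login contains '+', which macOS account names do not support")
    elif not ACCOUNT_NAME_RE.match(login):
        problems.append("login contains characters outside the assumed safe set")
    for attr in ("firstName", "lastName"):
        if not user.get(attr):
            problems.append(f"{attr} is null or empty")
    return problems


def map_attributes(user):
    """Mirror the mapping from the post: account name = email, full name = first + last."""
    return {
        "macOSAccountUsername": user["login"],
        "macOSAccountFullName": f"{user['firstName']} {user['lastName']}",
    }


def preflight(users):
    """Split users into (ready mappings, {login: problems}) before the rollout."""
    ready, blocked = [], {}
    for user in users:
        problems = check_user(user)
        if problems:
            blocked[user.get("login") or "<missing login>"] = problems
        else:
            ready.append(map_attributes(user))
    return ready, blocked


if __name__ == "__main__":
    ready, blocked = preflight(SAMPLE_USERS)
    for entry in ready:
        print("OK ", entry)
    for login, problems in blocked.items():
        print("FIX", login, "->", "; ".join(problems))
```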

Set up Device Access SCEP certificates

Device Access SCEP certificates are required to use PlatformSSO on devices running macOS Sonoma (14.0) and later.
These certificates deploy with your Jamf Pro environment, and are used to grant access to specific API endpoints and to identify the device making the calls.

Configure Okta as a CA for Device Access

In this section I am covering how to configure Okta as a CA with dynamic SCEP.
In the Okta Admin Console, open Security > Device Integrations.

Click the Device Access tab and click on the Add SCEP configuration.

Select Generic as the Dynamic SCEP URL type and press the Generate button.

Copy the following values, as you need them in a later step when creating the SCEP profile in your Jamf Pro environment:

  1. SCEP URL
  2. Challenge URL
  3. Username
  4. Password

Then save your settings.

Create a dynamic SCEP profile in Jamf Pro

In the Jamf Pro console, go to Computers > Configuration Profiles and click New to create the new profile.

On the General page, enter the following information:

  1. Enter a name for the profile.
  2. Optional. Enter a description of the profile.
  3. Select the appropriate level for the certificate.
    Okta Verify uses this certificate to identify managed devices and managed users.
    To ensure that all users of the device are managed, you should select Computer Level.

Click SCEP, and then click Configure.

For the SCEP profile, enter the following information:

  1. Paste the SCEP URL that you copied from the Okta Admin Console in the previous step.
  2. Enter a name for the SCEP profile.
  3. Choose a time frame for the profile to be redistributed when its SCEP-issued certificate is the specified number of days from expiring.
    Okta doesn’t support automatic certificate renewal.
    The profile must be redistributed to replace the expired certificate.
  4. Enter an appropriate subject name. For example, if you selected Computer Level, set the subject to indicate the device name, e.g.
    CN=$COMPUTERNAME ODA $UDID
  5. Select Dynamic-Microsoft CA.
  6. Enter the Challenge URL that you copied from the Okta Admin Console in the previous step.
  7. Enter the username.
  8. Enter the password.
  9. Re-enter the password.
  10. As Key Size select 2048.
  11. Select Use as digital signature.
  12. Deselect Allow export from keychain.
  13. Select Allow all apps access.
  14. Save your settings.

Now configure the targets that the profile will be deployed to. Navigate to the Scope menu:

  1. Select your Target Computers
  2. Select your Target Users
  3. Save your settings

Verify that the Okta CA was installed on your devices

Open Keychain Access on your device to verify that a client certificate and its associated private key exist.

Configure PlatformSSO MDM profile in Jamf Pro

In this section, we will cover the steps to configure a Platform Single Sign-On (SSO) MDM profile with Just-in-Time (JIT) account creation support within a Jamf Pro environment.
This configuration enables seamless integration between Okta and macOS devices, allowing users to authenticate and create local accounts using their Okta credentials.
We’ll walk through how to set up the MDM profile to ensure proper support for JIT account creation, streamlining user onboarding and device management.

In the Jamf Pro console, navigate to Computers > Configuration Profiles.

Click + New.
Click the Options tab.
Click on the General tab and enter a name for this profile, e.g.: Okta PSSO

Scroll down, click on Single Sign-On Extensions and click + Add to add a new extension.

Set the following parameters:

  • Payload type: SSO
  • Extension identifier: com.okta.mobile.auth-service-extension
  • Team identifier: B7F62B65BN
  • Sign-on type: Redirect

Under URLs, enter a URL with the following format (for your own Okta org):
https://<<your-org>>.oktapreview.com/device-access/api/v1/nonce
Click on + Add to add a second URL and set it to:
https://<<your-org>>.oktapreview.com/oauth2/v1/token
Replace https://<<your-org>>.oktapreview.com with your Okta org URL.

Set these parameters:

  • Use Platform SSO: Include
  • Authentication method: Password

Enable

  • Use Shared Device Keys
  • Create New User at Login

Registration Token must be populated, but its value isn’t used, because the SCEP certificate is used in place of the Registration Token; set it to a random value.

  • Configure the User Mapping settings
    • Set macOSAccountUsername as the AccountName
    • Use macOSAccountFullName as the FullName

In the sidebar of the window, scroll up to Associated Domains and click Configure.

Click + Add and put the following in the App Identifier box (one entry for each):
B7F62B65BN.com.okta.mobile.auth-service-extension and B7F62B65BN.com.okta.mobile

In the Associated Domain box, you will need to add your Okta org URL with
authsrv: preceding the URL. e.g.: authsrv:<<your-org>>.oktapreview.com
Click Save.

Now navigate to Applications & Custom Settings > Upload and click on the + Add button.

Enter com.okta.mobile for the first preference domain.
Copy the following XML and enter it in the property list:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Your Okta org URL -->
    <key>OktaVerify.OrgUrl</key>
    <string>https://your-org.oktapreview.com</string>
    <!-- Optional: pre-fills the username in the Sign-In Widget -->
    <key>OktaVerify.UserPrincipalName</key>
    <string>$USERNAME</string>
    <!-- Client ID from the Desktop Password Sync app > Sign on tab -->
    <key>OktaVerify.PasswordSyncClientID</key>
    <string>CLIENTID</string>
</dict>
</plist>

Replace https://your-org.oktapreview.com with your org URL, and replace CLIENTID with the client ID found in the Desktop Password Sync app > Sign on tab in your Okta tenant.

$USERNAME is an optional value for OktaVerify.UserPrincipalName, which automatically populates the username in the Sign-In Widget. If a value isn’t specified, users need to input their username when logging in.

In the next step click on the + Add button again to add another preference domain.
Enter com.okta.mobile.auth-service-extension for the second one.

Copy the following XML and enter it in the second property list:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Your Okta org URL -->
    <key>OktaVerify.OrgUrl</key>
    <string>https://your-org.oktapreview.com</string>
    <!-- Optional: pre-fills the username in the Sign-In Widget -->
    <key>OktaVerify.UserPrincipalName</key>
    <string>$USERNAME</string>
    <!-- Client ID from the Desktop Password Sync app > Sign on tab -->
    <key>OktaVerify.PasswordSyncClientID</key>
    <string>CLIENTID</string>
    <!-- Platform SSO protocol version used by the auth service extension -->
    <key>PlatformSSO.ProtocolVersion</key>
    <string>2.0</string>
</dict>
</plist>

Replace https://your-org.oktapreview.com with your org URL, and replace CLIENTID with the client ID found in the Desktop Password Sync app > Sign on tab in your Okta tenant.

Navigate to the Scope section and distribute the profile to your devices.

Preparing the macOS Device for User Enrollment

Once all configuration steps are completed and the prerequisites are in place, the IT administrator needs to perform the following actions on the device:

Sign in to the computer using the administrator account.

The device will undergo silent registration using the SCEP certificate to authenticate its identity and enroll the PlatformSSO keys.

To verify successful registration:

  • Look for the Registration Required notification, prompting the user to sign in with their credentials

or

  • Open Terminal and run the command: app-sso platform -s
    If the registration is successful, the output will display Device Configuration and
    Login Configuration details awaiting completion.

You can verify these steps in the Okta System Log, which should show that the new device was successfully enrolled and then activated.

At this point, avoid completing the device registration process, as doing so will enroll the administrator account into Okta FastPass.
The final registration should be left for the end user who the device is being provisioned for to ensure proper enrollment.

Follow these steps to ensure the device is properly set up:

  1. Check for Duplicate User Accounts:
    • On the macOS device, go to System Settings > Users & Groups and verify there are no duplicate user accounts with similar names (e.g., j.work and ja.work).
    • If duplicate accounts are present, remove the unnecessary accounts and delete their associated home directories from the /Users/ folder.
  2. Configure Login Window Settings:
    • Open System Settings > Lock Screen and set When Switching User > Login window shows > Name and Password.
    • This ensures the login window displays the username field, allowing users to enter their credentials.

Once these steps are completed, the device is ready to be handed off to the end user for final setup.

Demo Just-in-Time Local Account Creation

In this demo, we’ll walk through the process of Just-in-Time (JIT) local account creation using Okta on a macOS device.
You’ll see how users can seamlessly create local accounts directly from the macOS login window using their Okta credentials.
This demonstration highlights how the feature simplifies onboarding and device provisioning, ensuring a smooth, secure user experience in shared or multi-user environments.

Conclusion and Benefits of Just-in-Time Local Account Creation on macOS with Okta

Just-in-Time (JIT) local account creation on macOS with Okta offers a streamlined, efficient solution for both users and administrators.
By allowing users to create accounts at the login window using their Okta credentials, this feature simplifies the process of accessing macOS devices, particularly in shared environments.
It leverages Apple’s Shared Device Keys and Platform Single Sign-On, ensuring security and seamless integration with existing identity management frameworks.

Benefits of JIT Local Account Creation:

  1. Simplified User Onboarding: Users can quickly create accounts on macOS devices without pre-configured profiles, reducing administrative overhead.
  2. Improved Security: By using Okta credentials and Apple’s identity framework, organizations ensure secure authentication and account creation.
  3. Ideal for Shared Devices: Perfect for environments where multiple users share devices, enabling any Okta user to log in and create their account in real-time.
  4. Reduced Admin Effort: Automating account creation means less manual intervention, freeing up IT resources for more critical tasks.
  5. Seamless Integration: JIT leverages Apple’s SSO framework, ensuring a smooth experience for both users and admins.

This feature is a valuable addition for organizations looking to optimize user access while maintaining strong security and reducing the complexity of account management.
