
April 2025: Additional app identifier required for the associated domain entry on macOS 15 Sequoia
Introduction to Just-in-Time Local Account Creation on macOS with Okta
Just-in-Time (JIT) local account creation is a powerful feature that enables users to create a local account on a macOS device directly from the login window, using their Okta credentials.
By leveraging their Okta username and password, users can seamlessly create accounts without requiring prior setup. This feature is especially valuable for environments with shared devices or workstations, allowing any Okta user within an organization’s tenant to quickly gain access.
The process is simplified for administrators as well, offering an efficient method to provision user accounts on macOS systems.
JIT local account creation is built on Apple’s Shared Device Keys framework, which integrates with the Platform Single Sign-On (SSO) infrastructure.
This alignment with Apple’s identity framework ensures secure, streamlined authentication while reducing the administrative burden associated with manual user account setup.
Requirements for Implementing Just-in-Time Local Account Creation with Okta on macOS
To successfully implement Just-in-Time (JIT) local account creation on macOS using Okta, the following requirements must be in place:
- Okta Identity Engine (OIE) Organization:
  - Your organization must be operating on the Okta Identity Engine (OIE), which is essential for enabling advanced features like Just-in-Time account creation.
- Desktop Access SKU:
  - The Desktop Access SKU must be enabled in your OIE org. This SKU grants the necessary permissions and functionalities to manage device authentication and account provisioning on macOS.
- Platform Single Sign-on (Desktop Password Sync) Configuration:
  - Platform Single Sign-on (Desktop Password Sync) must be configured to ensure that users can log in with their Okta credentials. Detailed configuration steps can be found in the relevant blog post (blog 2) or documentation, ensuring proper sync between Okta and macOS systems.
- Microsoft Intune Environment:
  - A Microsoft Intune environment should be set up and operational, with the necessary administrative permissions configured. Microsoft Intune is critical for deploying MDM profiles and managing macOS devices.
- Okta Verify:
  - Okta Verify version 9.27 or higher must be installed on all macOS devices.
- macOS Version:
  - The computer must be running macOS 14.0 (Sonoma) or later. JIT local account creation and related features are supported only on this version and above, ensuring compatibility with Apple’s latest security and identity management frameworks.
- Device Enrollment in Microsoft Intune:
  - The device should be enrolled in Microsoft Intune, with Bootstrap tokens enabled. Bootstrap tokens are essential for securing the device enrollment process and supporting Single Sign-On (SSO) features.
- Setup Assistant Completion:
  - The device’s Setup Assistant must be completed, and an initial local administrator account created. This ensures that the device is fully configured and ready for user account creation.
- Platform SSO MDM Profiles:
  - Platform Single Sign-On (SSO) MDM profiles must be deployed to the device. These profiles allow Okta to integrate with Apple’s identity framework, supporting seamless user authentication and local account provisioning.
Ensuring that these requirements are met will provide a secure and efficient setup for Just-in-Time local account creation, allowing users to authenticate and create accounts directly on macOS devices using their Okta credentials.
Enable JIT provisioning in the Admin Console
In the Admin Console, go to Settings > Features.

Locate Just-In-Time Local Account Creation for macOS, and click the toggle to enable the feature.

Add custom attributes to Platform SSO app
Check that the Okta username is in email format and is also a valid macOS account name; some characters, such as +, are not supported by macOS.
Ensure that the Okta user’s first name and last name are populated, and not set to null.
The macOS account details are sourced from this information.
If the first and last name attributes are null, you must create a custom attribute for username mapping.
To do that, in the Admin Console, go to Directory > Profile Editor.
Open the Platform Single Sign-On for macOS or Desktop Password Sync Profile Editor.

Click +Add Attribute.

Enter the necessary values in the DisplayName and Description fields. Make sure to set the Variable name to macOSAccountUsername. Leave the remaining fields unchanged, then click Save to finalize the configuration.

Repeat the same steps to create another variable, this time for macOSAccountFullName.
Note: If either macOSAccountUsername or macOSAccountFullName is not set, the system will default to a predefined value.
After creating the variables, click on the Mappings button in the same tab to continue.

Click on the Okta User to Platform Single Sign-On for macOS or Okta user to Desktop Password Sync tab.
Set a mapping for each of the newly created variables.
In my example, I am setting the macOSAccountUsername to the Okta user’s email.
Click on Save Mappings.

And click on Apply updates now.
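As an added example (not part of the original post), the following Python check covers the profile prerequisites above: an email-format login that macOS accepts as an account name, and non-null first and last names, returning the values the macOSAccountUsername and macOSAccountFullName mappings would produce. The character allow-list for macOS account names is an assumption, since the post only states that some characters such as + are unsupported.

```python
import re

# Allow-list for macOS local account names. The post only states that some
# characters such as "+" are unsupported, so this conservative set (letters,
# digits, dot, underscore, hyphen and the @ of an email login) is an assumption.
ACCOUNT_NAME_ALLOWED = re.compile(r"[A-Za-z0-9._@-]")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_jit_profile(profile):
    """Check an Okta user profile (dict with login, firstName, lastName) against
    the JIT prerequisites: the login must be in email format and usable as a
    macOS account name, and firstName/lastName must not be null.
    Returns the derived macOSAccountUsername / macOSAccountFullName values and
    a list of problems (an empty list means the user is ready for JIT creation)."""
    problems = []
    login = profile.get("login") or ""
    if not EMAIL_RE.match(login):
        problems.append("login is not in email format")
    unsupported = sorted({c for c in login if not ACCOUNT_NAME_ALLOWED.fullmatch(c)})
    if unsupported:
        problems.append("login contains characters macOS does not accept: " + "".join(unsupported))
    first = profile.get("firstName")
    last = profile.get("lastName")
    if not first or not last:
        problems.append("firstName or lastName is null; map macOSAccountFullName explicitly")
    # The post maps macOSAccountUsername to the user's email, which in most
    # tenants equals the login, so the login is used as the account name here.
    full_name = f"{first} {last}" if first and last else None
    return {
        "ok": not problems,
        "problems": problems,
        "macOSAccountUsername": login if not problems else None,
        "macOSAccountFullName": full_name,
    }


if __name__ == "__main__":
    # Constructed sample profiles, not real users.
    for sample in ({"login": "j.work@example.com", "firstName": "Jane", "lastName": "Work"},
                   {"login": "j.work+mac@example.com", "firstName": None, "lastName": "Work"}):
        print(check_jit_profile(sample))
```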

Set up Device Access SCEP certificates
Device Access SCEP certificates are required to use Platform SSO on devices running macOS Sonoma (14.0) and later.
These certificates deploy with your Microsoft Intune environment, and are used to grant access to specific API endpoints and to identify the device making the calls.
Configure Okta as a CA with delegated SCEP challenge for Microsoft Intune
In this blog I am covering how to configure Okta as a CA with delegated SCEP for macOS.
Register the AAD app credentials for Okta in Microsoft Entra
In Microsoft Entra admin center, click App registrations, click + New registration.

On the Register an application page, enter the following:
- Name: Enter a name for the application.
- Supported account types: Select the appropriate supported account type. Okta tested with Accounts in this organizational directory only ([Your_Tenant_Name] only – Single tenant) selected.
- Click Register

On the app page under Essentials, copy and make a note of the Application (client) ID.

Now we need to add a client secret. In the left pane:
- Click Certificates & secrets.
- Under Client secrets, click + New client secret.
- Description: Optional. Enter a description for the client secret.
- Expires: Select an expiration time period.
- Click Add.

The secret appears under Client secrets; copy and make a note of the Value.

Set the Intune scep_challenge_provider permissions
In the next step we need to configure the Intune scep_challenge_provider permissions.
- In the left pane, click API permissions.
- In the Request API permissions section, scroll down, and then click Intune.

Under What type of permissions does your application require?, click Application permissions.
In the Select permissions search field, enter scep, and then select the scep_challenge_provider checkbox.
Click Add permissions to finish the configuration.

In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].

Click Yes in the message that appears.

You should see the following output.

Set the Microsoft Graph Application.Read.All permissions
Click + Add a permission.
In the Request API permissions section, click Microsoft Graph.

Under What type of permissions does your application require?, click Application permissions.
In the Select permissions search field, enter application, expand Application, and then select the Application.Read.All checkbox.
Click Add permissions.

In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].
Click Yes in the message that appears.

The API permissions should look like this.

Generate a SCEP URL in Okta
In the Okta Admin Console, go to Security –> Device integrations.

Click the Device Access tab and click Add SCEP configuration.

SCEP URL challenge type: Select Dynamic SCEP URL, and then select Microsoft Intune (delegated SCEP).
Enter the values that you copied from Microsoft Azure into the following fields:
- AAD client ID: Enter the value you copied from the previous tasks.
- AAD tenant: Enter your AAD tenant name followed by .onMicrosoft.com.
- AAD secret: Enter the secret Value you copied from previous tasks.

Copy and save the Okta SCEP URL. You will paste the URL in the Microsoft Intune admin center in a later step.

Review and Save the configuration.

Download the x509 certificate from Okta
Click the Certificate authority tab and click the Download x509 certificate icon.

Rename the downloaded file, so that it includes a .cer extension.

Create a Trusted Certificate profile in Microsoft Intune
In the Microsoft Intune admin center:
- Go to Devices
- Click Configuration profiles
- Click + Create profile
- Platform: Select macOS
- Profile type: Select Templates
- In the Template name section, click Trusted certificate
- Click Create

On the Trusted certificate page Basics tab, do the following:
- Name: Enter a name for the certificate
- Description: Optional. Enter a description for the certificate.
- Click Next

On the Trusted certificate page Configuration settings tab, under Certificate file, select the x509 certificate (CER file) that you downloaded from Okta.

Click Next after the certificate has been uploaded.

Assign the profile to your desired groups.

Review and create the profile.

Verify that the profile was successfully created.

Create a SCEP profile in Intune
Navigate to:
- Devices
- Click Configuration profiles
- Click + Create profile
- Platform: Select macOS
- Profile type: Select Templates
- In the Template name section, click SCEP certificate
- Click Create

On the SCEP certificate page Basics tab, do the following:
- Name: Enter a name for the certificate
- Description: Optional. Enter a description for the certificate.
- Click Next

On the SCEP certificate page Configuration settings tab, do the following:
- Certificate type: Select User
- Subject name format: Enter a subject name, for example CN={{UserPrincipalName}} ODA {{DeviceId}}
- Certificate validity period: Select Years in the list, and then enter 1 in the next field.
- Key usage: Select Digital signature.
- Key size (bits): Select 2048
- Root Certificate: Click + Root Certificate and select the trusted certificate that you created earlier.
- Click OK

Continue with the setup:
- Under Extended key usage, set Predefined values to Client Authentication
- SCEP Server URLs: Enter the SCEP URL you generated in Okta earlier.
- Allow all apps access to private key: Select Enable
- Click Next.

Also assign this profile to your desired groups.

Review and create the profile.

Verify that the profile was successfully created.

Verify the certificate installation on a macOS device
On a macOS device managed by Microsoft Intune, open Keychain Access and check the login keychain to verify that a client certificate and its associated private key exist.

Configure Platform SSO MDM profile in Microsoft Intune
In this section, we will cover the steps to configure a Platform Single Sign-On (SSO) MDM profile with Just-in-Time (JIT) account creation support within a Microsoft Intune environment.
This configuration enables seamless integration between Okta and macOS devices, allowing users to authenticate and create local accounts using their Okta credentials.
We’ll walk through how to set up the MDM profile to ensure proper support for JIT account creation, streamlining user onboarding and device management.
Configure single sign-on extension profile for Platform SSO in Intune
Let’s start with the Settings catalog profile to configure the Extensible SSO settings.
In the Microsoft Intune admin center, navigate to the Devices section and select macOS devices.
Click Configuration profiles –> Create, select Settings catalog from the drop-down and click the Create button.

Enter a Name for the policy and click Next.

Within the Configuration settings, click on the +Add settings button to continue.

Select and configure the settings as described:
- type in SSO
- press the Search button
- select Authentication > Extensible Single Sign On (SSO)
- select Extension Identifier
- select Platform SSO
- select Registration Token
- select Team Identifier
- select Type
- select URLs

Within the Platform SSO section:
- select Account Display Name
- select Authentication Method
- select Enable Create User At Login

Scroll down and:
- select Token To User Mapping
- select Account Name
- select Full Name
- select Use Shared Device Keys

Still in the Settings picker click on the App Management > Associated Domains settings and click Select all these settings to add these configuration settings as well.

Configure Associated Domains settings
To configure Associated Domains settings:
- Click on Edit instance in the Associated Domains menu
- Application Identifier: B7F62B65BN.com.okta.mobile.auth-service-extension
- Associated Domain: your Okta org URL with authsrv: preceding the URL, for example, authsrv:your-org.oktapreview.com
- Click Save

Repeat the configuration for the second Associated Domain
- Type in the Application Identifier : B7F62B65BN.com.okta.mobile
- In the Associated Domain field type in your Okta org URL with authsrv: preceding the URL, for example, authsrv:your-org.oktapreview.com
- Click Save

The configuration should look like this.

Configure Extensible Single Sign On (SSO) settings
Continue with the Extensible Single Sign On (SSO) settings:
- Extension identifier: com.okta.mobile.auth-service-extension
- Account Display Name: Type in a Display Name (e.g. Okta SSO)
- Authentication method: Password
- Enable Create User At Login
- Set macOSAccountUsername as the Account Name
- Set macOSAccountFullName as the Full Name
- Enable Use Shared Device Keys
- Registration Token: Enter any placeholder value. The field must be populated, but it is not used, because the SCEP certificate takes the place of the Registration Token.

Scroll down and continue the configuration:
- Team identifier: B7F62B65BN
- Type: Select Redirect
- URL: https://your-org.oktapreview.com/device-access/api/v1/nonce
- URL: https://your-org.oktapreview.com/oauth2/v1/token
Replace your-org.oktapreview.com with your Okta tenant URL in both URLs.

The next step is to assign the policy to your user or device groups, in my example I assign it to All devices.

In the final step, press Create to finish your configuration.

Create device management profiles for Platform SSO in Intune
Now we need to configure two Preference file profiles to deploy the Okta app settings and the Platform SSO client settings, including the client ID.
I have prepared a piece of code here, which can be copied and adapted to your configuration.
Simply save it in a .plist file and then select it in the next steps.
{{mail}} is an optional value for OktaVerify.UserPrincipalName.
Please replace https://your-org.oktapreview.com with your Okta tenant URL.
<plist version="1.0">
<dict>
	<key>OktaVerify.OrgUrl</key>
	<string>https://your-org.oktapreview.com</string>
	<key>OktaVerify.UserPrincipalName</key>
	<string>{{mail}}</string>
</dict>
</plist>
Sign in to the Microsoft Intune admin center, navigate to the Devices section and select macOS devices.
Click Configuration profiles –> Create, select Templates from the drop-down, click on Preference file and click the Create button.

Enter a Name for the policy and click Next.

Enter:
- com.okta.mobile in the Preference domain name
- Configuration profile file: Browse to the .plist file (e.g. okta_mobile.plist) you created earlier.

The imported file is shown. You can also remove a file after it has been added. Click Next to continue.

The next step is to assign the policy to your user or device groups, in my example I assign it to All devices.

In the final step, press Create to finish your configuration.

Now let’s create the second plist profile for our configuration.
You can also use the code snippet below, which you can simply copy and adapt to your configuration as already described above. Please replace add-your-client-ID-here with the Client ID found in the Platform Single Sign-On for macOS or Desktop Password Sync app > Authentication tab in your Okta tenant.
Also replace https://your-org.oktapreview.com with your Okta tenant URL.
{{mail}} is an optional value for OktaVerify.UserPrincipalName, which automatically populates the email address in the Sign-In Widget.
If a value isn’t specified, users need to input their username when signing in.
<plist version="1.0">
<dict>
	<key>OktaVerify.OrgUrl</key>
	<string>https://your-org.oktapreview.com</string>
	<key>OktaVerify.UserPrincipalName</key>
	<string>{{mail}}</string>
	<!-- Client ID from the Platform SSO / Desktop Password Sync app, Authentication tab -->
	<key>OktaVerify.PasswordSyncClientID</key>
	<string>add-your-client-ID-here</string>
	<key>PlatformSSO.ProtocolVersion</key>
	<string>2.0</string>
</dict>
</plist>
In the Microsoft Intune admin center, navigate to the Devices section and select macOS devices.
Click Configuration profiles –> Create, select Templates from the drop-down, click on Preference file and click the Create button.

Enter a Name for the policy and click Next.

Enter:
- com.okta.mobile.auth-service-extension in the Preference domain name
- Configuration profile file: Browse to the .plist file (e.g. okta_extension.plist) you created earlier.

The imported file is shown. You can also remove a file after it has been added. Click Next to continue.

The next step is to assign the policy to your user or device groups, in my example I assign it to All devices.

In the final step, press Create to finish your configuration.
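As an added example that is not from the original post, the Python below generates both Preference file payloads described above with plistlib and lints a plist for the mistakes that are easy to make when copying the snippets: a placeholder left in, a non-https org URL, a missing key or a wrong protocol version. The required keys per preference domain are taken from the two snippets in this post; the sample tenant URL and client ID are constructed.

```python
import plistlib

ORG_URL_PLACEHOLDER = "https://your-org.oktapreview.com"
CLIENT_ID_PLACEHOLDER = "add-your-client-ID-here"

# Keys each preference domain must carry, taken from the two snippets in the post.
# OktaVerify.UserPrincipalName is optional and therefore not listed here.
REQUIRED_KEYS = {
    "com.okta.mobile": {"OktaVerify.OrgUrl"},
    "com.okta.mobile.auth-service-extension": {
        "OktaVerify.OrgUrl",
        "OktaVerify.PasswordSyncClientID",
        "PlatformSSO.ProtocolVersion",
    },
}


def build_preference_plists(org_url, client_id, upn="{{mail}}"):
    """Return {preference domain: XML plist bytes} for the two Intune profiles.
    upn defaults to the Intune {{mail}} token used in the post; pass None to omit it."""
    okta_mobile = {"OktaVerify.OrgUrl": org_url}
    if upn is not None:
        okta_mobile["OktaVerify.UserPrincipalName"] = upn
    extension = dict(okta_mobile)
    extension["OktaVerify.PasswordSyncClientID"] = client_id
    extension["PlatformSSO.ProtocolVersion"] = "2.0"
    return {
        "com.okta.mobile": plistlib.dumps(okta_mobile),
        "com.okta.mobile.auth-service-extension": plistlib.dumps(extension),
    }


def lint_preference_plist(domain, data):
    """Return a list of problems in the plist bytes for the given preference
    domain; an empty list means the file is ready to upload to Intune."""
    problems = []
    try:
        payload = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException or an XML parse error
        return [f"{domain}: not a valid plist ({exc})"]
    if domain not in REQUIRED_KEYS:
        return [f"{domain}: unknown preference domain"]
    for key in sorted(REQUIRED_KEYS[domain] - set(payload)):
        problems.append(f"{domain}: missing key {key}")
    org_url = payload.get("OktaVerify.OrgUrl", "")
    if org_url == ORG_URL_PLACEHOLDER:
        problems.append(f"{domain}: OktaVerify.OrgUrl still holds the placeholder")
    elif not org_url.startswith("https://"):
        problems.append(f"{domain}: OktaVerify.OrgUrl must start with https://")
    if payload.get("OktaVerify.PasswordSyncClientID") == CLIENT_ID_PLACEHOLDER:
        problems.append(f"{domain}: OktaVerify.PasswordSyncClientID still holds the placeholder")
    version = payload.get("PlatformSSO.ProtocolVersion")
    if version is not None and version != "2.0":
        problems.append(f"{domain}: PlatformSSO.ProtocolVersion should be the string 2.0")
    return problems


if __name__ == "__main__":
    # Constructed sample values: replace with your tenant URL and the client ID
    # shown on the Platform SSO app's Authentication tab.
    for domain, data in build_preference_plists("https://example.okta.com", "0oaEXAMPLECLIENTID").items():
        print(domain, lint_preference_plist(domain, data) or "OK")
```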

Preparing the macOS Device for User Enrollment
Once all configuration steps are completed and the prerequisites are in place, the IT administrator needs to perform the following actions on the device:
Sign in to the computer using the administrator account.

The device will undergo silent registration using the SCEP certificate to authenticate its identity and enroll the Platform SSO keys.
To verify successful registration:
- Look for the Registration Required notification, prompting the user to sign in with their credentials

or
- Open Terminal and run the command:
app-sso platform -s
If the registration is successful, the output will display Device Configuration and Login Configuration details awaiting completion.

You can verify the steps in the Okta System Logs: the new device was successfully enrolled and activated.

At this point, avoid completing the device registration process, as doing so will enroll the administrator account into Okta FastPass.
The final registration should be left for the end user who the device is being provisioned for to ensure proper enrollment.
Follow these steps to ensure the device is properly set up:
- Check for Duplicate User Accounts:
  - On the macOS device, go to System Settings > Users & Groups and verify there are no duplicate user accounts with similar names (e.g., j.work and ja.work).
  - If duplicate accounts are present, remove the unnecessary accounts and delete their associated home directories from the /Users folder.
- Configure Login Window Settings:
  - Open System Settings > Lock Screen and set When Switching User > Login window shows > Name and Password.
  - This ensures the login window displays the username field, allowing users to enter their credentials.
Once these steps are completed, the device is ready to be handed off to the end user for final setup.
Demo Just-in-Time Local Account Creation
In this demo, we’ll walk through the process of Just-in-Time (JIT) local account creation using Okta on a macOS device.
You’ll see how users can seamlessly create local accounts directly from the macOS login window using their Okta credentials.
This demonstration highlights how the feature simplifies onboarding and device provisioning, ensuring a smooth, secure user experience in shared or multi-user environments.
Conclusion and Benefits of Just-in-Time Local Account Creation on macOS with Okta
Just-in-Time (JIT) local account creation on macOS with Okta offers a streamlined, efficient solution for both users and administrators.
By allowing users to create accounts at the login window using their Okta credentials, this feature simplifies the process of accessing macOS devices, particularly in shared environments.
It leverages Apple’s Shared Device Keys and Platform Single Sign-On, ensuring security and seamless integration with existing identity management frameworks.
Benefits of JIT Local Account Creation:
- Simplified User Onboarding: Users can quickly create accounts on macOS devices without pre-configured profiles, reducing administrative overhead.
- Improved Security: By using Okta credentials and Apple’s identity framework, organizations ensure secure authentication and account creation.
- Ideal for Shared Devices: Perfect for environments where multiple users share devices, enabling any Okta user to log in and create their account in real-time.
- Reduced Admin Effort: Automating account creation means less manual intervention, freeing up IT resources for more critical tasks.
- Seamless Integration: JIT leverages Apple’s SSO framework, ensuring a smooth experience for both users and admins.
This feature is a valuable addition for organizations looking to optimize user access while maintaining strong security and reducing the complexity of account management.

In regard to the SCEP profile: should that be user channel, and deployed to users instead of devices?