
April 2025: Additional app identifier required for the associated domain entry on macOS 15 Sequoia (mobileconfig template was updated)
Introduction
In this blog post, I’ll guide you through the process of configuring Okta Device Access Desktop MFA and Platform SSO for macOS devices managed with mosyle MDM.
We’ll begin by setting up the required configurations within Okta, followed by creating and deploying the necessary configuration profiles in mosyle. By the end, you’ll have a clear understanding of how to implement and test this integration seamlessly.
Enjoy the read, and happy integrating!
Requirements
Here’s how you can set up Okta Device Access Desktop MFA and Platform SSO for macOS devices using mosyle as your Mobile Device Management (MDM) solution.
Below are the prerequisites to ensure a smooth configuration process:
- Okta Identity Engine (OIE)
- Desktop Access SKU
  - Ensure your OIE org has the Desktop Access SKU enabled.
- Recommended macOS Version
  - macOS 14.X is recommended to provide the best user experience for this setup.
- Okta Verify Authenticator
  - The Okta Verify authenticator must be configured and operational in your org.
  - Push notifications for Okta Verify should be enabled for seamless MFA.
- mosyle MDM Environment
  - A functional mosyle MDM environment with the necessary permissions is required to deploy configuration profiles and manage your macOS fleet.
With these prerequisites in place, you’re ready to dive into the configuration process.
Okta SCEP configuration
Device Access SCEP certificates are required to use Desktop Password Sync on devices running macOS Sonoma (14.0) and later.
These certificates deploy with your mosyle environment, and are used to grant access to specific API endpoints and to identify the device making the calls.
This section covers how to configure Okta as a CA with a static SCEP challenge and deliver the resulting certificate through mosyle.
Configure Okta as a CA for Device Access
The following steps configure Okta as a Certificate Authority (CA) with a static SCEP challenge, with mosyle delivering the certificate to your macOS devices.
This streamlines certificate management for your fleet and keeps the deployment simple.
In the Okta Admin Console, open Security > Device Integrations.

Click the Device Access tab and then click Add SCEP configuration.

Select Static SCEP URL as the SCEP challenge type and click Generate.

Copy and save the Okta SCEP URL and the Secret key as you will paste these in the Mosyle configuration.
Press Save to finish the configuration.

You should see the new Device Access SCEP configuration.
Mosyle macOS User Enrollment
This is a demo of the Mosyle macOS User Enrollment
Mosyle SCEP configuration
Log In to your mosyle console

Navigate to the SCEP Management Profiles section.

Click on Add new profile

Configure the following values
- Profile Name
- the SCEP URL you’ve copied from the Okta SCEP config
- Subject e.g. CN=%SerialNumber% ODA
- Subject Alternative Name Value e.g. CN=%SerialNumber% ODA

Scroll down and configure
- Challenge (pre-shared secret you’ve copied from the Okta SCEP config)
- select 2048 as Key Size
- select Use for Signing
- select Allow all apps to access the certificate in the keychain

Assign the profile and save your settings.

The SCEP Profile is now successfully created.

Verify that the certificate was installed on the device
Open Keychain Access on your device and check the certificate and private key.

Okta Desktop MFA configuration
Let’s continue with the Desktop MFA configuration.
Okta Configuration
In the Okta Admin Console, go to Settings, Account, Embedded widget sign-in support.

Ensure that the Interaction Code checkbox is selected.

In the Okta Admin Console, now navigate to Applications > Applications.

Click Browse App Catalog and search for Desktop MFA

Click Add integration.

On the Authentication tab, go to the Sign-on settings section and click Edit.
From the Application username format dropdown menu, select Okta username prefix.

Assign the app to individual users or groups on the Assignments tab.
Users must be assigned the app to use Desktop MFA.

On the General tab, go to the Client Credentials section to find the Client ID and
Client secret. The identifier and secret are generated when you create the app integration.
Make note of these values, as you need them when you create the Desktop MFA profile in your Mosyle environment.

Mosyle Configuration
In the mosyle console, navigate to the Certificate / Custom Profiles section and click on Add new profile.

Configure the Okta Desktop MFA Profile:
- fill in a Profile Name
- select your .mobileconfig file
- assign the profile to your devices
- *optional* select Show this profile at the Self-Service Page
- select System as the Profile Scope
- Save your settings

You can customize the provided template by updating the specified fields with your values. Once updated, save the file with a .mobileconfig extension to ensure compatibility with your MDM solution.
- YOUR_CLIENT_ID
- YOUR_CLIENT_SECRET
- YOUR_OKTA_URL
- YOUR_ADMIN_EMAIL (and the sample AdminPhone value 111-222-3333)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadUUID</key>
<string>2F0FC0DC-953A-4247-A4E6-F64A0A3FA2DB</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>beste</string>
<key>PayloadIdentifier</key>
<string>2F0FC0DC-953A-4247-A4E6-F64A0A3FA2DB</string>
<key>PayloadDisplayName</key>
<string>Okta Desktop MFA</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Custom Settings</string>
<key>PayloadIdentifier</key>
<string>3472DF62-D492-4211-9D59-748B2107CDE9</string>
<key>PayloadOrganization</key>
<string>Mosyle Software</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>3472DF62-D492-4211-9D59-748B2107CDE9</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<dict>
<key>com.okta.deviceaccess.servicedaemon</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>DMFAClientID</key>
<string>YOUR_CLIENT_ID</string>
<key>DMFAClientSecret</key>
<string>YOUR_CLIENT_SECRET</string>
<key>DMFAOrgURL</key>
<string>YOUR_OKTA_URL</string>
<key>LoginPeriodWithOfflineFactor</key>
<real>168</real>
<key>LoginPeriodWithoutEnrolledFactor</key>
<real>48.0</real>
<key>AdminEmail</key>
<string>YOUR_ADMIN_EMAIL</string>
<key>AdminPhone</key>
<string>111-222-3333</string>
<key>DeviceRecoveryPINDuration</key>
<real>60</real>
<key>MFARequiredList</key>
<array>
<string>*</string>
</array>
<key>AllowedFactors</key>
<array>
<string>OV_Push</string>
<string>FIDO2_USB_key</string>
<string>OV_TOTP</string>
<string>Offline_TOTP</string>
</array>
</dict>
</dict>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
It’s important to deploy the Desktop MFA configuration profile to your macOS device before Okta Verify itself is deployed.
Okta Verify looks for the configuration profile during install to determine whether or not to enable the Desktop MFA integration components.
Okta PlatformSSO configuration
Okta Configuration
In the Okta Admin Console, go to Applications > Applications > Catalog.

Search for Platform Single Sign-On for macOS and select the app.

Click Add integration.

Search for Desktop Password Sync and select the app.

Click Add integration.

On the General tab, you can edit the application label or use the default one.

On the Authentication tab, make note of the Client ID.
You need this when creating the configuration profiles in your Mosyle environment.

Assign the app to individual users or groups on the Assignments tab.
Users must be assigned the app to use Desktop Password Sync.

Mosyle PSSO Profile Configuration
Navigate to the Certificate / Custom Profiles section and click on Add new profile.

Configure the PlatformSSO Profile:
- fill in a Profile Name
- select your .mobileconfig file
- assign the profile to your devices
- *optional* select Show this profile at the Self-Service Page
- select System as the Profile Scope
- Save your settings

You can customize the provided template by updating the specified fields with your values. Once updated, save the file with a .mobileconfig extension to ensure compatibility with your MDM solution.
- YOUR_OKTA_URL
- YOUR_COMPANY_NAME
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Configuration</key>
<array>
<dict>
<key>ApplicationIdentifier</key>
<string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
<key>AssociatedDomains</key>
<array>
<!-- replace with your tenant address -->
<string>authsrv:YOUR_OKTA_URL</string>
</array>
</dict>
<dict>
<key>ApplicationIdentifier</key>
<string>B7F62B65BN.com.okta.mobile</string>
<key>AssociatedDomains</key>
<array>
<!-- replace with your tenant address -->
<string>authsrv:YOUR_OKTA_URL</string>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Associated Domains for Okta Verify</string>
<key>PayloadIdentifier</key>
<string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
<key>PayloadOrganization</key>
<string>Okta PSSO</string>
<key>PayloadType</key>
<string>com.apple.associated-domains</string>
<key>PayloadUUID</key>
<string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PlatformSSO</key>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>UseSharedDeviceKeys</key>
<true/>
</dict>
<key>ExtensionIdentifier</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>Hosts</key>
<array/>
<key>TeamIdentifier</key>
<string>B7F62B65BN</string>
<key>Type</key>
<string>Redirect</string>
<key>URLs</key>
<array>
<!-- replace with your tenant address -->
<string>https://YOUR_OKTA_URL/device-access/api/v1/nonce</string>
<string>https://YOUR_OKTA_URL/oauth2/v1/token</string>
</array>
<key>PayloadDisplayName</key>
<string>Okta Verify Sign-On Extensions Payload</string>
<key>PayloadIdentifier</key>
<string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
<key>PayloadOrganization</key>
<string>YOUR_COMPANY_NAME</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Okta PSSO extension configuration</string>
<key>PayloadDisplayName</key>
<string>Okta PSSO extension</string>
<key>PayloadIdentifier</key>
<string>com.customer-name.profiles.ssoextension</string>
<key>PayloadOrganization</key>
<string>Okta PSSO</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>D78FE406-0C61-4007-8C51-FFA5FDE5F54B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Mosyle Okta Verify Config Profile Configuration
Navigate to the Certificate / Custom Profiles section and click on Add new profile.

Configure the Okta Verify Configuration Profile:
- fill in a Profile Name
- select your .mobileconfig file
- assign the profile to your devices
- *optional* select Show this profile at the Self-Service Page
- select System as the Profile Scope
- Save your settings

You can customize the provided template by updating the specified fields with your values. Once updated, save the file with a .mobileconfig extension to ensure compatibility with your MDM solution.
- YOUR_OKTA_URL
- YOUR_OKTA_PSSO_CLIENT_ID
- XXX (the PayloadOrganization value, replace it with your company name)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<!-- replace with your tenant -->
<key>OktaVerify.OrgUrl</key>
<string>https://YOUR_OKTA_URL</string>
<!-- replace YOUR_OKTA_PSSO_CLIENT_ID with the Client ID of your Desktop Password Sync (Platform SSO) app -->
<key>OktaVerify.PasswordSyncClientID</key>
<string>YOUR_OKTA_PSSO_CLIENT_ID</string>
<!-- optional keys -->
<key>OktaVerify.EnrollmentOptions</key>
<string>SilentEnrollmentEnabled</string>
<key>OktaVerify.ReportDiagnostics</key>
<true/>
<key>OktaVerify.UserPrincipalName</key>
<string></string>
<!-- end of optional keys -->
<key>PayloadDescription</key>
<string>Configures Okta Verify settings</string>
<key>PayloadDisplayName</key>
<string>Okta Verify configuration</string>
<key>PayloadIdentifier</key>
<string>DEB5863A-E503-468C-A3DE-D90479F1E10A</string>
<key>PayloadOrganization</key>
<string>XXX</string>
<key>PayloadType</key>
<string>com.okta.mobile</string>
<key>PayloadUUID</key>
<string>1D89FEA8-BAFE-42F5-9393-634BE23009D8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<!-- replace with your tenant -->
<key>OktaVerify.OrgUrl</key>
<string>https://YOUR_OKTA_URL</string>
<!-- replace YOUR_OKTA_PSSO_CLIENT_ID with the Client ID of your Desktop Password Sync (Platform SSO) app -->
<key>OktaVerify.PasswordSyncClientID</key>
<string>YOUR_OKTA_PSSO_CLIENT_ID</string>
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>
<!-- optional keys -->
<key>OktaVerify.EnrollmentOptions</key>
<string>SilentEnrollmentEnabled</string>
<key>OktaVerify.ReportDiagnostics</key>
<true/>
<key>OktaVerify.UserPrincipalName</key>
<string></string>
<!-- end of optional keys -->
<key>PayloadDescription</key>
<string>Configures Okta Verify settings</string>
<key>PayloadDisplayName</key>
<string>Okta Verify (auth service) configuration</string>
<key>PayloadIdentifier</key>
<string>E5F1356E-3B04-43F7-8E8C-2213F7D74B13</string>
<key>PayloadOrganization</key>
<string>XXX</string>
<key>PayloadType</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>PayloadUUID</key>
<string>6764E8E4-0A37-4206-96E2-A73B2DFA5673</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Configures settings</string>
<key>PayloadDisplayName</key>
<string>Okta Verify Configuration</string>
<key>PayloadIdentifier</key>
<string>com.customer-name.profiles.oktaverify</string>
<key>PayloadOrganization</key>
<string>XXX</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9A641D93-471C-44D7-8B54-264E842A12C8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
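All three templates on this page (Desktop MFA, Platform SSO and Okta Verify) are customized the same way: replace the YOUR_* placeholders and upload the result as a custom profile. The following added Python example, which is not part of the original post nor of Okta's or Mosyle's tooling, renders a trimmed, constructed copy of the Platform SSO template and then checks that no placeholder is left behind, that the scope is System, that the payload UUIDs are unique, and that both Okta Verify app identifiers required on macOS 15 are present in the associated-domains payload.

```python
import plistlib
import re

# Constructed, trimmed copy of the page's Platform SSO template; only the keys checked below are kept.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array>
  <dict><key>PayloadType</key><string>com.apple.associated-domains</string>
   <key>PayloadUUID</key><string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
   <key>Configuration</key><array>
    <dict><key>ApplicationIdentifier</key><string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
     <key>AssociatedDomains</key><array><string>authsrv:YOUR_OKTA_URL</string></array></dict>
    <dict><key>ApplicationIdentifier</key><string>B7F62B65BN.com.okta.mobile</string>
     <key>AssociatedDomains</key><array><string>authsrv:YOUR_OKTA_URL</string></array></dict>
   </array></dict>
 </array>
 <key>PayloadScope</key><string>System</string>
 <key>PayloadUUID</key><string>D78FE406-0C61-4007-8C51-FFA5FDE5F54B</string>
</dict></plist>"""

PLACEHOLDER = re.compile(r"YOUR_[A-Z_]+")
# macOS 15 needs both Okta Verify app identifiers in the associated-domains payload (page's April 2025 note).
REQUIRED_APP_IDS = {"B7F62B65BN.com.okta.mobile.auth-service-extension", "B7F62B65BN.com.okta.mobile"}


def render(template, values):
    """Substitute every YOUR_* placeholder; refuse to emit a profile when a value is missing."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise ValueError(f"no value supplied for {missing}")
    return PLACEHOLDER.sub(lambda m: values[m.group(0)], template)


def validate(mobileconfig):
    """Return the list of problems found; an empty list means the profile looks deployable."""
    problems = []
    if PLACEHOLDER.search(mobileconfig):
        problems.append("unreplaced placeholder left in profile")
    root = plistlib.loads(mobileconfig.encode())
    if root.get("PayloadScope") != "System":  # the Mosyle profile scope on this page is System
        problems.append("PayloadScope must be System")
    uuids = [root["PayloadUUID"]] + [p["PayloadUUID"] for p in root["PayloadContent"]]
    if len(uuids) != len(set(uuids)):
        problems.append("PayloadUUID values must be unique")
    for payload in root["PayloadContent"]:
        if payload["PayloadType"] == "com.apple.associated-domains":
            ids = {c["ApplicationIdentifier"] for c in payload["Configuration"]}
            if not REQUIRED_APP_IDS <= ids:
                problems.append("associated-domains payload is missing an Okta app identifier")
    return problems
```

Run validate() on the rendered file before uploading it to Mosyle; the same placeholder and UUID checks apply unchanged to the Desktop MFA and Okta Verify templates.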
In the mosyle console, you should see the following Custom Profiles successfully created.

Additionally, the profiles should be successfully installed on the macOS device.

And available in the mosyle Self-Service Page.

Okta Verify Deployment
Navigate to the Management Profiles > Install PKG and click on Add new package.

Click on Already HAVE A .PKG

Select how you want to distribute the PKG file and click Next.

Click on ADD ENTERPRISE APP

Click on Upload

and upload the Okta Verify package

Confirm the file upload.

The Okta Verify package should be visible after a short time.

Now create a new profile for the Okta Verify PKG file: click on Add new profile.

Fill in Profile Name and click on ADD APPLICATION

Select the Okta Verify app.

Select if you would like to show the file in the Self-Service, assign the profile to your devices and save your settings.

The installation process begins, during which the Okta Verify app becomes available in the mosyle Self-Service Page, and a toast notification confirms the successful registration of Platform SSO.

Demo
Here is the demo of the Platform SSO registration process on a mosyle-enrolled device.
Let’s also have a look at the Okta Desktop MFA demo on a mosyle-enrolled macOS device.
