Okta Device Access Out-of-the-box enrollment with Jamf Pro

April 2025: Additional app identifier required for the associated domain entry on macOS 15 Sequoia

Introduction

In today’s dynamic and increasingly mobile workplace, organizations are prioritizing security and streamlined user experiences while managing their IT infrastructure. Apple devices, with their growing presence in the enterprise, have become a key focus for IT administrators striving to balance user productivity with robust security.
To meet these demands, the integration of Okta Device Access, Jamf Pro, and Apple Business Manager provides a comprehensive solution for managing Apple devices in the enterprise.
This deep dive explores the seamless integration of these powerful tools, focusing on Automated Device Enrollment (ADE), Okta’s Device Access, Single Sign-On (SSO), Desktop MFA, and their collective impact on business value and security.

Requirements

To successfully implement the concept described in this blog, the following requirements must be in place.

Okta

Okta Identity Engine (OIE) Organization: Your organization must be operating on the Okta Identity Engine (OIE), which is essential for enabling advanced features like Just-in-Time account creation.

Desktop Access SKU: The Desktop Access SKU must be enabled in your OIE org.
This SKU grants the necessary permissions and functionalities to manage device authentication and account provisioning on macOS.

Platform Single Sign-on (Desktop Password Sync) Configuration:
Platform Single Sign-on (Desktop Password Sync) must be configured to ensure that users can log in with their Okta credentials. Detailed configuration steps can be found in the relevant blog post or documentation, ensuring proper sync between Okta and macOS systems.

Desktop MFA Configuration:
Desktop MFA must be configured so that users log in to macOS with their Okta credentials plus a second factor. Detailed configuration steps can be found in the relevant blog post or documentation.

Okta Verify: Okta Verify version 9.27 or higher must be installed on all macOS devices.

Apple Business Manager (ABM) Account

ABM Configuration: You must configure your ABM account to integrate with Jamf Pro, by linking the ABM account to your MDM server (Jamf Pro).

Apple Business Manager Enrollment: Your organization must have an active Apple Business Manager (ABM) account, which is a service provided by Apple for managing device procurement, assignment, and MDM enrollment.

Device Registration: Devices need to be purchased through Apple or authorized resellers who support ABM. These devices are automatically assigned to the ABM account, making them eligible for Automated Device Enrollment.

Jamf Pro MDM Configuration

Profiles and Configuration: In Jamf Pro, create an Automated Device Enrollment profile that specifies how new devices should be configured once enrolled. This profile might include steps to skip setup assistant prompts, configure Wi-Fi settings, and assign the correct user group or profile.

Jamf Pro Subscription: Your organization must have a Jamf Pro account, which serves as the MDM (Mobile Device Management) solution for managing Apple devices.

MDM Server Setup: The MDM server settings in ABM must be configured to point to your Jamf Pro instance. This allows devices enrolled in ABM to automatically be linked with your Jamf Pro server for management.

MDM Server Token: You need to download the MDM server token from ABM and upload it into Jamf Pro to establish a secure connection between the two systems.

Demos

Let’s dive into the following demos to see the integration in action and understand how the different components come together seamlessly.
These demonstrations will showcase the effectiveness and smooth operation of our setup.

Secure macOS onboarding and Platform SSO enrollment

This demo shows a user unboxing a new device.
Once the Mac is powered on and connected to Wi-Fi, it automatically enrolls into Jamf Pro, thanks to the Apple Business Manager integration, which triggers the remote management profile installation.
With Jamf Pro, we deploy necessary configurations, security policies, the Okta SCEP cert and applications such as Okta Verify.
The user is guided through the setup steps, including a custom setup experience such as Location Services.
Once the user logs in, Okta Desktop Password Sync ensures that any future password changes made in Okta are automatically synced with the macOS password.
This keeps the local and Okta passwords in sync at all times.
In addition, enrollment into Desktop Password Sync also auto-enrolls the user into Okta FastPass, enabling phishing-resistant, passwordless biometric authentication to applications.

Just-in-Time (JIT) local account creation and Desktop MFA enrollment

The second demo shows the creation of a local account on a macOS device directly from the login window, using the user’s Okta credentials, and a seamless enrollment into Okta Device Access Desktop MFA.
The user logs in to the Mac with their Okta credentials and needs to set up multi-factor authentication for added security.
We have the choice between a high-assurance factor, such as Okta Verify Push (with or without biometrics), or Okta Verify TOTP.
Users can also enroll an offline device access code, allowing them to log in when they are not connected to Wi-Fi.

Configure Single-Sign-On

In this section, I will walk you through detailed, step-by-step instructions to configure single sign-on (SSO) settings in Okta.
This configuration will enable seamless SSO integration for specific functionalities within Jamf Pro, ensuring a streamlined and secure login experience for administrators and users alike.

Okta Configuration

In the Okta Admin Dashboard navigate to Applications > Applications

Click Browse App Catalog

Search for Jamf Pro and select the Jamf Pro SAML application

Click Add Integration

Enter your Jamf Pro URL and click Done.

Click the Authentication pane and click Edit.

In the SAML 2.0 section, set the http://schemas.xmlsoap.org/claims/Group pop-up menu to “Matches Regex” and enter .* in the field.

Click Save.

Use the Assignments pane to assign users or groups to the Jamf Pro application.

Go to the Authentication tab and, in the SAML Setup section on the right side of the page, click View SAML setup instructions.

Copy the Metadata URL provided in step 3 of the procedure.
This URL will be required during the Jamf Pro configuration process to complete the integration setup seamlessly.

Jamf Pro Configuration

Log in to your Jamf Pro account as an administrator and navigate to Settings > System > Single sign-on.

In the Single sign-on menu:

  • select Enable Single Sign-On Authentication
  • select Okta as the Identity Provider
  • enter the Metadata URL you copied during the Okta configuration

In the Single Sign-On menu, navigate further down to locate the SAML IdP User Mapping section.
Proceed to configure it as follows:

  1. Identity Provider User Mapping: Select NameID.
  2. Jamf User Mapping: This value has to match the Application username from Okta.
    By default, it is set to Username.
  3. Identity Provider Group Attribute Name: Ensure it is set to http://schemas.xmlsoap.org/claims/Group

Navigate further down to the SAML IdP Options section.
In my setup, I’ve configured the following options to align with the security and operational requirements.
These settings ensure seamless and secure SSO functionality tailored to the needs of the integration.

  1. Single Sign-On Options for Jamf Pro
  2. Enable Single Sign-On for Self Service for macOS
  3. Enable Single Sign-On for User Authentication during Enrollment

Click Save to finish the configuration.

Configure Okta LDAP with Jamf Pro

If Okta LDAP is integrated with Jamf Pro, the User and Location information is populated using a lookup from Jamf Pro to Okta LDAP.
If LDAP is not integrated with Jamf Pro, the Username field is the only information populated in the User and Location category, and user lookup will not work during enrollment.

Okta Configuration

In the Admin Console, go to Directory > Directory Integrations.

If you don’t have any directory integrations configured, click Add LDAP Interface.
Otherwise, click Add Directory > Add LDAP Interface.

The LDAP Interface is now active.

Take note of the following values:

  1. Host
  2. Base DN
  3. User base DN
  4. Group base DN

These values are essential for completing the LDAP configuration within the Jamf Pro environment.

Jamf Pro LDAP configuration

In this section we will add the Okta LDAP server using the LDAP Server Assistant.
In Jamf Pro, click Settings in the sidebar and then click LDAP Servers.

Click New.

Select Configure Manually and click Next

In the Connection pane configure:

  1. Display Name
  2. select Configure Manually
  3. select Use SSL
  4. enter the LDAP Server and Port
    (These values can be taken from the Okta LDAP interface configuration)

Scroll down and:

  1. select Simple as the Authentication Type
  2. enter your service account that was previously created in Okta

    This service account needs to be an admin, but can be an Okta Read-only admin.
    Also, make sure that this account does NOT need MFA to authenticate through Okta.

  3. enter the password for the service account
  4. re-enter the password for the service account

Towards the bottom of this configuration page:

  1. select Use default from LDAP service
  2. select Use Wildcard When Searching

Move to the Mappings pane and configure as follows:

  1. select User Mappings
  2. select All ObjectClass Values
  3. enter inetOrgPerson as the Object Class
  4. fill in the Search Base
    (These values can be taken from the Okta LDAP interface configuration)
  5. select All Subtrees

Scroll down to the Attribute Mappings section and enter the following values.

Continue in the Mappings menu and move to the User Group Mappings.
The following must be configured here:

  1. select All ObjectClass Values
  2. enter groupOfUniqueNames as the Object Class
  3. fill in the Search Base
    (These values can be taken from the Okta LDAP interface configuration)
  4. select All Subtrees

Scroll down to the Attribute Mappings section and enter the following values.

The final step is the User Group Membership Mappings:

  1. select Group Object
  2. fill in UniqueMember
  3. select Use distinguished name of member user when searching the LDAP directory
  4. Save the settings

Let’s proceed to test the LDAP Attribute Mappings to ensure everything has been correctly configured.

Type in a username and press the Test button; if the configuration is correct, the expected result is displayed.
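As an added example (not part of the original post, and not Jamf’s or Okta’s code), the following Python models the lookups that the mappings above describe: the user search under the User base DN with objectClass inetOrgPerson, and the group membership search with groupOfUniqueNames and uniqueMember. The host, base DNs and service account are constructed sample values; the username attribute uid, the Okta LDAP Interface DN layout, and the way “Use Wildcard When Searching” is modelled (wildcards around the typed value) are assumptions. The filter escaping is what keeps a typed username from altering the filter’s structure, and the ldapsearch argument list reproduces the Test button from a terminal.

```python
from __future__ import annotations

import shlex

# Constructed sample values standing in for the Host, User base DN and Group base DN
# noted from the Okta LDAP Interface page; take the real ones from your org.
SAMPLE_HOST = "example.ldap.oktapreview.com"
SAMPLE_PORT = 636  # 'Use SSL' was selected in the Connection pane
SAMPLE_USER_BASE_DN = "ou=users,dc=example,dc=oktapreview,dc=com"
SAMPLE_GROUP_BASE_DN = "ou=groups,dc=example,dc=oktapreview,dc=com"
# Assumption: the Username attribute mapping points at uid (the mapping values are only in a screenshot).
USERNAME_ATTRIBUTE = "uid"

# RFC 4515: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: characters that must be backslash-escaped inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it in a search filter, so typed input cannot change the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value used inside a distinguished name."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in _DN_SPECIALS or leading or trailing else ch)
    return "".join(out)


def user_dn(login: str) -> str:
    """DN of a user entry, assuming the Okta LDAP Interface layout uid=<login>,<User base DN>."""
    return f"uid={escape_dn_value(login)},{SAMPLE_USER_BASE_DN}"


def user_lookup_filter(username: str, use_wildcard: bool = True) -> str:
    """User Mappings pane as a filter: objectClass inetOrgPerson, username attribute matched
    against the typed value. use_wildcard models 'Use Wildcard When Searching' as a
    substring match (an assumption about Jamf's behaviour)."""
    value = escape_filter_value(username)
    if use_wildcard:
        value = f"*{value}*"
    return f"(&(objectClass=inetOrgPerson)({USERNAME_ATTRIBUTE}={value}))"


def group_membership_filter(member_dn: str) -> str:
    """User Group Membership Mappings as a filter: groupOfUniqueNames entries whose
    uniqueMember holds the user's distinguished name (Group Object + uniqueMember)."""
    return f"(&(objectClass=groupOfUniqueNames)(uniqueMember={escape_filter_value(member_dn)}))"


def ldapsearch_args(bind_dn: str, base_dn: str, ldap_filter: str, *attributes: str) -> list[str]:
    """Argument list for an equivalent ldapsearch run: ldaps on port 636 ('Use SSL'), simple bind
    (-x) as the service account with -W prompting for its password, 'All Subtrees' as -s sub."""
    return ["ldapsearch", "-H", f"ldaps://{SAMPLE_HOST}:{SAMPLE_PORT}", "-x", "-D", bind_dn, "-W",
            "-b", base_dn, "-s", "sub", ldap_filter, *attributes]


if __name__ == "__main__":
    # Constructed service account and user; prints the two commands behind the Test button.
    svc = user_dn("svc-jamf@example.com")
    print(shlex.join(ldapsearch_args(svc, SAMPLE_USER_BASE_DN, user_lookup_filter("alice"), "cn", "mail")))
    print(shlex.join(ldapsearch_args(svc, SAMPLE_GROUP_BASE_DN,
                                     group_membership_filter(user_dn("alice@example.com")), "cn")))
```

The bind DN is the service account from the Connection pane; because that account authenticates without MFA and can read the whole directory, keep it read-only and its password only in Jamf Pro.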

Okta Device Access configuration

This section will delve into the Okta Device Access configurations, focusing on critical components such as the SCEP (Simple Certificate Enrollment Protocol) setup and the configuration profiles for PlatformSSO and Desktop Multi-Factor Authentication (MFA).

Set up Device Access SCEP certificates

Device Access SCEP certificates are required to use PlatformSSO on devices running macOS Sonoma (14.0) and later.
These certificates deploy with your Jamf Pro environment, and are used to grant access to specific API endpoints and to identify the device making the calls.

Configure Okta as a CA for Device Access

In this section I am covering how to configure Okta as a CA with dynamic SCEP.
In the Okta Admin Console, open Security > Device Integrations.

Click the Device Access tab and click Add SCEP configuration.

Select Generic as the Dynamic SCEP URL type and press the Generate button.

Make sure to note down the following values, as they will be required later when setting up the SCEP profile within your Jamf Pro environment.
These details are essential for ensuring a seamless configuration process.

  1. SCEP URL
  2. Challenge URL
  3. Username
  4. Password
  5. Save your settings

Create a dynamic SCEP profile in Jamf Pro

In the Jamf Pro console, go to Computers > Configuration Profiles and click New to create the new profile.

On the General page, enter the following information:

  1. Enter a name for the profile.
  2. Optional. Enter a description of the profile.
  3. Select the appropriate level for the certificate.
    Okta Verify uses this certificate to identify managed devices and managed users.
    To ensure that all users of the device are managed, you should select Computer Level.

Click SCEP, and then click Configure.

For the SCEP profile, enter the following information:

  1. Paste the SCEP URL that you copied from the Okta Admin Console in the previous step
  2. Enter a name for the SCEP profile
  3. Choose a time frame for the profile to be redistributed when its SCEP-issued certificate is the specified number of days from expiring.
    Okta doesn’t support automatic certificate renewal.
    The profile must be redistributed to replace the expired certificate.
  4. Enter an appropriate subject name. For example, if you selected Computer Level, set the subject to indicate the device name, e.g.
    CN=$COMPUTERNAME ODA $UDID
  5. Select Dynamic-Microsoft CA as the Challenge Type
  6. Enter the Challenge URL that you copied from the Okta Admin Console in the previous step
  7. Enter the username
  8. Enter the password
  9. Re-enter the password
  10. As Key Size select 2048
  11. Select Use as digital signature
  12. Deselect Allow export from keychain
  13. Select Allow all apps access
  14. Save your settings

Now we need to configure the targets that the profile will be deployed to. Navigate to the Scope menu:

  1. Select your Target Computers
  2. Select your Target Users
  3. Save your settings

Configure PlatformSSO MDM profile in Jamf Pro

In this section, we will cover the steps to configure a Platform Single Sign-On (SSO) MDM profile with Just-in-Time (JIT) account creation support within a Jamf Pro environment.
This configuration enables seamless integration between Okta and macOS devices, allowing users to authenticate and create local accounts using their Okta credentials.
We’ll walk through how to set up the MDM profile to ensure proper support for JIT account creation, streamlining user onboarding and device management.

In the Jamf Pro console navigate to Computers > Configuration Profiles.

Click + New.
Click the Options tab.
Click the General tab and enter a name for this profile, e.g. Okta PSSO.

Scroll down, click Single Sign-On Extensions and click + Add to add a new extension.

Set the following parameters:

  • Payload type: SSO 
  • Extension identifier: com.okta.mobile.auth-service-extension 
  • Team identifier: B7F62B65BN 
  • Sign-on type: Redirect 

Under URLs, enter a URL with the following format (for your own Okta org):
https://<<your-org>>.oktapreview.com/device-access/api/v1/nonce
Click + Add to add a second URL and set it to:
https://<<your-org>>.oktapreview.com/oauth2/v1/token
Replace https://<<your-org>>.oktapreview.com with your Okta org URL.

Set these parameters:

  • Use Platform SSO: Include
  • Authentication method: Password

and enable

  • Use Shared Device Keys
  • Create New User at Login

The Registration Token field is not used, because the SCEP certificate takes its place, but it must be populated: set it to a random value.

Configure the User Mapping settings, for example:

  • Set macOSAccountUsername as the AccountName
  • Use macOSAccountFullName as the FullName

In the sidebar of the window, scroll up, click Associated Domains and click Configure.

Click + Add and enter the following in the App Identifier box:
B7F62B65BN.com.okta.mobile.auth-service-extension and B7F62B65BN.com.okta.mobile

In the Associated Domain box add your Okta org URL with authsrv: preceding the URL.
e.g.: authsrv:<<your-org>>.oktapreview.com

Now navigate to Applications & Custom Settings > Upload and click the + Add button.

Enter com.okta.mobile as the first preference domain.
You can paste the following XML snippet into the property list to complete the configuration:

<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>CLIENTID</string>
</dict>
</plist>

Replace https://your-org.oktapreview.com with your Okta org URL, and replace CLIENTID with the Client ID found in the Platform Single Sign-On for macOS or Desktop Password Sync app Authentication tab in your Okta Tenant.

$USERNAME is an optional value for OktaVerify.UserPrincipalName, which automatically populates the username in the Sign-In Widget.
If a value isn’t specified, users need to input their username when logging in.

Next, click the + Add button once more to add a second preference domain.

Enter com.okta.mobile.auth-service-extension as the second preference domain.
You can paste the following XML snippet into the second property list to complete the configuration:

<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>CLIENTID</string>
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>
</dict>
</plist>

Replace https://your-org.oktapreview.com with your org URL, and replace CLIENTID with the Client ID found in the Platform Single Sign-On for macOS or Desktop Password Sync app Authentication tab in your Okta Tenant.

Navigate to the Scope section and distribute the profile to your devices.

Configure Desktop MFA MDM profile in Jamf Pro

In this section we will create the Okta Device Access Desktop MFA profile.

In the left menu select Application & Custom Settings > Upload and click + Add.

Enter com.okta.deviceaccess.servicedaemon as the Preference Domain and paste the following XML into the property list field.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DMFAClientID</key>
<string>add-your-client-ID-here</string>
<key>DMFAClientSecret</key>
<string>add-your-client-secret-here</string>
<key>DMFAOrgURL</key>
<string>https://your-org.oktapreview.com</string>
<key>LoginPeriodWithOfflineFactor</key>
<real>168</real>
<key>LoginPeriodWithoutEnrolledFactor</key>
<real>48</real>
<key>AdminEmail</key>
<string>YOUR_ADMIN_EMAIL</string>
<key>AdminPhone</key>
<string>111-222-3333</string>
<key>DeviceRecoveryPINDuration</key>
<real>60</real>
<key>MFARequiredList</key>
<array>
<string>*</string>
</array>
</dict>
</plist>

This should appear as follows within the Jamf Pro console interface.

Replace the following values with those found in the Desktop MFA app, Authentication tab in your Okta tenant:

  1. add-your-client-ID-here with the client ID
  2. add-your-client-secret-here with the client secret

Do not forget to replace https://your-org.oktapreview.com with your Okta org URL.

Click Scope in the upper bar and click + Add next to Selected Deployment Targets.
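The SSO extension URLs, the Associated Domains entry and the three managed preference plists above all derive from the org URL and a handful of IDs, and the mistakes that most often break Platform SSO or Desktop MFA are a placeholder left in a plist or an org URL with a trailing slash, a path or an http scheme. The following Python is an added example, not code from the post or from Okta or Jamf: it derives those values from one org URL, emits the plists with plistlib in the form pasted into the Upload property list field, and lints a finished plist for leftover placeholders and malformed org URLs. The org URL, client IDs, secret and admin contact it uses are constructed sample values; the identifiers and numeric values are the ones given in the post.

```python
from __future__ import annotations

import plistlib
from urllib.parse import urlparse

# Identifiers as given in the post.
SSO_EXTENSION_ID = "com.okta.mobile.auth-service-extension"
OKTA_TEAM_ID = "B7F62B65BN"

# Placeholder strings from the post's templates; none may survive into a deployed profile.
PLACEHOLDERS = ("your-org", "<<", "CLIENTID", "add-your-client-ID-here",
                "add-your-client-secret-here", "YOUR_ADMIN_EMAIL")

# The Desktop MFA template exactly as the post shows it, before any value is replaced.
UNEDITED_DMFA_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>DMFAClientID</key><string>add-your-client-ID-here</string>
<key>DMFAClientSecret</key><string>add-your-client-secret-here</string>
<key>DMFAOrgURL</key><string>https://your-org.oktapreview.com</string>
<key>LoginPeriodWithOfflineFactor</key><real>168</real>
<key>LoginPeriodWithoutEnrolledFactor</key><real>48</real>
<key>AdminEmail</key><string>YOUR_ADMIN_EMAIL</string>
<key>AdminPhone</key><string>111-222-3333</string>
<key>DeviceRecoveryPINDuration</key><real>60</real>
<key>MFARequiredList</key><array><string>*</string></array>
</dict></plist>
"""


def normalize_org_url(org_url: str) -> str:
    """Return the org URL as a bare https origin (no trailing slash, path or query), or raise ValueError."""
    parts = urlparse(org_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"org URL must be https:// followed by the org host: {org_url!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"org URL must not carry a path, query or fragment: {org_url!r}")
    if any(p in org_url for p in PLACEHOLDERS):
        raise ValueError(f"placeholder left in org URL: {org_url!r}")
    return f"https://{parts.netloc}"


def is_valid_org_url(org_url: str) -> bool:
    try:
        normalize_org_url(org_url)
        return True
    except ValueError:
        return False


def sso_extension_urls(org_url: str) -> list[str]:
    """The two entries under URLs in the SSO extension payload."""
    origin = normalize_org_url(org_url)
    return [f"{origin}/device-access/api/v1/nonce", f"{origin}/oauth2/v1/token"]


def associated_domain(org_url: str) -> str:
    """The Associated Domains entry: the org host with the authsrv: prefix."""
    return "authsrv:" + urlparse(normalize_org_url(org_url)).netloc


def app_identifiers() -> list[str]:
    """Both App Identifier values from the Associated Domains step."""
    return [f"{OKTA_TEAM_ID}.{SSO_EXTENSION_ID}", f"{OKTA_TEAM_ID}.com.okta.mobile"]


def psso_preferences(org_url: str, password_sync_client_id: str, for_extension: bool) -> dict:
    """Preferences for com.okta.mobile (for_extension=False) or for
    com.okta.mobile.auth-service-extension (for_extension=True, which adds the protocol version)."""
    prefs = {
        "OktaVerify.OrgUrl": normalize_org_url(org_url),
        "OktaVerify.UserPrincipalName": "$USERNAME",  # Jamf variable; optional per the post
        "OktaVerify.PasswordSyncClientID": password_sync_client_id,
    }
    if for_extension:
        prefs["PlatformSSO.ProtocolVersion"] = "2.0"
    return prefs


def desktop_mfa_preferences(org_url: str, client_id: str, client_secret: str,
                            admin_email: str, admin_phone: str) -> dict:
    """Preferences for com.okta.deviceaccess.servicedaemon with the post's numeric values."""
    return {
        "DMFAClientID": client_id,
        "DMFAClientSecret": client_secret,
        "DMFAOrgURL": normalize_org_url(org_url),
        "LoginPeriodWithOfflineFactor": 168.0,
        "LoginPeriodWithoutEnrolledFactor": 48.0,
        "AdminEmail": admin_email,
        "AdminPhone": admin_phone,
        "DeviceRecoveryPINDuration": 60.0,
        "MFARequiredList": ["*"],  # '*' as in the post's template
    }


def to_plist(prefs: dict) -> bytes:
    """XML plist text to paste into the Jamf 'Upload' property list field."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML, sort_keys=False)


def check_plist(plist_bytes: bytes) -> list[str]:
    """Lint a finished plist; returns one finding per problem (an empty list means clean)."""
    findings = []
    for key, value in plistlib.loads(plist_bytes).items():
        if key.lower().endswith("orgurl"):
            if not is_valid_org_url(value):
                findings.append(f"{key}: not a clean https org origin, or still a placeholder: {value!r}")
        elif isinstance(value, str):
            findings.extend(f"{key}: placeholder {p!r} still present" for p in PLACEHOLDERS if p in value)
        elif isinstance(value, (int, float)) and key.startswith("LoginPeriod") and value <= 0:
            findings.append(f"{key}: must be positive, got {value}")
    return findings


if __name__ == "__main__":
    org = "https://acme.oktapreview.com"  # constructed sample org
    print(sso_extension_urls(org), associated_domain(org), app_identifiers())
    print(to_plist(psso_preferences(org, "0oa1sample", for_extension=True)).decode())
    print(check_plist(UNEDITED_DMFA_TEMPLATE))
```

Run check_plist over the plist you are about to scope out, not only over the template: a clean result means every placeholder was replaced and the org URL is the bare origin the extension and daemon expect.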

Create an Enrollment Customization Configuration

In this section, we will set up the Enrollment Customization options within Jamf Pro to enhance and tailor the user experience during Automated Device Enrollment.

By configuring Enrollment Customization settings, we create a reusable configuration that can be applied to a PreStage Enrollment.
This allows us to define specific workflows, settings, and user prompts, further refining the macOS onboarding process for your organization’s unique needs.

In Jamf Pro, click Settings and, in the Global section, click Enrollment Customization.

Click New.

For the Enrollment Customization, enter:

  1. Display Name
  2. Description
  3. the desired Site

Click Add Pane, and then do the following:

  1. Enter a Display Name for the pane
  2. Choose “Single Sign-On Authentication” from the Pane Type
  3. Choose “Any identity provider user” from the Enrollment Access
  4. Click Add

Create PreStage Enrollments in Jamf Pro

PreStage Enrollment streamlines the onboarding process by allowing administrators to create predefined configurations and synchronize them with Apple.
This approach minimizes the time and manual effort required to prepare new Macs for deployment, ensuring they are enrolled seamlessly with Jamf Pro right out of the box.
By setting up a PreStage Enrollment, you can define the enrollment parameters and tailor the user experience during the macOS Setup Assistant.

In Jamf Pro, click Computers > PreStage Enrollments and click New.

In the General payload we will configure basic settings for the PreStage Enrollment.

  1. Display Name
  2. select your preconfigured Automated Device Enrollment Instance

Scroll down and select the Enrollment Customization Configuration we configured in the previous section.

Jamf Pro allows you to streamline the enrollment process by specifying which Setup Assistant screens users should bypass.
When a step is selected for omission, that particular screen is automatically skipped, ensuring a faster and more tailored onboarding experience for the user.

The Account Settings payload enables you to define a managed administrator account and determine the type of local user account that will be created on macOS devices enrolled through PreStage Enrollment.

In my setup and in the demos above, I carried out the following configuration.

  1. enter the Username for the local administrator account
  2. enter the Password for the local administrator account
  3. re-enter the Password for the local administrator account
  4. select whether you want to hide this administrator account
  5. select your desired Local User Account Type
  6. select Pre-fill primary account information
  7. select Custom Details
  8. type $USERNAME as the Account Full Name
  9. type $FULLNAME as the Account Name

    As we have Okta as the Cloud IdP and LDAP server set up, we can enter user variables in the Account Full Name and Account Name fields when configuring the Pre-Fill Primary Account settings.
    This allows the user variables to populate during the account creation screen in the Setup Assistant.

  10. select Lock primary account information
  11. Save your settings

The Configuration Profiles payload allows us to specify profiles to be deployed to macOS devices during the enrollment process.
These profiles are installed on the devices before the user finishes the Setup Assistant, ensuring essential configurations are in place from the outset.
In my configuration, I have selected additional profiles that are not covered in this blog post.

Finally, click Save to complete the configuration process.

Deploy Okta Verify

To wrap up our configuration steps, let’s deploy the Okta Verify app. To do so, navigate to:
Settings > Computer Management > Packages
Here we will be able to upload and assign the Okta Verify app to the appropriate devices in our environment.

Click New to add a new package.

Enter a Display name and click on the browse for a file button.

Select your Okta Verify .pkg file.

Review the configuration and Save your settings.

Wait a moment until the upload is complete.

The Okta Verify App package is now ready.

Navigate to Computers > Policies and click + New to create a new policy.

In the General section, enter a Display name and select a Trigger.

In the Packages section, click Configure and add the Okta Verify package created in the previous step.

Configure the Distribution Point and the desired Action.

Configure your desired Scope.

And if desired, you can make the policy available in Self Service.

Conclusion

The combination of Automated Device Enrollment, Okta Device Access, and Jamf Pro provides organizations with an automated, secure, and efficient solution for managing Apple devices.
The seamless integration not only improves business efficiency and security but also delivers long-term value by ensuring compliance and reducing administrative complexity.
With these tools, organizations are better equipped to handle the demands of modern workforce management while providing a secure, user-friendly environment for their employees.

This integrated approach relies on a diverse technology stack that blends cloud-based identity management, MDM (Mobile Device Management), and Apple’s ecosystem for device management.
The combination of Okta for identity and access management, Jamf Pro for device management, and Apple Business Manager for device registration and enrollment forms a cohesive technology stack that works seamlessly together.

5 thoughts on “Okta Device Access Out-of-the-box enrollment with Jamf Pro”

  1. Thank you for documenting this… I’m trying to implement this in my organization but the key feature we’re looking for – locking in the Account Setup variables via $FULLNAME and $USERNAME so the Create a Computer Account screen’s Full name and Account name fields are locked – isn’t working. No matter what I try they are coming up blank.

    It’s not 100% clear which of the above configurations are absolutely essential to this working and which are optional. I know I don’t need to deploy the Okta Verify pkg because you didn’t include it in your Prestage, but are the Platform SSO and Okta Device Access profiles essential to this working? If so, one of those is probably where I need to dig further for a misconfiguration.

    I can see from watching the mdmsetup process during enrollment that indeed the variables don’t come through populated, suggesting that the LDAP lookup of the account has failed.

    1. Hi,
      you need to have Okta LDAP with Jamf Pro LDAP properly configured to have the value pre-filled and locked via Enrollment policy in Jamf.

  2. This is great, I have Jamf Connect; do I need Desktop MFA or Platform SSO? I want to achieve the same Okta verify registration experience.

    1. Hello,
      thanks. In this setup you don’t need Jamf Connect; Okta Device Access and the Jamf Pro and Okta integration handle everything.
