Fortifying the Zero Trust Framework with Okta Advanced Posture Checks for macOS

May 2025: This is an Early Access release

Introduction

In today’s increasingly complex and perilous digital landscape, the concept of Zero Trust has evolved from a security buzzword to a fundamental architectural principle.
Organizations are no longer able to implicitly trust any user or device, regardless of their location or network.
This paradigm shift demands a more granular and dynamic approach to access control, one that continuously validates the security posture of every device seeking to access protected resources.
Enter Okta Advanced Posture Checks: a powerful enhancement to the Okta Identity Cloud that empowers organizations to enforce stringent, customizable device security requirements, bolstering their Zero Trust framework and mitigating the risk of unauthorized access.

This blog post delves into the technical intricacies of Okta Advanced Posture Checks, exploring how it transcends traditional device assurance by enabling the creation of custom security checks tailored to an organization’s unique risk profile.
We’ll examine how this capability allows for the validation of a wide range of device attributes, from operating system configurations and patch levels to the presence of specific security software and adherence to bespoke compliance policies. Furthermore, we’ll provide a comprehensive overview of the implementation process, including best practices for defining custom checks, integrating with existing device management infrastructure, and crafting effective remediation strategies.

By equipping security teams with the tools to implement fine-grained control over device access, Okta Advanced Posture Checks represents a significant step forward in proactive security. It moves beyond simple “allow” or “deny” decisions, enabling a more nuanced approach that balances robust security with a seamless user experience.
Join us as we explore how Okta Advanced Posture Checks can help your organization strengthen its security posture, enforce compliance, and confidently navigate the challenges of modern identity and access management.

Prerequisites

Before diving into the intricacies of Okta Advanced Posture Checks, ensure the following prerequisites are in place:

  • Okta Identity Engine: Advanced Posture Checks is an Early Access feature of the Okta Identity Engine, so your org must be on Identity Engine rather than Classic Engine.
  • Okta Device Assurance: A strong understanding of Okta Device Assurance is essential, as Advanced Posture Checks builds upon its capabilities.
  • Supported Devices: Verify that the devices you intend to evaluate with Advanced Posture Checks are on macOS version 14.4 or later.
  • Okta Verify 9.39: End users need Okta Verify for macOS installed on their devices. Custom check collection depends on a sufficiently recent build; the version listed here is the one required at the time of writing.
  • Device Management: On macOS, the keys that enable custom checks are delivered to Okta Verify as a managed preference configuration profile, so an MDM solution that can deploy configuration profiles to the target Macs is required.
  • osquery: Custom checks are SQL queries against osquery tables, so familiarity with osquery and its macOS table schema (for example the alf table used later in this post) is required.
  • Security Policies: Understanding your organization’s security policies and compliance requirements. Advanced Posture Checks is used to enforce these policies.

By ensuring these prerequisites are met, you’ll be well-equipped to leverage Okta Advanced Posture Checks to enforce a robust Zero Trust security strategy.

Demo Advanced Posture Checks

Let us begin by demonstrating Advanced Posture Checks on macOS and observing this integration in action.

Configuring Custom Device Checks on macOS User Devices

Enabling custom posture checks on macOS devices is driven through your existing Mobile Device Management (MDM) infrastructure, which delivers a managed preference configuration profile that Okta Verify reads.

  1. Configuration Profile for Custom Checks: In your MDM solution, create a configuration profile containing the Okta Verify managed preferences described below. This is what prepares the device to allow Okta Verify to run custom checks and gather the necessary data.
  2. Okta Verify Deployment with Configuration: Deploy Okta Verify to the macOS devices via your MDM together with that Property List (.plist) configuration profile. Refer to “Deploy Okta Verify to macOS devices” in the Okta documentation for detailed instructions.
  3. Okta Verify Configuration Keys: Within the profile, the following keys must be set in the managed preferences of both the Okta Verify app (com.okta.mobile) and its authentication service extension (com.okta.mobile.auth-service-extension):
    • OktaVerify.EnableOSQueryCustomChecks: Boolean. Set to true to allow Okta Verify to execute custom osquery checks.
    • OktaVerify.OSQueryAllowedDomains: The Okta tenant domain permitted to send custom osquery checks to Okta Verify. This allowlist is what stops any other origin from getting osquery SQL executed on the device, so restrict it to your own tenant.

By following these steps, you can effectively configure macOS devices to support custom posture checks, allowing Okta Verify to enforce your organization’s specific security requirements.

The following template can be used to deploy the configuration profile. Replace the ‘YOUR_OKTA_URL’ value, in both payloads, with your organization’s Okta tenant. The two payloads target com.okta.mobile and com.okta.mobile.auth-service-extension respectively, and both are required.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>com.okta.mobile</key>
				<dict>
					<key>Forced</key>
					<array>
						<dict>
							<key>mcx_preference_settings</key>
							<dict>
								<key>OktaVerify.EnableOSQueryCustomChecks</key>
								<true/>
								<key>OktaVerify.OSQueryAllowedDomains</key>
								<string>YOUR_OKTA_URL</string>
							</dict>
						</dict>
					</array>
				</dict>
			</dict>
			<key>PayloadDisplayName</key>
			<string>Custom Settings</string>
			<key>PayloadIdentifier</key>
			<string>FC3CB8C0-9A8B-4AF6-A874-AE0944A49C63</string>
			<key>PayloadOrganization</key>
			<string>Your Organization</string>
			<key>PayloadType</key>
			<string>com.apple.ManagedClient.preferences</string>
			<key>PayloadUUID</key>
			<string>FC3CB8C0-9A8B-4AF6-A874-AE0944A49C63</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>com.okta.mobile.auth-service-extension</key>
				<dict>
					<key>Forced</key>
					<array>
						<dict>
							<key>mcx_preference_settings</key>
							<dict>
								<key>OktaVerify.EnableOSQueryCustomChecks</key>
								<true/>
								<key>OktaVerify.OSQueryAllowedDomains</key>
								<string>YOUR_OKTA_URL</string>
							</dict>
						</dict>
					</array>
				</dict>
			</dict>
			<key>PayloadDisplayName</key>
			<string>Custom Settings</string>
			<key>PayloadIdentifier</key>
			<string>CABBB7A4-5F01-44F6-87F1-441AFFE89287</string>
			<key>PayloadOrganization</key>
			<string>Your Organization</string>
			<key>PayloadType</key>
			<string>com.apple.ManagedClient.preferences</string>
			<key>PayloadUUID</key>
			<string>CABBB7A4-5F01-44F6-87F1-441AFFE89287</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string></string>
	<key>PayloadDisplayName</key>
	<string>Okta - APC</string>
	<key>PayloadEnabled</key>
	<true/>
	<key>PayloadIdentifier</key>
	<string>C9A6E106-A80B-4752-937E-1E56C770F10C</string>
	<key>PayloadOrganization</key>
	<string>Your Organization</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>9B0434CC-DEB7-4B4D-A795-3F97931AF8F6</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
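Because the profile has to be right in two places (both preference domains, both keys, a real tenant instead of the placeholder), it is worth linting it before it is pushed to a fleet. The following Python is an added example written for this post, not Okta’s or Jamf’s tooling: it generates a profile with the same structure as the template above and checks a profile for the mistakes that would make custom checks silently not work. The value example.okta.com is a constructed stand-in for your tenant, and the rules about PayloadScope and PayloadRemovalDisallowed simply mirror what the template sets.

```python
import plistlib
import uuid
from typing import Dict, List, Sequence

# Both Okta Verify preference domains in the template must carry the keys:
# the Okta Verify app itself and its authentication service extension.
OKTA_VERIFY_DOMAINS = ("com.okta.mobile", "com.okta.mobile.auth-service-extension")
ENABLE_KEY = "OktaVerify.EnableOSQueryCustomChecks"
ALLOWED_KEY = "OktaVerify.OSQueryAllowedDomains"
PLACEHOLDER = "YOUR_OKTA_URL"


def build_profile(okta_domain: str,
                  organization: str = "Your Organization",
                  domains: Sequence[str] = OKTA_VERIFY_DOMAINS) -> bytes:
    """Generate a configuration profile with the same structure as the template.

    okta_domain replaces YOUR_OKTA_URL. `domains` defaults to both required
    preference domains and is exposed only so the linter can be shown catching
    a profile that configures just one of them.
    """
    def preference_payload(domain: str) -> Dict:
        payload_id = str(uuid.uuid4()).upper()
        return {
            "PayloadContent": {
                domain: {"Forced": [{"mcx_preference_settings": {
                    ENABLE_KEY: True,
                    ALLOWED_KEY: okta_domain,
                }}]},
            },
            "PayloadDisplayName": "Custom Settings",
            "PayloadIdentifier": payload_id,
            "PayloadOrganization": organization,
            "PayloadType": "com.apple.ManagedClient.preferences",
            "PayloadUUID": payload_id,
            "PayloadVersion": 1,
        }

    profile = {
        "PayloadContent": [preference_payload(d) for d in domains],
        "PayloadDescription": "",
        "PayloadDisplayName": "Okta - APC",
        "PayloadEnabled": True,
        "PayloadIdentifier": str(uuid.uuid4()).upper(),
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    return plistlib.dumps(profile)


def lint_profile(profile_xml: bytes) -> List[str]:
    """Return deployment blockers found in a profile; an empty list means it is ready to push."""
    problems: List[str] = []
    root = plistlib.loads(profile_xml)

    if root.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System: the keys are device-wide managed preferences")
    if root.get("PayloadRemovalDisallowed") is not True:
        problems.append("PayloadRemovalDisallowed should be true so a user cannot remove the profile")

    # Collect the forced (managed) settings per preference domain.
    settings_by_domain: Dict[str, Dict] = {}
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for domain, body in payload.get("PayloadContent", {}).items():
            for forced in body.get("Forced", []):
                settings_by_domain.setdefault(domain, {}).update(
                    forced.get("mcx_preference_settings", {}))

    for domain in OKTA_VERIFY_DOMAINS:
        settings = settings_by_domain.get(domain)
        if settings is None:
            problems.append(f"{domain}: no managed preference payload for this domain")
            continue
        if settings.get(ENABLE_KEY) is not True:
            problems.append(f"{domain}: {ENABLE_KEY} is not set to true")
        allowed = settings.get(ALLOWED_KEY)
        if not isinstance(allowed, str) or not allowed.strip() or allowed == PLACEHOLDER:
            problems.append(f"{domain}: {ALLOWED_KEY} is missing or still the placeholder")
    return problems


if __name__ == "__main__":
    # example.okta.com is a constructed value standing in for your own tenant.
    print(lint_profile(build_profile("example.okta.com")))  # []
    print(lint_profile(build_profile(PLACEHOLDER)))          # one placeholder finding per domain
```

Run the linter against the exported profile from your MDM before scoping it to devices; a profile that only configures com.okta.mobile, or that still carries the placeholder, is reported as a blocker rather than discovered later as checks that never evaluate.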

Configuring Advanced Posture Checks

To enable the feature, go to Settings > Features in the Okta Admin Console and turn on Advanced Posture Checks.

In order to utilize custom remediation messages for users failing to meet device assurance compliance, the following feature must also be enabled.

To access device integration settings, navigate to the Security section within the Okta Admin Console, and then select Device Integrations.

Create the osquery integration on the Endpoint security tab by selecting ‘Add endpoint integration’ and choosing ‘osquery’.

Choose the relevant platform and save the configuration.

The device integration should be configured as illustrated below.

Create custom checks

The configuration of custom checks is accessed via the Security -> Advanced Posture Checks path within the Okta Admin Console.

Begin the custom check creation process by clicking ‘Add custom check’ on the Custom checks tab.

The following steps outline the procedure for configuring a posture check:

  1. Name: Provide a descriptive and unique name for the posture check.
  2. Description: Enter a detailed description of the check’s purpose and the conditions it evaluates.
  3. Variable Assignment: Assign a unique variable to this posture check. This variable is how the check is referenced when configuring device assurance policies.
  4. Platform: Select macOS.
  5. SQL Query Definition: Construct the osquery SQL query that defines the logic of the posture check. Ensure the query terminates with a semicolon (;).
  6. Remediation Guidance (optional): Provide clear and concise remediation text that is displayed in the browser if the device fails the posture evaluation.
  7. Remediation Link (optional): Provide a URL pointing to more detailed remediation information.
  8. Save: Save the posture check configuration.

The following query provides an example of how to verify whether the macOS application firewall is enabled. osquery’s alf table exposes the firewall’s global_state: 0 means off, 1 means on for specific services, and 2 means on with all incoming connections blocked. The query therefore returns 1 for either enabled mode and 0 when the firewall is off.

-- alf is osquery's view of the macOS application firewall and holds a single row.
-- global_state: 0 = off, 1 = on (specific services), 2 = on (block all incoming)
SELECT
  CASE
    WHEN global_state = 0 THEN 0
    ELSE 1
  END AS firewall_enabled
FROM
  alf;

The operation should yield the following results.
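A posture query that returns the wrong shape (several rows, or several columns) is a bug you would rather find before it gates logins. Since osquery is built on SQLite, the exact SQL of a check can be exercised offline against an in-memory sqlite3 database carrying a copy of the osquery table schema. The following Python is an added example for this post, not Okta or osquery code: it runs the firewall query above plus two further checks written here against osquery’s gatekeeper and sip_config tables, over constructed device states rather than data captured from a real Mac. The “exactly one row, one column, 0 or 1” rule is this harness’s own convention, chosen to match the shape the firewall example produces; it tests query logic, not osquery’s actual data collection.

```python
import sqlite3
from typing import Dict

# Posture checks under test. firewall_enabled is the query from the post; the
# other two are additional examples written for this harness against the
# documented columns of osquery's gatekeeper and sip_config tables.
CHECKS: Dict[str, str] = {
    "firewall_enabled": """
        SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled
        FROM alf;
    """,
    "gatekeeper_enabled": """
        SELECT CASE WHEN assessments_enabled = 1 THEN 1 ELSE 0 END AS gatekeeper_enabled
        FROM gatekeeper;
    """,
    "sip_enabled": """
        SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS sip_enabled
        FROM sip_config WHERE config_flag = 'sip';
    """,
}

# Reduced copies of the osquery table schemas the checks read (only the columns used here).
SCHEMA = """
CREATE TABLE alf (global_state INTEGER, stealth_enabled INTEGER, logging_enabled INTEGER);
CREATE TABLE gatekeeper (assessments_enabled INTEGER, dev_id_enabled INTEGER, version TEXT);
CREATE TABLE sip_config (config_flag TEXT, enabled INTEGER, enabled_nvram INTEGER);
"""


def make_device(firewall_state: int, gatekeeper_on: int, sip_on: int) -> sqlite3.Connection:
    """Build an in-memory 'device' populated with constructed values, not a capture from real hardware."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO alf VALUES (?, 0, 0)", (firewall_state,))
    conn.execute("INSERT INTO gatekeeper VALUES (?, 1, '1.0')", (gatekeeper_on,))
    # sip_config carries one row per flag; only the 'sip' row matters to the check,
    # which is why the check needs its WHERE clause.
    conn.executemany("INSERT INTO sip_config VALUES (?, ?, ?)",
                     [("sip", sip_on, sip_on), ("sip_allow_unrestricted_dtrace", 0, 0)])
    return conn


def run_check(conn: sqlite3.Connection, sql: str) -> int:
    """Run one posture query and enforce the result shape: exactly one row, one column, 0 or 1."""
    rows = conn.execute(sql.strip()).fetchall()
    if len(rows) != 1 or len(rows[0]) != 1:
        raise ValueError(f"check must return one row and one column, got {rows!r}")
    value = rows[0][0]
    if value not in (0, 1):
        raise ValueError(f"check must return 0 or 1, got {value!r}")
    return value


def is_well_formed(conn: sqlite3.Connection, sql: str) -> bool:
    """True when the query satisfies the shape rule for every device state it is run on."""
    try:
        run_check(conn, sql)
        return True
    except ValueError:
        return False


def evaluate(conn: sqlite3.Connection) -> Dict[str, int]:
    """Evaluate every check against one device and return name -> 0/1."""
    return {name: run_check(conn, sql) for name, sql in CHECKS.items()}


if __name__ == "__main__":
    for state in (0, 1, 2):  # every documented alf.global_state value
        print(state, evaluate(make_device(state, 1, 1)))
    # A query that forgets the WHERE clause returns two rows and is rejected.
    print(is_well_formed(make_device(1, 1, 1), "SELECT enabled FROM sip_config;"))  # False
```

Running each check against all three global_state values shows the CASE expression collapsing both enabled modes to 1, and the shape rule catches the classic mistake of a query without a row filter (two rows back from sip_config) before it ever reaches a device assurance policy.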

Add the custom check to a device assurance policy

Navigate to Security > Device Assurance Policies

In the Device Assurance Policies click Add a policy.

The following procedure details the configuration of a device assurance policy:

  1. Policy Name: Specify a unique and descriptive name for the set of device conditions being defined.
  2. Platform: Select the target device platform for which the device conditions will be established.
  3. Conditions: Configure the device assurance conditions specific to the chosen platform.
  4. Custom Posture Check Selection: In the ‘Custom posture check’ section, select the desired posture checks from the dropdown menu.
  5. Posture Check Enforcement: Select ‘Enabled’ to incorporate the chosen checks into the policy.
  6. Save: Save the device assurance policy configuration.

Validate the settings within the Device Assurance Policy.

Add the device assurance policy to an authentication policy

Platform-specific device assurance policies are enforced by referencing them in authentication policy rules.
By adding a device assurance condition to a rule, organizations set minimum security requirements that a registered device must meet before it can reach the applications the policy protects. Note how conditions combine: the conditions of a single rule are ANDed (the UI labels each additional one ‘AND …’), whereas the policies listed under ‘Any of the following Device Assurance conditions’ are ORed, so a device that satisfies any one of the listed device assurance policies meets that condition.

For a failed device assurance check to actually block access, the catch-all rule of the authentication policy must be set to DENY.
Otherwise a device that does not meet the assurance conditions simply falls through to the catch-all rule and is allowed in, and Okta never needs to collect and evaluate its device signals. With a DENY catch-all, every access attempt is evaluated against the device assurance rule, and a non-compliant device is denied and shown the remediation guidance configured earlier.

In the Admin Console, go to Security > Authentication Policies.

Select a policy and click Add Rule to add a new rule for device assurance.

  1. For AND Device state is, select Registered.
  2. For AND Device assurance policy is, select Any of the following Device Assurance conditions, then choose the device assurance policy you created previously.

Logs

The device context for that authentication can be viewed in the Okta console by navigating to Reports > System Log.
The custom check should appear as a Device property. 

Miscellaneous

Foundational osquery proficiency is required for effective utilization.

Consult the following resources for guidance on query development and modification, noting that AI assistants can provide supplementary support:

Conclusion

As organizations navigate an increasingly complex threat landscape, the adoption of a robust Zero Trust security framework is no longer a matter of choice, but a strategic imperative. Okta Advanced Posture Checks provides a pivotal enhancement to this framework, empowering organizations to move beyond perimeter-based security and embrace a more granular, context-aware approach to access control.
By enabling the creation of custom, fine-grained device checks, Okta Advanced Posture Checks allows for the continuous validation of device security, ensuring that only compliant and healthy devices can access sensitive resources.

From a technical perspective, the ability to define custom checks using industry-standard SQL, integrate with existing MDM solutions, and leverage OSQuery for detailed macOS insights represents a significant leap forward in device security.
This granular control allows security teams to enforce policies tailored to their specific risk profiles, addressing vulnerabilities that traditional device assurance solutions might miss. Furthermore, the customizable remediation capabilities empower end-users to proactively address compliance issues, reducing the burden on IT support and improving overall security hygiene.

The business value of Okta Advanced Posture Checks is equally compelling.
By minimizing the attack surface and reducing the risk of data breaches, organizations can protect their valuable assets and maintain customer trust. This translates to increased operational efficiency, reduced security costs, and improved compliance with industry regulations such as GDPR, HIPAA, and PCI DSS. Moreover, by fostering a culture of security awareness and empowering users to take ownership of their device compliance, Okta Advanced Posture Checks contributes to a stronger overall security posture. In conclusion, Okta Advanced Posture Checks is not merely a technical solution, but a strategic enabler for organizations seeking to establish a resilient Zero Trust architecture, mitigate risk, and thrive in the face of ever-evolving cyber threats.
