Cross-Platform Endpoint Security: Integrating Okta and CrowdStrike for Windows and macOS

Introduction

In today’s dynamic and hybrid work environments, ensuring that only trusted and secure devices can access corporate resources is a fundamental pillar of a Zero Trust strategy. Device posture, including real-time security health and risk state, is critical in enabling secure access decisions — and this is where the integration between Okta and CrowdStrike’s Zero Trust Assessment (ZTA) capability delivers significant value.

This post will guide you through each phase of the integration process to ensure a seamless configuration.

Requirements

Before implementing the integration of Okta Endpoint Security with CrowdStrike Zero Trust Assessment (ZTA), ensure you have the following components in place:

Okta Configuration

  • Okta Identity Engine (OIE) must be enabled in your tenant
  • Okta Verify app deployed on macOS and Windows devices
  • Okta FastPass enabled and device registered
  • Admin access to the Okta Admin Console

CrowdStrike Configuration

  • CrowdStrike Falcon Console access with administrative privileges
  • Falcon Zero Trust Assessment (ZTA) module enabled in your CrowdStrike tenant
  • CrowdStrike Falcon Sensor installed on macOS endpoints
  • Ensure the ZTA module is properly configured to generate the data.zta file

Device Management / MDM

  • An MDM/UEM solution (e.g., Jamf Pro, Omnissa Workspace ONE, Intune) to push Managed App Configuration to devices

macOS Device Requirements

  • Devices must be running macOS 13 (Ventura) or later
  • Full disk access granted to the CrowdStrike sensor, if prompted
  • System extensions enabled and approved for CrowdStrike components

Windows Device Requirements

  • Windows 10 or later
  • Enable the ZTA plugin in the Okta Verify deployment

Network & Connectivity

  • Devices must have outbound connectivity to both Okta and CrowdStrike services.

Okta configuration steps

The first step is to connect Okta to CrowdStrike as the EDR provider. This integration allows Okta to receive device trust signals.

Endpoint Security Integration

Navigate to Security > Endpoint Security in your Okta Admin Console.

Click Add Endpoint Integration and select CrowdStrike from the list of vendors.

Select your desired platform.

The Endpoint security integration was successfully created.

Create an endpoint security integration authentication policy

With the integration active, we can now create rules within authentication policies that use these device signals to make access decisions.

Go to Security > Authentication Policies

Select the policy you wish to modify.

Click Add Rule to begin configuration.

Configure an Authentication Policy Rule Using Device State, EDR Signals, and Assurance Levels:

  1. Type a Rule name to describe the rule.
  2. Select Registered in the Device state.
  3. Specify the EDR signals you want a policy to evaluate by entering a custom expression.
    Refer to the official documentation for a complete list of supported EDR signals available for custom expressions.
  4. Configure the Authenticator assurance level compliance according to your requirements.
  5. Configure the re-authentication frequency.
  6. Save the new rule.

After saving, ensure the rule is placed in the correct priority order, because rules are evaluated top-down.

Install the CrowdStrike sensor on macOS

While it is generally recommended to leverage an MDM or UEM solution to deploy and manage the CrowdStrike Falcon Sensor across your endpoint fleet — ensuring consistency, compliance, and simplified lifecycle management — there are scenarios where a manual installation is necessary or preferred (e.g., testing, proof of concept, or small-scale deployments).

Endpoint security integration plugin for macOS

To enable plugins on macOS devices, it is essential to configure and deploy a managed app configuration through your device management platform.
This configuration allows Okta Verify to securely collect trust signals from the EDR client operating on the same device, enhancing endpoint security and visibility.

This example demonstrates how to deploy a managed app configuration using Jamf Pro. However, any device management solution that supports managed app configuration deployment to Apple devices can be used, provided it accommodates the specified Okta key name and value.

The official documentation provides further technical details on this configuration.

Now we’ll continue by downloading the latest Falcon Sensor installer from the CrowdStrike Falcon console and retrieving the CrowdStrike Customer ID (CID) required to activate and register your endpoint with your CrowdStrike tenant.

Download the Mac sensor and copy your customer ID to enter during install

In this demo, we will walk through the step-by-step process of manually installing the CrowdStrike Falcon Sensor on a macOS device.

To verify that the CrowdStrike Falcon Sensor has been successfully installed, run the following command in the terminal:

Okta retrieves the Zero Trust Assessment (ZTA) score by reading the data.zta file generated by CrowdStrike.
This file is located at:
/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta

If the data.zta file is missing or contains no data, the ZTA score will not appear in the system logs.
In such cases, it is recommended to contact CrowdStrike Customer Support to ensure that the CrowdStrike Falcon Zero Trust Assessment feature is properly enabled and configured.

Install the CrowdStrike sensor on Windows

The first step in enabling endpoint security posture checks is deploying Okta Verify with the Zero Trust Assessment (ZTA) Plugin enabled.
In this demo, we will walk through the step-by-step process of manually installing Okta Verify on a Windows device, ensuring it is properly configured to support ZTA-based policy enforcement.

If Okta Verify is installed with the EnableZTAPlugin=TRUE flag, it creates a default plugin file named com.okta.ztaDefault.json in the C:\ProgramData\Okta\OktaVerify\Plugins\ folder.

If Okta Verify is already deployed on your devices, the ZTA Plugin functionality can be enabled or disabled using a PowerShell script.

Now we’ll continue by downloading the latest Falcon Sensor installer from the CrowdStrike Falcon console and retrieving the CrowdStrike Customer ID (CID) required to activate and register your endpoint with your CrowdStrike tenant.

Download the Windows sensor and copy your customer ID to enter during install

In this demo, we will walk through the step-by-step process of manually installing the CrowdStrike Falcon Sensor on a Windows device.

Okta obtains the ZTA score by reading the data.zta file provided by CrowdStrike.
By default, the file is located at: C:\ProgramData\CrowdStrike\ZeroTrustAssessment\data.zta

Review Okta System Logs

Once the CrowdStrike endpoint integration and corresponding authentication policies are active, the Okta System Log becomes your primary tool for verifying that everything is working as expected.
It provides detailed insight into how device posture signals are being received and evaluated during every sign-in attempt.

When a user attempts to sign in from a device managed by CrowdStrike, Okta evaluates the signal and logs the outcome.
By expanding the log entry for a sign-on event, you can view the exact data provided by the integration:

Device Integrator {"CROWDSTRIKE":{"expirationDateTime":"1750413440000","os":72,"csSerialNumber":"SERIALNUMBER","issuedDateTime":"1749203840000","overall":26,"aid":"7f6428c302604a4fadf7557507c17c13","sensorConfig":9,"csPlatform":"macOS","cid":".CUSTOMERID"},}
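When reviewing many sign-in events, it helps to decode this value programmatically. The following is an added example, not part of the original post or of Okta's or CrowdStrike's tooling: it parses a constructed, valid-JSON copy of the entry above, converts the epoch-millisecond timestamps, and flags an expired assessment or a low overall score. The `min_overall` threshold and the function names are assumptions for illustration, and the comparison assumes a higher score means a healthier device.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the "Device Integrator" value shown above;
# the serial number and customer ID are placeholders.
SAMPLE = (
    '{"CROWDSTRIKE":{"expirationDateTime":"1750413440000","os":72,'
    '"csSerialNumber":"SERIALNUMBER","issuedDateTime":"1749203840000",'
    '"overall":26,"aid":"7f6428c302604a4fadf7557507c17c13",'
    '"sensorConfig":9,"csPlatform":"macOS","cid":"CUSTOMERID"}}'
)

def ms_to_utc(value):
    """The log carries timestamps as strings of epoch milliseconds."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)

def review_signal(raw, min_overall, now=None):
    """Summarise one CrowdStrike signal. min_overall is a hypothetical
    threshold standing in for the one in your own rule expression."""
    now = now or datetime.now(timezone.utc)
    signal = json.loads(raw).get("CROWDSTRIKE")
    if not signal:
        return {"status": "no_signal", "findings": ["no CROWDSTRIKE data in entry"]}
    issued = ms_to_utc(signal["issuedDateTime"])
    expires = ms_to_utc(signal["expirationDateTime"])
    findings = []
    if now >= expires:
        findings.append("assessment expired " + expires.isoformat())
    if now < issued:
        findings.append("assessment issued in the future " + issued.isoformat())
    overall = signal.get("overall")
    if not isinstance(overall, int):
        findings.append("overall score missing")
    elif overall < min_overall:
        findings.append(f"overall {overall} below threshold {min_overall}")
    return {
        "status": "review" if findings else "ok",
        "platform": signal.get("csPlatform"),
        "scores": {k: signal.get(k) for k in ("overall", "os", "sensorConfig")},
        "issued": issued.isoformat(),
        "expires": expires.isoformat(),
        "validity_days": (expires - issued).days,
        "findings": findings,
    }

if __name__ == "__main__":
    print(json.dumps(review_signal(SAMPLE, min_overall=50), indent=2))
```

For the sample values, the issued and expiration timestamps are 14 days apart, so a device that stops refreshing its assessment is worth checking well before the expiration time is reached.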

Conclusion

Integrating CrowdStrike Zero Trust Assessment (ZTA) with Okta Endpoint Security provides a powerful, adaptive layer of protection that directly enhances your Zero Trust architecture. By leveraging device posture signals from CrowdStrike’s EDR platform, Okta can make more informed access decisions—ensuring that only healthy, compliant, and trusted devices can access your critical applications.
With simple policy configurations and automated device signal ingestion, this approach helps security and identity teams align endpoint and identity security in a way that is actionable, measurable, and scalable.
