Setting up Okta Device Trust with Workspace ONE UEM

Okta is updating its identity platform, moving from the Okta Classic Engine to the Okta Identity Engine, and with this update the way Device Trust is configured has changed completely. Device Trust now relies on the MDM deploying the Okta Verify app with a specific Application Configuration that contains a key generated in the Okta console. If the key from the console matches the key stored in the app on the device, the device must be MDM-enrolled (otherwise it could not have received the matching key) and is considered trusted.

Add Okta Verify as an authenticator
  1. In the Okta console, go to Security > Authenticators
  2. Under Setup, click Add Authenticator
  3. Select Okta Verify and configure the required options



Create an enrollment policy (or edit the default)
  1. In the Admin console, go to Security > Authenticators
  2. Under Enrollment, add a new policy (or edit an existing one)
  3. In the Eligible Authenticators section, select one of the following Okta Verify options:
    • Optional: New and existing users can choose to enroll in Okta Verify as an authenticator. Okta Verify enrollment is not mandatory.
    • Required: New and existing users must enroll a device in Okta Verify to access Okta-protected resources.



Configure Okta endpoint management for mobile devices
  1. In the admin console, go to Security > Device Integrations
  2. On the Endpoint management page, click Add Platform
  3. Select Android or iOS and click Next
  4. In Configure management attestation click Copy next to the secret key
  5. Enter Workspace ONE as the Device management provider
  6. For the enrollment link, enter https://getws1.com
  7. Click Save

Integrate Okta with Workspace ONE UEM
  1. In the Workspace ONE UEM console, add the Okta Verify application and assign it to the appropriate devices
  2. In the Restrictions setting, select Make App EMM Managed if User Installed.
  3. In the Application Configuration settings, enter the secret key (token) copied from the Okta console above

[Android screenshot]

[iOS screenshot]

Create authentication policies
  1. In the Okta console, go to Security > Authentication Policies
  2. Click Add a policy and create a name (eg MDM Enrolled)
  3. Click Add Rule and create a rule for MDM enrolled (managed) devices. The Device state setting should be Registered and the device management state should be Managed
  4. Platform should be iOS and Android
  5. Access should be allowed
  6. Click Save

  7. Create a second rule for non-mobile devices to allow access. These devices do not need to be managed

  8. Update the catch-all rule to deny access for all other scenarios



Assign Policies to the applications
  1. In the console, go to Security > Authentication Policies > [Policy created above]
  2. Select Applications
  3. Select Switch Policy for each application on which you would like to enforce device trust (or Add App if no applications are listed) and select the created policy. Do not apply this policy to WS1 Access since (if using Access as the Source of Authentication) it is used for device enrollment and you will end up in a chicken-and-egg situation.


Configure the SSO Extension for iOS (Optional)

Deploy the SSO Extension profile to iOS devices with the appropriate settings


Extension identifier: com.okta.mobile.auth-service-extension
Type: Credential
Realm: Okta Device
Hosts: Your Okta tenant
Certificate: None
Custom XML: <dict><key>managementHint</key><string>[Token goes here]</string></dict>
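The whole mechanism hinges on the `managementHint` value pushed by the MDM matching the secret key Okta generated, so a template deployed with the placeholder still in it (or a stale key after the platform is re-added in Okta) silently breaks trust. The following is an added example, not code from the post or from Okta/VMware: a small pre-deployment check that parses the iOS Custom XML fragment shown above and an Android managed configuration and compares both against the expected key. It assumes the Android managed configuration uses the same `managementHint` key the post shows for iOS, and all key values are constructed stand-ins.

```python
import plistlib

# Constructed stand-in for the secret key copied from Okta's
# "Configure management attestation" step; not a real key.
EXPECTED_HINT = "EXAMPLE-OKTA-SECRET-KEY-0000"

# Values that mean the template was deployed without being edited.
PLACEHOLDERS = {"", "[Token goes here]"}

# Constructed sample inputs: the Custom XML exactly as the post shows it
# (placeholder not replaced) and a copy with the key filled in.
IOS_CUSTOM_XML_TEMPLATE = "<dict><key>managementHint</key><string>[Token goes here]</string></dict>"
IOS_CUSTOM_XML_FILLED = f"<dict><key>managementHint</key><string>{EXPECTED_HINT}</string></dict>"
# Assumed Android managed configuration using the same key name.
ANDROID_APP_CONFIG = {"managementHint": EXPECTED_HINT}


def parse_custom_xml(fragment: str) -> dict:
    """Parse a Workspace ONE Custom XML <dict> fragment (it has no <plist> wrapper)."""
    wrapped = f'<plist version="1.0">{fragment.strip()}</plist>'
    return plistlib.loads(wrapped.encode(), fmt=plistlib.FMT_XML)


def check_management_hint(config: dict, expected: str) -> list[str]:
    """Return findings for one app configuration; an empty list means it is consistent."""
    hint = config.get("managementHint")
    if hint is None:
        return ["managementHint key missing"]
    if not isinstance(hint, str) or hint in PLACEHOLDERS:
        return ["managementHint empty or still the template placeholder"]
    if hint != expected:
        return ["managementHint does not match the Okta console secret key"]
    return []


def audit(ios_custom_xml: str, android_config: dict, expected: str) -> dict[str, list[str]]:
    """Check both platform configurations against the single key Okta expects."""
    return {
        "ios": check_management_hint(parse_custom_xml(ios_custom_xml), expected),
        "android": check_management_hint(android_config, expected),
    }


if __name__ == "__main__":
    # The unedited template fails for iOS while the Android config passes.
    for platform, findings in audit(IOS_CUSTOM_XML_TEMPLATE, ANDROID_APP_CONFIG, EXPECTED_HINT).items():
        print(platform, "OK" if not findings else "; ".join(findings))
```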

