This is recommended if the computer is lost or stolen, or if the end user is deactivated. In this introductory whitepaper, we will cover the various features within Okta which allow you to deliver passwordless authentication to the workforce, customers, and consumers (B2E, B2B and B2C). Webview must have access to the device keychain — Device Trust for managed macOS computers works with any SAML/WS-Fed-enabled app that supports authentication through a webview. It seems redundant when you’re only making a simple web app login experience like this example, but it makes more sense once you have a native app and web app that you want to tie together under a single login experience. On the macOS device, search for Keychain Access. For more awesome content, follow @oktadev or subscribe to our YouTube channel. In addition to its apparent end user functionality, what else is it doing? The latest version of the Okta Device Registration Task is also available from the Okta Admin Console Settings > Downloads page. Before you click Sign In, you should set up the mechanism for handling the redirect back from Apple. This is displayed in a few places, but the most convenient is in the top right corner of the screen. The last step to getting the user’s info is to decode the ID token. Is the Okta Device Registration Task that you modified and added to Jamf Pro the latest version? WebAuthn is a secure way of implementing passwordless across the organization. First, you’ll generate a random state value and save it in the session. You can also find the user’s email or proxy email in the claims as well. Exchange ActiveSync client is unselected. “Supervision of laptops has always been challenging, but we believe the way Okta is implementing centralized management is revolutionizing how devices should be managed,” said Phil Ibarrola, TechOps Head of Technology at ThoughtWorks. JumpCloud Directory-as-a-Service patents include No. 
I couldn’t find any documentation on which URL to use as the authorization endpoint, or even whether these were the right parameters, but thankfully the rest of the API looked like OAuth so I was able to figure it out despite the missing docs. Device Trust isn't supported with all versions of Microsoft Office thick clients — This Device Trust solution has been tested to work with Microsoft Office thick client versions 16.13.1 and 16.15. Apple is taking a firm stance to protect users’ privacy with this new feature. He is an editor of several internet specs, and is the co-founder of IndieWebCamp, a conference focusing on data ownership and online identity. If you add apps to the original Okta-defined whitelist, you should consider testing your modified whitelist with a subset of users before rolling it out to all users. The App ID in the previous step is a sort of way to collect things about this app. Admins can specify Okta FastPass usage only on managed devices, on any device registered to Okta, only from specific networks, etc. Since in this example we used response_type=code to get the ID token, the ID token was obtained via the back channel, which means we don’t need to worry about validating the JWT signature of the ID token. 
Schedules a lightweight task that runs once a day and whenever users log in to their computer. Also, if you later want to edit your configuration and generate a new Secret Key through the Reset macOS Secret Key button, you must perform this procedure again. The standard, Federal Information Processing Standard (FIPS) for a personal identity verification (PIV) system, is based on the use of smart cards with an X.509-compliant certificate and key pair. That way, end users don’t change their workflow, and now can use those same credentials to access a wide range of IT infrastructure including systems, servers, on-prem applications, networks, and files. It also allows you to secure your sign-in information from websites you frequently visit on to the Okta cloud, if your IT has enabled the feature. 
The benefit of Okta FastPass is that the device does not need to be Active Directory domain joined or on the network for the passwordless experience, and Okta FastPass works across Windows, macOS, iOS and Android. A JumpCloud Free account includes 10 complimentary users and systems to get you started. While they don’t explicitly call out OAuth or OIDC in their documentation, they use all the same terminology and API calls. Back in the main Certificates, Identifiers & Profiles screen, choose Keys from the side navigation. If you implement endpoint protection software, make sure to configure it in a way that doesn't block your clients from completing the certificate exchange with Okta. Take care when disabling the macOS Device Trust setting — Don't disable the macOS Device Trust setting on the Security > Device Trust page if you have also configured an app sign on policy that allows trusted macOS devices. Okta checks with Jamf Pro to make sure the device is managed. Make sure you save this file, because you won’t be able to get it back again later! Here are a few examples of policies you could create with Factor Sequencing: 1. This gives you an extra layer of security so that you - and only you - can access your applications. This section also identifies which use case (workforce identity vs. customer identity) each feature is most applicable to. They can also push security commands like remote lock and wipe to the device if necessary. Mike earned his bachelor’s in Information Technology at the Rochester Institute of Technology and MBA at the UCLA Anderson School of Management. Multi-factor authentication is defined as two out of the three categories of knowledge, possession, and inherence factors. To re-secure an end user's computer with Device Trust after revoking their Device Trust certificate(s), you need to remove the revoked certificate from their computer before enrolling a new certificate. 
Once you’ve set up the sample code above and registered your own redirect URL, your app will exchange the authorization code for an access token and ID token, and will show the output on the screen! 1. Change the way that they change their passwords, going directly through their device instead of web browsers. Hi Graham, it is only possible to sync user accounts and passwords from a directory of some sort (LDAP or Active Directory) to and from Okta. This example shows Device Trust rules for managing access to Office 365. At the end of this process, you’ll end up with a registered client_id (which they call a Service ID) and a private key downloaded as a file, and you’ll verify a domain and set up a redirect URL for the app. This is where Okta can help. Other Okta app links should be treated this way by default. python MacOktaDeviceRegistrationTaskSetup.1.0.2.py uninstall. Thanks! This would simplify the view and overall experience. Thankfully, Apple adopted the existing open standards OAuth 2.0 and OpenID Connect to use as the foundation for their new API. Exchange ActiveSync or Legacy Auth client, When an end user is deactivated Okta also revokes their. Again, this will look familiar if you’ve written OAuth code before. If the user has two-factor authentication enabled, then they will have to confirm this login from another device. Here’s how it works. If this explanation doesn't help and you would love to provide more info, please email us at email@example.com and we can help. The Mutual TLS certificate exchange (handshake) in this Device Trust flow occurs on Okta URLs that are separate from your Okta org URL (indicated by the wildcard character (*) in the following example). Note: There are other approaches that you can implement in Jamf Pro to trigger deployment of the script (for example, Extension Attributes, which allow you to validate that the certificate is on the device and to deploy the certificate if it is missing). 
Accounting for its highly mobile workforce, global technology consultancy ThoughtWorks includes laptops in its definition of mobile devices. If you want to follow along with this blog post, then you can use the placeholder redirect URL https://example-app.com/redirect which will catch the redirect so you can see the authorization code returned. Let’s walk through building a short sample application that can leverage Apple’s new API to sign users in. Create one or more permissive rules to support the scenarios that will allow access to the app, then assign those rules the highest priority. The end user will be redirected to an Okta authentication screen where they can use PIV as the login credential. Thankfully, they do return the user’s email address that way, so that’s where you should get it from. It does seem to prompt for two-factor auth every time you log in to an app, which is definitely secure, but can be a little frustrating especially while testing. Once you confirm that, you’ll see a screen asking if you would like to continue signing in to the app. The hardest part of this whole process is registering an application in the Apple Developer Portal. The description isn’t too important, but type something descriptive. If you cannot access your Okta account via the Okta Browser Plugin, please contact your IT admin. Use the following link to learn about the most recent version changes: https://help.okta.com/en/prod/Content/Topics/Settings/Version_Histories/Ver_History_Browser_Plugin.htm. This version includes the following: * The Okta Browser Plugin improves the popover UX.