This guide applies to Mac computers
About Okta Desktop Password Sync and Platform SSO
Okta Desktop Password Sync and Platform Single Sign-On (SSO) integration in Iru Endpoint allows users to synchronize their local macOS account password with their Okta password and use Platform SSO for seamless authentication.How It Works
Okta Desktop Password Sync is currently in Okta “Early Access” release. See Okta’s resource: Manage Early Access and Beta.
Requirements
Okta Requirements
- Your Okta Identity Engine org is available.
- Your macOS computers are running a minimum of macOS Ventura 13.
- Support for Platform SSO 2.0 is available for macOS computers using macOS 14 Sonoma and later. Platform SSO 2.0 allows users to use Desktop Password Sync directly from the macOS login window.
- The Desktop Password Sync application is available for your organization in Okta. If you can’t locate the Desktop Password Sync app in the app catalog, contact your Okta account representative.
- The Okta Verify authenticator is set up in your org.
- The Okta Verify app added to your Iru Endpoint tenant from Apple Business Manager Apps & Books (See Iru Endpoint guide here).
Additional Requirements
- A plain text editor such as Visual Studio Code, Sublime Text, BBEdit, etc.
- Three mobileconfig files that will be edited and uploaded to Iru Endpoint as Custom Profiles.
FileVault Support for macOS 15+
Okta has new authentication policies available to enforce stronger authentication requirements for macOS 15+. The Desktop Password Sync experience now includes the FileVault interface. You can read more about this in Okta’s Configure Desktop Password Sync for macOS 15 article.Create Device Access SCEP Certificates for macOS 14+
Configure a Desktop SCEP Certificate Authority in Okta
1
Access Okta Admin Portal
Log in to your Okta admin portal.
2
Navigate to Security
In the left-hand navigation, select Security.
3
Select Device Integrations
In the expanded menu, select Device Integrations.
4
Select Device Access
In the Device Integration pane, select Device Access.
5
Add SCEP Configuration
Click Add SCEP configuration.
6
Select Static SCEP URL
Select Static SCEP URL.
7
Generate Configuration
Click Generate.
8
Copy SCEP URL
Copy the SCEP URL.
9
Copy Secret Key
Copy the Secret key.Make a note of the secret key, as this is the only time you will be able to view it. After this, it will be stored as a hash for your protection. If needed, this key can be rotated.
10
Save Configuration
Click Save.
11
Reset Secret Key (Optional)
If you need to Reset the secret key, you can do so from the Actions menu to the right of the integration.
Add the SCEP Payload to Your Iru Endpoint Library
To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.Configure the SCEP Certificate Profile
1
Name the Profile
Give the profile a name.
2
Assign to Blueprints
Assign it to your desired Blueprints.
3
Configure SCEP URL
In the URL field, paste the SCEP server URL you copied earlier.
4
Enter Name (Optional)
Enter a Name (optional).
5
Configure Challenge
In the Challenge field, paste the secret key you copied earlier.
6
Set Subject
In the Subject field, enter CN=$SERIAL_NUMBER.Upon saving the SCEP Library Item, Iru Endpoint will append the PROFILE_UUID to the end of the CN used.
7
Configure Subject Alternative Name
Ensure that Subject Alternative Name Type is set to None.
8
Set Key Size
For Key Size, select 2048.
9
Set Key Usage
For Key Usage, select Signing.
10
Configure Retries
Select Retries and enter 5 for the number of retries. This number can be adjusted to a value that’s appropriate for your environment.
11
Configure Retry Delay
Select Retry delay and enter 30 for the number of seconds. This number can be adjusted to a value that’s appropriate for your environment.
12
Enable Private Key Access
Select Allow apps to access the private key.
13
Prevent Key Extraction
Select Prevent the private key date from being extracted in the keychain.
14
Configure Automatic Redistribution
Select Automatic profile redistribution and enter 30 for the days before the certificate expires. This number can be adjusted to a value that’s appropriate for your environment.
15
Save Configuration
Click Save.
Configure for macOS 13+
All of the settings in section apply for all versions of macOS unless otherwise noted. You need to configure separate instances of Okta Device Access for users on macOS 13 and macOS 14+.Create and configure the Desktop Password Sync app integration in Okta
1
Access Applications Catalog
In the Okta Admin Console, go to Applications > Applications Catalog.
2
Search for Desktop Password Sync
Search for Desktop Password Sync and select the app.
3
Add Integration
Click Add Integration. If you get an error message saying This feature isn’t enabled, contact your Okta account representative.
4
Open Application Configuration
Open Desktop Password Sync from your Applications list to configure it.
5
Configure General Settings
On the General tab, you can edit the application label or use the default label.
6
Record Client ID
On the Sign on tab, take note of the Client ID. You will need this when creating the Single Sign-On profile.
7
Assign Users or Groups
Assign the app to individual users or groups on the Assignments tab. Users must be assigned the app to use Desktop Password Sync.
8
Save Configuration
Click Save.
Edit the mobileconfig template files
Three mobileconfig files are needed to enable Desktop Password Sync: two Platform SSO configuration profile and an Okta Verify configuration profile. When supporting macOS 13 and macOS 14+, you will need to deploy two of the Okta Verify configuration profiles. Follow the below steps to edit the provided templates and add them as Custom Profile Library Items in Iru Endpoint. You must edit them using a plain text editor such as Visual Studio Code, Sublime Text, BBEdit, etc.If you will not be supporting macOS 13 devices in your fleet, you can skip deploying the Okta_PSSO_Configuration_Template_macOS13.mobileconfig Profile.
1
Download macOS 13 Template
Download the Okta_PSSO_Configuration_Template_macOS13.mobileconfig file from the Iru Endpoint support GitHub repository (GitHub Link).
2
Download macOS 14+ Template
Download the Okta_PSSO_Configuration_Template_macOS14.mobileconfig file from the Iru Endpoint support GitHub repository (GitHub Link).
3
Download Okta Verify Template
Download the Okta_Verify_Configuration_Template.mobileconfig file from the Iru Endpoint support GitHub repository (GitHub Link).
Okta PSSO Configuration Profile for macOS 13
1
Open Template File
Open the Okta_PSSO_Configuration_Template_macOS13.mobileconfig file in your text editor.
2
Update Associated Domains
Update the AssociatedDomains section of the Associated Domains payload, replacing the example domain with your own Okta tenant address.Example: authsrv:accuhive.okta.com
3
Update URLs Section
Update the URLs section of the Extensible SSO payload and replace the example domain with your Okta tenant information. Leave the rest of the URL as is.Example: accuhive.okta.com
4
Save Configuration
Save the mobileconfig file.
Okta PSSO Configuration Profile for macOS 14+
1
Open configuration template
Open the Okta_PSSO_Configuration_Template_macOS14.mobileconfig file in your text editor.
2
Update auth-service-extension AssociatedDomains
Update the AssociatedDomains section of the Associated Domains auth-service-extension payload, replacing the example domain with your own Okta tenant address.
-
Example: authsrv:accuhive.okta.com
3
Update AssociatedDomains payload
Update the AssociatedDomains section of the Associated Domains payload, replacing the example domain with your own Okta tenant address.
-
Example: authsrv:accuhive.okta.com
4
Update Extensible SSO URLs
Update the URLs section of the Extensible SSO payload and replace the example domain with your Okta tenant information. Leave the rest of the URL as is.
-
Example: accuhive.okta.com
5
Save configuration file
Save the mobileconfig file.
Okta Verify Configuration Profile
1
Open Okta Verify template
Open the Okta_Verify_Configuration_Template.mobileconfig file in your text editor.
2
Update com.okta.mobile OrgUrl
Update the OktaVerify.OrgUrl section of the com.okta.mobile payload with your Okta tenant URL.
-
Example: https://accuhive.okta.com
3
Update com.okta.mobile PasswordSyncClientID
Update the OktaVerify.PasswordSyncClientID section of the com.okta.mobile payload with the Client ID of your Desktop Password Sync app that you recorded earlier.
4
Update auth-service-extension OrgUrl
Update the OktaVerify.OrgUrl section of the com.okta.mobile.auth-service-extension payload with your Okta tenant URL.
5
Update auth-service-extension PasswordSyncClientID
Update the OktaVerify.PasswordSyncClientID section of the com.okta.mobile.auth-service-extension payload with the Client ID of your Desktop Password Sync app that you recorded earlier.
6
Update PlatformSSO ProtocolVersion
Update the the PlatformSSO.ProtocolVersion section of the com.okta.mobile.auth-service-extension payload to the appropriate version for your org.
- For macOS 13 Ventura, set to 1.0
-
For macOS 14 Sonoma or later, set to 2.0
- If you will be supporting macOS 13 and macOS 14+, you will need to save multiple versions of the Okta_Verify_Configuration_Template.mobileconfig file, each with the appropriate PlatformSSO.ProtocolVersion setting.
7
Save configuration files
Save the mobileconfig file(s).
Create the Custom Profiles Library Items in Iru Endpoint
To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.1
Name the Library Item
Provide a name for the Library Item.
2
Assign to Blueprints
Assign it to your desired Blueprints.
3
Upload macOS 13 Template
Upload the modified “Okta_PSSO_Configuration_Template_macOS13.mobileconfig” file.
4
Save Configuration
Click Save.
5
Create Additional Profiles
Repeat the previous steps in this section for the “Okta_PSSO_Configuration_Template_macOS14.mobileconfig” and for all “Okta_Verify_Configuration_Template.mobileconfig” files.
6
Assign Okta Verify App
Ensure the Okta Verify app is assigned to the same Blueprint(s) as the Custom Profile Library Items created earlier.
7
Configure Assignment Maps
Follow the steps in the Deploying Profiles with Assignment Maps section so that Profiles are only deployed to compatible devices.
8
Deploy to Devices
Once the profiles and Okta Verify app are distributed to your Mac computers, users will be prompted to register and synchronize their Okta password.
Deploying Profiles with Assignment Maps
There are up to four Okta Custom Profiles that need conditional logic to ensure they are deployed to the correct devices. An Assignment Map provides an easy solution for all of your devices in one convenient view. Please review our Creating a Blueprint and Using Conditional Logic in Assignment Maps articles.1
Create Conditional Block
Start with the For All devices on this Blueprint conditional block.
2
Assign Okta Verify App
Assign the Okta Verify App Store App to the block.
3
Set macOS Version Condition
Set the top of the conditional block to If macOS is greater than or equal to 14.0.
4
Assign SCEP Certificate
Assign the Okta Device Access Certificates SCEP Library Item to the conditional block.
5
Assign macOS 14 PSSO Profile
Assign the Okta PSSO Configuration macOS 14 Custom Profile to the conditional block.
6
Assign macOS 14 Verify Profile
Assign the Okta Verify Configuration macOS 14 Custom Profile to the conditional block.
7
Configure Else Section
Continue in the else section of the conditional block.
8
Assign macOS 13 PSSO Profile
Assign the Okta PSSO Configuration macOS 13 Custom Profile to the conditional block.
9
Assign macOS 13 Verify Profile
Assign the Okta Verify Configuration macOS 13 Custom Profile to the conditional block.
User Experience and Next Steps
With Platform SSO, by design from Apple, in Users & Groups settings, in the Password field, the Change button is not available.