This guide applies to iOS, iPadOS, and macOS devices
Product Name Update: Throughout this guide, you may notice references to both “Kandji” and “Iru Endpoint.” Our product is now called Iru Endpoint, but some integration interfaces may still display the previous name. This is a temporary situation that will be resolved as our integration partners update their systems.

About Okta Device Trust

Iru Endpoint’s Okta Device Trust (ODT) integration combines the device management capabilities of Iru Endpoint with the app management capabilities of Okta, enabling password-less authentication and ensuring only managed devices can access Okta-protected apps.

How It Works

About the Integration

Iru Endpoint’s Okta Device Trust (ODT) integration combines the device management capabilities of Iru Endpoint with the app management capabilities of Okta. Iru Endpoint’s ODT integration is built on Okta Identity Engine (OIE). It streamlines the setup and configuration of ODT by validating that a customer’s Okta environment is ready for ODT on OIE and by automatically deploying ODT configurations to devices in the scope of Okta Device Trust in Iru Endpoint. Okta Device Trust allows Okta admins to ensure that Iru Endpoint manages their Apple devices before end users can access Okta-protected apps from their devices. This, in part, enables Okta FastPass for a password-less authentication experience for end users, enabling them to sign in to Okta and their Okta resources without needing a password. For iOS, iPadOS, and macOS devices specifically, FastPass allows users to leverage Face ID and Touch ID to access resources. Okta FastPass is a feature of Okta Identity Engine.

Before you begin

During the integration setup process, Iru Endpoint will check for the presence of the following items. These items must be configured in the Okta tenant before setting up the ODT integration with Iru Endpoint.
  • The Okta Verify Apple App Store app must be assigned to Iru Endpoint via Apps and Books in Apple Business Manager or Apple School Manager. This is the only supported deployment of Okta Verify for ODT.
  • The Okta tenant must be migrated from Okta Classic Engine to Okta Identity Engine.
    • The user setting up the ODT integration must have access to an Okta user account with the super admin role. The super admin credentials are only needed for the initial authentication and adding of the API Service Integration.
  • Okta FastPass must be enabled in the Okta tenant. Use this Okta guide to enable and configure FastPass for your organization.
  • Okta Adaptive MFA is required in order to add Device integrations in Okta.

Configuration steps

Below are high-level steps to set up and deploy ODT with Iru Endpoint.
  1. Set Up Integration: Set up the Okta Device Trust integration in Iru Endpoint.
  2. Configure Device Platforms in Okta: Add and configure device platforms in Okta.
  3. Configure Device Platforms in Iru Endpoint: Add and configure Okta device platforms in Iru Endpoint.
  4. Configure Okta Verify Library Item: Configure the Okta Verify Library item to deploy Okta Device Trust.

What settings are deployed to devices

Once ODT is set up, enabled, and scoped to your blueprints, the following settings payloads are automatically configured and delivered to Apple devices in the scope of Okta Device Trust in Iru Endpoint.
Payload setting (platform): Description
  • Dynamic SCEP certificate (macOS): A unique Okta SCEP certificate per device. The certificate is used in the device registration process.
  • OktaVerify.EnrollmentOptions (macOS): The Okta Verify SilentEnrollmentEnabled configuration is sent to macOS devices. This launches Okta Verify automatically if an unregistered device attempts to access Okta resources and prefills the Organization URL for the user.
  • Okta Verify Login item (macOS): This payload adds Okta Verify as a login item on macOS so that Okta Verify starts at user login.
  • Managed app config (iOS and iPadOS): This App Config contains the OktaVerify.OrgUrl and device managementHint used to register the device as managed in Okta.
  • SSO Extension payload (macOS, iOS, and iPadOS): The SSO extension forwards requests from the browser or app to Okta Verify, so users do not receive the "Open Okta Verify" browser prompt. Not supported on Chrome or Firefox.
The EDR Plugin setting is not deployed with the ODT integration, but can be delivered via a separate configuration profile if needed. Doing so will not impact any settings listed in the table above. (example EDR plugin profile)
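When troubleshooting a device that stays "Not managed", the first thing to verify is that the settings above actually landed with sane values. The following checker is an added example, not Iru Endpoint's or Okta's code: it parses a managed-preferences plist and validates the macOS key set named in the table. The preference domain (com.okta.mobile), the exact value format of OktaVerify.EnrollmentOptions and the sample values are assumptions; only the key names come from the table.

```python
"""Validate the Okta Verify settings that the ODT integration delivers.
Added example (not Iru Endpoint's or Okta's code). Assumes the managed
settings are readable as a plist for the com.okta.mobile domain (assumed)
and that OktaVerify.EnrollmentOptions carries the literal string
"SilentEnrollmentEnabled" (value format assumed)."""
import plistlib
from urllib.parse import urlparse

# Constructed sample of a correctly delivered macOS payload (placeholder values).
SAMPLE_GOOD = plistlib.dumps({
    "OktaVerify.OrgUrl": "https://example-tenant.okta.com",
    "OktaVerify.EnrollmentOptions": "SilentEnrollmentEnabled",
    "managementHint": "placeholder-management-hint",
})

# Constructed sample carrying the defects the checker is meant to surface.
SAMPLE_BAD = plistlib.dumps({
    "OktaVerify.OrgUrl": "http://login.example.net",  # plain http, wrong host
    "managementHint": "",                              # empty: cannot register as managed
})


def check_okta_verify_settings(plist_bytes: bytes, expected_org_host: str) -> "list[str]":
    """Return a list of findings; an empty list means the payload looks correct."""
    findings = []
    prefs = plistlib.loads(plist_bytes)

    # The org URL must point at the expected tenant over TLS; anything else
    # would send the registration flow to the wrong place.
    org_url = prefs.get("OktaVerify.OrgUrl")
    if not org_url:
        findings.append("OktaVerify.OrgUrl missing")
    else:
        parsed = urlparse(org_url)
        if parsed.scheme != "https":
            findings.append(f"OktaVerify.OrgUrl is not https: {org_url}")
        if parsed.hostname != expected_org_host:
            findings.append(f"OktaVerify.OrgUrl host {parsed.hostname!r} != {expected_org_host!r}")

    # Silent enrollment is what makes Okta Verify auto-launch with the URL prefilled.
    if prefs.get("OktaVerify.EnrollmentOptions") != "SilentEnrollmentEnabled":
        findings.append("OktaVerify.EnrollmentOptions does not enable silent enrollment")

    # Without a management hint the device cannot be registered as managed.
    if not prefs.get("managementHint"):
        findings.append("managementHint missing or empty")

    return findings


if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_okta_verify_settings(blob, "example-tenant.okta.com") or "OK")
```

On a real device, read the plist from the managed-preferences location your MDM writes to and pass the bytes in place of the constructed samples.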

End user device registration with Okta

If you are already deploying a manual configuration of ODT (aka Okta device attestation) there should not be any impact to existing devices when switching over to the Iru Endpoint ODT Integration. Once the Iru Endpoint ODT integration is configured and deployed to devices, the Device attestation Library items can be set to inactive or removed.
After Okta Verify and the required settings are on the device, the end user will go through the following steps to register their managed Apple devices with Okta. Please review Okta’s Device registration article for additional information.
For previously registered devices with a Management status of "Not managed"

If a device has already registered with Okta through Okta Verify but has not yet been configured for Okta Device Trust (i.e. has a Management status in Okta of "Not managed") via the ODT integration with Iru Endpoint or Okta Device Attestation (manual ODT configuration), the device record will need to be deleted from the Okta Universal Directory, and the end user will need to sign out of the Okta Verify app on the device before re-registering the device with Okta using the steps below.

macOS

  1. Open Okta Verify: Open the Okta Verify app. (Okta Verify should auto-launch at login on macOS.)
  2. Sign In and Set Up Touch ID: Sign in with Okta credentials and set up Touch ID for passwordless authentication.
  3. Sign In to Okta Dashboard: Launch a web browser and sign in to the Okta Dashboard (example: .okta.com), authenticating with Okta FastPass.
  4. Open App in Dashboard: Open an app in the Okta Dashboard.
  5. Complete Registration: Done.

iOS and iPadOS

  1. Open Okta Verify: Open the Okta Verify app.
  2. Add Account: Tap Add Account.
  3. Select Organization: Tap Organization.
  4. Choose Sign-In Method: Choose No, Sign in Instead as the sign-in method. (The end user can also use the QR code method if available.)
  5. Continue to Next Step: Tap Next. (The Organization's Sign-in URL should be pre-populated.)
  6. Sign In to Okta: Sign in to Okta.
  7. Configure Push Notifications: Choose to allow or skip push notifications on the device.
  8. Enable Biometric Authentication: Enable Touch ID or Face ID.
  9. Complete Registration: Done.
Once the above process is complete, the device record should show as managed in the Okta Universal Directory.

Up next

Set up the Okta Device Trust integration