This guide applies to Mac computers, iOS devices, and iPadOS devices
Product Name Update: Throughout this guide, you may notice references to both “Kandji” and “Iru Endpoint.” Our product is now called Iru Endpoint, but some integration interfaces may still display the previous name. This is a temporary situation that will be resolved as our integration partners update their systems.
About Okta Device Trust
Iru Endpoint’s Okta Device Trust (ODT) integration combines the device management capabilities of Iru Endpoint with the app management capabilities of Okta, enabling password-less authentication and ensuring only managed devices can access Okta-protected apps.
How It Works
About the Integration
Iru Endpoint’s Okta Device Trust (ODT) integration combines the device management capabilities of Iru Endpoint with the app management capabilities of Okta. Iru Endpoint’s ODT integration is built on Okta Identity Engine (OIE). It streamlines the setup and configuration of ODT by validating that a customer’s Okta environment is ready for ODT on OIE and by automatically deploying ODT configurations to devices in the scope of Okta Device Trust in Iru Endpoint.
Okta Device Trust allows Okta admins to ensure that Iru Endpoint manages their Apple devices before end users can access Okta-protected apps from those devices. This, in part, enables Okta FastPass for a password-less authentication experience for end users, allowing them to sign in to Okta and their Okta resources without needing a password. For iOS, iPadOS, and macOS devices specifically, FastPass allows users to use Face ID and Touch ID to access resources. Okta FastPass is a feature of Okta Identity Engine.
Before You Begin
Configure the following in your Okta tenant before you set up ODT with Iru Endpoint.
- The Okta tenant must be migrated from Okta Classic Engine to Okta Identity Engine.
- The user setting up ODT needs an Okta account with the super admin role. Super admin credentials are only required for initial authentication and adding the API Service Integration.
- Okta FastPass must be enabled in the Okta tenant.
- Okta Adaptive MFA is required to add Device integrations in Okta.
Prerequisites
Complete the following in Iru Endpoint before or during ODT setup. Iru Endpoint checks for these items during integration setup and shows a warning if any are missing.
- Make Okta Verify available in your Library from Apps and Books in Apple Business Manager or Apple School Manager.
- On macOS, assign the Okta Verify Auto App Library item from Auto Apps.
- On iOS and iPadOS, assign the Okta Verify App Store app Library item from App Store Apps.
- If one Blueprint includes Macs and mobile Apple devices, use conditional logic in the Assignment Map to assign each Library item to the correct platform.
Configuration Steps
Below are high-level steps to set up and deploy ODT with Iru Endpoint.
Configure Okta Verify Library Item
Configure the Okta Verify Library item to deploy Okta Device Trust. On Mac, use the Okta Verify Auto App. See Configure Okta Verify for Device Trust for setup and migration from the App Store app.
What Settings Are Deployed to Devices
Once ODT is set up, enabled, and scoped to your Blueprints, the following settings payloads are automatically configured and delivered to Apple devices in the scope of Okta Device Trust in Iru Endpoint.
| Payload setting | Platform | Description |
|---|---|---|
| Dynamic SCEP certificate | macOS | This is a unique Okta SCEP certificate per device. The certificate is used in the device registration process. |
| OktaVerify.EnrollmentOptions | macOS | Okta Verify SilentEnrollmentEnabled configuration is sent to macOS devices. This will launch Okta Verify automatically if an unregistered device attempts to access Okta resources and prefill the Organization URL for the user. |
| Okta Verify Login item | macOS | This payload adds Okta Verify as a login item on macOS and will start Okta Verify at user login. |
| Managed app config | iOS and iPadOS | This App Config contains the OktaVerify.OrgUrl and device managementHint used to register the device as managed in Okta. |
| SSO Extension payload | macOS, iOS, and iPadOS | The SSO extension forwards requests from the browser or app to Okta Verify, and users do not receive the Open Okta Verify browser prompt. Not supported on Chrome or Firefox. |
The EDR Plugin setting is not deployed with the ODT integration, but it can be delivered via a separate configuration profile if needed. Doing so does not affect any of the settings listed in the table above. (example EDR plugin profile)
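Before scoping a payload, it helps to confirm it carries the keys the table above describes. The following is an added example (not Iru Endpoint or Okta code) that parses a managed app config plist and reports what is missing or malformed; the tenant URL and managementHint values are constructed placeholders, and the macOS EnrollmentOptions value "SilentEnrollmentEnabled" is an assumption based on the table's description.

```python
import plistlib
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

# Constructed samples of the iOS/iPadOS managed app config for Okta Verify, as
# Apple plists. Key names come from the payload table; values are placeholders.
PLIST_HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
PLIST_TAIL = b"</dict></plist>"
GOOD_IOS_APP_CONFIG = PLIST_HEAD + (
    b"<key>OktaVerify.OrgUrl</key><string>https://example.okta.com</string>"
    b"<key>managementHint</key><string>PLACEHOLDER-MANAGEMENT-HINT</string>"
) + PLIST_TAIL
# Two common mistakes: a non-https org URL with a path, and no managementHint,
# so Okta Verify could register the device without Okta marking it managed.
BAD_IOS_APP_CONFIG = PLIST_HEAD + (
    b"<key>OktaVerify.OrgUrl</key><string>http://example.okta.com/login</string>"
) + PLIST_TAIL

# Keys each platform's payload must carry, per the table above. The macOS
# EnrollmentOptions value "SilentEnrollmentEnabled" is an assumption here.
REQUIRED_KEYS = {
    "ios": ("OktaVerify.OrgUrl", "managementHint"),
    "macos": ("OktaVerify.OrgUrl", "OktaVerify.EnrollmentOptions"),
}
SILENT_ENROLLMENT = "SilentEnrollmentEnabled"


def check_app_config(plist_bytes: bytes, platform: str) -> list:
    """Return the problems found in a payload; an empty list means it looks right."""
    try:
        cfg = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return [f"not a valid plist: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level plist object is not a dictionary"]
    problems = [f"missing or empty key: {k}" for k in REQUIRED_KEYS[platform] if not cfg.get(k)]
    url = cfg.get("OktaVerify.OrgUrl")
    if url:
        p = urlparse(url)
        # Okta Verify expects the bare https origin of the tenant, nothing more.
        if p.scheme != "https" or not p.netloc or p.path not in ("", "/") or p.query:
            problems.append(f"OktaVerify.OrgUrl must be a bare https origin, got {url!r}")
    opts = cfg.get("OktaVerify.EnrollmentOptions")
    if platform == "macos" and opts and opts != SILENT_ENROLLMENT:
        problems.append(f"OktaVerify.EnrollmentOptions should be {SILENT_ENROLLMENT}, got {opts!r}")
    return problems
```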
End User Device Registration with Okta
If you are already deploying a manual configuration of ODT (also known as Okta device attestation), there should not be any impact on existing devices when switching over to the Iru Endpoint ODT integration. Once the Iru Endpoint ODT integration is configured and deployed to devices, the device attestation Library items can be set to inactive or removed.
For previously registered devices with a Management status of “Not Managed”: If a device has already registered with Okta through Okta Verify but has not yet been configured for Okta Device Trust via the ODT integration with Iru Endpoint or Okta Device Attestation (manual ODT configuration), that is, its Management status in Okta is “Not managed”, the device record must be deleted from Okta Universal Directory, and the end user must sign out of the Okta Verify app on the device before re-registering the device with Okta using the steps below.
macOS
Sign In and Set Up Touch ID
Sign in with Okta credentials and set up Touch ID for passwordless authentication.
Sign In to Okta Dashboard
Launch a web browser and sign in to the Okta Dashboard (example: .okta.com), authenticating with Okta FastPass.
iOS and iPadOS
Choose Sign-In Method
Choose No, Sign in Instead as the sign-in method. (The end user can also use the QR code method if available.)
Continue to Next Step
Tap Next. (The organization’s sign-in URL should be pre-populated.)