This guide applies to iOS, iPadOS, and macOS devices
Product Name Update: Throughout this guide, you may notice references to both “Kandji” and “Iru Endpoint.” Our product is now called Iru Endpoint, but some integration interfaces may still display the previous name. This is a temporary situation that will be resolved as our integration partners update their systems.

About Okta Device Trust Integration Setup

Okta Device Trust Integration Setup in Iru Endpoint allows admins to ensure that Iru Endpoint manages their devices before end users can access Okta-protected apps, enabling passwordless authentication and FastPass functionality.

How It Works

Okta Device Trust allows admins to ensure that Iru Endpoint manages their Apple devices before end users can access Okta-protected apps from their devices. This integration enables Okta FastPass for a passwordless authentication experience, allowing users to sign in to Okta and their Okta resources without needing a password. For iOS, iPadOS, and macOS devices specifically, FastPass allows users to leverage Face ID and Touch ID to access resources. Okta FastPass is a feature of Okta Identity Engine.

Prerequisites

During the integration setup process, Iru Endpoint will check for the presence of the following items. These items must be configured in the Okta tenant before setting up the ODT integration with Iru Endpoint. A warning modal will be displayed if Iru Endpoint finds one or more of these items missing.

Integration Setup

1

Log In to Iru Endpoint

Log in to your Iru Endpoint tenant.
2

Navigate to Integrations

Navigate to Integrations.
3

Discover Integrations

Click Discover Integrations.
4

Find Okta Device Trust

In the Security section, find Okta Device Trust.
5

Add and Configure

Click Add and configure.
6

Get Started

In the Welcome to Okta Device Trust modal, click Get Started.
7

Specify Okta Domain

In the Specify your Okta Domain modal, enter your Okta tenant URL and click Next.
8

Sign In with Okta

In the Sign in with Okta modal, click Sign in with Okta. This will open a new browser window and navigate you to your Okta tenant, where you will create an API Service Integration. Once that is done, you will return to Iru Endpoint to continue the ODT integration setup.
The Okta user used to configure ODT must have the super admin role in Okta.
9

Install and Authorize

Once signed into Okta, you should be on the Authorize Kandji Device Trust integration page. On this page, click Install & Authorize. The Kandji API Service integration uses the following scopes:
  • okta.devices.manage
  • okta.devices.read
  • okta.authenticators.read
10

Copy Client Secret

On the Copy your client secret modal, copy the client secret to a safe place for use later in Iru Endpoint. This is the only time you will be able to view it.
11

Complete Okta Setup

Click Done.
12

Copy Client ID

On the Kandji Device Trust overview page, copy the Client ID to a safe place for use later in Iru Endpoint.
13

Return to Iru Endpoint

Head back to Iru Endpoint to continue the ODT integration setup.
14

Complete Tasks Modal

In the Complete the following tasks in Okta modal, click Next.
15

Enter Credentials

In the API Service Integration Credentials modal, enter the Client ID and Client Secret copied from earlier.
16

Connect to Okta

Click Connect to Okta. Iru Endpoint will check in the background to ensure the Okta tenant is on Okta Identity Engine and Okta FastPass is enabled.
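
The scopes listed in step 9 can be checked against what the integration is actually granted. The following is an added example, not code from Iru or Okta: it compares the space-delimited scope field of an OAuth 2.0 token response (RFC 6749 format, assumed here to be what the integration's client credentials return) with the three scopes the page lists. The function name and the sample responses are constructed for illustration.

```python
import json

# Scopes this page lists for the Kandji API Service integration.
EXPECTED_SCOPES = frozenset({
    "okta.devices.manage",
    "okta.devices.read",
    "okta.authenticators.read",
})


def audit_granted_scopes(token_response_json, expected=EXPECTED_SCOPES):
    """Compare scopes in an OAuth 2.0 token response with the expected set.

    Returns 'status' ('ok', 'drift' or 'unverifiable') plus the sorted
    'missing' and 'unexpected' scope names. (Hypothetical helper.)
    """
    response = json.loads(token_response_json)
    raw = response.get("scope")
    # RFC 6749 lets a server omit "scope" when it equals what was requested,
    # so an absent or empty field cannot be audited from the response alone.
    if not isinstance(raw, str) or not raw.strip():
        return {"status": "unverifiable", "missing": [], "unexpected": []}
    granted = set(raw.split())
    missing = sorted(expected - granted)
    unexpected = sorted(granted - expected)
    status = "ok" if not missing and not unexpected else "drift"
    return {"status": status, "missing": missing, "unexpected": unexpected}


# Constructed sample responses; no real token material.
_BASE = {"token_type": "Bearer", "expires_in": 3600, "access_token": "PLACEHOLDER"}
SAMPLE_OK = json.dumps({
    **_BASE,
    "scope": "okta.devices.read okta.devices.manage okta.authenticators.read",
})
SAMPLE_DRIFT = json.dumps({
    **_BASE,
    "scope": "okta.devices.read okta.devices.manage okta.users.manage",
})
SAMPLE_NO_SCOPE = json.dumps(_BASE)

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT),
                         ("no scope", SAMPLE_NO_SCOPE)):
        print(name, audit_granted_scopes(sample))
```

A "drift" result with an unexpected scope means the credential can do more than the three scopes shown on the authorization page and should be reviewed in Okta.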

Configuring Device Platforms in Okta

This section outlines creating device integrations in Okta. This information is used when adding device platforms in Iru Endpoint.
Okta Adaptive MFA is required in order to add Device integrations in Okta.

Adding Device Integrations in Okta

1

Log In to Okta Admin Portal

Log in to the Okta admin portal.
2

Navigate to Device Integrations

In the left-hand navigation, click Security > Device Integrations.
3

Add Platform

Click Add platform.

Adding macOS as a Device Integration

1

Select Desktop Platform

On the Select platform step, select Desktop (Windows and macOS only).
2

Continue to Next Step

Click Next.
3

Configure Certificate Authority

On the Configure management attestation step, select Use Okta as certificate authority.
4

Configure SCEP URL Challenge

For SCEP URL challenge type, select Dynamic SCEP URL and Generic.
5

Generate SCEP URL

Next to SCEP URL, click Generate.
6

Copy Credentials

Copy the SCEP URL, Challenge URL, Username, and Password to a safe place. Later, in Iru Endpoint, this information will be used to set up macOS as a device platform. This will be the only time you can view the password. If needed, you can rotate it later in the menu from the main Device integrations page in Okta.
7

Save Configuration

Click Save.

Adding iOS as a Device Integration

1

Select iOS Platform

On the Select platform step, select iOS.
2

Continue to Next Step

Click Next.
3

Copy Secret Key

On the Configure management attestation step, copy the Secret key to a safe place for use later when adding iOS as a device platform in Iru Endpoint. This will be the only time you can view the secret key. If needed, you can rotate the key later in the menu from the main Device integrations page in Okta.
4

Enter Device Management Provider

For Device management provider, enter a descriptive, user-friendly value.
5

Enter Enrollment Link

For Enrollment link, enter your Iru Endpoint tenant’s device enrollment link. (Example: https://accuhive.kandji.io/enroll, replacing accuhive with your tenant subdomain.)
6

Save Configuration

Click Save.

Modifying a Device Integration in Okta

Rotating a macOS Challenge Password or iOS Secret

1

Navigate to Device Integrations

Go to the Device Integrations page.
2

Access Actions Menu

Next to the integration that you want to change, click the Actions menu.
3

Select Reset Option

Click the reset option for that platform.
4

Confirm Reset

Click the Reset button in the modal that appears.

Deleting a macOS Challenge Password or iOS Secret

1

Navigate to Device Integrations

Go to the Device Integrations page.
2

Access Actions Menu

Next to the integration that you want to change, click the Actions menu.
3

Select Delete

Click Delete.
4

Confirm Delete

Click the Delete button in the modal that appears.

Configuring Device Platforms in Iru Endpoint

1

Select Platforms to Configure

In the Configure device platforms modal, select the platforms to configure. You can configure macOS, iOS, or both.
2

Continue to Next Step

Click Next.
3

Configure macOS Platform

If selecting macOS, enter the required information in the Add macOS as a device platform modal and click Next.
4

Configure iOS Platform

If selecting iOS, enter the required information in the Add iOS as a device platform modal and click Finish setup.
5

Complete Setup

In the Okta Device Trust setup complete modal, you can choose View integration settings to see additional information about the ODT integration in Iru Endpoint or choose Go to Library item to configure the Okta Verify app for ODT deployment.

Next Steps

Deploy ODT to your Apple devices using the Okta Device Trust: Configuring the Okta Verify Library item support article.