Jamf Blog
September 22, 2023 by Kathryn Joy

Jamf and Okta device trust

Jon Lehtinen, Okta, joined Sean Rabbitt, Jamf, to discuss the integration Jamf and Okta Device Trust in this JNUC 2023 session.

What is Okta Device Trust?

Okta Device Trust is a contextual access management solution that establishes trust through user verification. Device enrollment and management platforms with any ownership types — like BYOD or COPE— can achieve and enforce verified trust using two types of data and information:

  1. Device Registration
    When a device is registered with Okta, Okta gets some basic information about the inventory of the device - OS version number, whether the device is secured with Face or Touch ID and a passcode or device encryption. The user initiates this registration by authenticating with their Okta credentials. Establishes the device as a source of trust to receive push notifications for multi-factor authentication (MFA).
  2. Device Management
    Device management tells Okta that something is in control of that device on an organizational level by enrolling in Mobile Device Management (MDM). This trust is established either on iOS by receiving an SCEP certificate from a configuration profile that can only be placed on the device by MDM or on iOS and iPadOS by receiving an app installed via VPP with a configured app config and a secret or management.

This allows a whole range of devices to be enrolled and trusted, including personal devices registered with account-driven user enrollment.

With device inventory data and management workflows with MDM, it is possible to truly assess whether a device connection or user is secure.

Okta collects:

  • Basic device inventory information
  • Trust established by MDM

Jamf knows:

  • Everything it collects on managed devices, like how your organization weights and calculates trust based on inventory data, Jamf’s patented SmartGroups, Configuration Profiles and more. Device security is enforced beyond a verified login based on what your policies and IT/security groups establish as your security and organizational requirements.

For example, with Jamf, Rabbitt explains that as an admin, you could scope devices for settings that indicate that users disabled FileVault and a device is no longer encrypted. SmartGroups can determine if devices are not encrypted, and because the organization’s compliance baseline is no longer met, Jamf can push this status to Okta Device Trust to revoke access to company resources and networks. Because this relationship between Okta and Jamf supports continuous verification and monitoring, access is again granted once a user and their device is remediated and compliant. Learn more remediation with Jamf.

Together, Jamf and Okta provide Apple users access to your resources while ensuring that identity verification is met through phishing-resistant authentication, like biometrics and MFA.

Aside from the mass actions of MDM SmartGroups, Okta and Jamf provide secure, individual-level authentication policies, ensuring that onboarded users are required to meet the company requirements for access and authentication from the first sign-on. Jamf can set rules based on user levels, device type or overall risk context indicators.

Watch the session for greater detail on authenticators, Global Session Policy, Managed Device Access or Private Access, keychains and what verified trust with Jamf and Okta means.

The Okta at Okta experience

Okta uses five main authentication policies that route all their applications, from unmanaged devices to their highest risk assurance policies. The users, groups and devices are measured against Okta's risk policies for consistent, customized enforcement following the defense-in-depth, zero-trust method by establishing and enforcing authentication requirements, like passwords and biometrics and time verification requirements.

By registering the device, Okta established the identity of the user and the device they’re on. By managing the device, they have the information about the device state needed to establish a baseline of trust. Okta combines that information about the user and the device with the global knowledge of millions of authentications a second.

Jamf Pro setup and deployment

Within Okta, you will configure a SCEP server by going to Security >> Device Integrations >> Add a platform.

You can find the documentation for setting up Jamf and Okta here.

Once configured, you can deploy the Okta Verify app to your Mac and mobile devices managed in your Jamf instance.

1. SCEP payload for macOS devices and do it again for mobile devices

2. Set non-exportable from keychain to allow apps

3. App config: save the secret key

Here’s the config value you need for iOS/iPadOS devices:





And while you’re at it, go the extra mile and set up the Okta Device Trust SSO extension for your managed Macs and mobile devices.

How does this affect Jamf Connect?

There are multiple ways to set up Jamf Connect with Okta. Rabbitt goes into the “usual way” using the Okta Authentication API, the second option that sets up an OIDC Application. Watch the session and tune into the 38-minute mark to hear him run through the details.

This session was a wealth of knowledge for what’s possible with Okta and Jamf to implement and enforce Zero Trust access and authentication.

When in place, Okta and Jamf provide end users with an effortless, seamless experience. They can log in, verify their identity and connect to the resources and tools they need to be efficient and effective — just like that.

Register for JNUC to access this session as well as others on demand.

Photo of Kathryn Joy
Kathryn Joy
Kathryn Joy, Senior Content Strategy Specialist.
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.