OIE SCEP Profile - Client Certificate Renewal
Overview

This article explains how to configure the SCEP profile so that the certificate reissue flow starts before the client certificates expire, as specified in our documentation: Configure management attestation for desktop devices.
 

Context

  • For Okta Identity Engine (OIE) organizations using the Okta CA to provide management attestation in the app sign-on policy, see Configure management attestation for desktop devices | Okta > Configure a Certificate Authority section.
  • SCEP client certificates provide management attestation (the Device Managed condition) in the app sign-on policy when using FastPass with Okta Verify. Read more in the FastPass white paper > Managed Devices section.
  • The organization's CA issues client certificates (installed on the device) that are valid for one year. Before these client certificates expire, the MDM is expected to run a SCEP flow on the endpoint/device to request (reissue) new client certificates.

Impact

  • If the SCEP profile is not correctly configured in the MDM, the MDM client will not request new certificates from the Okta service. As a result, an expired client certificate cannot provide management attestation, and the device will fail the "managed" sign-on condition.
Applies To
  • Okta Identity Engine (OIE)
  • Simple Certificate Enrollment Protocol (SCEP)
  • Mobile Device Management (MDM)
  • Multi-Factor Authentication (MFA)
Solution

A. Documentation

In the Okta documentation for Configure a Certificate Authority, as well as on other pages detailing the configuration of SCEP profiles in the MDM, it is specified that:

  • Okta, as a CA, does not support renewal requests. Instead, redistribute the profile before the certificate expires to replace the expired certificate. All MDM SCEP policies should be configured to allow for profile redistribution.

In JAMF-specific configurations, Okta has clarified that the Redistribute Profile attribute of the MDM SCEP profile should be used to redistribute the SCEP profile to the endpoints/devices when their SCEP-issued certificate is the specified number of days from expiring.

Okta does not support automatic certificate renewal. The profile must be redistributed to replace the expired certificate.
 

B. Action Items for the MDM Admins

  1. Make sure that the existing SCEP profile is correctly configured to redistribute the SCEP profile to endpoints X days before the client certificate expires.

    1. At Okta, X = 120 days has been configured in the JAMF redistribution profile. That means JAMF will redistribute the SCEP profile to the endpoint 120 days before the existing certificate expires, and it will keep redistributing the profile until a new certificate is successfully issued.

    2. JAMF maintains an inventory of client certificate expiry dates and can therefore determine when to redistribute the profile, X days before expiry.


  2. Different MDM vendors offer different options within the profile.

    1. JAMF - The SCEP profile has a Redistribute Profile option. When set to X, JAMF redistributes the SCEP profile X days before the client certificate expires, so the device receives its new certificate up to X days before the older certificate expires.

    2. Intune - This Intune document lists the renewal threshold options. Enter the percentage of the certificate lifetime that remains before the device requests renewal of the certificate. For example, if 20 is entered, renewal is attempted when 80% of the certificate's lifetime has elapsed. Renewal attempts continue until renewal succeeds. Renewal generates a new certificate, which results in a new public/private key pair.

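As an added example (not Okta's or any MDM vendor's code), the following audit script reproduces the two threshold rules described above, JAMF's "X days before expiry" and Intune's "percentage of lifetime remaining", and flags certificates in an inventory that are due for reissue or already expired. The device names and certificate dates are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample inventory (device -> (notBefore, notAfter)), not real data.
# One-year client certificates, as issued by the Okta CA via SCEP.
SAMPLE_INVENTORY = {
    "mac-001": (date(2023, 3, 1), date(2024, 3, 1)),
    "mac-002": (date(2023, 11, 15), date(2024, 11, 15)),
    "mac-003": (date(2022, 9, 1), date(2023, 9, 1)),
}


def jamf_redistribute_date(not_after: date, days_before_expiry: int) -> date:
    """JAMF 'Redistribute Profile' rule: redistribute X days before expiry."""
    return not_after - timedelta(days=days_before_expiry)


def intune_renewal_date(not_before: date, not_after: date, percent_remaining: int) -> date:
    """Intune renewal threshold: percent of the certificate lifetime that remains.

    percent_remaining=20 means renewal starts once 80% of the lifetime has elapsed.
    """
    lifetime_days = (not_after - not_before).days
    return not_after - timedelta(days=lifetime_days * percent_remaining // 100)


def classify(today: date, not_after: date, reissue_start: date) -> str:
    """EXPIRED certificates can no longer satisfy the 'managed' sign-on condition."""
    if today >= not_after:
        return "EXPIRED"
    if today >= reissue_start:
        return "REISSUE_DUE"  # MDM should already be redistributing the SCEP profile
    return "OK"


def audit(inventory: dict, today: date, mdm: str, threshold: int) -> dict:
    """Apply the chosen MDM's threshold rule to every certificate in the inventory."""
    results = {}
    for device, (not_before, not_after) in inventory.items():
        if mdm == "jamf":
            start = jamf_redistribute_date(not_after, threshold)
        elif mdm == "intune":
            start = intune_renewal_date(not_before, not_after, threshold)
        else:
            raise ValueError(f"unsupported MDM: {mdm}")
        results[device] = classify(today, not_after, start)
    return results


if __name__ == "__main__":
    for device, state in audit(SAMPLE_INVENTORY, date(2023, 12, 1), "jamf", 120).items():
        print(f"{device}: {state}")
```

Run it against an export of your own MDM's certificate inventory; any REISSUE_DUE device whose certificate has not been replaced indicates the redistribution setting is not taking effect.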
