Okta uses Simple Certificate Enrollment Protocol (SCEP) client certificates to provide management attestation in the app sign-on policy when using FastPass with Okta Verify. Configure the SCEP profile to initiate a certificate reissue flow before client certificates expire. Okta does not support automatic certificate renewal, so administrators must configure the Mobile Device Management (MDM) SCEP policies to redistribute the profile before expiration. When the SCEP profile lacks the correct configuration in the MDM, the MDM client fails to request new certificates from the Okta service. Consequently, an expired client certificate fails to provide management attestation and fails the managed sign-on condition.
- Okta Identity Engine (OIE)
- Simple Certificate Enrollment Protocol (SCEP)
- Mobile Device Management (MDM)
- Multi-Factor Authentication (MFA)
The Okta Certificate Authority Requires SCEP Profile Redistribution
Okta, acting as a Certificate Authority (CA), does not support automatic certificate renewal requests. Instead, redistribute the profile before the certificate expires to replace it. Configure all MDM SCEP policies to allow for profile redistribution. For JAMF-specific configurations, use the Redistribute Profile attribute from the MDM SCEP profile to redistribute the SCEP profile to the endpoints or devices when the SCEP-issued certificate reaches the specified number of days before expiration.
How is the SCEP profile configured in the MDM?
Ensure the existing SCEP profile correctly redistributes to endpoints a specific number of days before the client certificate expires by configuring the respective MDM vendor options, such as the redistribute profile option in JAMF or the renewal threshold percentage in Intune.
- For JAMF, configure the redistribute profile option to a specific number of days. For example, setting the value to 120 days prompts JAMF to redistribute the SCEP profile to the endpoint 120 days before the existing certificate expires. JAMF maintains an inventory of client certificate expiration dates to determine when to redistribute the certificates. JAMF continues attempting to distribute the profile until a new certificate is successfully issued.
- For Intune, configure the renewal threshold option by entering the percentage of the certificate lifetime that must remain before the device requests a certificate renewal. For example, entering 20% prompts the device to attempt renewal once 80% of the certificate's lifetime has elapsed (20% remaining). Renewal attempts continue until the renewal succeeds, generating a new certificate with a new public and private key pair.
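Both vendor settings above express the same thing, a point in the certificate lifetime at which the MDM must redistribute the SCEP profile, and an administrator who wants to verify that the threshold is set correctly needs to know where that point falls for each device. The following Python script is an added example, not Okta, JAMF or Intune code: it computes the JAMF-style "days before expiration" date and the Intune-style "percent of lifetime remaining" date for a small constructed certificate inventory (device names and validity periods are made up), and classifies each certificate as ok, due for renewal, or already expired (the state in which management attestation fails the managed sign-on condition). The `ClientCert`, `audit` and threshold helper names are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class ClientCert:
    """One SCEP-issued client certificate as an MDM inventory would record it.
    Field names are this example's own, not an MDM API."""
    device: str
    not_before: datetime
    not_after: datetime


def jamf_redistribute_date(cert: ClientCert, days_before_expiry: int) -> datetime:
    """JAMF-style threshold: redistribute the SCEP profile N days before notAfter."""
    if days_before_expiry <= 0:
        raise ValueError("days_before_expiry must be positive")
    return cert.not_after - timedelta(days=days_before_expiry)


def intune_renewal_date(cert: ClientCert, renewal_threshold_pct: int) -> datetime:
    """Intune-style threshold: renew when only `renewal_threshold_pct` percent of the
    lifetime remains, i.e. 20 means renewal starts once 80% of the lifetime has elapsed.
    Integer arithmetic on the timedelta keeps the result exact to the microsecond."""
    if not 0 < renewal_threshold_pct < 100:
        raise ValueError("renewal_threshold_pct must be between 1 and 99")
    lifetime = cert.not_after - cert.not_before
    return cert.not_after - lifetime * renewal_threshold_pct // 100


def jamf_threshold(days_before_expiry: int) -> Callable[[ClientCert], datetime]:
    return lambda cert: jamf_redistribute_date(cert, days_before_expiry)


def intune_threshold(renewal_threshold_pct: int) -> Callable[[ClientCert], datetime]:
    return lambda cert: intune_renewal_date(cert, renewal_threshold_pct)


def classify(cert: ClientCert, renewal_date: datetime, now: datetime) -> str:
    """'expired' certificates can no longer attest management; 'renewal-due' ones are
    inside the window where the MDM should already be redistributing the profile."""
    if now >= cert.not_after:
        return "expired"
    if now >= renewal_date:
        return "renewal-due"
    return "ok"


def audit(inventory: list[ClientCert], now: datetime,
          threshold: Callable[[ClientCert], datetime]) -> dict[str, str]:
    """Map each device to its certificate status under the given vendor threshold."""
    return {cert.device: classify(cert, threshold(cert), now) for cert in inventory}


# Constructed sample inventory: three devices with one-year (365-day) certificates.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
INVENTORY = [
    ClientCert("mac-01", datetime(2023, 9, 1, tzinfo=UTC),
               datetime(2023, 9, 1, tzinfo=UTC) + timedelta(days=365)),   # expires 2024-08-31
    ClientCert("mac-02", datetime(2023, 3, 1, tzinfo=UTC),
               datetime(2023, 3, 1, tzinfo=UTC) + timedelta(days=365)),   # expired 2024-02-29
    ClientCert("mac-03", datetime(2024, 4, 1, tzinfo=UTC),
               datetime(2024, 4, 1, tzinfo=UTC) + timedelta(days=365)),   # expires 2025-04-01
]

if __name__ == "__main__":
    # JAMF with "redistribute profile" set to 120 days before expiration
    for device, status in audit(INVENTORY, NOW, jamf_threshold(120)).items():
        print(f"JAMF   120 days  {device}: {status}")
    # Intune with renewal threshold set to 20% of lifetime remaining
    for device, status in audit(INVENTORY, NOW, intune_threshold(20)).items():
        print(f"Intune 20%       {device}: {status}")
```

Running it on 2024-06-01 shows why the two settings are not interchangeable: with a 120-day JAMF window, `mac-01` (expiring 2024-08-31) is already due for redistribution on 2024-05-03, whereas a 20% Intune threshold on the same one-year certificate does not trigger until 2024-06-19, so the same device reads "ok". `mac-02` is expired under both and would fail the managed sign-on condition until a new SCEP certificate is issued.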
