Configure Management Attestation for Desktop Devices with MEM (formerly Intune)
Overview

This article and video will present how to deploy certificates using an MDM solution, specifically MEM, for managed devices within the Okta Identity Engine.

Applies To
  • Intune
  • Okta Identity Engine (OIE)
  • Device management
  • Multi-Factor Authentication (MFA)
Solution


Please note that the Okta Verify application must be deployed on the device, since it is used for the device check. See the related reference links.



Step 1 Registering an Okta application in AzureAD

  1. In Microsoft Azure, click App registrations.
  2. Click + New registration.
  3. On the Register an application page, enter the following:
    1. Name: Enter a meaningful name for the application.
    2. Supported account types: Select the appropriate supported account type. Okta tested with Accounts in this organizational directory only ([Your_Tenant_Name] only - Single tenant) selected.
    3. Redirect URI (optional): Leave blank, or select Web, and then enter a redirect URI.
    4. Click Register. On the app page under Essentials, copy and make a note of the Application (client) ID.
  4. Add a client secret:
    1. In the left pane, click Certificates & secrets.
    2. Under Client Secrets, click + New client secret.
    3. In the Add a client secret section, enter the following:
      • Description: Optional. Enter a description for the client secret.
      • Expires: Select an expiration time period.
    4. Click Add. In the Client Secrets section, copy and make a note of the Value.
  5. Set the Intune scep_challenge_provider permissions:
    1. In the left pane, click API permissions.
    2. Click + Add a permission.
    3. In the Request API permissions section, scroll down, and then click Intune.
    4. Under What type of permissions does the application require?, click Application permissions.
    5. In the Select permissions search field, enter scep, and then select the scep_challenge_provider checkbox.
    6. Click Add permissions.
    7. In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].
    8. Click Yes in the message that appears.
  6. Set the Microsoft Graph Application.Read.All permissions:
    1. Click + Add a permission.
    2. In the Request API permissions section, click Microsoft Graph.
    3. Under What type of permissions does the application require? click Application permissions.
    4. In the Select permissions search field, enter application, expand Application, and then select the Application.Read.All checkbox.
    5. Click Add permissions.
    6. In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].
    7. Click Yes in the message that appears.


Step 2 Configure management attestation and generate a SCEP URL in Okta and download the x509 certificate from Okta

  1. Generate the SCEP URL in Okta
    1. In the Admin Console, go to Security > Device integrations.
    2. Click the Endpoint management tab.
    3. Click Add platform.
    4. Select Desktop (Windows and macOS only).
    5. Click Next.
    6. Configure the following:
      1. Certificate authority: Select Use Okta as Certificate Authority.
      2. SCEP URL challenge type: Select Dynamic SCEP URL, and then select Microsoft Intune (delegated SCEP).
      3. Enter the values that were copied from Microsoft Azure into the following fields:
        • AAD client ID: Enter the value copied from Step 1.3.d.
        • AAD tenant: Enter the AAD tenant name followed by .onMicrosoft.com.
        • AAD secret: Enter the secret Value copied from Step 1.4.d.
      4. Click Generate.
      5. Copy and save the Okta SCEP URL.
  2. Download the x509 certificate from Okta
    1. In the Admin Console, go to Security > Device integrations.
    2. Click the Certificate authority tab.
    3. In the Actions column for Okta CA, click the Download x509 certificate icon.
    4. Rename the downloaded file so that it has a .cer extension. That extension is required when uploading the certificate to Microsoft Endpoint Manager (MEM).
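Before uploading the renamed file to MEM, it is worth confirming that it really is the Okta CA certificate and recording its thumbprint, so the copy that later lands in the device's Intermediate store can be matched against it. The following PowerShell is an added example and not part of the Okta article; the file path in $CerPath is an assumption, so point it at your own download.

```powershell
# Added example (not from the Okta article): inspect the Okta CA certificate downloaded in Step 2.2
# before it is uploaded to MEM. The path below is assumed; replace it with your own.
param([string]$CerPath = "$HOME\Downloads\okta-ca.cer")

# X509Certificate2 accepts both DER and Base64-encoded .cer files.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# Basic Constraints should mark this as a CA certificate; if it does not, the wrong file was downloaded.
$basic = $ca.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

[pscustomobject]@{
    Subject    = $ca.Subject
    Issuer     = $ca.Issuer
    NotBefore  = $ca.NotBefore
    NotAfter   = $ca.NotAfter
    Thumbprint = $ca.Thumbprint          # keep this; compare with Cert:\LocalMachine\CA after Step 3 deploys
    IsCA       = [bool]($basic -and $basic.CertificateAuthority)
    SelfSigned = ($ca.Subject -eq $ca.Issuer)
}
```

The Subject shown here is the issuer name to expect on the user certificates that the SCEP profile enrolls in Step 3.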


Step 3 Create device configuration profiles in Microsoft Endpoint Manager

  1. Create a Trusted Certificate profile
    1. In the Microsoft Endpoint Manager (MEM) admin center, go to Devices.
    2. Click Configuration profiles.
    3. Click + Create profile.
    4. In Create a profile, do the following:
      1. Platform: Select Windows 10 and later.
      2. Profile type: Select Templates.
      3. In the Template name section, click Trusted certificate.
      4. Click Create.
    5. On the Trusted certificate page Basics tab, do the following:
      1. Name: Enter a name for the certificate.
      2. Description: Optional. Enter a description for the certificate.
      3. Click Next.
    6. On the Trusted certificate page Configuration settings tab, do the following:
      1. Certificate file: Select the x509 certificate (CER file) that was downloaded from Okta in Step 2.2.
      2. Destination store: Select Computer certificate store - Intermediate.
      3. Click Next.
    7. On the Trusted certificate page Assignments tab, do the following:
      1. Included groups: Assign the trusted certificate profile to one or more user groups. The user group(s) must be the same as the group(s) assigned the SCEP profile.
      2. Click Next.
    8. On the Trusted certificate page Applicability Rules tab, do the following:
      1. Configure any required rules.
      2. Click Next.
    9. On the Trusted certificate page, Review + create tab, review the configuration, and then click Create.
  2. Create a SCEP profile.
    1. In the Microsoft Endpoint Manager (MEM) admin center, go to Devices.
    2. Click Configuration profiles.
    3. Click + Create profile.
    4. In Create a profile, enter the following:
      1. Platform: Select Windows 10 or later.
      2. Profile type: Select Templates.
      3. Under Template name, click SCEP certificate.
      4. Click Create.
    5. On the SCEP certificate page Basics tab, do the following:
      1. Name: Enter a name for the certificate.
      2. Description: Optional. Enter a description for the certificate.
      3. Click Next.
    6. On the SCEP certificate page Configuration settings tab, do the following:
      1. Certificate type: Select User.
      2. Subject name format: Enter a subject name.
      3. Key storage provider (KSP): Select Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP.
      4. Key usage: Select Digital signature.
      5. Key length: Select 2048.
      6. Hash algorithm: Select SHA-2.
      7. Click + Root Certificate.
      8. On the Root Certificate page, select the trusted certificate that was created earlier in Step 3.1.
      9. Click OK.
      10. Under Extended key usage, set Predefined values to Client Authentication.
      11. SCEP Server URLs: Enter the SCEP URL generated in Step 2.1.
      12. Click Next.
    7. On the SCEP certificate page Assignments tab, do the following:
      1. Assign the SCEP certificate profile to the same user group(s) to which the Trusted certificate profile was assigned.
      2. Click Next.
    8. On the SCEP certificate page Applicability Rules tab, do the following:
      1. Configure any required rules.
      2. Click Next.
    9. On the SCEP certificate page Review + create tab, review the configuration, and then click Create.


To confirm the profiles are being deployed correctly, check their status in MEM after they are created.
To confirm the certificates have been deployed correctly, open Manage user certificates on the device: the user certificate is under Personal > Certificates and is issued by the organization's intermediate authority, which in turn can be found under Intermediate Certification Authorities > Certificates.
The enrollment events can be viewed in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise > Admin.
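The same three checks (intermediate CA in the computer store, user certificate in the Personal store with the expected key and EKU, and the enrollment events) can be scripted on an enrolled device so that a rollout to many users can be verified without clicking through the MMC. The PowerShell below is an added example and not part of the Okta article. It assumes the Okta CA's subject name contains "Okta" (adjust $IssuerPattern to the CN on the certificate downloaded in Step 2.2) and that the Event Viewer path named above corresponds to the log name Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin.

```powershell
# Added example (not from the Okta article): verify on an enrolled Windows device that the
# Trusted certificate and SCEP profiles from Step 3 produced what the article describes.
# Assumptions: the Okta CA subject contains 'Okta' (adjust $IssuerPattern), and the Event Viewer
# path in the article maps to the log name used in section 3 below.
param(
    [string]$IssuerPattern = 'Okta'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU selected in Step 3.2

# 1. The Trusted certificate profile targets "Computer certificate store - Intermediate",
#    which is Cert:\LocalMachine\CA on the device.
$intermediate = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -match $IssuerPattern }
if ($intermediate) {
    $intermediate | Select-Object Subject, Thumbprint, NotAfter | Format-List
} else {
    Write-Warning "No intermediate CA matching '$IssuerPattern' in LocalMachine\CA (Trusted certificate profile not applied?)"
}

# 2. The SCEP profile (Certificate type: User) enrolls into the user's Personal store, Cert:\CurrentUser\My.
$userCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -match $IssuerPattern }
if (-not $userCerts) {
    Write-Warning "No user certificate issued by '$IssuerPattern' in CurrentUser\My (SCEP profile not applied yet?)"
}

foreach ($cert in $userCerts) {
    # Key storage provider: 'Microsoft Platform Crypto Provider' means the key is TPM-backed;
    # 'Microsoft Software Key Storage Provider' means the Software KSP fallback from Step 3.2 was used.
    $ksp = 'unknown'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $ksp = $rsa.Key.Provider.Provider }
    } catch { }

    # The chain must build through the intermediate deployed by the Trusted certificate profile.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        # Key length configured in Step 3.2 was 2048
        KeyLength     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
        ClientAuthEKU = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
        HasPrivateKey = $cert.HasPrivateKey
        KeyProvider   = $ksp
        ChainBuilds   = $built
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# 3. Enrollment events. The article's Event Viewer path corresponds to this log name (assumed).
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SCEP|certificate' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Run it in the enrolled user's session (the Personal store is per user), and run it elevated if reading the Admin log is denied. A user certificate whose KeyProvider is the software KSP on a machine that has a TPM, or whose ChainBuilds is false, points at the Trusted certificate profile or the group assignment rather than at Okta.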

Related References
