
Configure Management Attestation for Desktop Devices With MEM in Okta

Multi-Factor Authentication
Okta Identity Engine

Overview

Use a Mobile Device Management (MDM) solution, specifically Microsoft Endpoint Manager (MEM) / Intune, to deploy an Okta-issued client certificate to managed desktop devices so that Okta Identity Engine can attest that a device is managed.

Applies To

  • Okta Identity Engine (OIE)
  • Microsoft Endpoint Manager (MEM) / Intune
  • Device management
  • Multi-Factor Authentication (MFA)

Solution

Register an Okta application in Azure Active Directory, generate a Simple Certificate Enrollment Protocol (SCEP) URL in Okta, and create device configuration profiles in Microsoft Endpoint Manager to configure management attestation for desktop devices.


NOTE: Okta Verify must be deployed on the device. Okta Verify reads the certificate that MEM enrolls and presents it to Okta during the device check, so without it the certificate alone proves nothing. Review the related reference links for more information.


How is an Okta application registered in Azure Active Directory?

Register the application in Microsoft Azure, add a client secret, and set the required permissions for Intune and Microsoft Graph.

  1. In Microsoft Azure, select App registrations.
  2. Select + New registration.
  3. On the Register an application page, enter the following information:
    • Name: Enter a meaningful name for the application.
    • Supported account types: Select the appropriate supported account type. Okta tested with Accounts in this organizational directory only (<Example_Tenant_Name> only - Single tenant) selected.
    • Redirect URI (optional): Leave blank, or select Web, and then enter a redirect URI.
  4. Select Register.
  5. On the app page under Essentials, copy and save the Application (client) ID.
  6. Add a client secret by selecting Certificates & secrets in the left pane.
  7. Under Client Secrets, select + New client secret.
  8. In the Add a client secret section, enter the following information:
    • Description: Optional. Enter a description for the client secret.
    • Expires: Select an expiration time period. Okta uses this secret to validate SCEP challenges with Intune, so record the expiry date and rotate the secret (and update it in Okta) before it lapses; once it expires, certificate enrollment fails.
  9. Select Add.
  10. In the Client Secrets section, copy and save the Value. It is shown only once and cannot be retrieved after you leave the page.
  11. Set the Intune scep_challenge_provider permissions by selecting API permissions in the left pane.
  12. Select + Add a permission.
  13. In the Request API permissions section, scroll down, and then select Intune.
  14. Under What type of permissions does the application require?, select Application permissions.
  15. In the Select permissions search field, enter scep, and then select the scep_challenge_provider checkbox.
  16. Select Add permissions.
  17. In the Configured permissions section, select Grant admin consent for <Example_Tenant_Name>.
  18. Select Yes in the message that appears.
  19. Set the Microsoft Graph Application.Read.All permissions by selecting + Add a permission.
  20. In the Request API permissions section, select Microsoft Graph.
  21. Under What type of permissions does the application require?, select Application permissions.
  22. In the Select permissions search field, enter application, expand Application, and then select the Application.Read.All checkbox.
  23. Select Add permissions.
  24. In the Configured permissions section, select Grant admin consent for <Example_Tenant_Name>.
  25. Select Yes in the message that appears.
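After granting consent, it is worth confirming from the tenant side that both application permissions actually landed on the service principal and that the client secret is not about to expire. The following PowerShell script is an added example, not part of the Okta article, and assumes the Microsoft.Graph PowerShell SDK is installed and that `$ClientId` is the Application (client) ID copied in step 5:

```powershell
# Added example (not from the Okta article): confirm that the app registration
# created above holds both application permissions with admin consent, and
# warn before the client secret expires.
# Assumes the Microsoft.Graph PowerShell SDK; $ClientId is the Application (client) ID.
param(
    [Parameter(Mandatory = $true)][string]$ClientId
)

Import-Module Microsoft.Graph.Applications
# Application.Read.All is sufficient to read app-role assignments and credentials metadata
Connect-MgGraph -Scopes 'Application.Read.All'

# Admin consent creates app-role assignments on the service principal, not on the app object
$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) { throw "No service principal for appId $ClientId; admin consent was never granted." }

$required = @{
    'scep_challenge_provider' = $false   # Intune: lets Okta validate SCEP challenges
    'Application.Read.All'    = $false   # Microsoft Graph
}

foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    # Resolve the role GUID to its name via the resource (Intune / Graph) service principal
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role = $resource.AppRoles | Where-Object Id -eq $assignment.AppRoleId
    if ($role -and $required.ContainsKey($role.Value)) {
        $required[$role.Value] = $true
        Write-Host ("OK   {0,-25} granted on {1}" -f $role.Value, $resource.DisplayName)
    }
}

$missing = $required.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key
if ($missing) { Write-Warning "Missing admin-consented permissions: $($missing -join ', ')" }

# Client secrets live on the application object; SCEP enrollment stops working when one expires
$app = Get-MgApplication -Filter "appId eq '$ClientId'"
foreach ($secret in $app.PasswordCredentials) {
    $days = [int]($secret.EndDateTime - (Get-Date)).TotalDays
    if ($days -lt 30) {
        Write-Warning "Client secret '$($secret.DisplayName)' expires in $days days; rotate it and update the AAD secret in Okta."
    }
}
```

Run it from an account that can read applications in the tenant. A permission that appears under Configured permissions in the portal but has no admin consent will show up here as missing, which is the usual cause of the Okta SCEP URL generation failing later.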


How is management attestation configured and the x509 certificate downloaded from Okta?

Generate the SCEP URL in the Okta Admin Console and download the x509 certificate from the Certificate authority tab.

  1. In the Okta Admin Console, go to Security > Device integrations.
  2. Select the Endpoint management tab.
  3. Select Add platform.
  4. Select Desktop (Windows and macOS only).
  5. Select Next.
  6. Configure the following settings:
    • Certificate authority: Select Use Okta as Certificate Authority.
    • SCEP URL challenge type: Select Dynamic SCEP URL, and then select Microsoft Intune (delegated SCEP).
    • Enter the values copied from Microsoft Azure into the following fields:
      • AAD client ID: Enter the Application (client) ID value copied previously.
      • AAD tenant: Enter the Azure Active Directory (AAD) tenant name followed by .onmicrosoft.com (for example, <Example_Tenant_Name>.onmicrosoft.com).
      • AAD secret: Enter the secret Value copied previously.
  7. Select Generate.
  8. Copy and save the Okta SCEP URL.
  9. Go to Security > Device integrations.
  10. Select the Certificate authority tab.
  11. In the Actions column for Okta CA, select the Download x509 certificate icon.
  12. Rename the downloaded file to include a .cer extension. This format is required when uploading the certificate to Microsoft Endpoint Manager (MEM).
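Before uploading the downloaded file to MEM, it is worth checking that it really is the Okta CA certificate (a CA certificate, not a leaf) and recording its thumbprint, which is the value you will later use on enrolled devices to locate the issuer. The following PowerShell script is an added example, not part of the Okta article; the `$Path` default is an assumed download location:

```powershell
# Added example (not from the Okta article): sanity-check the Okta CA certificate
# downloaded from Security > Device integrations > Certificate authority, record its
# thumbprint, and give the file the .cer extension MEM requires.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\okta-ca"   # assumed download location
)

# The constructor accepts both DER and base64 (PEM) encoded files on Windows
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

# A Trusted certificate profile must carry a CA certificate; check BasicConstraints
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$Path is not a CA certificate (BasicConstraints CA=false); download the x509 certificate from the Okta CA row."
}

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint   # keep this; it identifies the issuer on enrolled devices
}

# MEM only accepts .cer; rename the file if it was downloaded without that extension
if ([IO.Path]::GetExtension($Path) -ne '.cer') {
    $target = [IO.Path]::ChangeExtension($Path, '.cer')
    Rename-Item -Path $Path -NewName (Split-Path $target -Leaf)
    Write-Host "Renamed to $target"
}
```

The Okta CA is self-signed, so Subject and Issuer are expected to match; the check that matters is the CA flag, since a profile built from a non-CA certificate will not let the SCEP-issued user certificates chain.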


How are device configuration profiles created in Microsoft Endpoint Manager?

Create a Trusted Certificate profile and a SCEP profile in the Microsoft Endpoint Manager admin center.

  1. In the Microsoft Endpoint Manager (MEM) admin center, go to Devices.
  2. Select Configuration profiles.
  3. Select + Create profile.
  4. In Create a profile, configure the following settings:
    • Platform: Select Windows 10 and later.
    • Profile type: Select Templates.
    • In the Template name section, select Trusted certificate.
  5. Select Create.
  6. On the Trusted certificate page Basics tab, enter a name and an optional description for the certificate, and then select Next.
  7. On the Configuration settings tab, select the x509 certificate (CER file) downloaded from Okta.
  8. For the Destination store, select Computer certificate store - Intermediate, and then select Next.
  9. On the Assignments tab, assign the trusted certificate profile to one or more user groups. The user groups must be the same as the groups assigned to the SCEP profile. Select Next.
  10. On the Applicability Rules tab, configure any required rules, and then select Next.
  11. On the Review + create tab, review the configuration, and then select Create.
  12. Go back to Devices > Configuration profiles and select + Create profile to create the SCEP profile.
  13. Configure the following settings:
    • Platform: Select Windows 10 and later.
    • Profile type: Select Templates.
    • Under Template name, select SCEP certificate.
  14. Select Create.
  15. On the SCEP certificate page Basics tab, enter a name and an optional description for the certificate, and then select Next.
  16. On the Configuration settings tab, configure the following settings:
    • Certificate type: Select User.
    • Subject name format: Enter a subject name format. Intune substitutes variables such as {{UserPrincipalName}} here, for example CN={{UserPrincipalName}}.
    • Key storage provider (KSP): Select Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP. A TPM-backed key cannot be exported from the device, which is what ties the certificate to that specific managed machine; the software fallback only applies on devices without a usable TPM.
    • Key usage: Select Digital signature.
    • Key length: Select 2048.
    • Hash algorithm: Select SHA-2.
  17. Select + Root Certificate.
  18. On the Root Certificate page, select the trusted certificate created previously, and then select OK.
  19. Under Extended key usage, set Predefined values to Client Authentication.
  20. For SCEP Server URLs, enter the SCEP URL generated in Okta, and then select Next.
  21. On the Assignments tab, assign the SCEP certificate to the same user groups assigned to the Trusted certificate profile, and then select Next.
  22. On the Applicability Rules tab, configure any required rules, and then select Next.
  23. On the Review + create tab, review the configuration, and then select Create.


How is the profile deployment confirmed?

Verify the successful deployment of the profiles and certificates by checking the user certificates and the Event Viewer logs.

  1. Check the profiles in the Microsoft Endpoint Manager admin center after creation to confirm they are deployed correctly.
  2. To confirm the certificates are deployed correctly, open Manage user certificates on the device. The enrolled certificate is located under Personal > Certificates and is issued by the Okta CA, which the Trusted certificate profile placed under Intermediate Certification Authorities > Certificates.
  3. View the enrollment events in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
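The same checks can be scripted on an enrolled device, which also answers questions the certificate viewer does not: whether the key actually ended up in the TPM, whether the Client Authentication EKU is present, and whether the leaf chains to the Okta CA. The following PowerShell script is an added example, not part of the Okta article; `$OktaCaThumbprint` is assumed to be the thumbprint of the x509 certificate downloaded from the Certificate authority tab:

```powershell
# Added example (not from the Okta article): run as the enrolled user on a Windows
# device to verify the SCEP-issued certificate, its key storage, its chain to the
# Okta CA, and the event-log evidence of enrollment.
# $OktaCaThumbprint is assumed to be the thumbprint of the certificate downloaded from Okta.
param(
    [Parameter(Mandatory = $true)][string]$OktaCaThumbprint
)

# 1. The Okta CA must be in the machine intermediate store, where the Trusted certificate profile put it
$ca = Get-ChildItem Cert:\LocalMachine\CA | Where-Object Thumbprint -eq $OktaCaThumbprint
if (-not $ca) { throw 'Okta CA not found in LocalMachine\CA; the Trusted certificate profile has not applied.' }

# 2. The SCEP profile enrolls a User certificate, so look in the current user's personal store
$leaf = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $ca.Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw 'No certificate issued by the Okta CA in CurrentUser\My; SCEP enrollment has not completed.' }

# 3. Extended key usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2), as set in the SCEP profile
$eku = $leaf.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2')

# 4. Was the key generated in the TPM? The KSP name tells you; the profile allows a software fallback
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($leaf)
$provider = if ($key -is [System.Security.Cryptography.RSACng]) { $key.Key.Provider.Provider } else { 'legacy CSP' }
$tpmBacked = $provider -eq 'Microsoft Platform Crypto Provider'

# 5. Build the chain offline; it must pass through the Okta CA, which is not a trusted root
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$built = $chain.Build($leaf)
$viaOktaCa = [bool]($chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $OktaCaThumbprint })

[pscustomobject]@{
    Subject        = $leaf.Subject
    Issuer         = $leaf.Issuer
    NotAfter       = $leaf.NotAfter
    ClientAuthEKU  = $hasClientAuth
    KeyProvider    = $provider
    TpmBacked      = $tpmBacked
    ChainsToOktaCA = ($built -and $viaOktaCa)
}

# 6. Event-log evidence of the SCEP enrollment and profile application (last 24 hours)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object Message -match 'SCEP|certificate' |
    Select-Object TimeCreated, Id, LevelDisplayName, Message -First 20
```

If TpmBacked is false on a device that has a TPM, the device enrolled under the software fallback; that is worth investigating before relying on the certificate as evidence of management, because a software-KSP key does not give the hardware binding the TPM option is there to provide.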


Related References
