This article outlines how to configure management attestation for desktop devices with Iru (formerly known as Kandji) MDM. Management attestation is enabled by delivering a certificate issued by the Okta CA to each endpoint through an Iru SCEP profile; Okta later uses the presence of that certificate as the device management signal. The general process (written for other MDMs) is detailed in our manual and should be used as the reference for this article: Configure management attestation for desktop devices.
- Okta Identity Engine (OIE)
- Okta Verify FastPass
- Kandji
- Iru
- First, in the Okta Admin console, go to Security > Device Integrations. The Endpoint Management tab opens.
- Click + Add Platform. The screen that follows displays the SCEP URL and Secret Key for the new platform.
- Copy the SCEP URL and Secret Key and store them securely (for example, in your secrets manager). The Secret Key is the SCEP challenge that authorises certificate requests to the Okta CA, so treat it as a credential.
- In the Kandji Admin Console, navigate to the Library, search for SCEP, and click Add & Configure:
- Give the profile a name, then in the Settings > General section, enter the SCEP URL copied from Okta.
- Enter a Name (optional).
- The Challenge is the Secret Key copied from Okta.
- Configure the Subject section. In this example, the Subject was entered as:
CN=$SERIAL_NUMBER
NOTE: Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, include the device ID (UDID) and user identifier provided by the MDM in the profile variables. For a list of supported variables, see the Kandji document: Global Variables.
As configured in our demonstration, this sets the Subject Name to the device's Serial Number. A serial-only Subject satisfies Okta, but it does not follow the best practice in the note above; to do so, add the device ID and user identifier variables from the Kandji Global Variables list to the Subject.
- In the Key section, set the key size to 2048 and the key usage to Signing.
- As configured in this demonstration, we used the following in the Options section:
- Save the Profile as normal.
- Next, the profile must be assigned to a Blueprint.
- Once the Blueprint assignment is saved, each device in scope requests a certificate from the Okta CA through the SCEP URL, and the certificate is delivered to the endpoint. If successful, there should be success logs in both Iru and Okta. Iru should show the following information under the Profile Status:
In the Okta admin console, under Reports > System Log, search for Issue client certificate.
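As an added check on the endpoint side (example script, not part of the Okta or Iru documentation): the profile above fixes the Subject (CN=$SERIAL_NUMBER) and key size (2048, Signing), so a quick way to confirm that the right certificate landed on a Mac is to read it back and compare. The script assumes openssl is installed; the ioreg serial-number lookup and the System keychain path are the usual macOS locations but are assumptions here, and when given a PEM file and an expected CN it works on any system.

```shell
#!/bin/sh
# Added example, not from the Okta or Iru documentation: confirm that the
# certificate issued through the Iru SCEP profile matches what was configured
# (Subject CN=<serial number>, RSA 2048) and is still valid. Needs openssl.
# On macOS, run with no arguments to read the device's own certificate from
# the System keychain; on any system, pass a PEM file and the expected CN.

# check_mgmt_cert PEM EXPECTED_CN
# Returns 0 when the certificate's CN equals EXPECTED_CN, its key is 2048 bits
# and it has not expired; otherwise prints the first failing check and returns 1.
check_mgmt_cert() {
    pem="$1"
    expected_cn="$2"

    if ! subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null); then
        echo "FAIL: $pem is not a readable X.509 certificate"
        return 1
    fi
    # "subject=CN=C02ABC123,O=..." -> "C02ABC123"
    cn=$(printf '%s\n' "$subject" | sed -n -e 's/^subject=[[:space:]]*//' -e 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$expected_cn" ]; then
        echo "FAIL: subject CN is '$cn', expected '$expected_cn'"
        return 1
    fi

    # "Public-Key: (2048 bit)" -> "2048"
    bits=$(openssl x509 -in "$pem" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "$bits" != "2048" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, profile was configured for 2048"
        return 1
    fi

    # -checkend 0 succeeds only while the certificate is within its validity period
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"
        return 1
    fi

    echo "OK: CN=$cn, RSA $bits-bit, not expired"
    return 0
}

# Device-side entry point. The ioreg serial lookup and the System keychain
# path are assumed standard macOS locations; adjust if your profile differs.
main() {
    if [ $# -eq 2 ]; then
        check_mgmt_cert "$1" "$2"
        return
    fi
    serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $(NF-1)}')
    pem=$(mktemp)
    # The profile sets CN to the serial number, so match the keychain entry by that name.
    security find-certificate -c "$serial" -p /Library/Keychains/System.keychain > "$pem" 2>/dev/null
    check_mgmt_cert "$pem" "$serial"
    rc=$?
    rm -f "$pem"
    return $rc
}

# Run only when given a PEM file and CN, or on a Mac where the security tool exists.
if [ $# -eq 2 ] || command -v security >/dev/null 2>&1; then
    main "$@"
fi
```

Run it as root on a managed Mac (the System keychain is where a device-scoped SCEP profile installs the certificate) or as `sh check.sh cert.pem C02ABC123` against an exported certificate. A failing CN check usually means the Subject variable in the profile did not expand as expected; a failing key-size check means the Key section of the profile was not set to 2048.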
With this certificate on the endpoint, the device is marked as Managed when the user registers the Okta Verify app. Okta Administrators can then write Sign-On Policies that take a Managed device into account. Okta Verify itself can be deployed from the Mac App Store through Apple Business Manager in Iru; see the manual chapter on managed app configurations for macOS devices for details.
NOTE: Users must sign in using FastPass before the device shows as managed in the Admin Console.
Once the above is configured, Admins should proceed to the manual chapter Add an authentication policy rule for desktop. The tasks outlined in the manual chapter Desktop Device Management Configuration Workflow should be completed in the order presented to finish configuring management attestation for desktop devices. Mandatory and optional tasks are listed in the table below.
| Task | Description |
|---|---|
| Add an authentication policy rule for desktop | Create policies to manage access to apps based on specified criteria in the policy rules. Okta FastPass must be enabled. Optionally, configure policies to remove password-based authentication. |
| Configure an SSO extension for managed macOS devices | macOS only. If setting up passwordless authentication for macOS users, configure the Credential SSO extension to forward requests from a browser or app to Okta Verify so end users on managed macOS devices have a seamless, single sign-on experience. |
| Deploy Okta Verify | macOS only. Deploy Okta Verify to end-user devices using the device management solution. |
| Deploy Okta Verify | Windows only. Deploy Okta Verify to end-user devices using the device management solution or Microsoft Endpoint Manager (MEM). |
| (Optional) Let users skip the Open Okta Verify prompt | Provide a check box allowing end users to prevent being prompted to Open Okta Verify. |
| (Optional) Endpoint security integrations | Integrate Okta Verify with the organization's Endpoint Detection and Response (EDR) solution. EDR integration extends device posture evaluation by enabling Okta Verify to capture signals collected by the EDR client running on the same device. |
| (Optional) Managed app configurations | macOS only. Remotely configure Okta Verify by deploying managed app configurations through the device management solution. |
Related References
- Learn how to set up and configure the Okta Device Trust integration in Kandji
- Configure management attestation for desktop devices
- Iru
- Add an authentication policy rule for desktop
- Desktop Device Management Configuration Workflow
- Managed app configurations for macOS devices
