macOS Device Trust Python 3 Support
Okta Classic Engine
Devices and Mobility
Overview

Apple released a security update for macOS 10.15.xx (Catalina) and 11.xx (Big Sur). If any of these macOS versions are in use and the Okta Device Registration Task is utilized, device enrollment failures may occur. This may result in users not being able to access applications that are protected by the Okta Device Trust policy. It may also result in a Keychain Access prompt.

For example:
Keychain Access prompt 

Applies To
  • Okta Classic Engine
  • Device Trust
  • macOS
Solution

If macOS 10.15.xx (Catalina) or 11.xx (Big Sur) is in use, it is recommended to update the Okta Device Registration Task from Python 2.7 to Python 3. Updating any version below 10.15.xx may disrupt existing deployments.


Procedure:

  1. Install Python 3.x runtime environment on macOS 10.15.xx and 11.xx devices.
  2. Install dependencies that are required for the macOS Device Registration Task.
  3. Update the "Device Registration Task" with the latest version.

 

 

Step 1. Install Python 3

*If Python 3 is already installed, proceed to step 2.

  • To check the currently used version of Python, open a Terminal, enter python --version, and then press enter.
  • There are different ways to install Python 3. This step provides installation instructions using the macOS Xcode command line tool. Okta recommends using the preferred method.
  • Run the following script on the macOS machine to update the macOS environment to Python 3:
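#!/bin/sh

# Install the Apple Command Line Developer Tools if they are not present.
echo "Checking for the existence of the Apple Command Line Developer Tools"

# xcode-select -p exits non-zero when no developer directory is configured.
if ! /usr/bin/xcode-select -p > /dev/null 2>&1; then
    echo "Apple Command Line Developer Tools not found."
    # This marker file makes softwareupdate list the Command Line Tools package.
    marker=/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
    touch "${marker}"
    installationPKG=$(/usr/sbin/softwareupdate --list | /usr/bin/grep -oE 'Command Line Tools.+' | head -n1)
    if [ -z "${installationPKG}" ]; then
        echo "softwareupdate did not list a Command Line Tools package." >&2
        rm -f "${marker}"
        exit 1
    fi
    echo "Installing ${installationPKG}"
    /usr/sbin/softwareupdate --install "${installationPKG}" --verbose
    rm -f "${marker}"
else
    echo "Apple Command Line Developer Tools are already installed."
fi

exit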

 

Step 2. Install the Device Trust Dependencies

  • The updated macOS Device Registration Task requires the “python3“ and “pip3“ aliases on the device to point to the correct Python 3 installation.
  • Run the following script to install the required Device Trust dependencies:
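#!/bin/sh

# Upgrade pip itself before installing the dependencies.
echo "Running pip3 install --upgrade pip"
sudo pip3 install --upgrade pip

# Provides the SystemConfiguration module imported by the Device Trust script.
echo "Running pip3 install pyobjc-framework-SystemConfiguration"
sudo pip3 install pyobjc-framework-SystemConfiguration

echo "Running pip3 install pyOpenSSL"
sudo pip3 install pyOpenSSL

exit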

 

Step 3. Update the Device Registration Task

Complete the procedure "STEP 2. Modify the Okta Device Registration Task" in "Enforce Okta Device Trust for Jamf Pro-managed macOS devices" to deploy the latest Python 3 Device Trust script through Jamf, but use the attached Python 3 Device Trust script.

 

 

Troubleshooting

  1. Verify that the Python 3 dependency packages are installed correctly.

If a module-not-found error is seen (for example, ModuleNotFoundError: No module named 'SystemConfiguration'), confirm that the dependencies from Step 2 (above) are set up correctly. The following script reports the Python 3 location, the Python 3 version, and the installed dependency versions:

#!/bin/sh

echo "Python location"
python3 -c "import sys; print(sys.executable)"

echo "Python version"
python3 --version

echo "Python3 Dependency version"
echo "********************"
python3 -m pip show pyobjc-framework-SystemConfiguration
echo "********************"
python3 -m pip show pyOpenSSL
echo "********************"

exit
  2. An access prompt displays when attempting to sign in from a third-party app.

Access Prompt

If an access prompt displays from an app that previously worked with Device Trust in the environment, verify that the app's TeamID was added to the script before deploying the updated version of the Python 3 script.

The image below indicates the section of the script to edit to specify the apps to be allowlisted.

script section

If the app's TeamID is missing, add it and then redeploy the policy.
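
The Step 2 requirement that python3 and pip3 point to the same Python 3 installation, and the module check from Troubleshooting item 1, can be combined into one pre-flight check. This is an added example, not Okta's script; the function names and the --run switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Okta's script): pre-flight check for the Device Registration Task.

# "Python 3.9.6" -> "3.9" (output format of `python3 --version`)
py_minor_from_version() {
    printf '%s\n' "$1" | sed -nE 's/^Python ([0-9]+\.[0-9]+).*/\1/p'
}

# "pip 21.2.4 from /path/site-packages/pip (python 3.9)" -> "3.9"
pip_minor_from_version() {
    printf '%s\n' "$1" | sed -nE 's/.*\(python ([0-9]+\.[0-9]+)\)[[:space:]]*$/\1/p'
}

# Succeeds only when both version lines name the same Python 3.x release.
same_python3() {
    py=$(py_minor_from_version "$1")
    pip=$(pip_minor_from_version "$2")
    [ -n "$py" ] && [ "$py" = "$pip" ] && [ "${py%%.*}" = "3" ]
}

# Prints each module that fails to import under the given interpreter.
missing_modules() {
    interp=$1; shift
    for mod in "$@"; do
        "$interp" -c "import $mod" > /dev/null 2>&1 || printf '%s\n' "$mod"
    done
}

preflight() {
    if ! same_python3 "$(python3 --version 2>&1)" "$(pip3 --version 2>&1)"; then
        echo "python3 and pip3 do not point to the same Python 3 installation" >&2
        return 1
    fi
    # OpenSSL is the import name of the pyOpenSSL package.
    missing=$(missing_modules python3 SystemConfiguration OpenSSL)
    if [ -n "$missing" ]; then
        echo "Modules missing for python3:" $missing >&2   # unquoted: join onto one line
        return 1
    fi
    echo "Device Trust Python 3 prerequisites are in place"
}

# Hypothetical --run switch: execute the check only when asked to.
if [ "${1:-}" = "--run" ]; then
    preflight || exit 1
fi
```

A matching version is necessary but not sufficient when several Python 3 installations of the same release exist, which is why the import test runs under python3 itself.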

 
