Okta Device Trust for Jamf Pro managed macOS devices - End of Life October 2024
Okta Classic Engine
Devices and Mobility
Okta Identity Engine
Overview

This article explains the End-of-Life behavior of Okta Device Trust for Jamf Pro-managed macOS devices and answers the most frequently asked questions.

NOTE: This announcement does not affect customers who are utilizing the newer management attestation feature in OIE, which utilizes SCEP profiles to establish device trust.

Applies To
  • Okta Device Trust for Jamf Pro managed macOS devices
  • Okta Classic Engine
  • Legacy Device Trust on Okta Identity Engine
Cause

Jamf is deprecating basic authentication for their Jamf Classic API. Basic authentication will no longer be supported with the version 11.5.0 release of Jamf Pro (see the Jamf developer documentation for more details). Device trust on Okta Classic for macOS devices depends on this API for authentication flows that require device trust. The rollout of version 11.5.0 of Jamf Pro is targeted for May 7th, 2024. Jamf will share any changes or relevant release information in its release announcements closer to the target release date.

 

Solution

UPDATED October 2024

Device Trust for Jamf Pro managed macOS devices is now end-of-life due to the deprecation of the Jamf Classic API. Customers who leverage the management attestation feature in OIE, which utilizes SCEP profiles to establish device trust, are not impacted. If your organization needs to enforce access to managed macOS devices, consider migrating to OIE and leveraging the management attestation feature.

If you are actively using Okta Device Trust for Jamf Pro-managed macOS devices, please read this article, which covers the End of Life details.

 

Okta will end-of-life Okta Device Trust for Jamf Pro-managed macOS devices on September 30, 2024. After that date, enforcing device trust for these devices will cease to work. Okta is now completing the EOL process. If your organization is using this feature on Okta Classic or continues to use it after migrating to Okta Identity Engine (OIE), you will need to take action to ensure device trust can continue to be enforced.

 

IMPORTANT:
Basic authentication in the Classic API will be turned off for all customers starting with the release of version 11.5.0 of Jamf Pro. While it is not supported, customers who have a business need that requires basic auth may temporarily re-enable this feature. Your Jamf Pro admin will have to manually enable the API once your production instance of Jamf Pro updates to version 11.5.0. The rollout of version 11.5.0 is targeted for May 7, 2024. It can take upwards of one week to see the changes in your console. 

 

Please check your Jamf console starting May 7th and ensure basic auth is enabled.

 

Steps to opt-in to use Basic Authentication in Jamf Pro before Okta EOL

To opt-in to basic authentication, navigate to Settings > Jamf Pro User Accounts & Groups > Password Policy and select the Allow Basic authentication in addition to the Bearer Token authentication checkbox.

 

Frequently Asked Questions

How do I know if my organization is impacted?

If your organization leverages the Device Trust feature for macOS (documentation) on Okta Classic, or continues to rely on it in OIE, then you are impacted.
 

My organization is on OIE, and we enforce device trust with SCEP Profiles. Are we impacted?

No.
 

Does my organization need to take any near-term actions before the Okta Device Trust for Jamf Pro-managed macOS devices EOL date?

Yes. The Jamf admins at any organization impacted by this change will need to opt in to continue using basic authentication after the Jamf rollout of version 11.5.0 of Jamf Pro. See Classic API Authentication Changes for instructions. This action must be performed after your Jamf Pro production servers are upgraded to 11.5.0.
 

What will happen if my organization does not opt in to use basic authentication after the upgrade to 11.5.0?

New users cannot be onboarded to Device Trust. Existing users with expired certificates on their devices will not be able to renew the certificates.
 

What errors will I see in Okta and Jamf if I forget to take the necessary actions after the 11.5.0 update?


Okta Syslog


Use the following search query in Reports > System Log to find cert issuance failures:

displayMessage eq "Device Trust certificate issuance" and outcome.result eq "FAILURE"


[Screenshot: Syslog query]
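The same search can be run against the System Log API (GET /api/v1/logs) and summarized per user to see who is affected. This is an added example, not Okta's own code: the org URL is a placeholder, the sample events are constructed, and it assumes actor.alternateId identifies the enrolling user.

```python
import json
from collections import Counter
from urllib.parse import urlencode

# Filter expression taken verbatim from the article's System Log search.
FILTER = ('displayMessage eq "Device Trust certificate issuance" '
          'and outcome.result eq "FAILURE"')

def build_logs_url(org_url, since, limit=1000):
    """Build the System Log API URL for the article's filter.
    Send it with the header 'Authorization: SSWS <api token>'."""
    query = urlencode({"filter": FILTER, "since": since, "limit": limit})
    return f"{org_url.rstrip('/')}/api/v1/logs?{query}"

def failed_issuance_by_user(events):
    """Count failed Device Trust certificate issuances per actor.
    The filter is re-applied locally so unfiltered exports also work."""
    counts = Counter()
    for ev in events:
        if ev.get("displayMessage") != "Device Trust certificate issuance":
            continue
        if (ev.get("outcome") or {}).get("result") != "FAILURE":
            continue
        # Assumption: the actor is the user whose device requested the cert.
        actor = (ev.get("actor") or {}).get("alternateId") or "unknown"
        counts[actor] += 1
    return counts

# Constructed sample events (not real log data), shaped like System Log entries.
SAMPLE_EVENTS = json.loads("""[
 {"displayMessage": "Device Trust certificate issuance",
  "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "alice@example.com"}},
 {"displayMessage": "Device Trust certificate issuance",
  "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "alice@example.com"}},
 {"displayMessage": "Device Trust certificate issuance",
  "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "bob@example.com"}},
 {"displayMessage": "Device Trust certificate issuance",
  "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "carol@example.com"}},
 {"displayMessage": "User login to Okta",
  "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "dave@example.com"}}
]""")

if __name__ == "__main__":
    # example.okta.com is a placeholder org URL.
    print(build_logs_url("https://example.okta.com", "2024-05-07T00:00:00Z"))
    for user, n in failed_issuance_by_user(SAMPLE_EVENTS).most_common():
        print(f"{user}\t{n}")
```

A rising count for the same users after the Jamf Pro 11.5.0 upgrade points to basic authentication being disabled on the Jamf side.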

 

Jamf Logs

If basic authentication is disabled in Jamf, cert issuance/renewal will fail with the following log message available in Computers > Policies > <Your DT policy> > Logs.
[Screenshot: Jamf logs]

 

Is Device Trust for Windows on Okta Classic impacted?

No. But we highly recommend that all our customers migrate to OIE as soon as possible to enjoy the benefits being added to the platform.
 

How can my organization continue to enforce device trust of managed macOS devices in Okta?

The newer version of device trust is Okta’s Management attestation for desktop devices feature (see documentation). This is available today to all customers with OIE environments.

Will Okta support Device Trust for the upcoming version 15 release of macOS?

No.


What are the SKU requirements to enforce management attestation in OIE?

AMFA or ASSO
 

Where can I learn more about migrating Device Trust to Management Attestation in OIE?

Learn more by checking the Migrate from Device Trust to Okta FastPass FAQ documentation.
 

I have more questions. Who do I call? 

Please reach out to the Okta account team if there are any additional questions.

 
