Approximately one year after integrating Jamf Pro, customers may encounter authentication issues stemming from expired Device Management certificates. Simple Certificate Enrollment Protocol (SCEP) client certificates provide management attestation (the Device Managed condition) within the App Sign-On Policy when FastPass is used.
This article describes the Jamf setting required to account for certificate expiration.
- Okta Identity Engine (OIE)
- Jamf Pro
- Mobile Device Management (MDM)
- MDM Configuration Profiles
- Simple Certificate Enrollment Protocol (SCEP)
- Public Key Infrastructure (PKI)
The Okta Certificate Authority (CA) issues client certificates, which are installed on the device, with a validity period of one year.
Before these management certificates expire, the Mobile Device Management (MDM) solution is expected to initiate the SCEP flow on the endpoint or device to request the issuance of new client certificates.
If the SCEP Configuration Profile is not correctly configured, the client will not receive a new certificate from the Okta CA.
Consequently, an expired client certificate will fail to provide the requisite management attestation, thereby failing to meet the "managed" sign-on condition.
Within the Jamf Configuration Profile for the client SCEP management certificate, there is a Redistribute Profile setting. This option should be configured to redistribute the SCEP configuration profile to endpoints before the SCEP-issued management certificate expires, as advised in the Okta Device Management guide for Jamf Pro (see Task 2 - Step 5 of Configure Okta as a CA with dynamic SCEP challenge for macOS with Jamf Pro).
This is important because Okta does not support automatic certificate renewal; the profile must be redistributed so that the SCEP flow issues a new management certificate to replace the expiring one.
Jamf maintains an inventory of client certificate expiration dates, which allows it to determine when to redistribute the profile within a specified number of days before each certificate expires.
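The following is an added example, not Okta's or Jamf's own code, of the kind of fleet check an administrator can run to confirm that the redistribution window is actually catching certificates before they expire. It parses the `subject=` / `notAfter=` lines that `openssl x509 -noout -subject -enddate` prints for a certificate, computes the days remaining, and classifies each device as OK, due for redistribution, or already expired. The device names, subject names, dates and the 30-day window are constructed assumptions; the real window is whatever is configured in the Jamf profile.

```python
"""Flag Okta-issued SCEP management certificates that are near expiry.

Added example (not Okta's or Jamf's code). The input format is the text
`openssl x509 -noout -subject -enddate` prints, prefixed with a device
label; everything below is constructed sample data.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample: one record per device, as an inventory script could
# collect by piping each Mac's management certificate through
#   openssl x509 -noout -subject -enddate
SAMPLE_INVENTORY = """\
device=MAC-0001
subject=CN=managementAttestation 1a2b3c4d, O=Example Corp
notAfter=Jun  1 09:15:00 2025 GMT
device=MAC-0002
subject=CN=managementAttestation 9e8f7a6b, O=Example Corp
notAfter=Sep 20 18:30:00 2025 GMT
device=MAC-0003
subject=CN=managementAttestation 55aa55aa, O=Example Corp
notAfter=Jan 10 00:00:00 2025 GMT
"""

# openssl prints dates like "Jun  1 09:15:00 2025 GMT" (day padded with spaces)
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Assumed redistribution window; use the value configured in the Jamf profile
REDISTRIBUTE_DAYS = 30


def parse_not_after(value: str) -> datetime:
    """Turn an openssl notAfter value into a timezone-aware UTC datetime."""
    # strptime treats format whitespace as "one or more", so "Jun  1" parses
    return datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(
        tzinfo=timezone.utc
    )


def parse_inventory(text: str) -> list[dict[str, str]]:
    """Group key=value lines into one record per 'device=' line."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "device":
            records.append({"device": value})
        elif records:
            records[-1][key] = value
    return records


def classify(not_after: datetime, now: datetime, window_days: int) -> tuple[str, int]:
    """Return (status, days_remaining) for a certificate expiry time."""
    days = (not_after - now).days
    if days < 0:
        return "EXPIRED", days          # attestation already failing
    if days <= window_days:
        return "REDISTRIBUTE", days     # inside the redistribution window
    return "OK", days


def report(text: str, now: datetime, window_days: int = REDISTRIBUTE_DAYS) -> list[tuple[str, str, int]]:
    """Classify every device in the inventory text; returns (device, status, days)."""
    results = []
    for rec in parse_inventory(text):
        status, days = classify(parse_not_after(rec["notAfter"]), now, window_days)
        results.append((rec["device"], status, days))
    return results


if __name__ == "__main__":
    for device, status, days in report(SAMPLE_INVENTORY, datetime.now(timezone.utc)):
        print(f"{device}: {status} ({days} days remaining)")
```

Running the script from an inventory feed turns the EXPIRED rows into a direct list of devices whose Device Managed condition is already failing, and the REDISTRIBUTE rows into the set the Jamf profile should be reaching right now; a device that stays in REDISTRIBUTE without a newer notAfter appearing in the next collection is the signal that the SCEP profile is not being redistributed correctly.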
