Okta Classic Engine > Administration | Answered | 2024-04-16T11:15:24Z | 2020-07-24T12:34:49Z | 2021-02-17T21:20:18Z

z9o7y (z9o7y) asked a question.

Deploying Okta Credential Provider across a network

I want to set up a Group Policy to deploy the Okta Credential Provider agent across all workstations in my network, so that I can be 100% confident none have been missed and that all RDP logins will be subject to MFA. The server is Windows Server 2016 and the workstations are Windows 10. I can easily install the MSI using Group Policy Software Installation, but this won't allow me to include the command-line parameters for Client_ID, Client_Secret and URL, which means that the agent will be installed with invalid config, thus rendering the machine inaccessible (pretty dangerous, I think?). Is anybody able to help with a way around this?


In addition, I want to configure the Agent to RdpOnly=true. As far as I can see this can't be done by command line on installation, but only by editing the Config file after installation ... is this correct? I guess I could create a login script to update the config file, but how can I ensure the login script runs after the Config file has been created?


Finally, I have seen other posts on this forum lamenting the fact that Okta MFA can't simply be deployed against the Remote Desktop Gateway, rather than having to have an agent installed on every computer. This would be easier to deploy and a lot more reliable (i.e. it couldn't be turned off on individual PCs either accidentally or deliberately).

  • feok4 (feok4)

    I believe the MSI string would look similar to this: msiexec /qb /log log.txt /i OktaWindowsCredentialProvider.msi CLIENT_ID="cid" CLIENT_SECRET="cs" OKTA_URL="https://a.b.c"


    Since you're using GPO, you'll need to use a transforms file (MST) for the config settings. I suppose you could do a startup script GPO or use a push mechanism...


    This was found here, under step 2: https://help.okta.com/en/prod/Content/Topics/Security/proc-mfa-win-creds-rdp.htm

  • z9o7y (z9o7y)

    Thanks for your feedback, Jeff. I had seen that command in the documentation, and started running it manually, but I found that some machines had trouble installing the C++ run-time, so the installation failed ... I even found one that didn't have TLS 1.2 enabled (which I thought was standard on Windows 10). I could do a Start script in GPO that dealt with these issues, but it's getting more complicated. Pity, because I think it is a security weakness if I can't be sure that all devices on the network are covered by MFA.

  • JeffF.88343 (Customer)

    Did you ever figure out a way to deploy this via GPO? We're hitting the same roadblocks. Manual installs are not an option due to the quantity of machines that we need to install this on. psexec64 just flat isn't working due to other security restrictions (and also gives no coverage of future machines that join the domain). Even scripting the installs via the instructions under "silent install" are not working correctly since the installs 1. are not silent (still showing install dialogs), and 2. are ignoring the RdpOnly=true parameter we put in - thereby requiring us to manually touch every config file anyway.

    If we could figure out how to use a transform file (that the msi will actually listen to for the RDP option as well as the ID, secret, and URL), then that would be ideal.

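Putting the thread's pieces together as an added example (this is not code from the thread, from the posters, or from Okta's documentation): a PowerShell computer-startup script that a GPO could run at boot. It runs as SYSTEM before anyone logs on, so it installs and configures in one pass, which addresses the OP's worry about an agent being installed with invalid config, and it answers the "how do I run after the config file exists" question by doing the edit immediately after msiexec returns. It uses the public MSI properties feok4 quoted (CLIENT_ID, CLIENT_SECRET, OKTA_URL), re-enables TLS 1.2 in SCHANNEL for the one-off box the OP found, and forces RdpOnly=true in the agent's JSON config, since Jeff reports the installer ignores that property on the command line. The MSI share path, the org URL, the product's DisplayName in the Uninstall registry keys, the config file path and the "RdpOnly" JSON key name are all assumptions; check them against Okta's RDP MFA doc for your agent version before rolling this out.

```powershell
# Added example, not from the Okta thread or Okta's docs. GPO computer startup script
# (runs as SYSTEM at boot): install the Okta Windows Credential Provider MSI silently
# with the properties named in the thread, then force RdpOnly=true in its config.
#
# ASSUMPTIONS to verify for your environment and agent version:
#   $MsiPath, $OktaUrl      - placeholders for your share and org
#   $DisplayName            - product name as shown under the Uninstall registry keys
#   $ConfigPath, "RdpOnly"  - the thread only says "the Config file"; path/key are guesses
param(
    [string]$MsiPath      = '\\corp.example.com\NETLOGON\OktaWindowsCredentialProvider.msi',
    [string]$ClientId     = 'REPLACE_ME',
    [string]$ClientSecret = 'REPLACE_ME',
    [string]$OktaUrl      = 'https://example.okta.com',
    [string]$LogDir       = "$env:ProgramData\OktaCPDeploy"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Log = Join-Path $LogDir 'deploy.log'
function Write-Log([string]$Msg) { "$(Get-Date -Format s) $Msg" | Add-Content -Path $Log }

$DisplayName = 'Okta Windows Credential Provider'   # assumed
$ConfigPath  = "$env:ProgramFiles\Okta\Okta Windows Credential Provider\config\rdp_app_config.json"  # assumed

function Test-Installed {
    # Idempotence: skip the MSI on machines that already have the agent.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    [bool](Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like "$DisplayName*" })
}

function Enable-Tls12Client {
    # The OP found a Windows 10 box with TLS 1.2 disabled; the agent needs it to reach Okta.
    # These are Microsoft's documented SCHANNEL switches (Enabled=1, DisabledByDefault=0).
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    New-Item -Path $p -Force | Out-Null
    Set-ItemProperty -Path $p -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $p -Name DisabledByDefault -Value 0 -Type DWord
}

function Install-Agent {
    $msiLog = Join-Path $LogDir 'msi.log'
    # /qn is fully silent (feok4's /qb shows a basic UI, which is why dialogs appeared);
    # /norestart keeps a 3010 (reboot required) from rebooting the box mid-startup.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$msiLog`"",
                 "CLIENT_ID=`"$ClientId`"", "CLIENT_SECRET=`"$ClientSecret`"", "OKTA_URL=`"$OktaUrl`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exit code $($proc.ExitCode); see $msiLog" }
    Write-Log "MSI installed (exit $($proc.ExitCode))"
}

function Set-RdpOnly {
    # Fail loudly rather than leave a half-configured machine if the assumed path is wrong.
    if (-not (Test-Path $ConfigPath)) { throw "Config not found at $ConfigPath; verify the assumed path" }
    $cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
    if ($cfg.PSObject.Properties['RdpOnly']) { $cfg.RdpOnly = $true }
    else { $cfg | Add-Member -NotePropertyName RdpOnly -NotePropertyValue $true }
    $cfg | ConvertTo-Json -Depth 10 | Set-Content -Path $ConfigPath -Encoding UTF8
    Write-Log "RdpOnly set to true in $ConfigPath"
}

try {
    Enable-Tls12Client
    if (Test-Installed) { Write-Log 'Agent already installed; skipping MSI' } else { Install-Agent }
    Set-RdpOnly
} catch {
    Write-Log "FAILED: $_"
    exit 1
}
```

Two caveats before using this pattern. First, a startup script lives in SYSVOL, which Authenticated Users can read, so a literal CLIENT_SECRET in the script (or in an MST stored alongside the MSI) is exposed to every domain account; keep the script in a share readable only by Domain Computers, or have the script fetch the secret at run time from somewhere the machine account can authenticate to. Second, the script rewrites the JSON via ConvertTo-Json, which will drop comments or unusual formatting if the real config file has them, so pilot it on a single OU and confirm the agent still starts and RDP prompts for MFA before linking the GPO to all workstations.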
This question is closed.