Okta Classic Engine | Multi-Factor Authentication | Answered | Asked 2023-03-22, last activity 2023-03-23

KerryK.85181 (Customer) asked a question.

Using FIDO2 with Okta-integrated UEM for autopilot enrollment

We are leveraging autopilot enrollment for Apple devices in our UEM platform (VMware Workspace ONE). WS1 is integrated with Okta for user provisioning and authentication. The scenario we're trying to build is:

  1. New employee is onboarded into AD and JIT provisioned into Okta
  2. Pre-enroll FIDO2 hardware token (YubiKey) for new user
  3. Apple laptop and YubiKey ship directly to end-user (Apple Business Manager points laptop to WS1 during activation)
  4. Laptop begins UEM enrollment by prompting user to authenticate (via Okta)
  5. Username and PW entered, then challenged for MFA (only FIDO2 enabled)
  6. End-user inserts YubiKey and successfully authenticates; Okta groups dictate UEM groups and policies are applied
  7. Enrollment completes

We can build this same scenario with Okta Verify Push in place of FIDO2 and it works perfectly. But when we change to FIDO2, MFA never completes and simply displays the error "Operation failed".

I suspect this might be an issue with the mini-browser window that launches for the Okta authentication, but I can't check any logs because the laptop is not fully functional, since it has not completed enrollment.

This is obviously a very specific use-case, but I'm wondering if anyone has successfully implemented an Okta-integrated UEM autopilot enrollment process with FIDO2 hardware tokens.

Thanks!
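The poster's hypothesis is that the embedded mini-browser used during enrollment is what breaks FIDO2, and they note they cannot collect logs from it. FIDO2 (WebAuthn) has client-side preconditions that push-based MFA does not: a secure context, the `PublicKeyCredential` interface, a working `navigator.credentials.get()`, and, if the sign-in page is framed, a `publickey-credentials-get` permission policy. The following probe is an added example written for this page, not code from the thread, from Okta, or from VMware; it reports which of those preconditions a given browser or web view is missing, so a page carrying it can be loaded in any web view an administrator can control (or in a normal Safari tab for comparison). The `fullBrowser` and `bareWebView` objects are constructed fakes for offline use and do not represent measured behaviour of any real product.

```javascript
// Added example (not from the Okta Community thread): WebAuthn precondition probe.
// probeWebAuthn() takes the global object as a parameter so the same logic runs in a
// real browser (pass `window`) and against constructed fake environments offline.

function probeWebAuthn(win) {
  const problems = [];

  // WebAuthn is only exposed in secure contexts (https:// or localhost).
  if (!win.isSecureContext) {
    problems.push("not a secure context (page not served over HTTPS)");
  }

  // PublicKeyCredential is the feature-detection anchor for WebAuthn support.
  if (typeof win.PublicKeyCredential !== "function") {
    problems.push("PublicKeyCredential interface missing (WebAuthn not implemented)");
  }

  // navigator.credentials.get() is the call a relying party such as Okta makes
  // when it challenges the user for a FIDO2 assertion.
  const creds = win.navigator && win.navigator.credentials;
  if (!creds || typeof creds.get !== "function") {
    problems.push("navigator.credentials.get unavailable");
  }

  // Embedded login UIs often host the sign-in page in a frame. WebAuthn calls from a
  // cross-origin frame are refused unless the embedding document grants the
  // publickey-credentials-get permission, so a framed context is worth inspecting.
  let framed = false;
  try {
    framed = win.top !== win;
  } catch (e) {
    framed = true; // cross-origin top document: accessing win.top throws
  }
  if (framed) {
    problems.push("page is framed; check the publickey-credentials-get permission policy");
  }

  return { ok: problems.length === 0, framed, problems };
}

// Optional async check: is a built-in (platform) authenticator such as Touch ID present?
// A roaming authenticator like a YubiKey does not require this to be true.
async function platformAuthenticatorAvailable(win) {
  const pkc = win.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  return pkc.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Constructed fake environments (assumptions for illustration, not real browser output).
const fullBrowser = {
  isSecureContext: true,
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { get() {}, create() {} } },
};
fullBrowser.top = fullBrowser; // top-level document, not framed

const bareWebView = {
  isSecureContext: true,
  navigator: {}, // no credentials API at all
};
bareWebView.top = {}; // a different object: the page is framed

if (typeof window !== "undefined") {
  // In a real browser, print the diagnosis for the current page.
  console.log(probeWebAuthn(window));
}
```

Loading a page with this probe in a web view that can be reached reports precisely which requirement fails, which is more actionable than the generic "Operation failed" the poster sees; a result with `ok: true` in the web view but a failing sign-in would instead point at the relying-party side (origin and RP ID configuration) rather than at the client.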


  • Hi @KerryK.85181 (Customer), thank you for reaching out to the Okta Community!

    I wasn't able to locate any similar reports of issues with the enrollment.

    Maybe it's a long shot, but you mentioned the use case is for Apple devices. The following documentation says, under Browser-specific Considerations:

    "The FIDO2 (WebAuthn) authenticator may not function correctly using the Safari browser on Apple Macintosh computers running on the Apple M1 processor."

    https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-webauthn.htm

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps!
  • KerryK.85181 (Customer)

    Thanks Mihai! That link applies to OIE. We're on Okta Classic Engine. Do you know if the same limitations apply?

    For what it's worth, I do think this is an issue with the mini-browser that launches during the activation / enrollment process. But I was hoping that there might be a workaround somewhere.

    Thanks again!

    Kerry
This question is closed.