Okta Classic Engine · Administration · Answered · Posted 2025-12-03T13:16:10Z, last updated 2025-12-31T17:53:36Z
Okta Conditional Access with Jamf Pro

Hi everyone,

I’m trying to design a Conditional Access setup for macOS devices using Okta + Jamf Pro, and I’d appreciate some guidance from the community.
We want to ensure that only managed, company-owned macOS devices can access specific applications integrated with Okta.

All unmanaged or BYOD machines should be blocked, even if the user has valid credentials and MFA.
Our environment:

• Okta (not sure which exact license tier we have, but Okta Device Trust is not available to us)
• Jamf Pro managing all corporate Macs
• Users authenticate via Okta SSO
• We want app-level device restrictions (not global)

What I’ve tried:

I tested the flow described here:

https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-dynamic-scep-macos-jamf.htm
I successfully deployed the Okta CA dynamic SCEP certificate via Jamf.

However, when configuring Conditional Access for an application, I get stuck because Okta requires the device to be marked as “Managed”, and that status doesn’t seem to come purely from the SCEP certificate.
In our setup, the device never becomes “Managed” unless it is also registered through Okta Verify, which we’re trying to avoid.
Ideally, we want device trust to rely on the MDM + SCEP certificate, not user-driven Okta Verify enrollment.
What is the recommended or supported way to enforce app-level Conditional Access only for Jamf-managed macOS devices, if Okta Device Trust is not part of our license?

Has anyone achieved macOS device-based access control using only Jamf Pro + Okta (without FastPass and Okta Verify device registration)?
Is the SCEP-based approach viable, or is Verify registration required in all cases for “Managed” state?

Any advice, best practices, or architectural suggestions would be greatly appreciated.

  • Paul S. (Okta, Inc.)

    Hello @MichalP.85521 (Customer), thank you for posting on our Community page!

    The Okta Community Questions forum isn't really meant for in-depth troubleshooting.

    I would recommend opening a Support ticket, then continuing the discussion with the assigned Technical Support Engineers. They'll be able to access additional tools and resources to help you get to the bottom of it and provide you the most appropriate guidance.

    Thank you for reaching out to our Community and have a great day!

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Selected as Best
