Mo A. (JDP) asked a question.
Okta ODA SCEP cert - not trusted - Mac
We’re rolling out Okta Device Access (Desktop MFA) on macOS via Jamf Pro and noticed the Okta ODA SCEP cert installs but shows as “Not Trusted” in Keychain.
A few things we’re seeing:
- Cert is there after enrollment
- Shows not trusted in System keychain
- Okta Verify / Desktop MFA still works fine for now
Main questions:
- Is this expected, or should the cert be trusted automatically?
- If it should be trusted, what’s the right way to handle that (Jamf profile, full chain, etc.)?
- Any issues down the road when the cert expires if it stays untrusted?
We’ve already got some endpoints like this in rollout, so just want to make sure we’re not missing something.
Hi @Mo A. (JDP) , Thank you for reaching out to the Okta Community!
Just to clarify, you are not getting an error while authenticating as mentioned in this article, right?
You mentioned that "Okta Verify / Desktop MFA still works fine for now ", so if you are just seeing the cert showing up as "not trusted" in the keychain, that is expected. Referenced in the Management Attestation FAQ doc.
As for problems down the line, check this doc as it says that you will have to redistribute the profile before the certificate expires.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
Just released: More Okta Community badges just added