OKTA DEVICE ACCESS - INTUNE POLICY DEFINITIONS 

Okta Device Access extends Okta's Identity and Access Management capabilities to the device sign-in experience. 

This document describes how Administrative Template files can be used to enhance the device sign-in experience for Okta Device Access. 

THE CHALLENGE:
	Okta Device Access has become a prevalent solution throughout the organization. In the past, changing its configuration required manual edits to registry settings across multiple systems. This method proved to be inefficient and time-consuming, and it carried inherent risk: a mistyped value under HKLM\Software\Policies affects the sign-in path of every user of that machine. Many administrators have reported challenges in managing these settings consistently.

THE SOLUTION: 
	- Administrative Templates
		To simplify and centralize configuration management, we provide Administrative Template files. These files, consisting of language-neutral .admx files and language-specific .adml files, are designed for seamless integration with Intune Device Configuration Policies. By importing these templates into Intune, we can deploy configuration settings to Microsoft Entra joined or hybrid joined (domain-joined) machines that are enrolled in Intune. Any modifications made in the Intune profile are applied by the MDM client to the corresponding registry values on the managed systems, removing the need for manual registry edits and improving overall consistency. 

UNDERSTANDING ADMINISTRATIVE TEMPLATE FILES: 
Administrative Templates utilize a two-part structure: 
  - `.admx` files: These XML-based files contain the core policy settings and are language-independent. 
  - `.adml` files: These XML-based files provide the user interface text for the policy settings in specific languages. 
This separation allows administrators to manage the same policies in different languages by pairing the .admx files with the appropriate .adml files. 

SUPPORTED OPERATING SYSTEMS: 
 - Windows 10 
 - Windows 11
 - Windows Server 2019 
 - Windows Server 2022 
 - Windows Server 2025 

INCLUDED FILES:  
The file Okta_Device_Access_PolicyDefinitions_v1.zip contains the following: 

  - Okta_Device_Access_PolicyDefinitions_v1
      |- Okta_Device_Access_PolicyDefinitions_v1_Intune_Readme.txt
      |- Okta_ODA_Policy_Definitons_v1_GPO_readme.txt
      |- Okta_ODA_PolicyDefinitions
          |- Okta.admx
          |- OktaODA.admx
          |- en-US
              |- Okta.adml
              |- OktaODA.adml

PREREQUISITES 
Before proceeding, ensure you have the following: 
 - Microsoft Intune Subscription: An active Intune subscription with administrative privileges. 
 - Windows 10/11 Devices: Client machines enrolled in Intune. 
 - ADMX and ADML Files: 
   ▪ The ADMX files (Okta.admx and OktaODA.admx) contain the policy setting definitions. 
   ▪ The corresponding ADML language files (en-US\Okta.adml and en-US\OktaODA.adml) contain the language-specific resources for each ADMX file. You will need an ADML file for each language you want to support; en-US (English) is the minimum, and it is the only language shipped in this package. 
 - Supported ADMX: 
   ▪ Intune can only ingest ADMX files whose policies are registry-backed, i.e., every policy maps to a registry key and value name. The Okta templates write their settings under HKLM\Software\Policies\Okta. 
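The following PowerShell script is an added illustration and is not part of the Okta package. It reads each ADMX together with its en-US ADML, resolves the $(string.*) display names, and lists the registry key and value names every policy writes, which is exactly the registry-backed property Intune checks at import. The extraction path C:\Temp\Okta_ODA_PolicyDefinitions and the assumption that the templates use the standard ADMX key/valueName attributes are mine; the policy names it prints come from the files themselves.

```powershell
# Added example (not Okta's code): inspect the ADMX/ADML pairs before importing them
# and confirm every policy is registry-backed.
# Assumptions: the package was extracted to $TemplateRoot and the ADMX files follow the
# standard Group Policy ADMX schema (policy key/valueName, <elements> children).
param(
    [string]$TemplateRoot = 'C:\Temp\Okta_ODA_PolicyDefinitions',   # assumed path
    [string]$Language     = 'en-US'
)

function Get-AdmxPolicySummary {
    param([string]$AdmxPath, [string]$AdmlPath)

    [xml]$admx = Get-Content -LiteralPath $AdmxPath -Raw
    [xml]$adml = Get-Content -LiteralPath $AdmlPath -Raw

    # Build the $(string.id) lookup table from the ADML stringTable.
    $strings = @{}
    foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.GetAttribute('id')] = $s.InnerText
    }
    function Resolve-AdmlString([string]$ref) {
        if ($ref -match '^\$\(string\.(.+)\)$') { return $strings[$Matches[1]] }
        return $ref
    }

    foreach ($p in $admx.policyDefinitions.policies.policy) {
        # Registry value names come from the policy itself and/or its <elements> children.
        $valueNames = @()
        if ($p.GetAttribute('valueName')) { $valueNames += $p.GetAttribute('valueName') }
        if ($p.elements) {
            $valueNames += $p.elements.ChildNodes |
                Where-Object { $_.NodeType -eq 'Element' -and $_.GetAttribute('valueName') } |
                ForEach-Object { $_.GetAttribute('valueName') }
        }
        [pscustomobject]@{
            Policy         = $p.GetAttribute('name')
            DisplayName    = Resolve-AdmlString $p.GetAttribute('displayName')
            Class          = $p.GetAttribute('class')      # Machine, User or Both
            RegistryKey    = $p.GetAttribute('key')
            ValueNames     = ($valueNames -join ', ')
            RegistryBacked = [bool]($p.GetAttribute('key') -and $valueNames.Count -gt 0)
        }
    }
}

$report = foreach ($admxFile in 'Okta.admx', 'OktaODA.admx') {
    $admx = Join-Path $TemplateRoot $admxFile
    $adml = Join-Path $TemplateRoot (Join-Path $Language ($admxFile -replace '\.admx$', '.adml'))
    if (-not (Test-Path -LiteralPath $admx) -or -not (Test-Path -LiteralPath $adml)) {
        Write-Warning "Missing $admxFile or its $Language ADML; skipping."
        continue
    }
    Get-AdmxPolicySummary -AdmxPath $admx -AdmlPath $adml
}

$report | Format-Table Policy, DisplayName, Class, RegistryKey, ValueNames, RegistryBacked -AutoSize

# Intune rejects uploads containing policies that are not registry-backed; flag them first.
$notBacked = $report | Where-Object { -not $_.RegistryBacked }
if ($notBacked) {
    Write-Warning "Policies without a registry mapping: $($notBacked.Policy -join ', ')"
}
# Computer Configuration (Machine) policies must be assigned to device groups; User-class
# policies would need user groups. Surface any that are not Machine-scoped.
$userScoped = $report | Where-Object { $_.Class -ne 'Machine' }
if ($userScoped) {
    Write-Warning "Non-Machine policies (check assignment target): $($userScoped.Policy -join ', ')"
}
```

Run it from the extracted package folder before uploading; the RegistryKey column also tells you which path to inspect on a client after deployment.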
 
IMPORTING ADMX AND ADML FILES TO INTUNE 
Follow these steps to import your ADMX and ADML files into Microsoft Intune:

1. Navigate to Intune Admin Center: 
   - Open your web browser and go to the Microsoft Intune admin center. 
2. Access Device Configuration: 
   - In the left-hand navigation pane, select Devices. 
   - Under Manage devices, select Configuration. 
3. Import ADMX: 
   - Click on the Import ADMX tab. 
   - Upload Files: 
	 ▪ ADMX file: Click "Browse" or drag and drop your Okta.admx file. 
	 ▪ ADML file for default language: Click "Browse" or drag and drop your corresponding Okta.adml file (e.g., from the en-US folder). 
   - Once the files are uploaded, Intune will validate them. 
   - If validation is successful, click Next. 
   - Review the summary and click Create. 
   - The imported template will now appear in the list of available imported administrative templates. Wait for the "Upload status" to show "Available". 
4. Repeat the above steps to import OktaODA.admx together with its en-US\OktaODA.adml. Both templates must show "Available" before you create a profile that uses them. 
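The same import can be scripted so that it is repeatable across tenants. The PowerShell below is an added example, not Okta's or Microsoft's code: it uploads each ADMX with its ADML through the Microsoft Graph beta endpoint deviceManagement/groupPolicyUploadedDefinitionFiles and polls the upload status until it is no longer in progress, the scripted equivalent of waiting for "Upload status" to show "Available". It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, and that the endpoint and the property names fileName, content, defaultLanguageCode, groupPolicyUploadedLanguageFiles and status are as I know them from the Graph beta API; verify those against the current Graph documentation before relying on the script.

```powershell
# Added example (not Okta's code): import the ADMX/ADML pairs into Intune via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; account has DeviceManagementConfiguration.ReadWrite.All;
# the beta endpoint and property names below match the current Graph API (verify before use).
param(
    [string]$TemplateRoot = 'C:\Temp\Okta_ODA_PolicyDefinitions',   # assumed path
    [string]$Language     = 'en-US'
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$uri = 'https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles'

function Import-AdmxToIntune {
    param([string]$AdmxPath, [string]$AdmlPath, [string]$LanguageCode)
    # Graph expects the raw file contents base64-encoded.
    $body = @{
        fileName            = Split-Path -Leaf $AdmxPath
        content             = [Convert]::ToBase64String([IO.File]::ReadAllBytes($AdmxPath))
        defaultLanguageCode = $LanguageCode
        groupPolicyUploadedLanguageFiles = @(
            @{
                fileName     = Split-Path -Leaf $AdmlPath
                languageCode = $LanguageCode
                content      = [Convert]::ToBase64String([IO.File]::ReadAllBytes($AdmlPath))
            }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body
}

# Import in the same order as the manual steps: Okta.admx first, then OktaODA.admx.
$uploaded = foreach ($admxFile in 'Okta.admx', 'OktaODA.admx') {
    $admx = Join-Path $TemplateRoot $admxFile
    $adml = Join-Path $TemplateRoot (Join-Path $Language ($admxFile -replace '\.admx$', '.adml'))
    Write-Host "Uploading $admxFile ..."
    Import-AdmxToIntune -AdmxPath $admx -AdmlPath $adml -LanguageCode $Language
}

# Poll until Intune has finished validating each upload. The status values are an
# assumption about the API; anything other than 'available' is reported for review.
foreach ($file in $uploaded) {
    do {
        Start-Sleep -Seconds 10
        $state = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($file.id)"
    } while ($state.status -in 'uploadInProgress', 'none')
    if ($state.status -eq 'available') {
        Write-Host "$($state.fileName): available"
    } else {
        Write-Warning "$($state.fileName): status '$($state.status)' (check the admin center for validation errors)"
    }
}
```

Invoke-MgGraphRequest returns hashtables, which is why the script reads $state.status rather than a typed object; if a validation error is reported, the admin center's Import ADMX blade shows the parser message for the failing file.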

CREATING A CONFIGURATION PROFILE USING IMPORTED ADMX 
Once the ADMX/ADML files are successfully imported, you can create a configuration profile to deploy these settings: 

1. Navigate to Configuration: 
   - Go to Devices > Manage devices > Configuration. 
2. Create Policy: 
   - Click Create > New Policy. 
   - Platform: Select Windows 10 and later. 
   - Profile type: Select Templates. 
   - In the template list, choose Imported Administrative templates (Preview). 
   - Click Create. 
3. Basic Information: 
   - Name: Provide a descriptive name for the profile (e.g., "Okta_ODA_Intune"). 
   - Description: (Optional) Add a description for the profile. 
   - Click Next. 
4. Configuration Settings: 
   - The settings defined in your ADMX files will be displayed, categorized as "All Settings", "Computer Configuration" and "User Configuration". 
   - Browse to Computer Configuration > Okta > Okta Device Access to configure the settings. 
   - For each setting: 
	 ▪ Select the setting. 
	 ▪ Choose Enabled, Disabled, or Not Configured. 
	 ▪ If Enabled, configure any associated values (e.g., text input, dropdown selection) as defined in the ADMX. 
	 ▪ Example: 
			▪ To configure "AllowedFactors", double-click "AllowedFactors" and select "Enabled". 
			▪ In the settings below, enter * in the text box. 
			▪ Click OK. 
   - Click Next after configuring all desired settings. 
5. Scope Tags (Optional): 
   - Assign scope tags if your organization uses them for role-based access control. 
   - Click Next. 
6. Assignments: 
   - Included groups: Click Add groups and select the Microsoft Entra ID (formerly Azure AD) user or device groups to which this policy should apply. 
	 ▪ Computer Configuration settings should be assigned to device groups. 
   - Click Next. 
7. Review + Create: 
   - Review all the settings and assignments. 
   - Click Create to deploy the profile. 

VERIFYING ADMINISTRATIVE TEMPLATE CHANGES ON CLIENT MACHINES 
After the policy has been assigned and client devices have synced with Intune, you can verify the changes using the following methods. The default Intune policy sync cycle for Windows devices is approximately every 8 hours. However, a sync can be manually initiated to expedite policy application. 

1. Manually Initiating an Intune Sync: 
   - From the Company Portal App (if installed): 
	 ▪ Open the Company Portal app on the Windows device. 
	 ▪ Go to Settings (often represented by a gear icon or found in a menu). 
	 ▪ Look for a Sync button or option and click it. This will initiate a check-in with Intune. 
   - From the Windows Settings App: 
	 ▪ Open Settings on the Windows device (Windows Key + I). 
	 ▪ Go to Accounts. 
	 ▪ Select Access work or school. 
	 ▪ Click on the account connected to Azure AD/Intune (e.g., "Connected to <YourOrganization>'s Azure AD"). 
	 ▪ Click the Info button. 
	 ▪ Scroll down to the "Device sync status" section and click the Sync button. 
2. Once the sync is complete (which may take a few minutes), proceed with the verification methods below.
   - Event Viewer 
	 ▪ Intune uses the DeviceManagement-Enterprise-Diagnostics-Provider event log to record MDM policy application. 
	 ▪ Open Event Viewer: On the client machine, press Windows Key + R, type eventvwr.msc, and press Enter. 
	 ▪ Navigate to the Log: 
		- Go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. 
	 ▪ Look for Relevant Events: 
		- Filter for events related to policy application. Event ID 813 records a successful Set of an integer-valued policy and Event ID 814 a successful Set of a string-valued policy (for example, the text entered for AllowedFactors). The event message names the policy and the ADMX-derived area, so you can filter the message text for "Okta".
   - Registry Editor 
	 ▪ Since ADMX settings configure registry keys, you can directly verify them in the Registry Editor. 
	 ▪ Open Registry Editor: On the client machine, press Windows Key + R, type regedit, and press Enter. 
		- Caution: Be extremely careful when navigating and modifying the registry. Incorrect changes can cause system instability. 
	 ▪ Verify Registry Changes:  
		- On a client machine, verify that the policy settings have been applied by checking the corresponding registry entries, e.g., HKLM\Software\Policies\Okta\Okta Device Access. 
		- The specific registry values written depend on the policies you configured. 
		- Example: 
			▪ Navigate to HKLM\Software\Policies\Okta\Okta Device Access and verify that the "AllowedFactors" value exists and contains the data you entered in Intune (in the example above, *). 
	 ▪ For every setting you enabled, check that the value exists and that its data matches the configuration you set in the Intune policy. A missing value usually means the device has not synced yet or the profile is assigned to a user group instead of a device group. 
3. Keys under HKLM\Software\Policies\Okta\Okta Device Access Backend are used internally by the service; do not modify these registry settings. 
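The manual verification above can be done in one pass with the PowerShell below, which is an added example and not part of the Okta package. It forces an Intune check-in, pulls the 813/814 events that mention Okta from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log, and then compares the values under HKLM\Software\Policies\Okta\Okta Device Access with what you configured in the profile. Assumptions that are mine: the script runs elevated on an enrolled client; the sync is triggered by starting the enrollment client's "Schedule #3" scheduled task under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>; and the expected table holds only the document's AllowedFactors = * example, which you extend with the other values you set.

```powershell
# Added example (not Okta's code): trigger an Intune sync and verify the Okta Device Access
# policy values on a client. Run elevated on an Intune-enrolled Windows device.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access'
# Expected value name => data, as configured in the Intune profile (AllowedFactors = * is the
# document's example; add the other settings you enabled).
$Expected  = @{ AllowedFactors = '*' }

function Start-IntuneSync {
    # Assumption: the 8-hourly MDM schedule task created at enrollment exists; starting it
    # forces an immediate check-in, equivalent to the Sync button in Settings.
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                       $_.TaskName -like 'Schedule #3 created by enrollment client*' } |
        Select-Object -First 1
    if (-not $task) {
        Write-Warning 'No enrollment schedule task found; is this device MDM-enrolled?'
        return
    }
    $task | Start-ScheduledTask
    Start-Sleep -Seconds 60   # give the MDM client time to apply the policy
}

function Get-OktaPolicyEvents {
    # 813 = Set policy (int) succeeded, 814 = Set policy (string) succeeded.
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 813, 814
        StartTime = (Get-Date).AddDays(-1)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Okta' } |          # assumption: area/policy text names Okta
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-OktaPolicyValues {
    param([string]$Key, [hashtable]$Expected)
    if (-not (Test-Path -LiteralPath $Key)) {
        return [pscustomobject]@{ Value = '(key)'; Expected = $Key; Actual = 'missing'; Ok = $false }
    }
    $actual = Get-ItemProperty -LiteralPath $Key
    foreach ($name in $Expected.Keys) {
        $prop = $actual.PSObject.Properties[$name]
        $data = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Value    = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $data) { 'missing' } else { $data }
            Ok       = ($null -ne $data) -and ([string]$data -eq [string]$Expected[$name])
        }
    }
}

Start-IntuneSync
Get-OktaPolicyEvents | Format-Table -AutoSize
$results = Test-OktaPolicyValues -Key $PolicyKey -Expected $Expected
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'One or more Okta Device Access policy values are not applied.'
    exit 1
}
```

The script only reads the policy key; it never writes under HKLM\Software\Policies\Okta, and it deliberately ignores the Okta Device Access Backend key, which is reserved for the service.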

By utilizing these Administrative Template files, you can effectively manage and deploy Okta Device Access configurations, leading to a more consistent, secure, and user-friendly device sign-in experience across your organization. 