If you’re deploying Okta Verify for macOS to unlock features such as Okta FastPass or integrations with XDR tools like CrowdStrike, you’ll need to deploy a couple of Custom Settings payloads with VMware Workspace ONE UEM.
In this blog I will cover the main Custom Settings payloads required to pre-configure the ‘Org URL’ of your Okta tenant, so your users don’t need to remember or type it.
I won’t be covering how to deploy the Okta Verify application itself in this post, or any smart ways of chaining the deployment of the profile to the installation of the app via scripts. That’s for another post!
First of all, some references for you.
- The different config plist’s made available by Okta. Managed app configurations for macOS devices | Okta
- SSO Extension configuration options. Configure an SSO extension on macOS devices | Okta
Prepare your Custom Settings payloads
According to the Okta docs, we need to target two preference domains: com.okta.mobile (the Okta Verify app) and com.okta.mobile.auth-service-extension (the SSO extension bundled with it).
The Okta key we need is below for reference:
NOTE: I was unable to get the settings for silent enrolment and report diagnostics deployed (UEM kept giving me formatting errors). Still trying to see how I can deploy these.
<dict>
<key>OktaVerify.OrgUrl</key>
<string><<your-okta-org>>.oktapreview.com|okta.com</string>
</dict>
Use the hostname you use to access your Okta dashboard, picking the .okta.com or .oktapreview.com form of the placeholder as appropriate. If that’s a custom URL, use that here instead.
Drop that key into the two settings blocks below, one for each preference domain (the only difference between them is the preference domain name and the UUIDs).
These need to be entered in the Custom Settings payload of a macOS profile targeted at the User level.
<dict>
<key>PayloadContent</key>
<dict>
<key>com.okta.mobile</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>OktaVerify.OrgUrl</key>
<string><<your-okta-org>>.oktapreview.com|okta.com</string>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>MCXToProfile.53D4D13B-FAD1-49F7-A341-59A5AB2CCCA8.alacarte.customsettings.e018cb09-de75-4195-ae80-b4cc25c02a76</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>53D4D13B-FAD1-49F7-A341-59A5AB2CCCA8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.okta.mobile.auth-service-extension</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>OktaVerify.OrgUrl</key>
<string><<your-okta-org>>.oktapreview.com|okta.com</string>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>MCXToProfile.3BFF8DA4-0B59-4D90-A145-CFFC315440AF.alacarte.customsettings.e018cb09-de75-4195-ae80-b4cc25c02a76</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>3BFF8DA4-0B59-4D90-A145-CFFC315440AF</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
Set up an SSO Extension Payload
In the same profile, add an SSO Extension payload. The settings needed for it are listed on Configure an SSO extension on macOS devices | Okta and summarised below.
| Setting | Value |
| --- | --- |
| Extension Type | Generic |
| Extension Identifier | com.okta.mobile.auth-service-extension |
| Type | Credential |
| Team Identifier | B7F62B65BN |
| Realm | Okta Device |
| Hosts | <<your-okta-org>>.oktapreview.com|okta.com |
Everything else in the payload can be left as is.
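The two Custom Settings blocks above differ only in their preference domain and UUIDs, and the SSO extension’s Hosts value must match the org hostname you put in OktaVerify.OrgUrl. The script below is an added example (my own code, not Okta’s or VMware’s) that generates both payloads with fresh UUIDs, emits the bare <dict> fragment you paste into each UEM Custom Settings box, derives the SSO extension values from the same hostname, and runs the checks I would want before assigning the profile. The helper names are mine; the sample org acme.oktapreview.com is constructed, not a real tenant; and the SSO extension key names (ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts) are those of Apple’s com.apple.extensiblesso payload, which is what UEM’s SSO Extension payload produces.

```python
"""Generate and sanity-check the Okta Verify Custom Settings payloads for Workspace ONE UEM.

Added example, not Okta's or VMware's code. It reproduces the two <dict> fragments from the
post (preference domains com.okta.mobile and com.okta.mobile.auth-service-extension, key
OktaVerify.OrgUrl) with fresh UUIDs and derives the SSO extension Hosts value from the same
org hostname, so the two cannot drift apart. Helper names are my own.
"""
from __future__ import annotations

import plistlib
import re
import uuid
from typing import Optional
from urllib.parse import urlparse

PREFERENCE_DOMAINS = ("com.okta.mobile", "com.okta.mobile.auth-service-extension")
ORG_URL_KEY = "OktaVerify.OrgUrl"
OKTA_TEAM_ID = "B7F62B65BN"  # Okta's Apple Team ID, as given in the post's SSO table


def normalise_org_url(org_url: str) -> str:
    """Return the bare org hostname, rejecting the post's placeholder and any path."""
    candidate = org_url.strip()
    if "<<" in candidate or "|" in candidate:
        raise ValueError("replace the <<your-okta-org>> placeholder with your real org hostname")
    parsed = urlparse(candidate if "://" in candidate else f"https://{candidate}")
    if parsed.scheme != "https" or not parsed.netloc or parsed.path not in ("", "/"):
        raise ValueError(f"expected a bare https org hostname, got {org_url!r}")
    host = parsed.netloc.lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        raise ValueError(f"not a valid hostname: {host!r}")
    return host


def custom_settings_payload(domain: str, org_host: str, profile_uuid: str) -> dict:
    """One com.apple.ManagedClient.preferences payload, shaped exactly like the post's."""
    payload_uuid = str(uuid.uuid4()).upper()  # what the post tells you to get from uuidgen
    return {
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": {ORG_URL_KEY: org_host}}]}
        },
        "PayloadEnabled": True,
        "PayloadIdentifier": f"MCXToProfile.{payload_uuid}.alacarte.customsettings.{profile_uuid}",
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
    }


def build_payloads(org_url: str, profile_uuid: Optional[str] = None) -> list[dict]:
    """Both Custom Settings payloads for one org, sharing the profile UUID suffix."""
    host = normalise_org_url(org_url)
    profile_uuid = profile_uuid or str(uuid.uuid4())
    return [custom_settings_payload(domain, host, profile_uuid) for domain in PREFERENCE_DOMAINS]


def payload_xml(payload: dict) -> str:
    """Serialise one payload as the bare <dict>...</dict> fragment the UEM Custom Settings box wants."""
    xml = plistlib.dumps(payload, fmt=plistlib.FMT_XML).decode()
    return xml[xml.index("<dict>"): xml.rindex("</dict>") + len("</dict>")]


def sso_extension_settings(org_host: str) -> dict:
    """The SSO extension values from the post's table, keyed as in Apple's com.apple.extensiblesso payload."""
    return {
        "ExtensionIdentifier": PREFERENCE_DOMAINS[1],
        "TeamIdentifier": OKTA_TEAM_ID,
        "Type": "Credential",
        "Realm": "Okta Device",
        "Hosts": [org_host],
    }


def check_payloads(payloads: list[dict], expected_host: str) -> list[str]:
    """Pre-deployment checks for the two errors the post runs into: wrong text and clashing UUIDs."""
    problems = []
    uuids = [p["PayloadUUID"] for p in payloads]
    if len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadUUID: run uuidgen and give each payload its own")
    seen = set()
    for payload in payloads:
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            problems.append(f"{payload.get('PayloadUUID')}: unexpected PayloadType")
        for domain, content in payload["PayloadContent"].items():
            seen.add(domain)
            for entry in content.get("Forced", []):
                value = entry.get("mcx_preference_settings", {}).get(ORG_URL_KEY)
                if value != expected_host:
                    problems.append(f"{domain}: {ORG_URL_KEY} is {value!r}, expected {expected_host!r}")
    for domain in PREFERENCE_DOMAINS:
        if domain not in seen:
            problems.append(f"no payload targets preference domain {domain}")
    return problems


if __name__ == "__main__":
    ORG = "https://acme.oktapreview.com"  # constructed sample org, not a real tenant
    payloads = build_payloads(ORG)
    for fragment in map(payload_xml, payloads):
        print(fragment, end="\n\n")
    print("SSO extension:", sso_extension_settings(normalise_org_url(ORG)))
    print("problems:", check_payloads(payloads, normalise_org_url(ORG)) or "none")
```

Paste each printed fragment into its own Custom Settings payload, and use the Hosts value from the SSO extension dict in the SSO Extension payload. Once the profile has landed, running defaults read com.okta.mobile OktaVerify.OrgUrl in Terminal as the targeted user should print the hostname; if it does not, the User-level profile has not been applied to that user.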
Finally, assign and deploy
Everything should deploy to your devices correctly. Once it has, when your users first launch Okta Verify you should see something like the below.
Common errors
If you get the above, check that the text in your Custom Settings payload is correct.
If you get the above, you can use the Terminal command “uuidgen” to generate a fresh UUID for your payloads (each payload needs its own PayloadUUID, which also appears in its PayloadIdentifier).
Any issues please feel free to reach out to me, or leave a comment!
Solutions Engineer @ Okta. Former SE at VMware for Workspace ONE. All things Identity, MDM and Mac. Occasionally takes photos of Bands at adammatthews.photography, and blogs at adammatthews.co.uk.
Week 12-2023 VMware Enduser Computing Updates – Julius Lienemann
March 24, 2023 […] Adam Matthews: Preconfigure Okta Verify for macOS with VMware Workspace ONE UEM […]
ASd
July 11, 2023: For Windows it is possible to push configs via the installation command
OktaVerifySetup-x.x.x.x-yyyyyyy.exe -q EnrollmentOptions=Enabled EnableZTAPlugin=TRUE OrgUrl=yourdomain.okta.com