If you’re deploying Okta Verify for macOS to unlock features such as Okta FastPass or integrations with XDR tools like Crowdstrike, you’re going to need to deploy some Custom Settings payloads with VMware Workspace ONE UEM to get that done.

In this blog I will cover the main Custom Settings payloads required for setting the ‘Org URL’ for your Okta tenant, so your users don't need to remember it.

I won’t be covering how to deploy the Okta Verify application in this post, or any smart ways of chaining the deployment of the profile to the installation of the app via scripts. That's for another post!

First of all, references for you.

Prepare your Custom Settings payloads

According to the Okta docs, we need to target two preference domains: com.okta.mobile and com.okta.mobile.auth-service-extension.

The main Okta keys are below for reference:

NOTE: I was unable to get the settings for silent enrolment and report diagnostics deployed (UEM kept giving me formatting errors). I'm still trying to see how I can deploy these.

<dict>
    <key>OktaVerify.OrgUrl</key>
    <string><<your-okta-org>>.oktapreview.com|okta.com</string>
</dict>

You need to use the URL you use to access your Okta dashboard. If that's a custom URL, use that here.

Paste that key/value pair into the mcx_preference_settings dictionary of each of the two settings blocks below, one per preference domain.

Each block goes into its own Custom Settings payload in a user-targeted macOS profile.

<dict>
	<key>PayloadContent</key>
	<dict>
		<key>com.okta.mobile</key>
		<dict>
			<key>Forced</key>
			<array>
				<dict>
					<key>mcx_preference_settings</key>
					<dict>
						<key>OktaVerify.OrgUrl</key>
						<string><<your-okta-org>>.oktapreview.com|okta.com</string>
					</dict>
				</dict>
			</array>
		</dict>
	</dict>
	<key>PayloadEnabled</key>
	<true/>
	<key>PayloadIdentifier</key>
	<string>MCXToProfile.53D4D13B-FAD1-49F7-A341-59A5AB2CCCA8.alacarte.customsettings.e018cb09-de75-4195-ae80-b4cc25c02a76</string>
	<key>PayloadType</key>
	<string>com.apple.ManagedClient.preferences</string>
	<key>PayloadUUID</key>
	<string>53D4D13B-FAD1-49F7-A341-59A5AB2CCCA8</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
<dict>
	<key>PayloadContent</key>
	<dict>
		<key>com.okta.mobile.auth-service-extension</key>
		<dict>
			<key>Forced</key>
			<array>
				<dict>
					<key>mcx_preference_settings</key>
					<dict>
						<key>OktaVerify.OrgUrl</key>
						<string><<your-okta-org>>.oktapreview.com|okta.com</string>
					</dict>
				</dict>
			</array>
		</dict>
	</dict>
	<key>PayloadEnabled</key>
	<true/>
	<key>PayloadIdentifier</key>
	<string>MCXToProfile.3BFF8DA4-0B59-4D90-A145-CFFC315440AF.alacarte.customsettings.e018cb09-de75-4195-ae80-b4cc25c02a76</string>
	<key>PayloadType</key>
	<string>com.apple.ManagedClient.preferences</string>
	<key>PayloadUUID</key>
	<string>3BFF8DA4-0B59-4D90-A145-CFFC315440AF</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
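The two blocks above differ only in the preference domain and the UUIDs, so they are easy to generate rather than hand-edit. The script below is an added example for this post, not something from Okta or VMware: it normalises whatever was pasted as the Org URL (rejecting the `<<your-okta-org>>...|okta.com` placeholder and stripping a scheme or path), builds both payload dictionaries with a fresh PayloadUUID each, and renders just the `<dict>...</dict>` fragment that the Custom Settings field takes. The identifier pattern (PayloadUUID in the middle, a shared trailing UUID) is copied from the two blocks above; `example.oktapreview.com` is a constructed org name.

```python
import plistlib
import re
import uuid

# The two preference domains the Okta docs say must carry the Org URL.
PREFERENCE_DOMAINS = ("com.okta.mobile", "com.okta.mobile.auth-service-extension")

# A bare hostname made of dot-separated labels: no scheme, no path, no placeholder.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def normalise_org_url(value: str) -> str:
    """Reduce whatever was pasted to the bare Okta org hostname, or raise ValueError."""
    host = value.strip().lower()
    if "<<" in host or "|" in host:
        raise ValueError(f"placeholder text still present: {value!r}")
    host = re.sub(r"^https?://", "", host)  # tolerate a full dashboard URL ...
    host = host.split("/", 1)[0]            # ... and drop any path after the host
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"not a usable hostname: {value!r}")
    return host


def is_usable_org_url(value: str) -> bool:
    """True if normalise_org_url() would accept the value."""
    try:
        normalise_org_url(value)
    except ValueError:
        return False
    return True


def build_payload(domain: str, org_host: str, profile_tag: str) -> dict:
    """One Custom Settings payload dict in the shape shown in the post."""
    payload_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": {"OktaVerify.OrgUrl": org_host}}]}
        },
        "PayloadEnabled": True,
        # Identifier pattern follows the post: PayloadUUID in the middle, shared tag at the end.
        "PayloadIdentifier": f"MCXToProfile.{payload_uuid}.alacarte.customsettings.{profile_tag}",
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
    }


def build_payloads(org_url: str) -> list:
    """Both payloads for one profile, each with its own PayloadUUID."""
    host = normalise_org_url(org_url)
    profile_tag = str(uuid.uuid4())  # the post's two blocks share this trailing UUID
    return [build_payload(domain, host, profile_tag) for domain in PREFERENCE_DOMAINS]


def to_custom_settings_xml(payload: dict) -> str:
    """Render only the top-level <dict>...</dict>; the UEM field takes the fragment, not a full plist."""
    lines = plistlib.dumps(payload).decode().splitlines()
    first = lines.index("<dict>")                       # plistlib emits the root dict unindented
    last = len(lines) - 1 - lines[::-1].index("</dict>")
    return "\n".join(lines[first:last + 1])


if __name__ == "__main__":
    # Constructed org name; replace with the hostname of your own Okta dashboard.
    for payload in build_payloads("example.oktapreview.com"):
        print(to_custom_settings_xml(payload), end="\n\n")
```

Run it once per profile and paste each printed block into its own Custom Settings payload; because every run mints new UUIDs, never reuse output across two profiles.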

Set up an SSO Extension payload

In the same profile, you can set up the SSO Extension payload. The settings needed for this are listed on the Okta page Configure an SSO extension on macOS devices | Okta.

Extension Type: Generic
Extension Identifier: com.okta.mobile.auth-service-extension
Type: Credential
Team Identifier: B7F62B65BN
Realm: Okta Device
Hosts: <<your-okta-org>>.oktapreview.com|okta.com

Everything else in the payload can be left as is.

Finally, assign and deploy

Everything should deploy to your devices correctly. Once it has, when your users first launch Okta Verify they should see something like the screenshot below.

Common errors

If you get the error above, check that the text in your Custom Settings payload is correct.

If you get the error above, you can use the “uuidgen” command in Terminal to generate a new UUID for your payloads.
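Both of these errors can be caught before the profile is saved. The linter below is an added example for this post (not an Okta or Workspace ONE tool): it wraps each pasted `<dict>...</dict>` fragment in a plist header, parses it with the standard library so that malformed text (including a leftover `<<your-okta-org>>` placeholder, which is not valid XML) is reported as a formatting error, and then checks that no two fragments share a PayloadUUID or PayloadIdentifier and that every preference domain actually carries OktaVerify.OrgUrl. The three sample fragments and their UUIDs are constructed for the demo.

```python
import plistlib
from xml.parsers.expat import ExpatError

PLIST_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
              '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n')
PLIST_TAIL = "\n</plist>\n"


def parse_fragment(fragment: str):
    """Parse one pasted <dict> block; return (payload, None) or (None, error text)."""
    try:
        data = plistlib.loads((PLIST_HEAD + fragment + PLIST_TAIL).encode())
    except (ExpatError, plistlib.InvalidFileException, ValueError) as exc:
        return None, f"formatting error: {exc}"
    if not isinstance(data, dict):
        return None, "top-level element is not a <dict>"
    return data, None


def lint_payloads(fragments) -> list:
    """Return a list of problems found across the pasted Custom Settings blocks."""
    problems = []
    seen = {"PayloadUUID": {}, "PayloadIdentifier": {}}
    for index, fragment in enumerate(fragments, start=1):
        if "<<" in fragment or "|okta.com" in fragment:
            problems.append(f"payload {index}: placeholder text still present")
        payload, error = parse_fragment(fragment)
        if error:
            problems.append(f"payload {index}: {error}")
            continue
        for key in ("PayloadContent", "PayloadType", "PayloadUUID", "PayloadIdentifier"):
            if key not in payload:
                problems.append(f"payload {index}: missing {key}")
        # Both UUID-style fields must be unique across every payload in the profile.
        for key, used in seen.items():
            value = payload.get(key)
            if value in used:
                problems.append(f"payload {index}: {key} {value} already used by payload {used[value]}")
            elif value is not None:
                used[value] = index
        # Each preference domain needs the Org URL inside its Forced entry.
        for domain, settings in payload.get("PayloadContent", {}).items():
            forced = settings.get("Forced", [])
            urls = [f.get("mcx_preference_settings", {}).get("OktaVerify.OrgUrl") for f in forced]
            if not any(urls):
                problems.append(f"payload {index}: {domain} has no OktaVerify.OrgUrl")
    return problems


# Constructed sample fragments in the post's layout (compacted); UUIDs are made up.
TEMPLATE = """<dict>
	<key>PayloadContent</key>
	<dict><key>{domain}</key><dict><key>Forced</key><array><dict>
		<key>mcx_preference_settings</key>
		<dict><key>OktaVerify.OrgUrl</key><string>{org}</string></dict>
	</dict></array></dict></dict>
	<key>PayloadEnabled</key><true/>
	<key>PayloadIdentifier</key><string>MCXToProfile.{uuid}.alacarte.customsettings.demo</string>
	<key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
	<key>PayloadUUID</key><string>{uuid}</string>
	<key>PayloadVersion</key><integer>1</integer>
</dict>"""
UUID_A = "AAAAAAAA-0000-4000-8000-000000000001"
UUID_B = "AAAAAAAA-0000-4000-8000-000000000002"


def demo_fragments() -> list:
    """One good block, one that reuses UUID_A, and one with the placeholder left in."""
    good = TEMPLATE.format(domain="com.okta.mobile", org="example.okta.com", uuid=UUID_A)
    dup = TEMPLATE.format(domain="com.okta.mobile.auth-service-extension",
                          org="example.okta.com", uuid=UUID_A)
    bad = TEMPLATE.format(domain="com.okta.mobile",
                          org="<<your-okta-org>>.oktapreview.com|okta.com", uuid=UUID_B)
    return [good, dup, bad]


if __name__ == "__main__":
    for problem in lint_payloads(demo_fragments()):
        print(problem)
```

In practice, paste the real blocks from your profile into the list in place of the demo fragments; an empty result means the text parses and the UUIDs are unique, which are exactly the two things the errors above complain about.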

Any issues please feel free to reach out to me, or leave a comment!
