Setting Up Device Trust with Kandji & Okta

SaaS Security Enhanced with Okta & Kandji

By leveraging the strengths of Okta's identity management and Kandji's device management capabilities, businesses can achieve a more secure environment for their SaaS applications. This partnership ensures that only compliant and secure devices can access company resources, reducing the risk of unauthorized access and data breaches. As a result, organisations can confidently embrace digital transformation while maintaining a strong security posture.

This start-to-finish guide shows you exactly how to setup Okta Device Trust with Kandji for Apple devices, in less than an hour.

Don't want to read - just follow along with our simple guide video:

Pre-requisites

• Okta Identity Engine Tenant (Get a free trial HERE)
• Kandji MDM Tenant (Contact us to get a FREE TRIAL)
• Apple Business Manager with Apps & Books Configured
• About an hour to spare and desire to improve your security posture

Step 1 - Configure the Okta Verify App in ABM and Kandji

Once you have your tenants basic config complete, you are ready to begin. Let's start by adding the Okta Verify App license to your ABM location:

• Login to ABM with an admin account
• Navigate to Apps -> Search for Okta Verify 
• Select your preferred location, and number of licenses (it's free, just add a number that will ensure you don't need to come back and add again)
• Select Get

Your new app should now be available in your Kandji tenant (if you don't have Apple Books setup in Kandji, see THIS GUIDE)

Step 2 - Assign the Okta Verify App to your Apple Devices

All devices that will be required to enrol and use device trust will need to have Okta verify pushed to them. Adding it manually on the device will not work as there is a certificate that Kandji uses to ensure the app is authentic and the device is managed by that Kandji tenant.

First - check the Library Item:

• Login to Kanji as an Administrator
• Select Library on the left menu
• You should see Okta Verify under the App Store Apps (if you don't, you may need check your Apple books configuration is working (Settings -> Apple Integrations -> Apps & Books)

Now add the Library Item to your Devices

• Navigate to Blueprints -> Select your Blueprint/Assignment Map
• Click Edit Assignments
• Drag Okta Verify onto the map
• Click Save

Note the infinity sign in the app tile - this shows us the app is continually updated and kept in sync. If this is not there, edit the library item to have Install & continuously enforce set.

That's it for assigning the required app to the devices. They should auto-install quite quickly if they are online.

Setup FastPass in Okta

The foundation of device trust is Okta FastPass (and later it can also enable Passwordless). In order to set this up, we simply need to update some Okta policies:

• Global Session Policy
• Authenticators
• Authentication Policies

The Global Session Policy

• First, login to Okta as a Super Admin
• Navigate to Security -> Global Session Policy
• 
  The important setting is Establish session with any factor that meets Authentication policy requirements. This passes the control to the authentication policies.
• Ensure the rest of the settings meet your requirements

Configure the Enrolment Policy

Enrolment policies ensure that the correct users are prompted to enrol the correct types of authenticators - in this test environment, I want everyone to use passwords and Okta Verify, so let's make sure the enrolment policy requires both:

• Navigate to Security -> Authenticators
• Select the Enrolment Tab
• In the default policy, ensure that Password AND Okta Verify are Required:

Note - you can create new polices and assign to user groups if you want to rollout in a staggered fashion, which is advisable to ensure users don't lose access to apps.

Configure the Okta Verify Authenticator

• Still in Authenticators, select the Setup tab
• Select Action | Edit on Okta Verify

Ensure that under Verification Options Okta FastPass (All Platforms) is checked. This is the key to fastPass working correctly.

• Click on Save

Create Your Emergency Backdoor

All too many times you're sure you have configured everything right on ly to lock yourself out completely. It only takes 1 wrong click! So I like to create a temporary user that can access in the top policy without worry that the new policies will affect it.

• Create a new Emergency user - activate and set a strong password
• Add that user to the Super Admins group 
• Add a top rule in any authentication policy that you will update that allows this user with only Password. You can of course add multi-factors too, but this account only exists during the change window.

For my trial tenant - I am jsut have the first rule to be password only and the emergency user is a member of the !FastPass group. No other users will get this policy applied unless you add them to this group.

Step 3 - Setup Authentication Polices

Now at this point, you are likely to lock yourself and everyone else out if you make any small mistake. It is advisable to leave the existing policies in place and also add an "emergency access" user and rule to ensure you can always get back in.

• Navigate to Security -> Authentication Policies
• Either create a new policy, or edit an existing policy - in this case I have used the dashboard authentication policy. Add the rules as below, where Rule 1 is your existing rule. Leave this at the top to ensure users can still access their apps until you are ready to disable it.

Rules Overview

1. Existing Rule/s - left in to allow the staged rollout

2. Allow Fully Managed Devices

3. Allow Registered Devices 

4. Catch All/Deny

Here we would deny anyone that had not met any of the above rules as best practice.

Note: I have created a group called OKT-FastPass and assigned it to the 2 new policies - this gives me granular control of the rollout.

Setup Okta Kandji Device Trust

After all that - we are finally at the point where we can setup Okta device trust with Kandji!

In reality, if you have done the initial steps well, and tested your rules, this part should be really simple.

Let's Start in Kandji:

• Login to Kandji as an Administrator
• Navigate to Integrations -> Discover Integrations -> Find Okta Device Trust -> Click Add & Configure on the Okta Device Trust tile

• Click on Get Started on the wizard ( you can click to learn more about the integrations here too)
• Enter your full Okta domain in the format xxxx.okta.com - ho https:// prefix or -admin 
• Click on Sign in with Okta and use a super admin account to signin (This account is not tied to the integration so no need to create a service account)
• Click Install & Authorise
• Copy the Client Secret to a safe and secure place -> click Done
• Now copy your Client ID and save safely

Back in Kandji:

• Click Next
• Enter the details you just copied - the integration will validate
• Now select your device platforms - select both and click Next
• You are prompted for several details you dot have yet - first for MacOS Platform

Back to Okta

• Navigate to Security -> Device Integrations
• Under Endpoint Management, Select Add Platform
• Select Desktop -> Next
• Ensure you select Okta as the CA and Dynamic SCEP URL | Generic
• Click Generate 
• Copy the Details to your safe place and hit Save
• Back in Kandji - enter the 4 items you just created from Okta -> Next

Adding iOS:

Back to Okta (Dizzy yet??)

• Click Add Platform -> iOS -> Next

• Click Save

Note: Your enrolment link is your Kanndji URL suffixed with /enroll

• Bck in Kandji - paste in the iOS secret key and click Done
• Click Sync Now to complete the setup

That's the integration set up! We just need to go back to the Okta Verify Library item and ensure Okta Device Trust is turned on!

Turn on Okta Device Trust

• In Kandji still, Click On Library -> Okta Verify Tile
• Click Edit 
• Toggle on Okta Device Trust and accept the pop up warning

• Click on Save

Now we really are done with the setup!

All that's left to do is to add a device to Kandji and Login as a user in the OKT-FastPass Group to see if it becomes managed

Adding a Managed Device

1. Enroll a device in Kandji (if you don't have already)

2. Ensure the device gets the Okta Verify App

3. Add an account that's in the OKT-FastPass Group (or whatever you called your group) to Okta Verify - ensure you enable Biometrics as our policy requires this

4. Sign-in to your Okta dashboard. You should go through your auth flow as per the Authentication Policy you set.

The iOS Okta FastPass Experience (including Hardware Token Auth Flow)

Now - you can see your Managed devices in Okta:

• Open the Okta Admin portal
• Navigate to Directory -> Devices
• You will see all devices that have authenticated against Okta using an Authenticator app

What we want to see here is Active | Managed

Active -  device has Okta verify Installed and it was used to login to Okta

Active | Managed - Device has Okta verify deployed from Kandji and has an okta account setup aligned to the FastPass policy

Active | Not Managed - Device has Okta verify but not deployed from Kandji/ABM/The device is not managed by Kandji

Troubleshooting

The 1 issue I faced during this process was devices not showing up as managed. I spen a long time troubleshooting and trying a lot of different changes - in the end I simply removed and re-added the ODT integration. Worked fine the second time.