Manage endpoint security integration plugins for macOS
Endpoint security integration plugins extend the functionality of the Okta endpoint security integration feature.
To enable plugins on macOS devices, you need to configure and deploy a managed app configuration using your device management solution. The configuration enables Okta Verify to collect trust signals from your EDR client running on the same device.
Currently, Okta EDR integration for macOS only supports CrowdStrike ZTA. Support for other EDR solutions is planned for the future.
- Before you begin
- Managed app configuration
- Start this procedure
- Verify managed app configuration deployment
- Disable the EDR integration plugin
- Next steps
Before you begin
Verify that:
- EDR integration is enabled for your org
- macOS devices are:
  - Registered with Okta
  - Managed by a device management solution that supports managed app configuration
  - Running:
    - macOS version 10.15 (Catalina) or later
    - Okta Verify 1.9.0 or later
    - CrowdStrike Falcon Agent 6.20 or later
- You are familiar with these Jamf Pro documents:
Managed app configuration
The managed app configuration contains information that Okta Verify uses to create the EDR integration plugin. Entries in the configuration correspond to the EDR vendors that you integrate with Okta. When users try to access a protected resource, Okta Verify reads the entry to collect signals from the EDR. For example, the entry for CrowdStrike looks like this:
{
"name": "com.crowdstrike.zta",
"description": "File based EDR integration between Okta Verify and the Crowdstrike Falcon agent.",
"location": "/Library/Application Support/Crowdstrike/ZeroTrustAssessment/OVSignals.zta",
"type": "FILE",
"format": "JWT"
}
Currently, as shown in the example entry, this EDR integration supports only "type": "FILE" and CrowdStrike.
Jamf Pro-specific example
This example shows how to deploy a managed app configuration using Jamf Pro, but any device management solution that supports deploying a managed app configuration to Apple devices should work.
In this example, you upload the managed app configurations and two distinct Preference Domains (bundle IDs) to Jamf Pro. The configuration must have the following properties:
- Identical entries but different names that correspond to their distinct Preference Domain (bundleID) in Jamf Pro.
- The configuration must include an entry with an array of all the integration names attached to:
  - Key: OktaVerify.Plugins
- All other entries in the PLIST must be keys corresponding to dictionaries formatted as shown in the CrowdStrike entry example. The key should match the "name" entry in the dictionary. For example, "OktaVerify.Plugins" = ["com.crowdstrike.zta"].
Start this procedure
- In Jamf Pro, go to Computers > Configuration Profiles > + New.
- In the left pane, scroll down and select Application & Custom Settings.
- Choose a method for uploading the PLIST files to Jamf Pro:
  - External Applications. Choose Custom Schema. See Managing Settings for Computer Applications using JSON Schema and Jamf Pro.
  - Upload. See Computer Configuration Profiles.
- In your chosen upload method, enter two identical PLIST payloads. Each payload must have a distinct Preference Domain:
  - First payload Preference Domain: com.okta.mobile
  - Second payload Preference Domain: com.okta.mobile.auth-service-extension
  - PLIST payload. For example, here's a payload for integrating with CrowdStrike ZTA using Jamf Pro:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<managedAppConfiguration>
<dict>
<key>OktaVerify.Plugins</key>
<array>
<string>com.crowdstrike.zta</string>
</array>
<key>com.crowdstrike.zta</key>
<dict>
<key>description</key>
<string>description</string>
<key>format</key>
<string>JWT</string>
<key>location</key>
<string>/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta</string>
<key>name</key>
<string>com.crowdstrike.zta</string>
<key>type</key>
<string>file</string>
</dict>
</dict>
</managedAppConfiguration>
</plist>
- Go to the Scope tab and assign the configuration profile to the relevant end-user devices.
Currently the description field in the PLIST is not used. You can use it to show a message to end users about the signals Okta collects and the benefits of this feature.
Verify managed app configuration deployment
There are a few ways to verify that the managed app configuration was deployed successfully to a given device.
Option 1: Check System Preferences
- On the macOS device, click the System Preferences icon on the dock and hold it.
- Click Profiles.
- Under Device (Managed), verify that an entry for the profile you created in Jamf Pro is listed. For example, an entry may contain information similar to this:
  - Description: deploy app config to macOS Okta Verify shared container.
  - Signed: JSS Built-In Signing Certificate
  - Installed: April 1, 2021 at 11:55 AM
  - Settings: Custom Settings
Option 2: Look in /Library/Managed Preferences
Make sure to open /Library/Managed Preferences and not the user's Library folder.
- On the macOS device, go to /Library/Managed Preferences.
- Verify that the PLIST file is present in these locations:
  - Managed Preferences folder
  - The User subfolder within Managed Preferences.
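The Option 2 check can be scripted together with the payload rules from the Jamf Pro-specific example (plugin array, key matching "name", identical payloads for both Preference Domains). The following Python script is an added example, not Okta or Jamf tooling. It assumes each payload is stored as a file named after its Preference Domain with a .plist extension; the function names are hypothetical.

```python
import plistlib
import sys
from pathlib import Path

# The two Preference Domains named in the procedure on this page.
DOMAINS = ("com.okta.mobile", "com.okta.mobile.auth-service-extension")
PLUGINS_KEY = "OktaVerify.Plugins"

def check_config(cfg):
    """Return a list of problems in one managed app configuration dict."""
    plugins = cfg.get(PLUGINS_KEY)
    if not isinstance(plugins, list) or not plugins:
        return [f"{PLUGINS_KEY} must be a non-empty array of integration names"]
    problems = [f"{n}: listed in {PLUGINS_KEY} but has no entry"
                for n in plugins if n not in cfg]
    for key, entry in cfg.items():
        if key == PLUGINS_KEY:
            continue
        if not isinstance(entry, dict):
            problems.append(f"{key}: entry is not a dictionary")
            continue
        if key not in plugins:
            problems.append(f"{key}: not listed in {PLUGINS_KEY}")
        if entry.get("name") != key:
            problems.append(f"{key}: key does not match its 'name' value")
        # The page shows both "FILE" and "file", so compare case-insensitively.
        if str(entry.get("type", "")).upper() != "FILE":
            problems.append(f"{key}: only type FILE is supported")
        if not entry.get("location"):
            problems.append(f"{key}: location is missing")
    return problems

def check_deployment(folder="/Library/Managed Preferences"):
    """Check that both Preference Domain plists exist, are valid and identical."""
    problems, loaded = [], []
    for domain in DOMAINS:
        path = Path(folder) / f"{domain}.plist"  # assumed file name
        if not path.is_file():
            problems.append(f"{path.name}: not deployed")
            continue
        loaded.append(plistlib.loads(path.read_bytes()))  # XML or binary plist
        problems += [f"{path.name}: {p}" for p in check_config(loaded[-1])]
    if len(loaded) == 2 and loaded[0] != loaded[1]:
        problems.append("payloads for the two Preference Domains differ")
    return problems

if __name__ == "__main__":
    print("\n".join(check_deployment(*sys.argv[1:2])) or "configuration is consistent")
```

Run it with no argument to check /Library/Managed Preferences, or pass the user subfolder as the argument to check that copy.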
Disable the EDR integration plugin
If you want to disable the EDR integration plugin for a particular EDR vendor, remove the EDR-specific entry from the PLIST files and then upload them again to Jamf Pro as described in Start this procedure.