Configuring Okta and Jamf Pro for Mobile Device Trust

Configuring Okta and Jamf Pro for Mobile Device Trust involves the following steps:

  1. Enable Mobile Device Trust in Okta for Jamf Pro

  2. Configure managed app settings in Jamf Pro for Okta Mobile

General Requirements

To configure Okta and Jamf Pro for Mobile Device Trust, you need the following:
  • User-initiated enrollment enabled for iOS devices in Jamf Pro

  • Okta Device Trust enabled on the Okta instance

  • Apps utilizing SAML or WS-FED

In addition, apps must be configured to allow access only with Device Trust. This requires removing the app from display in Okta Mobile.

Step 1: Enable Mobile Device Trust in Okta for Jamf Pro

  1. Enable Device Trust on the Okta instance.
  2. Configure Mobile Device Trust in Okta. For more information about configuring Mobile Device Trust in Okta, see the following Okta product documentation: https://help.okta.com/en/prod/Content/Topics/Mobile/Okta_Device_Trust_Native_Apps_Safari_MDM_Devices.htm
  3. When configuring settings on the Enable Mobile Device Trust dialog box, do the following:
    1. In Trust is established by, select Other.
    2. In the Enrollment link field, enter your Jamf Pro enrollment URL. The enrollment URL is the full URL for the Jamf Pro server followed by "/enroll".
      Example:
      • https://myjamfinstance.jamfcloud.com/enroll (hosted on Jamf Cloud)

      • https://jss.mycompany.com:8443/enroll (hosted on-premises)

Step 2: Configure managed app settings in Jamf Pro for Okta Mobile

  1. Log in to Jamf Pro.
  2. Click Devices at the top of the page.
  3. Click Mobile Device Apps.
  4. Add a new App Store app for Okta Mobile or edit the existing app if already added to Jamf Pro. For more information, see Apps Purchased in Volume in the Jamf Pro Administrator's Guide.
  5. On the General pane, ensure that the Make App managed when possible checkbox is selected, and then select the Make app managed if currently installed as unmanaged checkbox.
  6. Click the App Configuration tab.
  7. Copy the following key/string combination and paste it in the Preferences field, replacing "Okta generated token goes here" with the Secret Key Value that was generated when setting up Okta Device Trust:
    <dict>
    <key>managementHint</key>
    <string>Okta generated token goes here</string>
    </dict>
  8. Use the Scope, Self Service, and VPP panes to configure app distribution settings as needed. For more information, see Apps Purchased in Volume in the Jamf Pro Administrator's Guide.
  9. Click Save.
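
The following pre-flight check is an added example, not part of the Okta or Jamf Pro documentation. It validates the Preferences fragment from Step 2 and the enrollment URL from Step 1 before they are pasted into the consoles. The function names are hypothetical, and the https requirement is an assumption based on the example URLs above.

```python
import plistlib
from urllib.parse import urlsplit

EXPECTED_KEY = "managementHint"                 # key name from the page
PLACEHOLDER = "Okta generated token goes here"  # placeholder text from the page


def check_app_config(fragment):
    """Return a list of problems in a Preferences <dict> fragment."""
    try:
        prefs = plistlib.loads(fragment.strip().encode(), fmt=plistlib.FMT_XML)
    except Exception as exc:  # malformed XML or plist structure
        return [f"not a valid plist fragment: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level element must be <dict>"]
    # plistlib keeps whitespace inside <key>, so a stray space is detectable.
    key = next((k for k in prefs if k.strip() == EXPECTED_KEY), None)
    if key is None:
        return [f"missing <key>{EXPECTED_KEY}</key>"]
    problems = []
    if key != EXPECTED_KEY:
        problems.append("whitespace inside <key>; the name must match exactly")
    value = prefs[key]
    if not isinstance(value, str) or not value.strip():
        problems.append("value must be a non-empty <string>")
    elif value.strip() == PLACEHOLDER:
        problems.append("placeholder not replaced with the Secret Key Value")
    elif value != value.strip():
        problems.append("whitespace around the Secret Key Value")
    return problems  # the secret itself is never echoed


def check_enrollment_url(url):
    """Return a list of problems in the Okta 'Enrollment link' value."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":  # assumption: both page examples use https
        problems.append("scheme should be https")
    if not parts.hostname:
        problems.append("no host name")
    if not parts.path.rstrip("/").endswith("/enroll"):
        problems.append('URL must end with "/enroll"')
    return problems


if __name__ == "__main__":
    # Constructed sample: a fragment with a stray space and the placeholder.
    sample = "<dict><key> managementHint</key><string>%s</string></dict>" % PLACEHOLDER
    print(check_app_config(sample))
    print(check_enrollment_url("http://jss.mycompany.com:8443"))
```

An empty list from both functions means the values match the format described in the steps above; the check does not confirm that the secret is the one Okta generated.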