Okta Device Trust for Windows allows you to prevent unmanaged Windows computers from accessing corporate SAML and WS-Fed cloud apps. It works with any browser or native app that can access the certificate store when performing the federated authentication flow to Okta. This includes Edge, Internet Explorer, Chrome, and Microsoft Office clients that support Modern Authentication.
Okta Device Trust for Windows provides these key benefits:
Prerequisites

Client workstations
Active Directory and IWA servers
See Manage your Active Directory integration and IWA agent documentation.

IWA agent
Device Trust-capable version of the Okta IWA web agent. For installation details, see IWA documentation. Note: Device Trust enrollment in multi-forest environments requires IWA web app version 1.12.2+. An IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Device Trust for Windows.

Supported browsers
Before you begin
Procedures
These procedures have three main steps:

Step 1. Enable the global Device Trust setting for your org
Do not disable the Windows Device Trust setting on the Security > Device Trust page if you have also configured an app sign-on policy that allows trusted Windows devices. Otherwise, your Device Trust configuration will be in an inconsistent state and users with untrusted devices won't be shown the security message advising them to contact their administrator, nor the Learn more link to more information (if configured; see Enable the global Device Trust setting for your org).
Step 2. Enroll the Device Trust certificate on domain-joined Windows computers
Perform the four sub-procedures in this section to ensure that the Device Trust certificate is installed successfully on domain-joined Windows computers.

2.1 Install a Device Trust-supported version of the Okta IWA web app in your AD domain
Okta Device Trust for Windows uses the IWA web app to confirm the security posture of Windows computers and users by validating that both are joined to your Active Directory domain. (Enrollment is also supported in multi-forest environments. See Prerequisites.) Okta then issues a certificate to the Windows computer enabling Device Trust flows to Okta-federated apps. Private keys associated with the Okta certificate never leave the Windows computer. Certificates are renewed automatically once a year, approximately 30 days before they expire. The role of the IWA web app is limited to the certificate enrollment and renewal process. Once the certificate is installed, the Device Registration Task no longer needs to communicate with the IWA web app in order for end users to access apps. Desktop SSO doesn't need to be On in Security > Delegated Authentication for Okta Device Trust for Windows desktop to function.
https://<org>.<okta/oktapreview>.com/static/agents/iwa/OktaSsoIwa-x.x.x.exe
Where:
For example, a link for downloading version 1.11.0 to the org example.oktapreview.com would look like this:
https://example.oktapreview.com/static/agents/iwa/OktaSsoIwa-1.11.0.exe

2.2 Obtain and install the Device Registration Task

Important to know before you begin

Trusted Platform Module (TPM)
To leverage the security benefits of TPM, see Enhance Windows Device Trust security with Trusted Platform Module (TPM).

Schedule the Registration Task to run when end users are on the corporate network
Once installed on domain-joined computers, the Registration Task runs:
It is important that you configure your management tool to schedule the Registration Task to run when end users are on the corporate network. When the Registration Task runs, it triggers the certificate enrollment flow and creates a Scheduled Task that will run every 24 hours and whenever the user logs on to the computer. This retry behavior helps both certificate enrollment and renewal scenarios.

Automatic certificate renewal can only occur when end users are on the corporate network
Certificates are valid for one year and are renewed automatically sometime within 30 days before expiration. In order for automatic renewal to succeed, end users must be logged on to the domain-joined computer and connected to your corporate network.

Manually force certificate renewal
You can manually force certificate renewal to try to fix the following problems (requires Device Registration Task 1.3.1 or later):
See Force certificate renewal in some circumstances.

Automatic certificate selection
By default, the Registration Task configures registry keys on domain-joined Windows computers to allow supported Chrome, Edge, and IE browsers to automatically select the Device Trust certificate that will be presented to Okta. If appropriate for your environment, you can disable this behavior by adding the flag SkipBrowserSetup=true to the installation command. See Obtain the registration task. For example, this would be necessary if you want to configure automatic certificate selection using a Group Policy Object (GPO) tool. If you opt not to configure automatic certificate selection — either through the Registration Task or a GPO — end users are prompted to select the certificate when accessing the app. In that case, to make the selection easier for end users, only the Okta Device Trust certificate will be shown to them.

Proxy server environment
If your organization routes internet traffic through a proxy server, note the following:
Certificate revocation
You may need to revoke an end user's Device Trust certificate(s) from the Okta Certificate Authority. This is recommended if the computer is lost or stolen. To re-secure an end user's computer with Device Trust after revoking their certificate(s), you need to remove the Device Trust certificate from their computer before you enroll a new certificate. Certificate revocation doesn't remove existing certificates from managed Windows computers. See Revoke and remove Device Trust certificates.

Use an appropriate Setting Type in SCCM to verify Device Registration Task installation
After installing the Device Trust client on your managed Windows computers, SCCM runs a script to verify that installation was successful. Make sure to specify either File System or Registry in your Detection Rule. Do not use the Windows Installer setting type to detect the installation, as SCCM cannot detect the Device Trust client using that setting.

Obtain the Registration Task

To obtain an Early Access (EA) version of the Registration Task
Unlike the GA version, EA versions of the Device Registration Task are not available from the Downloads page in the Okta Admin Console. To obtain an EA version, you must configure a link as follows:
https://<org>.<okta/oktapreview>.com/static/devicetrust/OktaDeviceRegistrationTaskSetup-x.x.x.<msi/exe>
Where:
For example, a link for downloading .msi Registration Task version 1.4.0 to example.oktapreview.com would look like this:
https://example.oktapreview.com/static/devicetrust/OktaDeviceRegistrationTaskSetup-1.4.0.msi
For version history, see Okta Device Trust for Windows Desktop Registration Task Version History.

To obtain a Generally Available (GA) version of the Registration Task
The latest GA version of the Registration Task is available from the Downloads page in .msi and .exe formats. For version history, see Okta Device Trust for Windows Desktop Registration Task Version History.
Install the Registration Task
Install the Registration Task using either of the following methods:

Method 1: Distribute the Registration Task using a management tool (SCCM)
Follow your organization's procedure for distributing software to domain-joined workstations. If your organization uses SCCM, you may want to refer to the Microsoft article How to Deploy Applications in Configuration Manager. Execute the appropriate command for *.exe or *.msi installation.

About the Device Registration Task and proxy servers
If your organization routes internet traffic through a proxy server, you must do the following:

Use a command line to install the Device Registration Task and include parameters
Install Device Registration Task version 1.2.2+ through a command line and append the appropriate HttpProxy parameter to the installation command. This is necessary because the Registration Task installer installs these two scheduled tasks:
Include the parameter appropriate for your environment:

Proxy server environments
HttpProxy=http://<your proxy http url>:<port number>

For example, the installation command that includes the proxy server parameter would look similar to this:

MSI installation:
msiexec /i OktaDeviceRegistrationTaskSetup-1.x.x-xxxxxxx INSTALLDIR="c:\Program Files\Okta\DeviceTrust" EXEOPTIONS="/q2 OktaURL=https://<your Okta org>/ HttpProxy=http://<your proxy http url>:<port number>"

EXE installation:
OktaDeviceRegistrationTaskSetup-1.0.0-XXXX.exe /q2 OktaURL=https://<your-okta-org-url>.com HttpProxy=http://<your proxy http url>:<port number>

Make sure to add a space if you are also adding the parameter to disable automatic certificate handling.

Proxy Auto-Configuration (PAC) environments

A. Specify the PAC location
HttpProxyPacLocation=http://mypacfile.url.location

For example, the installation command that includes the PAC location parameter would look similar to this:

MSI installation:
msiexec /i OktaDeviceRegistrationTaskSetup-1.x.x-xxxxxxx INSTALLDIR="c:\Program Files\Okta\DeviceTrust" EXEOPTIONS="/q2 OktaURL=https://<your Okta org>/ HttpProxyPacLocation=http://mypacfile.url.location"

EXE installation:
OktaDeviceRegistrationTaskSetup-1.0.0-XXXX.exe /q2 OktaURL=https://<your-okta-org-url>.com HttpProxyPacLocation=http://mypacfile.url.location

Make sure to add a space if you are also adding the parameter to disable automatic certificate handling.

B. Optional. Allow your Okta org
If you implement a PAC file in your proxy environment, consider allowing your Okta org by adding an exception to the PAC file like this (shExpMatch is used because localHostOrDomainIs does not accept wildcards):
if (shExpMatch(host, "*.okta.com")) { return "DIRECT"; }

Ensure clients can complete the MTLS handshake
The Mutual TLS certificate exchange (handshake) in this Device Trust flow occurs on Okta URLs that are separate from your Okta org URL (indicated by the wildcard character (*) in the following example).
Make sure to configure proxy servers/proxy clients, as well as any endpoint protection software you may implement, in a way that does not block your clients from completing the certificate exchange with Okta. For example, if your organization uses an allowlist to limit outbound traffic, add these exact URLs to the allowlist, including the wildcard character (*):
*.okta.com
*.okta-emea.com
*.okta-gov.com

With automatic certificate challenge handling:

MSI installation
msiexec /i OktaDeviceRegistrationTaskSetup-1.x.x-xxxxxxx INSTALLDIR="c:\Program Files\Okta\DeviceTrust" EXEOPTIONS="/q2 OktaURL=https://<your Okta org>"

EXE installation
OktaDeviceRegistrationTaskSetup-1.0.0-XXXX.exe /q2 OktaURL=https://<your-okta-org-url>.com

Without automatic certificate challenge handling:

MSI installation
msiexec /i OktaDeviceRegistrationTaskSetup-1.x.x-xxxxxxx INSTALLDIR="c:\Program Files\Okta\DeviceTrust" EXEOPTIONS="/q2 OktaURL=https://<your Okta org>/ SkipBrowserSetup=true"

EXE installation
OktaDeviceRegistrationTaskSetup-1.0.0-XXXX.exe /q2 OktaURL=https://<your-okta-org-url>.com/ SkipBrowserSetup=true

Method 2: Manually install the Registration Task
This procedure is provided in case you want to install the Registration Task manually during the testing or Proof of Concept phase of your implementation.
2.3 Verify certificate enrollment before you configure the Trusted option in app sign-on policy rules
Before you configure the Trusted option for apps in app sign-on policy rules, you must make sure that certificates are installed in the certificate store on the domain-joined computers you have targeted for this Device Trust solution. If certificates are not installed and the Trusted setting is enabled, users are denied access to the app and are redirected to a security message advising them to contact their administrator. (You can configure the message to include a Learn more link to more information. See Enable the global Device Trust setting for your org.) To verify certificate enrollment, Okta recommends that you use your management tool to parse the Windows Event Viewer, or use a command line to query the user certificate store directly. Look for the Okta MTLS certificate. If an end user is deactivated, all Device Trust certificates installed on their domain-joined Windows computer(s) are revoked (but not removed) automatically. To remove revoked certificates, see Revoke and remove Device Trust certificates. Though you will probably use a management tool to verify that certificates are installed on multiple domain-joined computers, here are two ways to check enrollment on a single computer:

Verify with Windows Event Viewer
Verify with Microsoft Management Console
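As an added example (not from Okta's documentation or the Registration Task itself), this PowerShell script checks a single computer for the Okta MTLS certificate and its renewal window, lists the Okta scheduled tasks, and pulls recent errors from the Okta Device Trust event log. The friendly-name match, the event log name and the task-name filter are assumptions.

```powershell
# Added example, not Okta's own code: check Device Trust enrollment on one
# domain-joined Windows computer. Run it as the logged-on end user, because the
# certificate is issued to that user's personal store (Cert:\CurrentUser\My).
# Assumptions: the certificate is identified by the "Okta MTLS" friendly name
# the doc tells you to look for, or by an issuer containing
# "MTLS Certificate Authority"; the event log is named "Okta Device Trust" as in
# the Advanced Troubleshooting section; scheduled task names contain "Okta".

function Get-OktaDeviceTrustCert {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.FriendlyName -like '*Okta MTLS*' -or
            $_.Issuer -like '*MTLS Certificate Authority*'
        }
}

function Test-OktaDeviceTrustEnrollment {
    param(
        # The doc says renewal happens within 30 days of expiry.
        [int]$RenewalWindowDays = 30
    )
    $result = [ordered]@{
        CertificateFound = $false
        HasPrivateKey    = $false   # the private key never leaves this machine
        DaysUntilExpiry  = $null
        InRenewalWindow  = $false   # true but not renewed means the user was off-network
        TasksPresent     = @()
        RecentErrors     = @()
    }

    $certs = @(Get-OktaDeviceTrustCert)
    if ($certs.Count -gt 0) {
        # With more than one certificate present, the latest-expiring one is live.
        $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
        $result.CertificateFound = $true
        $result.HasPrivateKey    = $cert.HasPrivateKey
        $days = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $result.DaysUntilExpiry  = $days
        $result.InRenewalWindow  = ($days -le $RenewalWindowDays)
    }

    # The installer registers scheduled tasks (every 24 hours and at logon).
    $result.TasksPresent = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*Okta*' } |
        ForEach-Object { "$($_.TaskName) [$($_.State)]" })

    # Errors from the last day in the Okta Device Trust log.
    $result.RecentErrors = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Okta Device Trust'
            Level     = 2          # 2 = Error
            StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue |
        Select-Object -First 5 -ExpandProperty Message)

    [pscustomobject]$result
}

Test-OktaDeviceTrustEnrollment | Format-List
```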
2.4 Optional. Use GPO to configure browsers to select the certificate automatically
If appropriate for your environment, you can use a Group Policy Object (GPO) tool instead of the default capability of the Device Registration Task to configure browsers to automatically select the Device Trust certificate. If you use a GPO tool, make sure that you have added the flag SkipBrowserSetup=true to the Registration Task installation command. See Install a Device Trust-supported version of the Okta IWA web app in your AD domain. If you don't configure automatic certificate selection — either through the Registration Task or a GPO — end users are prompted to select the certificate when accessing the app. To make the selection easier for end users, only the Okta Device Trust certificate will be shown to them in this case. Depending on the refresh interval, changes you make using GPO may not be seen immediately on Windows client computers. For more information, see the Microsoft article Group Policy refresh interval for computers.

To configure Chrome to select the Device Trust certificate automatically
Copy: C:\Users\Administrator\Desktop\policy_templates\windows\admx\en-US\chrome.adml
To: C:\Windows\PolicyDefinitions\en-US\
Copy: C:\Users\Administrator\Desktop\policy_templates\windows\admx\chrome.admx
To: C:\Windows\PolicyDefinitions\

For example:
If your Okta Preview org URL is https://[*.]oktapreview.com, you would enter the following value:
{"pattern":"https://[*.]oktapreview.com","filter":{"ISSUER":{"CN":"MTLS Certificate Authority"}}}
If your Okta Production org URL is https://[*.]okta.com, you would enter the following value:
{"pattern":"https://[*.]okta.com","filter":{"ISSUER":{"CN":"MTLS Certificate Authority"}}}

You can also confirm settings through the Windows Registry Editor:
HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Google > Chrome > AutoSelectCertificateForUrls

To configure IE to select the Device Trust certificate automatically
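As an added example (not from Okta's documentation), this PowerShell builds the AutoSelectCertificateForUrls value shown above from an org URL, writes it under the registry key named above (the same key a GPO populates), and validates what is stored. Deriving the base domain from the org host and the numbered-string-value layout of a Chrome list policy are assumptions.

```powershell
# Added example, not Okta's own code: write the Chrome AutoSelectCertificateForUrls
# policy for one Okta org to the registry key the doc names (which is what a GPO
# pushes), then read it back and validate it. Run in an elevated PowerShell.
# Assumptions: the pattern's base domain (okta.com, oktapreview.com, ...) is the
# last two labels of the org URL's host, giving the https://[*.]<domain> form
# shown in the doc; Chrome list policies are stored as numbered string values
# ("1", "2", ...) under the key.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls'

function New-OktaAutoSelectEntry {
    param([Parameter(Mandatory)][string]$OrgUrl)
    $orgHost = ([uri]$OrgUrl).Host
    $labels  = $orgHost -split '\.'
    if ($labels.Count -lt 2) { throw "Unexpected org host: $orgHost" }
    $base = $labels[-2..-1] -join '.'      # example.oktapreview.com -> oktapreview.com
    $entry = [ordered]@{
        pattern = "https://[*.]$base"
        filter  = [ordered]@{ ISSUER = [ordered]@{ CN = 'MTLS Certificate Authority' } }
    }
    # -Compress gives the single-line JSON form the doc shows.
    $entry | ConvertTo-Json -Compress -Depth 4
}

function Set-OktaAutoSelectPolicy {
    param([Parameter(Mandatory)][string]$OrgUrl, [int]$Index = 1)
    $json = New-OktaAutoSelectEntry -OrgUrl $OrgUrl
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name "$Index" -Value $json `
        -PropertyType String -Force | Out-Null
    $json
}

function Test-OktaAutoSelectPolicy {
    # Every numbered entry must parse as JSON and filter on the Okta MTLS CA;
    # otherwise Chrome falls back to prompting the user to pick a certificate.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $entries = @((Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value | ConvertFrom-Json })
    if ($entries.Count -eq 0) { return $false }
    foreach ($e in $entries) {
        if ($e.filter.ISSUER.CN -ne 'MTLS Certificate Authority') { return $false }
    }
    return $true
}

Set-OktaAutoSelectPolicy -OrgUrl 'https://example.oktapreview.com'
Test-OktaAutoSelectPolicy
```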
Step 3. Configure app sign-on policy rules in Okta

About app sign-on policy rules
By default, all Client options in the App Sign On Rule dialog box are pre-selected. To configure more granular access to the app, create rules that reflect:
Taking an allow-list approach to sign-on policy rules
For important security information about creating app sign-on policy rules, see About app sign-on policies.

Procedure
This example shows Device Trust rules for managing access to Office 365. For other apps, note that the section If the user's client is any of these isn't present.

Example Allowlist

Example Rule 1: Exchange ActiveSync or Legacy Auth; All platforms; Any Trust; Allow access
Conditions:
Client:
  Web browser: unselected
  Modern Auth client: unselected
  Exchange ActiveSync client or Legacy Auth client: selected
Platform:
  Mobile: iOS selected; Android selected; Other mobile (e.g. BlackBerry) selected
  Desktop: Windows selected; macOS selected; Other desktop (e.g. Linux) selected
Device Trust (Trusted and Not trusted options in the Device Trust section are selectable only when all of the following options in the Client section are not selected):
  Any: selected
  Trusted: unselected
  Not trusted: unselected
Actions:
  Allowed: selected

Example Rule 2: Web browser or Modern Auth; Windows; Trusted; Allow access + MFA
Conditions:
Client:
  Web browser: selected
  Modern Auth client: selected
  Exchange ActiveSync client: unselected
Platform:
  Mobile: iOS unselected; Android unselected; Other mobile (e.g. BlackBerry) unselected
  Desktop: Windows selected; macOS unselected; Other desktop (e.g. Linux) unselected
Device Trust (Trusted and Not trusted options in the Device Trust section are selectable only when all of the following options in the Client section are not selected):
  Any: unselected
  Trusted: selected
  Not trusted: unselected
Actions:
  Allowed: selected
  Prompt for factor: selected

Example Rule 3: Web browser or Modern Auth; All platforms except Windows; Any Trust; Allow access + MFA
Conditions:
Client:
  Web browser: selected
  Modern Auth client: selected
  Exchange ActiveSync client: unselected
Platform:
  Mobile: iOS selected; Android selected; Other mobile (e.g. BlackBerry) selected
  Desktop: Windows selected; macOS selected; Other desktop (e.g. Linux) selected
Device Trust (Trusted and Not trusted options in the Device Trust section are selectable only when all of the following options in the Client section are not selected):
  Any: selected
  Trusted: unselected
  Not trusted: unselected
Actions:
  Allowed: selected
  Prompt for factor: selected

Example Rule 4: Any client; All platforms; Any Trust; Deny access
Conditions:
Client:
  Web browser: selected
  Modern Auth client: selected
  Exchange ActiveSync client: selected
Platform:
  Mobile: iOS selected; Android selected; Other mobile (e.g. BlackBerry) selected
  Desktop: Windows selected; macOS selected; Other desktop (e.g. Linux) selected
Device Trust (Trusted and Not trusted options in the Device Trust section are selectable only when all of the following options in the Client section are not selected):
  Any: selected
  Trusted: unselected
  Not trusted: unselected
Actions:
  Denied: selected

Example Rule 5: Default sign on rule – Any client; All platforms; Any Trust; Allow access
The Default sign-on rule is already created and cannot be edited. Note that in this allowlist example, the Default rule is never reached because it is effectively negated by Rule 4.

Revoke and remove Device Trust certificates
You may need to revoke an end user's Device Trust certificate(s) from the Okta Certificate Authority. This is recommended if the computer is lost or stolen, or if the end user is deactivated. To re-secure an end user's computer with Device Trust after revoking their Device Trust certificate(s), you need to remove the revoked certificate from their computer before enrolling a new certificate. Be aware of the following:
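As an added example (not from Okta's documentation), this PowerShell models the five-rule Example Allowlist above as first-match evaluation, so you can check before enabling Trusted that a trusted Windows browser lands on Rule 2, an untrusted one falls through to the Rule 4 deny, and the Default rule is never reached. It assumes Rule 3 excludes Windows as its title says, and the client and platform labels are shortened from the checkbox names.

```powershell
# Added example, not Okta's own code: a model of the five-rule Example Allowlist,
# evaluated top to bottom with first match wins, so you can see which rule a
# given client/platform/trust combination lands on before turning on Trusted.
# Assumptions: Rule 3's platforms follow its title (all platforms except Windows);
# client and platform labels are shortened from the doc's checkbox names.

$Clients   = @('WebBrowser', 'ModernAuth', 'ExchangeActiveSyncOrLegacy')
$Platforms = @('Windows', 'macOS', 'OtherDesktop', 'iOS', 'Android', 'OtherMobile')

$Rules = @(
    @{ Name = 'Rule 1: Exchange ActiveSync or Legacy Auth; All platforms; Any Trust'
       Clients = @('ExchangeActiveSyncOrLegacy'); Platforms = $Platforms; Trust = 'Any'
       Action = 'Allow'; Mfa = $false }
    @{ Name = 'Rule 2: Web browser or Modern Auth; Windows; Trusted'
       Clients = @('WebBrowser', 'ModernAuth'); Platforms = @('Windows'); Trust = 'Trusted'
       Action = 'Allow'; Mfa = $true }
    @{ Name = 'Rule 3: Web browser or Modern Auth; All platforms except Windows; Any Trust'
       Clients = @('WebBrowser', 'ModernAuth')
       Platforms = @($Platforms | Where-Object { $_ -ne 'Windows' }); Trust = 'Any'
       Action = 'Allow'; Mfa = $true }
    @{ Name = 'Rule 4: Any client; All platforms; Any Trust'
       Clients = $Clients; Platforms = $Platforms; Trust = 'Any'; Action = 'Deny'; Mfa = $false }
    @{ Name = 'Rule 5: Default sign on rule'     # never reached: Rule 4 matches everything
       Clients = $Clients; Platforms = $Platforms; Trust = 'Any'; Action = 'Allow'; Mfa = $false }
)

function Resolve-SignOnRule {
    param(
        [ValidateSet('WebBrowser', 'ModernAuth', 'ExchangeActiveSyncOrLegacy')][string]$Client,
        [ValidateSet('Windows', 'macOS', 'OtherDesktop', 'iOS', 'Android', 'OtherMobile')][string]$Platform,
        [ValidateSet('Trusted', 'NotTrusted')][string]$Trust
    )
    # First rule whose client, platform and trust conditions all match wins.
    foreach ($r in $Rules) {
        $match = ($r.Clients -contains $Client) -and
                 ($r.Platforms -contains $Platform) -and
                 ($r.Trust -eq 'Any' -or $r.Trust -eq $Trust)
        if ($match) {
            return [pscustomobject]@{
                Client = $Client; Platform = $Platform; Trust = $Trust
                Rule = $r.Name; Action = $r.Action; Mfa = $r.Mfa
            }
        }
    }
}

# Cases: trusted and untrusted Windows browsers, a non-Windows Modern Auth client,
# and a legacy-auth client. If Windows were also selected in Rule 3, the untrusted
# Windows browser would be allowed with MFA instead of stopping at the Rule 4 deny.
@(
    @{ Client = 'WebBrowser'; Platform = 'Windows'; Trust = 'Trusted' }
    @{ Client = 'WebBrowser'; Platform = 'Windows'; Trust = 'NotTrusted' }
    @{ Client = 'ModernAuth'; Platform = 'macOS';   Trust = 'NotTrusted' }
    @{ Client = 'ExchangeActiveSyncOrLegacy'; Platform = 'Windows'; Trust = 'NotTrusted' }
) | ForEach-Object { $p = $_; Resolve-SignOnRule @p } | Format-Table -AutoSize
```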
Troubleshooting
Okta Device Trust for Windows generates a certificate on domain-joined Windows devices and presents it to Okta when a Device Trust-secured WS-Fed or SAML app is launched. The two problems that you are most likely to encounter are:
If you encounter either problem, try to correct it by performing Basic Troubleshooting. If the problem persists, perform Advanced Troubleshooting.

Basic Troubleshooting
To perform basic troubleshooting, review the following areas:

IWA web app installation and setup
Verify the following:
If the problem persists, proceed to Advanced Troubleshooting.

Enablement
Verify that you have enabled the global Device Trust setting in Security > Device Trust.

Registration task
Verify that you have distributed the Device Registration Task to Windows domain-joined workstations. Proxy server environments: For the Registration Task installation to succeed in environments that implement a proxy server, you must install Device Registration Task version 1.2.1 or later using a command line and append the appropriate HttpProxy parameter to the installation command. See Install the Registration Task.

Certificate
Verify that the certificate is installed
Known Issue – Auth failure caused by blocked Mutual TLS certificate exchange
The Mutual TLS certificate exchange (handshake) in this Device Trust flow occurs on Okta URLs that are separate from your Okta org URL (indicated by the wildcard character (*) in the following example). Make sure to configure proxy servers/proxy clients, as well as any endpoint protection software you may implement, in a way that does not block your clients from completing the certificate exchange with Okta. For example, if your organization uses an allowlist to limit outbound traffic, add these exact URLs to the allowlist, including the wildcard character (*):
*.okta.com
*.okta-emea.com
*.okta-gov.com

Sign-on policy
Verify the following: You have configured a sign-on policy that:
System Log
Review the System Log to verify the following Device Trust System Log events:

Authentication
Enrollment
Issuance
Revocation
Renewal
View unique device IDs in DebugContext
DebugData shows the unique ID of the devices associated with Device Trust events and is useful for debugging purposes. This information can also help you verify that Device Trust is being enforced on devices in your device inventory, which may be useful prior to rolling out the feature to a large group of users. The information contained in debugContext.debugData is intended to add context when troubleshooting customer platform issues. Note that key names and values are subject to change without notice and should be used primarily as a debugging aid, not as a data contract. See DebugContext Object in Okta Developer documentation.
Advanced Troubleshooting
If Basic Troubleshooting didn't resolve the problem you are experiencing, and the certificate isn't installed on the Windows workstation, check in the following locations:

In the Okta Admin Console
Verify the following:
(Security > Delegated Authentication > IWA Agents)

On the IWA server
Check IIS settings for the IWA web app
Check for errors in the web.config file
Check for errors in Windows Logs > Applications and Services Logs > Okta Single Sign On
On the domain-joined Windows computer
Make sure Okta Device Trust Tasks were installed and successful:
Check for errors in Windows Logs > Applications and Services Logs > Okta Device Trust:
Force certificate renewal in some circumstances
Certificates are valid for one year and are renewed automatically sometime within 30 days before expiration. In order for automatic renewal to succeed, end users must be logged on to the domain-joined computer and connected to your corporate network. You can manually force certificate renewal to try to fix the following problems (requires Device Registration Task 1.3.1 or later):
Open a command prompt and issue the following command:
"C:\Program Files\Okta\DeviceTrust\OktaDeviceReg.exe" --user --forceRenewal

Run the task in debug mode as the logged-on user
The user token is a set of JWT claims signed by the IWA server. You may be asked to copy the token and provide it to Okta Support for analysis.

Known issues