Part of ZeroTek's Okta Device Trust Setup guide
ROLE REQUIRED
ZeroTek Administrator or ZeroTek Technician, plus Microsoft Global Admin (needed to grant admin consent in Entra ID)
This procedure configures Okta as a certificate authority (CA) that issues certificates to user devices over SCEP, with the SCEP challenge delegated to Microsoft Intune. Using Okta as the CA simplifies certificate issuance and avoids the complexity and cost of maintaining your own public key infrastructure (PKI); the certificates it issues are what Okta uses for management attestation (device trust).
The procedure covers three phases:
Register the Okta app credentials in Microsoft Azure (Entra ID)
Configure management attestation and generate a SCEP URL in Okta
Download the Okta CA's X.509 certificate
Once complete, you will use the SCEP URL and certificate in Intune to create trusted certificate profiles for Windows and/or macOS devices.
BEFORE YOU BEGIN
Make sure that:
Okta FastPass is configured according to ZeroTek MSP best practices
Windows and/or macOS devices are enrolled in an Okta-compatible device management solution (Intune, VMware, or Jamf)
You have an SSL certificate for device trust verification
Steps
Register the Entra ID app credentials for Okta in Microsoft Azure
Log into Microsoft Entra ID for the Azure tenant.
In the left menu, click App registrations, then in the main screen click + New registration.
Type a name for the registration, such as "Okta Device Trust". Keep the default supported account type (Accounts in this organizational directory only) and click Register.
In the Essentials area of the app's Overview page, copy and save both the Application (client) ID and the Directory (tenant) ID somewhere safe. Okta asks for both later (as AAD Client ID and AAD tenant).
In the left menu, click Certificates & secrets, then in the main screen click + New client secret.
Provide a description and expiry time and click Add. ZeroTek recommends 365 days (12 months). Record the expiry date and plan to rotate the secret before then: once it expires, Okta can no longer obtain SCEP challenges from Intune and new certificate issuance fails. For more information on client secret expiration behavior, see the Microsoft Q&A article: Azure App registration Client secret expiration.
Copy and save the Client Secret Value to your password vault. Make sure that you copy the Client Secret Value, not the Secret ID; these are two different fields, and the Value is shown only once, immediately after the secret is created.
In the left menu, click API Permissions, then click + Add a permission.
Click the Intune tile, then click Application permissions.
Search for scep, select the checkbox for scep_challenge_provider, and click Add permissions.
Click Grant admin consent for... and click Yes to confirm.
Click + Add a permission again, then click the Microsoft Graph banner.
Click Application permissions, search for application, and expand the results.
Select Application.Read.All and click Add permissions.
Click Grant admin consent for... and click Yes to confirm.
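The same registration can be scripted with the Microsoft Graph PowerShell SDK, which is useful when repeating this setup across several tenants. The block below is an added example, not ZeroTek's or Okta's code: it assumes the Microsoft.Graph module is installed, that you sign in as a Global Admin, and that the display name, secret label and variable names are this example's own choices. It resolves the two application permissions by name instead of hard-coding role GUIDs, and assigning the app roles to the service principal is the scripted equivalent of clicking Grant admin consent.

```powershell
# Added example (not ZeroTek's or Okta's code). Registers the Entra ID app that
# Okta uses for delegated SCEP and prints the three values Okta asks for.
# Assumes: Install-Module Microsoft.Graph; interactive sign-in as Global Admin.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

$displayName = 'Okta Device Trust'   # name from the procedure; any name works

# 1. App registration limited to this tenant ("Accounts in this organizational directory only"),
#    plus its service principal so application permissions can be assigned to it.
$app = New-MgApplication -DisplayName $displayName -SignInAudience 'AzureADMyOrg'
$sp  = New-MgServicePrincipal -AppId $app.AppId

# 2. Client secret with a 365-day lifetime. SecretText is the "Client Secret Value"
#    the procedure tells you to vault; KeyId is the "Secret ID", which Okta does not need.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Okta delegated SCEP'
    EndDateTime = (Get-Date).AddDays(365)
}

# 3. Application permissions: Intune scep_challenge_provider and Graph Application.Read.All.
$wanted = @(
    @{ ResourceAppId = '0000000a-0000-0000-c000-000000000000'; Role = 'scep_challenge_provider' }  # Microsoft Intune API
    @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; Role = 'Application.Read.All' }     # Microsoft Graph
)
$required = @()
foreach ($w in $wanted) {
    $resource = Get-MgServicePrincipal -Filter "appId eq '$($w.ResourceAppId)'"
    $role = $resource.AppRoles |
        Where-Object { $_.Value -eq $w.Role -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Application role '$($w.Role)' not found on $($resource.DisplayName)" }

    # Record the permission on the registration (what "+ Add a permission" does in the portal)...
    $required += @{ ResourceAppId = $w.ResourceAppId; ResourceAccess = @(@{ Id = $role.Id; Type = 'Role' }) }

    # ...and grant it (what "Grant admin consent" does in the portal).
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
}
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $required

# 4. Values to enter in Okta. The secret is shown here only once; store it in the vault.
[pscustomobject]@{
    'AAD Client ID'  = $app.AppId
    'AAD tenant'     = (Get-MgContext).TenantId
    'AAD secret'     = $secret.SecretText
    'Secret expires' = $secret.EndDateTime
}
```

After the script runs, open App registrations in the Entra admin center and confirm both permissions show a green Granted status; if the app role assignment step failed (for example because the signed-in account is not a Global Admin), the permissions appear as configured but not consented and Okta's SCEP requests will be refused.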
Configure management attestation and generate a SCEP URL in Okta
Deep Link to the Okta Admin Console from ZeroTek. Navigate to Security > Device Integrations.
Click Add platform.
Select Desktop (Windows and macOS only) and click Next.
Specify the following, then click Generate:
SCEP URL challenge type: Dynamic SCEP URL, with Microsoft Intune (delegated SCEP) as the challenge source
AAD Client ID (Application (client) ID), AAD tenant (Directory (tenant) ID), and AAD secret (the Client Secret Value you saved earlier) from Entra ID
Copy the generated SCEP URL and save it in your password vault alongside the client secret, then click Save. You will enter this URL in the Intune certificate profiles.
Download the Okta CA's X.509 certificate
In the Okta Admin Console, navigate to Security > Device Integrations.
Click the Certificate authority tab.
Click the download icon to download the X.509 certificate of the Okta CA.
Navigate to the folder where the certificate downloaded and append .cer to the filename so that Intune and the operating system recognise it as a certificate file.
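Before uploading the file to Intune it is worth confirming that it really is the CA certificate (a self-signed certificate with the CA flag set), noting its expiry, and recording its SHA-256 fingerprint so the trusted certificate profiles can be checked against it later. The function below is an added example, not part of ZeroTek's procedure or Okta's tooling; the file path is an assumption, and it uses only the .NET X509Certificate2 class so it runs in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not ZeroTek's or Okta's code): sanity-check the downloaded Okta CA
# certificate before creating Intune trusted certificate profiles. Path is an assumption.
function Test-OktaCaCertificate {
    param([Parameter(Mandatory)][string]$Path)

    # X509Certificate2 parses both DER and PEM, so the .cer file loads either way.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

    # The CA flag lives in the Basic Constraints extension; a leaf certificate would not pass.
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

    # SHA-256 over the DER bytes, computed manually so it also works on .NET Framework.
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        IsCA        = [bool]($basic -and $basic.CertificateAuthority)
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint  = $cert.Thumbprint                       # SHA-1, as shown in Intune and certmgr
        SHA256      = ([System.BitConverter]::ToString($sha256) -replace '-', '')
    }
}

$check = Test-OktaCaCertificate -Path '.\okta-ca.cer'   # assumed file name
$check
if (-not ($check.IsCA -and $check.SelfSigned)) {
    Write-Warning 'This is not a self-signed CA certificate; download the CA certificate again from Security > Device Integrations > Certificate authority.'
}
if ($check.DaysLeft -lt 90) {
    Write-Warning "CA certificate expires in $($check.DaysLeft) days; plan the rotation of the Intune profiles."
}
```

Keep the printed SHA-256 value with the rest of the deployment record; when the trusted certificate profile is later pushed to a test device, the same fingerprint should appear on the certificate in the device's trusted root store.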
NEXT STEPS
Proceed to create trusted certificate profiles in Intune:
Create a trusted certificate profile in Intune for Windows (if the environment includes Windows devices)
Create a trusted certificate profile in Intune for Mac (if the environment includes macOS devices)
Need help? Contact ZeroTek Support at support@zerotek.com.
