In the modern cybersecurity environment, the network perimeter is becoming increasingly blurred and difficult to maintain. Countless workers are remote and require access to resources outside the traditional office environment. This renders the traditional security method of keeping outsiders out of the network perimeter obsolete. Read here how a SecureW2 client secured their remote VPN connections with a foundation of device trust.
As a result, maintaining strict device trust is of utmost importance. If the only users able to access your network are using trusted devices, it greatly reduces the risk of outside attacks.
Okta Device Trust is designed to ensure only trusted users are able to connect to the network, and below we’ll show how it can be configured with the most widely used device operating systems.
What Is Okta Device Trust?
The concept of device trust is creating a network authentication environment where you confirm that both the user and the device are trusted by the organization. Once trust is established, users are able to access the resources they need. With an Okta identity provider, you can ensure both device and user are authenticated accurately because both will need to be verified by the Okta IDP when authenticating.
Okta Device Trust also gives admins the ability to enforce device management capabilities on managed devices. Through the admin console, they can confirm that every device is managed by an endpoint management tool before users are able to access the network and Okta-managed apps.
Okta Device Trust works with any SAML-based app and can be configured for Windows, Android, macOS, and iOS. Below we give a high-level look at the configuration process for each OS.
Setting Up Okta Device Trust With Windows
In the admin console, enable Windows Device Trust and enroll the Device Trust certificate on a Windows device. Here you will use the IWA web app to confirm the security posture of Windows devices and users by validating that they are joined to the Active Directory domain. Okta will then issue a certificate to the device to enable device trust for Okta apps.
Next, admins install the Device Registration task, which sets the rules for certificate issuance, renewal, and revocation. Then they can verify the Trusted option for apps. This confirms that certificates are installed in the devices’ certificate store and that the Trusted setting is enabled, so users can safely authenticate to apps. An optional step is to configure a Group Policy Object (GPO) so that the Device Trust certificate is selected automatically.
Finally, the SSO policy rules that the organization will follow can be configured in Okta to allow for streamlined and secure authentication of all Windows devices.
Setting Up Okta Device Trust With Android
Beginning in the admin console, enable the Android Device Trust setting and update your MDM provider. Your MDM must support managed app configuration, and the Android device should already be enrolled in your MDM provider with Okta Mobile installed.
Next, configure your key pairs through your MDM’s managed app configuration to ensure a secure connection when authenticating. Then you simply configure the application Sign On policy rules. These rules evaluate conditions such as:
- Which groups the user belongs to
- Whether the user is on or off network, or within a defined network zone
- Which platform the device is using
- Whether or not the device is trusted
Once you have configured the trust settings for signing into apps, users are ready to authenticate their trusted Android devices.
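To make the rule conditions listed above concrete, here is an added example (not Okta’s or SecureW2’s code) that models how Sign On policy rules are evaluated in priority order against a sign-in request; the network zone CIDRs, group names, platform labels and the rules themselves are constructed sample data.

```python
# Added illustration, not Okta's code: zone CIDRs, groups and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional
NETWORK_ZONES = {"corp_office": ["10.10.0.0/16", "192.168.50.0/24"]}  # constructed

@dataclass
class SignOnRequest:
    groups: frozenset
    client_ip: str
    platform: str         # "ANDROID", "IOS", "MACOS" or "WINDOWS"
    device_trusted: bool  # outcome of the Device Trust certificate check

@dataclass
class Rule:
    name: str
    action: str                         # "allow", "mfa" or "deny"
    groups: Optional[frozenset] = None  # None means the condition is not set
    on_network: Optional[bool] = None
    platforms: Optional[frozenset] = None
    trusted: Optional[bool] = None

def on_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for cidrs in NETWORK_ZONES.values() for cidr in cidrs)

def rule_matches(rule: Rule, req: SignOnRequest) -> bool:
    # Every condition that is set must hold; unset conditions match anything.
    if rule.groups is not None and not (rule.groups & req.groups):
        return False
    if rule.on_network is not None and on_network(req.client_ip) != rule.on_network:
        return False
    if rule.platforms is not None and req.platform not in rule.platforms:
        return False
    if rule.trusted is not None and req.device_trusted != rule.trusted:
        return False
    return True

def evaluate(rules, req: SignOnRequest):
    """Rules are checked in priority order; the first match decides, else deny."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "default"

# Constructed policy, highest priority first: untrusted devices are blocked outright.
POLICY = [
    Rule("block untrusted devices", "deny", trusted=False),
    Rule("trusted on-network", "allow", on_network=True, trusted=True),
    Rule("trusted mobile off-network", "mfa", platforms=frozenset({"ANDROID", "IOS"}), trusted=True),
]
```

Because the deny rule sits first, a device that fails the Device Trust check never reaches the allow or MFA rules, regardless of group or location.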
Setting Up Okta Device Trust With macOS
First, admins should enable Device Trust in the macOS Device Trust section and verify that the devices to be connected are managed by Jamf Pro. Then you will need to modify the Okta Device Registration Task so that the certificate exchange with Okta can be completed.
To make these modifications, admins will need to install Python 3 and the Device Trust dependencies. The Okta Device Registration Task is then added to Jamf Pro, which lets the admin complete the final steps:
- Register the device with Okta to obtain the Device Trust certificate
- Configure Chrome, Safari, and tested native apps to present the certificate automatically when gaining access
- Schedule a lightweight task to check whether a certificate is expired and attempt to renew the certificate before expiration
- Check whether the device is trusted before issuing a certificate
The last step is to configure the application Sign On policies (as described in the Android configuration section).
Setting Up Okta Device Trust With iOS
Admins should first enable the global Device Trust setting for your organization in the iOS Device Trust section of the admin console. You should then integrate Okta into your MDM provider to allow devices to be managed and tracked by Okta.
Then you simply configure the app Sign On policies (as described in the Android configuration section) and allow users to begin onboarding their trusted devices.
Stronger Okta Device Trust With SecureW2
SecureW2 works with Okta to enable efficient and accurate MDM configuration, management, and security. By replacing credentials with certificate-based EAP-TLS authentication and providing world-class onboarding software, SecureW2 can easily prepare every managed device for a trusted connection to the network.
By using SCEP and WSTEP gateways, SecureW2 can configure managed devices for EAP-TLS with no interaction from the end user. The most common cause of support tickets is human error, so we simply removed the end user from the configuration equation.
Certificates offer countless benefits compared to credentials, but above all they provide stronger security than credentials can ever offer. When a user is distributed a certificate, it is imprinted with the identity of both the user and the device. As a result, there is instant device trust! So when a user authenticates with a certificate, admins can rest assured that the user and device are trusted. No outside actors would be able to maneuver their way into obtaining a certificate.
Additionally, SecureW2 provides the capability for dynamic RADIUS authentication. This allows the Cloud RADIUS to communicate directly with the IDP during authentication. If a user needs their network permissions updated, admins no longer have to revoke and replace every certificate; they simply update the user’s IDP permissions, and the updated settings are applied when the user authenticates, in real time.
Okta Device Trust offers the opportunity for admins to provide stronger security by authenticating the identity of both device and user. When every network user is properly authenticated, it greatly reduces the risk of an outside attack. Check out SecureW2’s pricing page to see if our MDM solutions can work with your Okta network.