With the increase of companies allowing users the ability to access cloud applications, it is imperative that a company know these applications are being accessed via trusted devices. Okta offers a solution called Device Trust that ensures that these devices are fully trusted. This solution has the ability to be configured against Windows, MacOS, Android, and iOS devices. This article will focus on the prerequisites for configuring Device Trust against client workstations in a Windows environment.
The requirements for a Windows environment are workstations that are Active Directory domain-joined, a .NET version of 4.5.2 or higher, and updated IWA agent (v1.12.3), a device registration task that is installed on all client machines, and a supported browser.
The first step in Device Trust for Windows pre-configuration is to update .NET to version 4.5.2 or higher on the server containing the current IWA installation. The .NET install can be downloaded from Microsoft, installed, and will require a reboot of the IWA server.
Once .NET has been updated, an Okta Admin will need to authenticate into the Okta org and browse to Security > Delegated Authentication. It is preferred that the Okta org be accessed via a browser on the IWA server. In the IWA section, the admin can download the latest version of the IWA agent. Once downloaded, execute the MSI to uninstall the current version and install the Device Trust-enabled version of the agent. Verification of the correct version can be seen in the IWA agent section under Security > Delegated Authentication by clicking Edit then clicking the pencil icon next to the IWA agent that was updated. The popup will include the current version.
Note: It has been verified that if the IWA agent is updated prior to the .NET upgrade, the IWA agent will experience intermittent crashes.
The last requirement for Device Trust pre-configuration is to download the Device Registration Task from Okta Support. This install MSI can be bundled with most major SCCM software in order to be installed on client machines. Note: This task relies on .NET being upgraded to 4.5.2.
After installing the Device Registration Task on domain-joined Windows computers, SCCM needs to run a script to verify that installation was successful. Make sure to specify either File System or Registry in the Detection Rule.
Supported browsers for Device Trust are below:
- Microsoft Internet Explorer versions 10 and 11
- Microsoft Edge (current and previous release)
- Google Chrome (current and previous release)
We hope this article helps as you prep Okta’s Device Trust for Windows. Feel free to reach out to us with any additional questions.