If you have read my previous blog on configuring Okta Device Trust for Workspace ONE, you will know that Okta has not yet implemented device trust for Windows and macOS. I also mentioned in the previous blog that if you want to leverage device trust for Windows and macOS, you will need to use the original method with just routing rules.


In my previous blog I didn't go into the details of how you would configure device trust for both iOS/Android and Windows/macOS. It's not really as straightforward as you would think, because once you have configured an Identity Provider in Okta to use device trust, it will always send the device trust authentication context, which will always result in an authentication failure for Windows and macOS (assuming it's being evaluated for Certificate and Device Compliance - AirWatch).


Note: This blog will not go into steps to configure Workspace ONE UEM or Workspace ONE Access to perform Certificate Based Authentication. We will assume that this has already been done.


There are a couple of extra steps you will need to do. Let's walk through them.


Create a New Identity Provider


First you will need to create another Identity Provider for Workspace ONE.


  1. Log into the Okta Administration Portal and go to Security -> Identity Providers
  2. Click Add Identity Provider -> Add SAML 2.0 IDP
  3. Configure this Identity Provider exactly as you've configured the previous one
  4. Click on Show Advanced Settings
  5. Make sure the Request Authentication Context is set to None
  6. Click Add Identity Provider
  7. Expand the Identity Provider you just created and download the metadata


Create a new Workspace ONE Application for Okta


  1. In Workspace ONE Access, go to Catalog and click New
  2. Provide a name for this application (e.g. Okta Device Trust for Windows/macOS)
  3. Paste the metadata you downloaded in the previous step.
  4. Click Next, Next, Save
  5. Click Edit for the application you just created
  6. Click Configuration
  7. Modify the username value to match the username format in Okta.
  8. Click Access Policies
  9. Select the same policy you assigned to the Okta Application Source
  10. Click Next - Save
  11. Assign the application to your users.
  12. Click on Identity and Access Management -> Policies
  13. Edit your Okta Policy
  14. Create a Policy Rule for macOS to use Certificate and Device Compliance.


Modify your Routing Rules in Okta


Finally, we can now add this new configuration to the routing rules in Okta.


  1. Log into the Okta Admin Console
  2. Click on Security -> Identity Providers
  3. Click on Routing Rules
  4. Click Add Routing Rule
  5. Add a rule that evaluates Windows and macOS for your required applications and selects the new "Workspace ONE - No Device Trust" identity provider created in the first step.
  6. Verify that there are no other rules that will take precedence over your newly created rule.
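One way to verify, after step 6, which Identity Provider a routing rule actually sent a Windows or macOS browser to is to take the SAMLRequest parameter from the redirect to Workspace ONE Access and check it for a RequestedAuthnContext element: the device-trust IdP includes one, while the new IdP with Request Authentication Context set to None does not. The Python below is an added example, not code from the original post or from Okta or VMware; the sample requests, issuer URL and context class ref are constructed placeholders, and Okta's real device-trust class ref is not reproduced here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample, not captured from a real tenant. The issuer and the
# AuthnContextClassRef are placeholders, not Okta's actual device-trust URN.
DEVICE_TRUST_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_placeholder1" Version="2.0" IssueInstant="2019-10-02T12:35:00Z">
  <saml:Issuer>https://example.okta.com/PLACEHOLDER-IDP-ID</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:example:device-trust:PLACEHOLDER</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""
# The same request as the "Request Authentication Context = None" IdP sends it.
NO_CONTEXT_REQUEST = (DEVICE_TRUST_REQUEST.split("<samlp:RequestedAuthnContext")[0]
                      + "</samlp:AuthnRequest>")

def decode_redirect_binding(saml_request_param: str) -> str:
    """SAMLRequest query parameter (HTTP-Redirect binding): base64 over raw
    DEFLATE, so inflate with wbits=-15 (no zlib header)."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")

def encode_redirect_binding(xml_text: str) -> str:
    """Inverse of decode_redirect_binding; used here to build sample input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def inspect_authn_request(xml_text: str) -> dict:
    """Report the Issuer and any requested AuthnContextClassRef values.
    An empty list is what the new no-context IdP produces; a non-empty list
    means the device-trust IdP handled the request, which fails on Windows/macOS."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a SAML AuthnRequest: {root.tag}")
    ctx = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    refs = [] if ctx is None else [
        e.text.strip() for e in ctx.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text
    ]
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer", default="").strip(),
        "authn_context": refs,
        "expects_device_trust": bool(refs),
    }
```

Paste the captured SAMLRequest value into decode_redirect_binding and feed the result to inspect_authn_request; a Windows or macOS client that still shows a non-empty authn_context was routed to the device-trust IdP, so a rule earlier in the list is taking precedence.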