
How to set up Microsoft Intune MDM integration with Okta

Sep 20, 2021 10:46:35 AM / by Vu Long Tran

This is a step by step guide on how to set up Microsoft Intune MDM integration with Okta.
 

What is Microsoft Intune MDM?

Microsoft Intune is an MDM (Mobile Device Management) / EMM (Enterprise Mobility Management) provider. The solution allows companies to administer and manage mobile devices such as smartphones, tablets and laptops. These devices can be managed company devices, unmanaged company devices and/or employees' own devices.
 

How Microsoft Intune MDM works with Okta

  • Microsoft Intune works with Okta by sending Okta a trust signal once Microsoft Intune has validated and enrolled a user's device onto their platform.
  • From there, in Okta, we can prompt users and check the user for MFA (multifactor authentication), and then allow them access to the resources that they should have access to.

What does a user journey look like?

This is an example of a user's journey with Microsoft Intune integration with Okta.

  1. User signs into Okta End User Dashboard.
  2. Okta checks for MFA (multifactor authentication), based on a Sign On Policy (no changes required).
  3. User clicks on application.
  4. Okta checks for MFA, based on an Application Sign On Policy.
  5. User passes MFA, and is allowed access to the application.
 
The key steps we will go through are:

Prerequisites

Before you start setting up Microsoft Intune integration with Okta, check the following:

 

1. Add Microsoft Intune to your Okta instance

Log in to your Okta org with an administrator account.

Go to Security > Device Trust.

Enable Device Trust for your device type

Click "Edit" on the applicable device type that you want to enable Device Trust for. 

  • Windows devices
  • Apple iOS/ Android devices

Windows devices

To configure and enable Device Trust for your Windows devices, configure these settings.
  • Device Trust - tick "Enable Windows Device Trust"
  • Learn more link (optional) - You can leave this blank, or place a link here if you would like.

 

Apple iOS/ Android Devices

To configure and enable Device Trust for Android and/or Apple devices, configure these MDM provider settings.

Click "Edit".

  • Select Mobile device management provider - Microsoft Intune
  • Enrolment link - https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
    For another MDM, you would enter the web address that end users with unenrolled devices are redirected to. For example, you may want to redirect these users to a page with enrolment instructions or to the enrolment page of your chosen MDM (assuming the MDM provider supports web-based enrolment).

Copy "Secret Key value".


 

2. Set up settings on Microsoft Endpoint Manager

Log in to your Microsoft Endpoint Manager account

In a new browser tab, log in to your Microsoft Endpoint Manager account with an administrator account: https://endpoint.microsoft.com/#home

Your Microsoft Intune settings are managed within Microsoft Endpoint Manager.

We will be doing two key things:

  1. Add the Okta Mobile application
  2. Create an app configuration policy

1. Add the Okta Mobile application

In the Microsoft Endpoint Manager admin console, go to Apps > Apps.

Click "+ Add".

Select "Managed Google Play app" from the drop-down menu, then click "Select".

Search for "Okta Mobile", click "Approve", then click "Approve" again to confirm.

You should then see it listed on the Apps > Apps summary page.

We can now create an app configuration policy that will refer to our "Okta Mobile" app. 


2. Create an app configuration policy

In the Microsoft Endpoint Manager admin console, go to Apps > App configuration policies.

Click "+ Add" and select "Managed devices".

Fill in your "Create app configuration policy" details and click Next.

  • Name - Give your policy a name, for example "Android Policy".
  • Description - You can fill in something here or leave it blank.
  • Platform - Android Enterprise
  • Profile type - All Profile Types (or one of the other options if you like)
  • Targeted app - Select "Okta Mobile", the Managed Google Play app you approved earlier.

Click Next.

You can now set your "Configuration settings".
  • Permission - You have the option to set the permission state for each permission: Prompt, Auto grant, or Auto deny.
  • Configuration settings format - Select "Use configuration designer" or "Enter JSON data" from the dropdown menu.

Select "Use configuration designer" from the dropdown menu and click Next.


In the panel that opens on the right of your screen, tick each of the checkboxes and click "OK".

Then you will see options available for you to populate. 


Replace the "Configuration value" text boxes with your Okta details.

  • Domain (string) – Enter the URL of your Okta org, e.g. https://yourdomain.okta.com
  • Username (string) – Enter your username for your Okta org, e.g. yourdomain
  • Management Hint (string) – Enter the Secret Key value that you saved from the Okta "Device Trust" page. This secret key token indicates that Okta Mobile is managed by an MDM (Mobile Device Management) provider.

If you prefer, select "Enter JSON data" from the dropdown menu and click Next.

If you selected "Enter JSON data", you can now enter the configuration data directly.

For Android, use this JSON format (note that every string value, including the URL and the secret key, must be enclosed in double quotes):

{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.okta.android.mobile.oktamobile",
  "managedProperty": [
    {
      "key": "siteName",
      "valueString": "https://yourdomain.okta.com"
    },
    {
      "key": "username",
      "valueString": "yourdomain"
    },
    {
      "key": "managementHint",
      "valueString": "secret-key-goes-here"
    }
  ]
}

For Apple, use this XML (property list) format:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Domain</key>
  <string>https://yourdomain.okta.com</string>
  <key>managementHint</key>
  <string>secret-key-goes-here</string>
</dict>
</plist>
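Because the Android configuration above is JSON (one unquoted value makes the whole policy invalid) and the secret key is easy to leave as a placeholder, here is an added Python helper, not part of this guide and not Microsoft's or Okta's tooling, that builds both the Android JSON and the Apple plist from your Okta details and refuses to emit them until the placeholder is replaced and the org URL is a bare https address. The validation rules, the placeholder strings and the sample values are assumptions of this example.

```python
import json
import plistlib
import re
from urllib.parse import urlparse

# Assumed Okta values: placeholders for illustration, not real tenant data.
OKTA_ORG_URL = "https://yourdomain.okta.com"
OKTA_USERNAME = "yourdomain"
MANAGEMENT_HINT = "secret-key-goes-here"  # Secret Key value copied from Security > Device Trust

# Android package id of Okta Mobile, taken from the guide's JSON sample.
OKTA_MOBILE_PRODUCT_ID = "app:com.okta.android.mobile.oktamobile"

# Values that mean "nobody replaced the placeholder yet" (assumption of this example).
PLACEHOLDER_HINTS = {"", "secret-key-goes-here"}


def validate_inputs(org_url, management_hint, username=None):
    """Reject values that would push a broken Device Trust configuration to devices."""
    parsed = urlparse(org_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Okta org URL must be an https:// URL")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        raise ValueError("Okta org URL must be the bare org address, with no path or query")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", parsed.netloc):
        raise ValueError("Okta org hostname contains unexpected characters")
    if management_hint in PLACEHOLDER_HINTS:
        raise ValueError("management hint must be the real Secret Key, not the placeholder")
    if username is not None and not username:
        raise ValueError("username must not be empty")


def android_managed_config(org_url, username, management_hint):
    """Managed Google Play configuration for Okta Mobile, in the guide's JSON layout."""
    validate_inputs(org_url, management_hint, username)
    return {
        "kind": "androidenterprise#managedConfiguration",
        "productId": OKTA_MOBILE_PRODUCT_ID,
        "managedProperty": [
            {"key": "siteName", "valueString": org_url},
            {"key": "username", "valueString": username},
            {"key": "managementHint", "valueString": management_hint},
        ],
    }


def android_managed_config_json(org_url, username, management_hint):
    """Same configuration serialised as valid JSON, ready to paste into the policy."""
    return json.dumps(android_managed_config(org_url, username, management_hint), indent=2)


def apple_managed_config(org_url, management_hint):
    """Apple plist carrying the Domain and managementHint keys shown in the guide."""
    validate_inputs(org_url, management_hint)
    return plistlib.dumps({"Domain": org_url, "managementHint": management_hint}).decode()


if __name__ == "__main__":
    # With the placeholder secret this raises: the script refuses to emit such a policy.
    try:
        print(android_managed_config_json(OKTA_ORG_URL, OKTA_USERNAME, MANAGEMENT_HINT))
    except ValueError as err:
        print("refusing to generate policy:", err)
```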

Under the "Included groups" section, click "Add all users" (or choose your preferred groups).

You will then be presented with a "Review + create" page. Review the details and then click "Create".

Once you have saved your app configuration policy, you should see a summary page for it.

We can now start enrolling devices onto Microsoft Intune to test.

If you have not already, we will need to first configure Microsoft Intune with Android and/or Apple enrolment, as that will allow us to manage devices through their operating system platforms. 

I have detailed this optional section at the end of this article which walks you through enrolment for Android, Apple and Windows 10 devices. 


3. Enroll a device with Microsoft Intune

Assuming you have configured Google and/or Apple to allow us to manage devices on their operating systems, we can start enrolling a device to test with Microsoft Intune.

  • Add users to Microsoft Intune to manage
  • Install Company Portal on our mobile device

If you need help enrolling your device, I have also written a guide to share how you can enroll your devices into Microsoft Intune here.

Add users to Microsoft Intune to manage

If you have not already added users, you can add them to Microsoft Intune to manage.

You will notice in my environment that my users are stored in Azure Active Directory, as these are also my Microsoft Office 365 users. This may be the case for you as well, which is perfect, as we can use one of those users as our test user to log into Microsoft Intune on our mobile device later on.

 

Install Company Portal on our mobile device

On your Android mobile device, open Google Play store.

Search for "Intune Company Portal" by Microsoft and install it on your Android phone.

Click "Install".

Once installed, we can sign in on our device. Click "Sign in".

We will be asked to sign in with our Microsoft credentials. 

We will use one of our test users from our Microsoft Azure Active Directory here. 

It will redirect me to my organisation's sign-in page.

As I configured my Okta to be the Identity Provider for Microsoft Office 365 via WS-Federation Single Sign On (SSO) integration, it will prompt me for my Okta username and password. I will log in with the corresponding test user that I have in Okta and Microsoft Azure Active Directory. 


After entering my username and password successfully, I may be prompted for multifactor authentication (MFA), based on the Sign On policy in Okta. 

I will complete my multifactor authentication (MFA) step. In this example, I will press "Yes" on my Okta Verify mobile application.

(Optional) You will notice that if I click on the arrow, I have other multifactor authentication factor options to choose from, if I prefer a factor that is more accessible to me.

I will wait for Microsoft to connect and sign me in now. 


I will be then asked to:

  • Accept the work profile permissions, and
  • Encrypt my device

Click "Next".


It will then advise me that it is creating a "work profile" on my phone.

(Optional) It may ask me to "delete existing profile" if I ever had a work profile on my phone before, so click "Delete" if that is the case. 


Once completed, I will be presented with the "Let's set up your work profile" screen. Click "Accept & Continue".


Wait for Google to set up your work profile. Then click "Next". 


Company portal will then be updated so that Microsoft Intune will register your device. 


Microsoft Intune will add your device to Company Portal. 


Once your device is successfully added to Company Portal, you will get a summary with your device listed.

After a while, your Android phone will be populated with Company Portal's applications. 

So you can now check that your test user's Android phone has access to the applications that we assigned to users via Microsoft Intune.

The test user's Android phone is now being registered in Microsoft Intune.

4. Set up settings on Okta

In Okta Admin Console, choose an application to set an Application Sign On Policy (App Sign On policy). 

The Application Sign On Policy will allow us to configure more granular access to your app, including looking at Users/ Groups and their Location. However, for our testing, we will focus on the 1) Client types and 2) Device Trust. That is:
  1. Client Type - Mobile (iOS, Android, Other mobile), Desktop (Windows, macOS)
  2. Device Trust - Any, Trusted, or Not Trusted.

Let's create two "Application Sign On Policy" rules for our "Google Workspace" application, each with one of these goals:

  1. Device Trust = Not Trusted. Check for MFA.
  2. Device Trust = Trusted. No need to check for MFA.

In Okta Admin Console, go to Applications > Applications.

Scroll down and choose "Google Workspace" application (or your preferred application). 

Click "Sign On" tab.

Scroll down and look for "Sign On Policy" section. This is where we will set our Application Sign On Policy (App Sign On policy). 

Click on "Add Rule".

Let's create our first Application Sign On Policy rule. Then we can create our second Application Sign On Policy rule as well. 

1. Device Trust = Not Trusted. Check for MFA.

We will set a rule here that will do the following logic check.

"IF I am using a Device that is Not Trusted,

THEN check for MFA."

To do this, we can fill in our App Sign On Rule as follows:

  • Rule name - Device Trust = Not Trusted. Check for MFA.
  • Conditions
    • People - Who does this rule apply to? Leave as default, "Users assigned this app".
    • Location - If the user is located: "Anywhere".
    • Client - Leave the defaults; if needed, tick the checkboxes that correspond to the Device Trust client types you configured in Okta (under Security > Device Trust).
    • Device Trust - Select "Not Trusted"
  • Actions
    • Access - When all the conditions above are met, sign on to this application is "Allowed". 
    • Prompt for factor - Ticked. 
    • Select "Every sign on".

2. Device Trust = Trusted. No need to check for MFA.

We will set a rule here that will do the following logic check.

"IF I am using a Device that is Trusted,

THEN there is no need to check for MFA."

To do this, we can fill in our App Sign On Rule as follows:

  • Rule name - Device Trust = Trusted. No need to check for MFA.
  • Conditions
    • People - Who does this rule apply to? Leave as default, "Users assigned this app".
    • Location - If the user is located: "Anywhere".
    • Client - Leave the defaults; if needed, tick the checkboxes that correspond to the Device Trust client types you configured in Okta (under Security > Device Trust).
    • Device Trust - Select "Trusted"
  • Actions
    • Access - When all the conditions above are met, sign on to this application is "Allowed". 
    • Prompt for factor - Unticked. 


Here's a summary of what we just set up for our Application Sign On Policies.

(Optional) Application Sign On Policy (App Sign On Policy)

For easy reference, this is a summary of how the Application Sign On Policy is structured.

Application Sign On Policy

For Users/ Groups, check:

IF Conditions:

  • Location (Anywhere, In Zone, Not in Zone), OR
  • Client Type - Mobile (iOS, Android, Other mobile), Desktop (Windows, macOS), OR
  • Device Trust - Trusted or Not Trusted

THEN take the following Action:

  • Allowed or Denied access, and
  • Prompt for factor/ MFA
  • Every sign on, Once per session, Once a day, Once a week, Once a month, Once per six months, Only once
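To make the policy structure above concrete, here is an added Python model (not Okta's code and not the author's) that evaluates the two Google Workspace rules from this guide against the two test devices used later, and flags any rule that would admit an untrusted device without a factor prompt. The rule fields, the first-match evaluation and the default-deny fallback are assumptions of the model, not a description of how Okta's policy engine is implemented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignOnContext:
    """What Okta sees at sign-on: the client type and the Device Trust signal."""
    client: str            # "Mobile" or "Desktop"
    device_trusted: bool   # True when the Intune device certificate validated


@dataclass(frozen=True)
class Rule:
    name: str
    device_trust: str      # "Any", "Trusted" or "Not Trusted"
    clients: frozenset     # client types the rule applies to; empty means all
    access: str            # "Allowed" or "Denied"
    prompt_for_factor: bool
    frequency: str = ""    # e.g. "Every sign on"; only meaningful when prompting

    def matches(self, ctx):
        if self.clients and ctx.client not in self.clients:
            return False
        if self.device_trust == "Trusted":
            return ctx.device_trusted
        if self.device_trust == "Not Trusted":
            return not ctx.device_trusted
        return True  # "Any"


# The two rules the guide creates for Google Workspace, evaluated in order.
RULES = [
    Rule("Device Trust = Not Trusted. Check for MFA.", "Not Trusted",
         frozenset({"Mobile", "Desktop"}), "Allowed", True, "Every sign on"),
    Rule("Device Trust = Trusted. No need to check for MFA.", "Trusted",
         frozenset({"Mobile", "Desktop"}), "Allowed", False),
]


def evaluate(rules, ctx):
    """First matching rule wins. No match falls back to Denied; that fallback is an
    assumption of this model, not a statement about Okta's own default behaviour."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.name, rule.access, rule.prompt_for_factor
    return None, "Denied", False


def rules_allowing_untrusted_without_mfa(rules):
    """Policy hygiene check: rules that let a Not Trusted (or Any) device in with no factor."""
    return [r.name for r in rules
            if r.access == "Allowed" and not r.prompt_for_factor and r.device_trust != "Trusted"]


if __name__ == "__main__":
    # The guide's two test cases: Android with Company Portal, Windows 10 without it.
    for label, ctx in [("Android with Intune", SignOnContext("Mobile", True)),
                       ("Windows 10 without Intune", SignOnContext("Desktop", False))]:
        name, access, mfa = evaluate(RULES, ctx)
        print(f"{label}: {access}, prompt for factor={mfa} (rule: {name})")
    print("rules granting untrusted devices access without MFA:",
          rules_allowing_untrusted_without_mfa(RULES))
```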
 

5. Test that it works

When you are ready, let's test that it works.

I will be testing on my mobile phone and on my Windows 10 computer.

On my Android mobile phone with Intune installed

1. Log into your Okta End User dashboard, that is https://yourdomain.okta.com

2. Sign in as our test user

3. Click on a "Google Workspace" application. This can be "Google Workspace Mail", "Google Workspace Calendar", "Google Workspace Keep".

4. Based on our App Sign On Policy, our test user should be allowed to progress to the next step with no prompt for multifactor authentication (MFA).

5. Our test user should then be able to access our "Google Workspace" application. 

 

On my Windows 10 with no Intune installed

1. Log into your Okta End User dashboard, that is https://yourdomain.okta.com

2. Sign in as our test user

3. Click on a "Google Workspace" application. This can be "Google Workspace Mail", "Google Workspace Calendar", "Google Workspace Keep".

4. Based on our App Sign On Policy, our test user should be prompted for Multifactor Authentication (MFA). 

5. Our test user should then be able to access our "Google Workspace" application. 

 

(Optional) Check the System Log

An additional way to check is by reviewing the Okta System Log: search for the following phrase within your testing timeframe to see the relevant events.

Search for:

Authentication of device

Then it should give you the following System Log event outputs. 

If you click on the "down arrow" on any of the System Log rows, you will be able to see more details about the event. 

Android mobile phone with Intune installed

You will notice that my testing on my mobile device showed an "Authentication of user via MFA success" and Client > Device = Mobile. 

This is expected, as I installed the Microsoft Intune Company Portal software on my mobile phone, so it could find a certificate that validates that my device is in a "trusted" device status state.

Windows 10 with no Intune installed

You will notice that my testing on my Windows 10 computer showed an "Authentication of device via certificate failure: NO_CERTIFICATE" and Client > Device = Computer. 

This is expected, as I did not install any Microsoft Intune Company Portal software on my Windows 10 computer. So it cannot find any certificate that validates that my device is in a "trusted" device status state. 

You're all set! 

Troubleshooting:

Intune Device Certificate installed on Windows 10 device?

If you are not sure whether your Intune device certificate has been installed on your Windows 10 device, open "Certificate Manager" on that Windows 10 computer.

In Certificate Manager, go to Certificates > Intermediate Certification Authorities > Certificates.

Then you should see "Microsoft Intune MDM Device CA" listed as a row there. 

 

MDM Management endpoint error

If you get the error:

"We couldn't auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it".

Solution:

Set your management endpoint/ MDM Server URL/ MDM discovery URL as the following - https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc 

You will also find this detail under Windows > Windows enrolment > Automatic enrolment.

 

Compliance and security policies

If you get the message:

"This device does not meet company compliance and security policies. You can access resources like company email with this device."

 

Solution:

Create a Compliance policy in Microsoft Endpoint Manager

Make sure that there is a compliance policy assigned to the Windows device in Microsoft Endpoint Manager (Intune).

That is, as an administrator, go to Microsoft Endpoint Manager > Devices > Windows > Compliance policies > Create Policy.

You will notice that I have set one up, so you can see "Windows 10/11 compliance policy" there. I selected the default settings and assigned to "All users". 

 

On Windows 10 device, recheck "Device status"

On the end user's Windows 10 device, you can ask the user to:

  1. Open "Company Portal" application on Windows device
  2. Click on "Devices" tab. 
  3. Click on "Check access"
  4. Wait for Microsoft Intune to update and confirm whether a compliance policy is in place. Once the check completes, it should say something like the following. It may take 5-10 minutes or more to process.

This device meets company compliance and security policies. You can access resources like company email with this device.

Once it says that you "Can access company resources", click on the "Apps" tab in the "Company Portal" application and you will see the applications (apps) that have been assigned to you.

Here is an example below:

 

More information:


Written by Vu Long Tran

Solutions Engineer APAC. ex-@Forrester consultant. Writing on #cloud #howto guides and #tech tinkering!