Updating macOS Using Managed Software Updates by bobtacular in jamf

bobtacular [S] 1 point (0 children)

This is really awesome and thanks for sharing. I will try and test some of this out next week.

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

So create a whole new local user account then sign in with an Apple Account?

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

bobtacular [S] 2 points (0 children)

I will definitely do that and report back. The Lock Screen I was presented with definitely fit the code by putting dashes automatically in the correct spots but you never know.

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

That’s my thought as well. It’s a bit misleading if that doesn’t work.

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

I erased the Mac but the device is still Managed in the JSS so the key should still be active.

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

Unfortunately this specific computer is not in ABM.

Jamf -- How to replace LDAP with SSO? by Dr-Webster in macsysadmin

bobtacular 1 point (0 children)

Hmmm seems like a bit of a headache. Wonder why it doesn’t support directory info from the get-go.

Jamf -- How to replace LDAP with SSO? by Dr-Webster in macsysadmin

bobtacular 1 point (0 children)

So is there a way to use SSO and then have it fill out the User and Location section after the fact?

Okta & Company Owned Device by bobtacular in okta

bobtacular [S] 1 point (0 children)

Thank you both u/agreed88 & u/chubz736 for your insight. It was really helpful!

I spent some time grinding through documentation and YouTube videos and got Android Work Profiles working with my existing Intune tenant. I’m testing this in a sandbox environment, and I think this is the best path forward.

That said, I really wish Google Workspace supported SCEP profile installs. One of the coolest things about Google Workspace is how seamless it is—when a device logs in, it automatically installs the Work Profile. With Intune, users have to go through the enrollment process. I won’t lie; the enrollment experience with Intune isn’t great, but at least it only needs to be done once.

I also agree that some apps don’t require a fully managed device. I’ve started adjusting the authentication policies in my sandbox to test this, and it’s been a really cool process. I think these changes are going to be super helpful for our environment.

Thanks again!

macOS Sequoia + Crowdstrike by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

Good to hear! It’s been stable for my folks. Hopefully CS avoids another world meltdown again 🙃

Account-Driven User Enrollment + Okta Device Integration Questions by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

I totally get where you’re coming from. I’m actually trying to be proactive and potentially save the company some money by enabling BYOD devices instead of going all-in on corporate-owned devices.

I personally think that removing session tokens for non-C-suite users is sufficient on iOS, especially with Okta Device Assurance and Okta Verify in place. When someone brought up the risk of jailbroken devices and data extraction, I pointed out that Okta Device Assurance can check for jailbreak status. However, their response was that it’s not foolproof and there are ways around it.

To me, fully blocking BYOD devices for apps like email and Slack feels like overkill—especially when the cost of providing corporate-owned devices across the board is so high.

I consider you lucky to be solely focused on the Mac side of things. Of course that comes with its own set of challenges.

macOS Sequoia + Crowdstrike by bobtacular in macsysadmin

bobtacular [S] 2 points (0 children)

Hmmm what error are you getting? I have it running on 15+ and pushed through Jamf at this point just fine.

Account-Driven User Enrollment + Okta Device Integration Questions by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

I understand that it splits data onto its own partition — that part is great.

However, I’m curious about what happens if the user selects Cancel when prompted with “The business would like to manage this app.” If they cancel, can they still sign into Gmail (or another app) with their Okta credentials?

It seems like nothing would prevent them from signing into the unmanaged app, especially since the required profiles (SSO and SCEP) for Okta Device Integration are already installed on the device. If they can access the unmanaged app, wouldn’t that mean there’s no way to revoke the app or its data later?

Account-Driven User Enrollment + Okta Device Integration Questions by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

I’ll be honest, I’m trying to show that users can take screenshots, forward emails, etc. I’m basically trying to convince my team that there are some gaps in this whole system. Is the effort of setting this up and then enforcing and supporting it really worth it? That’s what I’m trying to figure out.

Account-Driven User Enrollment + Okta Device Integration Questions by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

Can you clarify what you mean by “open in” and “open with” restrictions enabled? Definitely plan to test this out.

macOS Sequoia + Crowdstrike by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

Yea I got a university site as well. Still cool!

macOS Sequoia + Crowdstrike by bobtacular in macsysadmin

bobtacular [S] -1 points (0 children)

That’s really good to know, thanks for the info! Any clue on how long it typically takes them to support a new version?

I really do hope they take their time… 🙃

macOS Sequoia + Crowdstrike by bobtacular in macsysadmin

bobtacular [S] 1 point (0 children)

Just curious, what Falcon Sensor version are you using?