Okta Desktop Password Sync uses Apple's Platform Single Sign-On (Platform SSO) to keep a user's local macOS password in sync with their Okta password. Once configured, users sign in at the macOS login window with their Okta credentials.
This guide walks through setting up Okta Platform SSO 2.0 in Addigy.
Before You Begin
Okta
- Okta Identity Engine (OIE) org with the Device Access SKU enabled
- Okta Verify authenticator configured in your org
- Platform Single Sign-on app visible in your App Catalog
Addigy
- Addigy account with MDM enrollment
- Ability to upload Custom Profiles
Devices
- macOS 14 Sonoma or later (required for Platform SSO 2.0)
- Physical Mac hardware — virtual machines are not supported
What You Will Create
By the end of this guide you will have deployed five items to your Addigy policy:
| Item | What It Does |
|---|---|
| Okta Verify app | The SSO extension that handles registration and authentication |
| Extensible SSO profile | Tells macOS which SSO extension to use and configures Platform SSO behavior |
| Associated Domains profile | Links the Okta Verify app identifiers to your Okta org |
| Managed App Configuration profile | Gives Okta Verify the org URL, Client ID, and protocol version |
| SCEP Certificate profile | Enrolls a device certificate required for Platform SSO 2.0 |
Step 1 — Add the Platform Single Sign-on App in Okta
- In the Okta Admin Console, go to Applications > Applications.
- Click Browse App Catalog.
- Search for Platform Single Sign-on for macOS and select it.
- Click Add Integration, then click Done.
- On the Sign On tab, copy the Client ID. You will need this later.
- On the Assignments tab, assign the app to your target users or groups.
Step 2 — Generate SCEP Credentials in Okta
- In the Okta Admin Console, go to Security > Device Integrations.
- Click the Device Access tab.
- Click Add SCEP configuration.
- Select Static SCEP URL and click Generate.
- Copy the SCEP URL and the Secret Key. You will need both later.
- Click Save.
The secret key is shown only once. Store it somewhere secure before leaving this page.
Step 3 — Deploy Okta Verify
There are two ways to deploy Okta Verify in Addigy: via Prebuilt Apps or by creating a Smart Software.
Prebuilt Apps
- In your policy navigate to Software > Prebuilt Apps.
- Search for Okta Verify.
- Click on the empty box > Actions > Add to Policy.
- Set the App Settings > Assign.
Smart Software
- In the Okta Admin Console, go to Settings > Downloads.
- Download Okta Verify for macOS.
- In Addigy, go to Catalog > Smart Software.
- Upload the Okta Verify .pkg and assign it to your target policy.
- Confirm that Okta Verify installs to /Applications on the device before continuing.
You must use the package from the Okta Admin Console. The Apple App Store version does not include the SSO extension required for Platform SSO.
Step 4 — Create the Extensible SSO Profile
Navigate to Catalog > Device Settings > New > select Extensible SSO
Replace <your-org> with your Okta ORG ID
| Key | Value |
|---|---|
| Extension Identifier | com.okta.mobile.auth-service-extension |
| SSO Type | Redirect |
| Team Identifier | B7F62B65BN |
| URLs | https://<your-org>.okta.com/device-access/api/v1/nonce |
| | https://<your-org>.okta.com/oauth2/v1/token |
| | https://<your-org>.okta.com/v1/auth/device-sign |
Platform SSO section of the same profile:
| Key | Value |
|---|---|
| AuthenticationMethod | Password |
| Enable Authorization | true |
| TokenToUserMapping > AccountName | macOSAccountUsername |
| TokenToUserMapping > FullName | macOSAccountFullName |
| Use Shared Device Keys | True |
Optional — macOS 15 Sequoia and later:
| Key | Value |
|---|---|
| FileVaultPolicy | AttemptAuthentication or RequireAuthentication |
| LoginPolicy | AttemptAuthentication or RequireAuthentication |
| UnlockPolicy | AttemptAuthentication or RequireAuthentication |
Optional — macOS 26 Tahoe:
| Key | Value |
|---|---|
| EnableRegistrationDuringSetup | true (Apple silicon only) |
Step 5 — Create the Associated Domains Profile
Navigate to Catalog > Device Settings > New > select Associated Domains
Replace <your-org> with your Okta ORG ID
| Application Identifier | Associated Domains |
|---|---|
| B7F62B65BN.com.okta.mobile.auth-service-extension | authsrv:<your-org>.okta.com |
| B7F62B65BN.com.okta.mobile | authsrv:<your-org>.okta.com |
After entering the Application Identifier, enter the Associated Domains value, click Add, then click Add Configuration. Repeat these steps once per Application Identifier.
The second entry is required for macOS 15 and later. Without it, registration will fail silently.
The authsrv: prefix (not https://) is correct here. This is the only profile where authsrv: should appear.
Step 6 — Create the Managed App Configuration Profile
Attached at the bottom of the article is a Managed App Configuration .mobileconfig file that you can download, edit, and upload to Addigy as a Custom Profile. Alternatively, you can use a profile editor of your choice to create the .mobileconfig file.
This profile must contain two separate payload entries in a single .mobileconfig — one for each Okta preference domain.
Replace <your-org> with your Okta ORG ID
Payload 1 — com.okta.mobile
| Key | Value |
|---|---|
| PayloadType | com.okta.mobile |
| OktaVerify.OrgUrl | https://<your-org>.okta.com |
| OktaVerify.EnrollmentOptions | Enabled |
Payload 2 — com.okta.mobile.auth-service-extension
| Key | Value |
|---|---|
| PayloadType | com.okta.mobile.auth-service-extension |
| OktaVerify.OrgUrl | https://<your-org>.okta.com |
| OktaVerify.PasswordSyncClientID | <Client ID from Step 1> |
| OktaVerify.EnrollmentOptions | Enabled |
| PlatformSSO.ProtocolVersion | 2.0 |
Both payloads are required. If the com.okta.mobile payload is missing, Okta Verify will not receive its org configuration and registration will fail silently with no error.
The OrgUrl here must use https://. Do not use authsrv: — that format is only for the Associated Domains profile in Step 5.
Upload to Addigy: Catalog > MDM Profiles > New > Custom Profile.
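As an added example (not Okta's or Addigy's own tooling), the following Python script builds the Associated Domains profile from Step 5 and the two-payload Managed App Configuration profile from Step 6 with plistlib, then checks both against the caveats above: both Application Identifier entries present, the authsrv: prefix used only in Associated Domains, https:// used for OktaVerify.OrgUrl, both Okta preference-domain payloads present, and the Client ID filled in. The org ID, the Client ID and the com.example.okta PayloadIdentifier prefix are placeholders; substitute your own values before uploading the generated .mobileconfig files as Custom Profiles.

```python
"""Build and sanity-check the Associated Domains (Step 5) and Managed App
Configuration (Step 6) profiles for Okta Verify.  Example code added to this
guide, not Okta's or Addigy's own tooling; the org ID, Client ID and
PayloadIdentifier prefix are constructed placeholders."""
import plistlib
import uuid

TEAM_ID = "B7F62B65BN"          # Okta Verify team identifier (from the guide)
DOMAIN_APP = "com.okta.mobile"
DOMAIN_EXT = "com.okta.mobile.auth-service-extension"
PREFIX = "com.example.okta"     # assumed PayloadIdentifier prefix; use your own


def _envelope(payload_type, identifier, name, **keys):
    """Common payload keys; PayloadUUID is derived from the identifier so rebuilds are stable."""
    return {"PayloadType": payload_type, "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper(),
            "PayloadVersion": 1, "PayloadDisplayName": name, **keys}


def _profile(identifier, name, payloads):
    """Wrap payloads in a top-level Configuration profile, serialised as an XML plist."""
    return plistlib.dumps(_envelope("Configuration", identifier, name,
                                    PayloadScope="System", PayloadContent=payloads))


def build_associated_domains(org_id):
    """Step 5: one entry per app identifier, using the authsrv: prefix (no https://)."""
    config = [{"ApplicationIdentifier": f"{TEAM_ID}.{app}",
               "AssociatedDomains": [f"authsrv:{org_id}.okta.com"]}
              for app in (DOMAIN_EXT, DOMAIN_APP)]      # second entry required on macOS 15+
    payload = _envelope("com.apple.associated-domains", f"{PREFIX}.associated-domains.payload",
                        "Okta Verify - Associated Domains", Configuration=config)
    return _profile(f"{PREFIX}.associated-domains", "Okta Verify - Associated Domains", [payload])


def build_managed_app_config(org_id, client_id):
    """Step 6: two payloads in one profile; PayloadType is the Okta preference domain."""
    org_url = f"https://{org_id}.okta.com"          # https:// here, never authsrv:
    app = _envelope(DOMAIN_APP, f"{PREFIX}.{DOMAIN_APP}", "Okta Verify (app)",
                    **{"OktaVerify.OrgUrl": org_url, "OktaVerify.EnrollmentOptions": "Enabled"})
    ext = _envelope(DOMAIN_EXT, f"{PREFIX}.{DOMAIN_EXT}", "Okta Verify (SSO extension)",
                    **{"OktaVerify.OrgUrl": org_url,
                       "OktaVerify.PasswordSyncClientID": client_id,
                       "OktaVerify.EnrollmentOptions": "Enabled",
                       "PlatformSSO.ProtocolVersion": "2.0"})
    return _profile(f"{PREFIX}.managed-app-config", "Okta Verify - Managed App Config", [app, ext])


def check_profiles(assoc_domains, managed_config):
    """Return a list of problems matching the guide's silent-failure caveats (empty == OK)."""
    problems = []
    ad = plistlib.loads(assoc_domains)["PayloadContent"][0].get("Configuration", [])
    apps = {e["ApplicationIdentifier"]: e["AssociatedDomains"] for e in ad}
    for app in (DOMAIN_EXT, DOMAIN_APP):
        key = f"{TEAM_ID}.{app}"
        if key not in apps:
            problems.append(f"Associated Domains: missing entry for {key}")
        elif not all(d.startswith("authsrv:") for d in apps[key]):
            problems.append(f"Associated Domains: {key} domains must use the authsrv: prefix")
    payloads = {p["PayloadType"]: p for p in plistlib.loads(managed_config)["PayloadContent"]}
    for domain in (DOMAIN_APP, DOMAIN_EXT):
        if domain not in payloads:
            problems.append(f"Managed App Config: missing {domain} payload")
        elif not payloads[domain].get("OktaVerify.OrgUrl", "").startswith("https://"):
            problems.append(f"Managed App Config: {domain} OktaVerify.OrgUrl must start with https://")
    ext = payloads.get(DOMAIN_EXT, {})
    if ext and not ext.get("OktaVerify.PasswordSyncClientID"):
        problems.append("Managed App Config: OktaVerify.PasswordSyncClientID is empty")
    if ext and ext.get("PlatformSSO.ProtocolVersion") != "2.0":
        problems.append("Managed App Config: PlatformSSO.ProtocolVersion must be 2.0")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; replace with your Okta org ID and the Step 1 Client ID.
    ad = build_associated_domains("your-org")
    mac = build_managed_app_config("your-org", "0oaPLACEHOLDERCLIENTID")
    for name, data in (("okta-associated-domains.mobileconfig", ad),
                       ("okta-managed-app-config.mobileconfig", mac)):
        with open(name, "wb") as fh:
            fh.write(data)
    print("problems:", check_profiles(ad, mac) or "none")
```

Run the script, then run check_profiles over any profile you edited by hand before uploading it; each message it returns corresponds to one of the failure modes described in Steps 5 and 6, so a clean result means the profile at least cannot fail for those reasons.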
Step 7 — Create the SCEP Certificate Profile
Navigate to Catalog > Device Settings > New > select SCEP.
The SCEP URL and Secret Key from Step 2 are used in this profile.
| Key | Value |
|---|---|
| URL | <SCEP URL from Step 2> |
| AllowAllAppsAccess | true |
| Challenge | <Secret Key from Step 2> |
| Key Usage | 1 (Signing) |
| Key Size | 2048 |
| Retries | 5 |
| RetryDelay | 30 |
| Subject | CN={{.Fact "serial_number"}} |
Increase this profile's priority by changing it from the default of 9 to a smaller number, because the certificate must be installed before the other profiles.
Step 8 — Assign Everything to Your Policy
- In Addigy, navigate to your target Policy.
- Add all four Profiles (Steps 4–7) to the policy.
- Confirm Okta Verify (Step 3) is also assigned to the same policy.
- Deploy the policy.
Start with a test policy targeting a single device before deploying to production.
Step 9 — Verify Registration on the Device
- Wait up to 30 minutes for profiles to reach the device, or use GoLive to push immediately.
- A notification will appear: "Registration Required." Click Register and sign in with Okta credentials.
- If the notification does not appear, go to System Settings > Users & Groups > click Edit next to Network account server > click Register. If nothing appears there, confirm that the profiles are configured correctly and have been deployed to the device.
- Open Terminal and run:
app-sso platform -s
A successful setup shows Registered status with the Password method and an active SSO token.
- You can also confirm in the Okta Admin Console under Directory > People > select the user > Devices tab.