Okta Verify configurations for macOS devices

You can use your device management solution (MDM) to deploy Okta Verify configurations to domains.

Configuration options enable different aspects of Okta Verify functionality.

Always deploy managed app configurations to both of these preference domains:

Preference domain 1: com.okta.mobile
Preference domain 2: com.okta.mobile.auth-service-extension

Configuration options

Use the following keys and values to configure Okta Verify:

OktaVerify.DeviceHealthOptions
OktaVerify.EnableOSQueryCustomChecks
OktaVerify.EnrollmentOptions
OktaVerify.LaunchOptions
OktaVerify.OrgUrl
OktaVerify.OSQueryAllowedDomains
OktaVerify.Plugins
OktaVerify.ReportDiagnostics

OktaVerify.DeviceHealthOptions

Hide the Device Health page or hide specific health checks in Okta Verify on user devices.

If you select multiple values, separate them by a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown.

If the value contains Disabled, Okta Verify doesn't display the Device Health page.

By default (when no values are set), Okta Verify displays all device health checks on user devices.

Value [String]	Description
Disabled	Hides the device health page and badge.
HideOSUpdate	Hides the OS version check.
HideDiskEncryption	Hides the disk encryption check.
HideBiometrics	Hides the biometrics check.
HidePassword	Hides the password check.

Example.

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OktaVerify.DeviceHealthOptions</key>
    <string>HideDiskEncryption;HideBiometrics</string>
</dict>
</plist>

OktaVerify.EnableOSQueryCustomChecks

Specifies whether custom OSQuery checks can be run on this device.

Value [Boolean]	Description
True	You can run custom checks with OSQuery on this device.
False	Custom checks with OSQuery are disabled from running on this device. This is the default.

Value [Boolean]

Description

True

You can run custom checks with OSQuery on this device.

False

Custom checks with OSQuery are disabled from running on this device.

This is the default.

Example:

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OktaVerify.EnableOSQueryCustomChecks</key>
    <true/>
</dict>
</plist>

OktaVerify.EnrollmentOptions

Configure whether users are prompted to enroll in Okta Verify. You can reduce the number of user prompts or control the rollout of Okta Verify and Okta FastPass in your org.

Value [String]	Description
SilentEnrollmentDisabled	Users who aren't enrolled in Okta Verify (not registered) are prompted to add an Okta Verify account when they attempt to access resources protected by Okta, and they click Sign in with Okta FastPass. This is the default.
Enabled	Users are always prompted to add an Okta Verify account.
Disabled	Users are never prompted to enroll in Okta Verify unless they open the app and click Add an account.

Value [String]

Description

SilentEnrollmentDisabled

Users who aren't enrolled in Okta Verify (not registered) are prompted to add an Okta Verify account when they attempt to access resources protected by Okta, and they click Sign in with Okta FastPass.

This is the default.

Enabled

Users are always prompted to add an Okta Verify account.

Disabled

Users are never prompted to enroll in Okta Verify unless they open the app and click Add an account.

Example

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OktaVerify.EnrollmentOptions</key>
    <string>Enabled</string>
</dict>
</plist>

OktaVerify.LaunchOptions

Configure whether Okta Verify shows the accounts list upon launch.

If this option isn't configured, Okta Verify shows the account list upon launch.

Value [String]	Description
HideMainWindow	Hides the accounts list on launch.

Example

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OktaVerify.LaunchOptions</key>
    <string>HideMainWindow</string>
</dict>
</plist>

OktaVerify.OrgUrl

Pre-populate the org URL so that users don't have to enter this value on the First, enter your sign-in URL page.

Value [String]	Description
<your.org.signin.url>	The org sign-in URL.

This option is available in Okta Verify 2.4.1 and later.

Example

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OktaVerify.OrgUrl</key>
    <string>atko.okta.com</string>
</dict>
</plist>

OktaVerify.OSQueryAllowedDomains

Defines the orgs that can run custom OSQuery checks on this device.

Value [String]	Description
{your.org.signin.url}	Semi-colon-separated list of organization sign-in URLs.

Example

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OktaVerify.OSQueryAllowedDomains</key>
    <string>my-test-domain.oktapreview.com;my-prod-domain.oktapreview.com</string>
</dict>
</plist>

OktaVerify.Plugins

Enable Okta Verify to collect trust signals from an EDR client that's running on the same macOS device. See Manage endpoint security integration plugins for macOS.

Value [Array]	Description
<com.crowdstrike.zta>	The EDR client.

Example

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<managedAppConfiguration>
<dict>
    <key>OktaVerify.Plugins</key>
    <array>
        <string>com.crowdstrike.zta</string>
    </array>
    <key>com.crowdstrike.zta</key>
    <dict>
        <key>description</key>
        <string>File-based EDR integration between Okta Verify and the CrowdStrike Falcon agent.</string>
        <key>format</key>
        <string>JWT</string>
        <key>location</key>
        <string>/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta</string>
        <key>name</key>
        <string>com.crowdstrike.zta</string>
        <key>type</key>
        <string>FILE</string>
    </dict>
</dict>
</managedAppConfiguration>
</plist>

OktaVerify.ReportDiagnostics

Configure whether Okta Verify diagnostic and crash information is shared with Okta.

If this option isn't configured, end users can set this value on their app. See Share diagnostic information with Okta from your macOS device.

Value [Boolean]	Description
True	Diagnostic and crash information is shared with Okta.
False	Diagnostic and crash information isn't shared with Okta.

Example

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OktaVerify.ReportDiagnostics</key>
    <true/>
</dict>
</plist>