Deploying Okta Device Trust

johnatzilch
New Contributor II

Okta is an identity and access management platform and, whilst not identical, it can be considered an alternative to Active Directory.


The basic setup involves systems being configured to redirect logins via Okta, usually using SAML, so that Okta handles who is allowed to log in to that system and also enforces MFA. It is however also possible to enforce device trust so that this can be further restricted to approved devices. This latter aspect could be considered as equivalent to 'binding' the device to Okta, like one might bind to AD.


Okta Device Trust therefore uses a script to enrol the Mac and make it 'trusted'. The following is a link to Okta's documentation on this.

https://help.okta.com/en-us/Content/Topics/Mobile/Okta_Device_Trust_Jamf_macOS_Devices.htm


The 1.2.x version of this script uses Python2, which is no longer included in macOS as of macOS 12.3. As Apple warned for some time, they did not replace it with Python3 but now require developers and admins to organise installing or including their own copy of the Python runtime. Personally I think this was a bad mistake on Apple's part, as an enterprise Mac is now likely to have several separate copies of Python installed, each of which is likely to be a different version and not kept up to date. I cannot see how this could be considered to 'improve' security.


Okta have issued a newer 1.3.x version of their script which uses/requires Python3, but Okta are not themselves providing or including a copy of Python3 and instead provide a script which first installs Xcode Command Line Tools and then uses the copy of Python3 included in that. This means a bigger, slower download and install process, and means all your Macs will have compilers and other tools installed even for non-developer users.
Fortunately it should be possible to avoid this.


A group of leading macadmins including Greg Neagle of Walt Disney Animation Studios have contributed to providing a pre-built version of Python3 as a standard Mac installer pkg. This version also includes as standard the Python packages required by the Okta Device Trust script, which further avoids the need to run the Okta-written script that would run the pip tool to add these Python packages. The pip tool itself would also have required the installation of Xcode Command Line Tools.


So, by using the pre-built version of Python3 from the macadmins group we can completely avoid the need to use Xcode Command Line Tools, Homebrew or pip.


We do have to make one very small change to the main Python script provided by Okta, which is to change the first line (i.e. the 'shebang' line) in their script so that it points to and uses the copy of Python3 we are installing.


The new first line should therefore be as follows -

#!/usr/local/bin/managed_python3

You can download the macadmins Python3 installer from the following link -

https://github.com/macadmins/python
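The shebang change described in this post, as an added example that is not part of the original post and not Okta's or macadmins' code: a small POSIX shell helper that applies the new first line to a copy of the Okta script (refusing anything whose first line is not already a Python shebang) and checks that the managed interpreter exists and can import the modules you name. The Okta script's path and its required module names are not on this page and are left for you to supply.

```shell
#!/bin/sh
# Added example (not Okta's or macadmins' code). Patches the shebang of a copy of
# the Okta Device Trust script to the macadmins interpreter and sanity-checks
# that interpreter. Script path and module names are supplied by the caller.
set -eu

MANAGED_PY="/usr/local/bin/managed_python3"   # installed by the macadmins pkg

# 0 if the first line of $1 is a Python shebang (python, python3, env python3 ...).
has_python_shebang() {
    head -n 1 "$1" | grep -qE '^#!.*python[0-9.]*( |$)'
}

# Rewrite the first line of $1 to "#!$2" (default: managed_python3).
# Keeps every other line, is idempotent, and refuses non-Python scripts so a
# wrong path in a Jamf policy cannot silently corrupt some other file.
patch_shebang() {
    script="$1"
    interp="${2:-$MANAGED_PY}"
    has_python_shebang "$script" || { echo "not a Python script: $script" >&2; return 1; }
    if [ "$(head -n 1 "$script")" = "#!$interp" ]; then
        return 0   # already points at the managed interpreter
    fi
    tmp="$(mktemp)"
    { printf '#!%s\n' "$interp"; tail -n +2 "$script"; } > "$tmp"
    cat "$tmp" > "$script"   # overwrite in place so owner and mode are preserved
    rm -f "$tmp"
}

# 0 if $1 is an executable interpreter that can import every module named after it.
# Pass the modules the Okta script imports (take the list from Okta's docs).
check_interpreter() {
    interp="$1"
    shift
    [ -x "$interp" ] || { echo "missing interpreter: $interp" >&2; return 1; }
    for m in "$@"; do
        "$interp" -c "import $m" 2>/dev/null || { echo "cannot import $m with $interp" >&2; return 1; }
    done
}

# Typical use on a Mac once the macadmins pkg is installed (both values are placeholders):
#   check_interpreter "$MANAGED_PY" MODULE_FROM_OKTA_DOCS && patch_shebang /path/to/okta_script.py
```

Run it from a Jamf policy after the macadmins pkg, before the Okta script's own policy, so the enrolment step never falls back to a python3 that is not there.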


VintageMacGuy
Contributor II

Seems like a great solution - but I am not a user of GitHub and the link takes me to a repository that has a .zsh script to run that will build the package file.

I downloaded the entire repository and tried to run the .zsh script by just dragging it into Terminal, but got fatal errors. I am now realizing that I did not change directories in Terminal to the location where the script lives. Once I do that, should the script run and create a .pkg file that I can add to Jamf and deploy to my systems that need Okta?

@VintageMacGuy 

As you indicate you are not familiar with GitHub, you will not have been aware that the initial default listing is for the source code and components. The actual fully built installer pkg is available on the right-hand side by clicking on the link named 'Releases'. This takes you to another page listing all the different versions released, with the newest version at the top.

VintageMacGuy
Contributor II

Thank you!

That did not look like a link to me. I see it now.