Extension Attributes for Okta Device Trust

cainehorr
Contributor III

LAST UPDATED: 2020-OCT-16

If you are an Okta customer and you also manage Jamf Pro, then I'm certain that you've heard of, been looking at, or have been using Okta Device Trust.

OVERVIEW: OKTA DEVICE TRUST
If you are not familiar with Okta Device Trust, here's a brief description:

Okta Device Trust for Jamf Pro-managed macOS devices allows you to prevent unmanaged macOS devices from accessing corporate SAML and WS-Fed cloud apps. Okta Device Trust ensures that only known and secured devices can access your Okta-managed applications.

Setting Okta Device Trust up in Jamf Pro is a fairly easy process, but once you have Okta Device Trust up and running, you might need to keep tabs on certain Okta Device Trust attributes within your Jamf Pro environment.

Visit https://help.okta.com/en/prod/Content/Topics/device-trust/device-trust-landing.htm for more information regarding Okta Device Trust.

OVERVIEW: JAMF PRO EXTENSION ATTRIBUTES
Jamf Pro Extension Attributes provide an easy method by which to gather and report specific pieces of information. Furthermore, Jamf Pro Groups, Policies, Configuration Profiles, Advanced Searches, etc. can be scoped to results gathered by Jamf Pro Extension Attributes. This ability within Jamf Pro makes it extremely powerful for the Jamf Pro Admin to extend the capabilities well beyond the baseline capabilities of Jamf Pro.

OVERVIEW: JAMF PRO EXTENSION ATTRIBUTES FOR OKTA DEVICE TRUST
I have written three Jamf Pro Extension Attributes to gather specific information about Okta Device Trust as it exists in your Jamf Pro environment.

I use these Jamf Pro Extension Attributes to indicate which version of Okta Device Trust is present on any given user's device as well as the integrity of the Okta Device Trust installation on any given user's device.

Jamf Pro Extension Attributes for Okta Device Trust

  • Okta Device Trust - Version
  • Okta Device Trust - File Path to the Okta Device Trust Keychain DB
  • Okta Device Trust - File Path to the Okta Device Trust Python Script

I won't go into the "How To" with regards to installing and configuring Jamf Pro Extension Attributes. You can find this information in the Jamf Pro Administrator's Guide.

DISCLAIMER
The scripts were written by me, Caine Hörr, in my own free time. These scripts were not written by Okta and are not supported by Okta. If you call your Okta Customer Support representative, they will most likely not provide any technical support with regards to these Jamf Pro Extension Attributes. YMMV!

JAMF PRO EXTENSION ATTRIBUTES

OKTA DEVICE TRUST - VERSION
This particular Jamf Pro Extension Attribute returns the Okta Device Trust version number as found on an Apple Macintosh device with Okta Device Trust installed.

#!/bin/sh

# Using "sh" to support bash and zsh

##############################################################################
#
# SCRIPT FILENAME:
#   Okta_Device_Trust-Version.sh
#
#
# DESCRIPTION:
#   Jamf Pro Extension Attribute to identify Okta Device Trust version
#
#
# CHANGE LOG:
#   v1.2 - 2020-10-06
#       Updated by Caine Hörr
#           * Removed support for Okta Device Trust versions prior to 1.2.1
#   v1.1 - 2019-04-16
#       Updated by Caine Hörr
#           * Updated for native Okta Device Trust 1.2.1+ version check
#   v1.0 - 2019-03-11
#       Written by Caine Hörr
#       https://github.com/cainehorr
#           * Initial Script Creation
#
##############################################################################

##############################################################################
#
# MIT License
#
# Copyright (c) 2020 Caine Hörr
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to 
# deal in the Software without restriction, including without limitation the 
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
#
##############################################################################

# Acquire currently logged in user details
currentUser=$(/usr/bin/stat -f "%Su" "/dev/console")

# Define the path to the Okta Device Trust installation directory
okta_device_trust_python_script_path=/Users/${currentUser}/Library/Okta

# Define the Okta Device Trust python script
okta_device_trust_python_script_filename="okta_device_trust.py"

# Check for the script itself rather than only its directory, so a missing
# or non-executable script reports Unknown instead of an empty result
if [ -x "${okta_device_trust_python_script_path}/${okta_device_trust_python_script_filename}" ]; then
    # Acquire the Okta Device Trust version as installed
    okta_device_trust_version="$("${okta_device_trust_python_script_path}/${okta_device_trust_python_script_filename}" version)"
    echo "<result>${okta_device_trust_version}</result>"
else
    echo "<result>Unknown</result>"
fi

exit 0

OKTA DEVICE TRUST - FILE PATH TO THE OKTA DEVICE TRUST KEYCHAIN DB
This particular Jamf Pro Extension Attribute returns the path to the Okta Device Trust Keychain Database file.

This is a clear indicator that the Okta Device Trust Keychain Database file is present on the user's device.

NOTE: This does not indicate if the okta keychain exists within Keychain Access.app. To identify if the user's Keychain Access.app has the okta keychain and/or the Okta MTLS Certificate, you must manually open Keychain Access.app or have the currently logged in user run the "/usr/bin/security" command.

To verify installation from a terminal:

# Show keychain info
security show-keychain-info okta.keychain

# Show the certificate
security find-certificate -a -c 'Okta MTLS' -Z -p okta.keychain

# Show the password
security find-generic-password -l device_trust -w

Unfortunately, this command doesn't return the expected values when run with "sudo -u ${currentUser}" or "su -u ${currentUser}". I also read up on a variation using "launchctl" but that didn't pan out either. If someone figures out how to make this work via Jamf then please, reply to this thread with the secret sauce!

#!/bin/sh

# Using "sh" to support bash and zsh

##############################################################################
#
# SCRIPT FILENAME:
#   Okta_Device_Trust-File_Path_to_the_Okta_Device_Trust_Keychain_DB.sh
#
#
# DESCRIPTION:
#   Jamf Pro Extension Attribute to identify the existence of the 
#   ~/Library/Keychains/okta.keychain-db file.
#
#
# CHANGE LOG:
#   v1.0 - 2019-03-11
#       Written by Caine Hörr
#       https://github.com/cainehorr
#           * Initial Script Creation
#
##############################################################################

##############################################################################
#
# MIT License
#
# Copyright (c) 2020 Caine Hörr
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to 
# deal in the Software without restriction, including without limitation the 
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
#
##############################################################################

# Acquire currently logged in user details...
currentUser=$(/usr/bin/stat -f "%Su" "/dev/console")

# Define the path to the Okta Device Trust Keychain Database File
okta_keychain_db_path=/Users/${currentUser}/Library/Keychains/okta.keychain-db

# Quote the path so a user name containing spaces cannot break the test
if [ -f "${okta_keychain_db_path}" ]; then
    /bin/echo "<result>${okta_keychain_db_path}</result>"
else
    /bin/echo "<result>N/A</result>"
fi

exit 0

OKTA DEVICE TRUST - FILE PATH TO THE OKTA DEVICE TRUST PYTHON SCRIPT
This particular Jamf Pro Extension Attribute returns the path to the Okta Device Trust Python Script.

This is a clear indicator that the Okta Device Trust python script is present on the user's device.

#!/bin/sh

# Using "sh" to support bash and zsh

##############################################################################
#
# SCRIPT FILENAME:
#   Okta_Device_Trust-File_Path_to_the_Okta_Device_Trust_Python_Script.sh
#
#
# DESCRIPTION:
#   Jamf Pro Extension Attribute to identify Okta Device Trust Python Script
#   saved in ~/Library/Okta/okta_device_trust.py
#
#
# CHANGE LOG:
#   v1.0 - 2019-03-11
#       Written by Caine Hörr
#       https://github.com/cainehorr
#           * Initial Script Creation
#
##############################################################################

##############################################################################
#
# MIT License
#
# Copyright (c) 2020 Caine Hörr
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to 
# deal in the Software without restriction, including without limitation the 
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
#
##############################################################################

# Acquire currently logged in user details...
currentUser=$(/usr/bin/stat -f "%Su" "/dev/console")

# Define the path to the Okta Device Trust Python Script
okta_device_trust_python_script_path=/Users/${currentUser}/Library/Okta/okta_device_trust.py

# POSIX test rather than [[ ]], since the script is declared as /bin/sh
if [ -f "${okta_device_trust_python_script_path}" ]; then
    echo "<result>${okta_device_trust_python_script_path}</result>"
else
    echo "<result>N/A</result>"
fi

exit 0

I hope you find these Jamf Pro Extension Attributes for Okta Device Trust useful.

Cheers!

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!
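Added example, not one of cainehorr's scripts: a single Extension Attribute that folds the three checks above into one result and also handles a case the originals do not, a Mac sitting at the login window, where stat on /dev/console reports root or loginwindow and the scripts would otherwise inspect /Users/root. The result labels and the dscl home-directory lookup are my own choices.

```shell
#!/bin/sh
# Added example (not one of cainehorr's scripts): a single Okta Device Trust
# integrity EA with a console-user guard. Result labels are my own choice.

# Build the result text for one home directory. Kept free of macOS-only
# calls so it can be exercised against a constructed directory tree.
odt_status() {
    home="$1"
    script="${home}/Library/Okta/okta_device_trust.py"
    keychain="${home}/Library/Keychains/okta.keychain-db"
    if [ ! -f "${script}" ] && [ ! -f "${keychain}" ]; then
        echo "Not Installed"
    elif [ ! -f "${script}" ]; then
        echo "Broken: python script missing"
    elif [ ! -f "${keychain}" ]; then
        echo "Broken: keychain db missing"
    else
        # Same "version" subcommand the Version EA above relies on
        version=""
        [ -x "${script}" ] && version="$("${script}" version 2>/dev/null)" || version=""
        echo "OK ${version:-version unknown}"
    fi
}

# At the login window stat reports root or loginwindow; neither is a user
# whose home directory should be inspected, so the EA says so explicitly.
console_user() {
    u="$(/usr/bin/stat -f '%Su' /dev/console 2>/dev/null)"
    case "$u" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
    esac
    echo "$u"
}

main() {
    if ! user="$(console_user)"; then
        echo "<result>No console user</result>"
        return 0
    fi
    # Assumption: dscl gives the real home rather than guessing /Users/<name>
    home="$(/usr/bin/dscl . -read "/Users/${user}" NFSHomeDirectory 2>/dev/null | /usr/bin/awk '{print $2}')"
    echo "<result>$(odt_status "${home:-/Users/${user}}")</result>"
}

# Only the pure function runs elsewhere; the EA body is macOS-specific.
if [ "$(uname)" = "Darwin" ]; then
    main
fi
```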


lukasindre
New Contributor III

Hey @cainehorr ,

What do you mean when you say

Unfortunately, this command doesn't return the expected values when run with "sudo -u ${currentUser}" or "su -u ${currentUser}". I also read up on a variation using "launchctl" but that didn't pan out either.

Do you mean that running the security command isn't running as that actual user? If so, that can be done like

su -l $CURRENT_USER -c "${YOUR_COMMAND_HERE}"

So you can craft an extension attribute like you would any other, prefixing su -l $CURRENT_USER -c to give you some output.

I'm implementing these right now, and I'm looking forward to seeing how they work. Thanks for posting them!

cainehorr
Contributor III

@lukasindre

Gave it a go. Not getting the expected output...

I created and ran the following script to simulate running the commands as another user (i.e., running as root):

#!/bin/sh

expected_keychain="okta.keychain"
currentUser=$(/usr/bin/stat -f "%Su" "/dev/console")
sudo /usr/bin/su -l ${currentUser} -c "/usr/bin/security show-keychain-info ${expected_keychain}"

Output received...

security: SecKeychainCopySettings okta.keychain: User interaction is not allowed.

As you can see, that is NOT what we are looking for.

I then created and ran this next script to simulate running the commands as the currently logged in user...

#!/bin/sh

expected_keychain="okta.keychain"
currentUser=$(/usr/bin/stat -f "%Su" "/dev/console")
/usr/bin/security show-keychain-info ${expected_keychain}

Here is the proper, expected output...

Keychain "okta.keychain" no-timeout

As you can see, running as the user works but "simulating" the user from root (the way the Jamf user account does) rejects the command.

That being said, @tlarkin suggested (via Mac Admins Slack) that I run this command via a launchctl as the user. I'm working on that angle now... If that works, I'll post my findings.

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!
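Added example, not cainehorr's or lukasindre's code: the launchctl route mentioned in the thread, with security executed inside the console user's launchd session via launchctl asuser, and the "User interaction is not allowed" outcome shown in the reply above reported as its own state rather than an empty result. launchctl asuser, sudo -u and id are standard macOS tooling; whether the okta keychain answers without a GUI prompt in a given deployment is an assumption to verify on a test Mac.

```shell
#!/bin/sh
# Added example (not from the thread's authors): run "security" inside the
# console user's launchd session, the launchctl route raised in the thread,
# and turn the outcome into an EA result. launchctl asuser, sudo -u and id
# are standard macOS tooling; whether the okta keychain answers without a
# GUI prompt in your deployment is something to verify, so the failure seen
# in the thread is reported as its own state instead of an empty result.

# Classify the output of "security show-keychain-info okta.keychain".
# Pure text handling, so it can be exercised on captured output.
classify_keychain_info() {
    out="$1"
    prefix='Keychain "okta.keychain" '
    case "$out" in
        "$prefix"*)
            # Success: the remainder is the keychain's settings, e.g. no-timeout
            echo "Present: ${out#"$prefix"}" ;;
        *"User interaction is not allowed"*)
            # The error quoted in the thread: no user session or locked keychain
            echo "Locked or no user session" ;;
        "")
            echo "No output" ;;
        *)
            # Any other security error, first line only
            echo "Error: $(printf '%s\n' "$out" | head -n 1)" ;;
    esac
}

# Run a command as the console user inside that user's launchd session.
run_as_console_user() {
    user="$1"; shift
    uid="$(/usr/bin/id -u "$user")"
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" "$@" 2>&1
}

main() {
    user="$(/usr/bin/stat -f '%Su' /dev/console 2>/dev/null)"
    case "$user" in
        ""|root|loginwindow|_mbsetupuser)
            echo "<result>No console user</result>"; return 0 ;;
    esac
    out="$(run_as_console_user "$user" /usr/bin/security show-keychain-info okta.keychain)" || true
    echo "<result>$(classify_keychain_info "$out")</result>"
}

if [ "$(uname)" = "Darwin" ]; then
    main
fi
```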