We have set up an LDAPS connection from our Okta instance to Jamf. The reason for this is to have users authenticate during first iOS enrollment.
This works fine so far, with one minor blocker. Our Okta SSO uses MFA authentication. When the user has set up Okta Verify push, he will receive a push notification on his other device and the login will complete successfully.
Unfortunately there is no indication on the iPhone that a push notification is being sent, and also there is no way to enter any one-time password.
This means if the user doesn't use Okta Verify push but Google Authenticator (our second MFA option), he won't be able to enter the code and therefore sign in, and setup will fail.
Without using Okta Verify push, the iPhone setup is not possible.
Hope this makes sense to you. Do you have any idea what we can do in this situation? Should this be a feature request?
If you are using Jamf Cloud you need to add those IPs as a network zone in Okta and exempt that range from MFA. If you are on-prem, you need to use the IP range of your Jamf instance as a network range instead. We do this for our enrollment and it works like a charm! Happy to chat more. Feel free to let me know if you need more specific instructions.
Yes, you will need to whitelist the Jamf Cloud IPs, or if you don't want to do this I believe you can instruct your users to use the MFA code in their Okta Verify app (or whatever MFA verify app they use) and type in `<password,MFAtoken>` to log in. Okta supports that kind of MFA authentication for LDAP.
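The reply above describes the `<password,MFAtoken>` bind format of the Okta LDAP interface. The following is an added example (not code from this thread or from Okta or Jamf) that builds such a bind password from a TOTP code, so an admin can check the Google Authenticator path from a workstation before relying on it during enrollment. The `uid=...,ou=users,dc=<org>,dc=okta,dc=com` DN layout and the `<org>.ldap.okta.com` host are assumptions to verify against your own org's LDAP interface settings; the secret used in the test is the RFC 6238 reference vector, not a real one.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator and Okta Verify use.

    `at` is a Unix timestamp; None means "now".
    """
    if at is None:
        at = int(time.time())
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def okta_ldap_bind_password(password: str, mfa_code: str) -> str:
    """Compose the '<password>,<MFA code>' bind password described in the thread.

    The comma is the separator Okta parses, so a malformed code is rejected here
    rather than sent to the directory as a failed bind.
    """
    if not mfa_code.isdigit():
        raise ValueError("MFA code must consist of digits only")
    return f"{password},{mfa_code}"


def okta_ldap_bind_dn(username: str, org: str) -> str:
    """Assumed DN layout of the Okta LDAP interface; confirm against your org's settings."""
    return f"uid={username},ou=users,dc={org},dc=okta,dc=com"


if __name__ == "__main__":
    # Constructed values for illustration only.
    secret = b"12345678901234567890"          # RFC 6238 reference secret
    bind_dn = okta_ldap_bind_dn("jdoe", "example")
    bind_pw = okta_ldap_bind_password("hunter2", totp(secret))
    # Hypothetical host; try the bind with your LDAP client of choice, e.g.:
    #   ldapsearch -H ldaps://example.ldap.okta.com -D "<bind_dn>" -w "<bind_pw>" -b "ou=users,dc=example,dc=okta,dc=com" "(uid=jdoe)"
    print(bind_dn)
    print(bind_pw)
```

If the bind succeeds with the concatenated form but not with the password alone, the LDAP interface is enforcing MFA and the Google Authenticator users can be told to type `password,code` at the enrollment prompt.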