Okta Device Trust Failing Enrollment

lukasindre
New Contributor III

Hey All,

We have pretty successfully deployed the Okta Device trust with little to no hiccups. As with all technology, there are bound to be some failures, and I have a specific one that I haven't been able to diagnose.

I had deployed the script to a new endpoint, and it worked fine and the Device Trust worked as expected with Okta. The user then changed their password, which messed up the keychain info and things like that. After doing that, I was able to run the device trust script on the device, passing the uninstall argument on the endpoint, which ran successfully. Upon trying to deploy the enrollment script to the endpoint again, I receive an error: ERROR: Failed to configure Device Trust : list index out of range (full script output to be posted below).

The user does not have an Okta keychain on their device, nor a device_trust password on their login keychain. Has anyone else had this issue?

Script result: Keychain "/Users/kielsaunders/Library/Keychains/login.keychain-db" no-timeout
security: SecKeychainCopySettings okta.keychain: The specified keychain could not be found.
security: SecKeychainDelete: The specified keychain could not be found.
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
2021-02-01 18:53:58.302 system_profiler[5225:57841] Terminating '/usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full' because it did not respond.
2021-02-01 18:53:58.304 system_profiler[5225:57839] Non-zero termination status from '/usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full', termination status: 15
password has been deleted.
keychain: "/Users/kielsaunders/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="device_trust"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="device_trust"
    "cdat"<timedate>=0x32303231303230313233353035375A00  "20210201235057Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303231303230313233353035375A00  "20210201235057Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="device_trust"
    "type"<uint32>=<NULL>
Okta Device Trust returning ERROR.
INFO: Running Okta Device Registration task version : 1.2.1
INFO: Registering trusted device with Okta, for user : kielsaunders
INFO: Using home directory : /Users/kielsaunders
DEBUG: Running main()
INFO: default keychain info: /Users/kielsaunders/Library/Keychains/login.keychain-db
INFO: Configuring Okta keychain.
DEBUG: Okta keychain does not exist.
INFO: Creating new keychain.
INFO: Creating new keychain password
INFO: Okta keychain added to the keychain search list.
INFO: Configuring certificate.
ERROR: Failed to configure Device Trust : list index out of range
DEBUG: cert exists: False, password exists: True
INFO: Clean up Okta keychain, isForce: False

cainehorr
Contributor III

Have you reached out to Okta Customer Support?

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

lukasindre
New Contributor III

I have not reached out to Okta Customer Support, as this seemed to be more of a macOS thing, so I figured I'd start here.

lukasindre
New Contributor III

@caine.horr I've reached out to Okta support and they suggested resetting the default keychain. Upon doing that, users get this ef01c7a3fedf43e38b086143ee1a0401

I tried having them repair their disk via Disk Utility and trying a reset again, and it still does not work. Have you ever seen this before?

@lukasindre I see that you have successfully implemented Okta Device Trust using Jamf Pro. If possible, could you provide some assistance/information/advice?

Using the Enforce Okta Device Trust for Jamf Pro managed macOS devices guide, I am a bit confused on Step 3. I created a policy with all 3 scripts (Python 3 install, Device Trust Dependencies install, and Okta Device Registration Task) in that order. Received the following errors (see below), which indicate that although the Python 3 script did not fail, it did not install the Apple Developer Tools either - causing the subsequent scripts to fail. I believe the scripts provided in the guide are not working? What methods did you use to successfully implement ODT on Jamf Pro? Any help would be very much appreciated. Thank you!

 

Executing Policy Install Okta Device Trust via Script
Running script A_Python 3...
Script exit code: 0
Script result: Checking for the existence of the Apple Command Line Developer Tools
xcode path is which xcode-select
Apple Command Line Developer Tools not found.
Installing 
2022-07-16 23:35:22.101 softwareupdate[11912:7233487] XType: com.apple.fonts is not accessible.
2022-07-16 23:35:22.102 softwareupdate[11912:7233487] XType: XTFontStaticRegistry is enabled.
: No such update
No updates are available.
Software Update Tool
Finding available software

Running script B_Device Trust Dependencies...
Script exit code: 1
Script result: Running pip3 install --upgrade pip
xcode-select: error: no developer tools were found at '/Applications/Xcode.app', and no install could be requested (perhaps no UI is present), please install manually from 'developer.apple.com'.
Running pip3 install pyobjc-framework-SystemConfiguration
xcode-select: error: no developer tools were found at '/Applications/Xcode.app', and no install could be requested (perhaps no UI is present), please install manually from 'developer.apple.com'.
Error running script: return code was 1.

Running script C_Okta Device Trust...
Script exit code: 1
Script result: xcode-select: error: no developer tools were found at '/Applications/Xcode.app', and no install could be requested (perhaps no UI is present), please install manually from 'developer.apple.com'.
Error running script: return code was 1.
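
An added example, not part of the thread and not Okta's or Jamf's code: the policy log above shows a script that exits 0 without installing its prerequisite, after which every later script fails. The sketch below parses a log in that format and flags such silent failures; the marker strings, verdict labels and function names are assumptions chosen for illustration, and the sample log is constructed by shortening the one in the post.

```python
import re

# Constructed sample: the policy log from the post above, shortened.
SAMPLE_LOG = """\
Running script A_Python 3...
Script exit code: 0
Script result: Checking for the existence of the Apple Command Line Developer Tools
Apple Command Line Developer Tools not found.
: No such update
Running script B_Device Trust Dependencies...
Script exit code: 1
Script result: Running pip3 install --upgrade pip
xcode-select: error: no developer tools were found at '/Applications/Xcode.app', and no install could be requested (perhaps no UI is present), please install manually from 'developer.apple.com'.
Running script C_Okta Device Trust...
Script exit code: 1
Script result: xcode-select: error: no developer tools were found at '/Applications/Xcode.app', and no install could be requested (perhaps no UI is present), please install manually from 'developer.apple.com'.
"""

# Assumed marker list: failure text seen in the log above, matched even when the exit code is 0.
FAILURE_MARKERS = ("Developer Tools not found", "No such update", "no developer tools were found")

def parse_policy_log(text):
    """Split a policy log into one record per script: name, exit code, output lines."""
    scripts = []
    for line in text.splitlines():
        m = re.match(r"Running script (.+)\.\.\.$", line)
        if m:
            scripts.append({"name": m.group(1), "exit": None, "output": []})
        elif scripts:
            m = re.match(r"Script exit code: (\d+)$", line)
            if m:
                scripts[-1]["exit"] = int(m.group(1))
            elif line.strip():
                scripts[-1]["output"].append(re.sub(r"^Script result: ", "", line))
    return scripts

def triage(scripts):
    """Heuristic verdict per script: ok, silent-failure, failed, or cascade."""
    verdicts, broken = [], False
    for s in scripts:
        hit = any(m in line for line in s["output"] for m in FAILURE_MARKERS)
        if s["exit"] == 0:
            verdict = "silent-failure" if hit else "ok"
        else:  # non-zero or missing exit code
            verdict = "cascade" if broken else "failed"
        broken = broken or verdict != "ok"
        verdicts.append((s["name"], s["exit"], verdict))
    return verdicts
```

Run over the sample, `triage(parse_policy_log(SAMPLE_LOG))` marks script A as a silent failure and scripts B and C as cascades, which points the investigation at the first script rather than at the Okta registration task.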