Platform compatibility
| macOS | Windows | Linux | iOS / iPadOS | Android |
|---|---|---|---|---|
| ✅ | | | | |
How to set it up
Connect your Okta organization
Before deploying the control, connect Primo to your Okta organization:
- Go to Settings > MDM > Integrations.
- Select Okta and follow the authorization flow.
- Grant the required permissions to allow Primo to manage device-bound credentials.
If you already use Okta for SCIM or SAML, you can reuse the existing connection. Check your current integration settings before creating a new one.
- An active Okta organization (Okta Workforce Identity Cloud).
- Primo MDM deployed on the target Mac devices.
- macOS 13 (Ventura) or later.
Modifying or removing the control
Disable the control from the profile settings. Disabling stops enforcement but does not remove existing configurations from devices.
How it works
Primo uses macOS Platform Single Sign-On (Platform SSO), introduced in macOS 13, to integrate the login window with Okta. When a user logs in:
- macOS contacts Okta to validate the credentials.
- On success, the user’s local session is created or unlocked.
- The Okta token is stored securely in the macOS Keychain for subsequent SSO to browser and app sign-ins.
The first login after enabling this control requires an active internet connection to establish the Okta binding on the device.
Troubleshooting
Users cannot log in after the control is deployed
- Ensure the device has internet access to reach Okta during the first login.
- Verify the user’s Okta account is active, not locked, and not subject to an MFA policy that blocks device login.
- Check that the Okta integration is correctly configured in Settings > MDM > Integrations.
- Confirm the MDM profile was successfully delivered (check the device panel in Primo).
- On macOS, Platform SSO requires macOS 13 or later. Verify the device OS version.
- Re-enroll the device if the profile delivery shows an error.
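
The device-side checks from the list above (OS version, reachability of Okta, Platform SSO state) can be scripted and run on an affected Mac. This is an added example, not Primo's or Okta's own tooling; the `OKTA_DOMAIN` placeholder, the function names, and the use of the org's OpenID Connect discovery URL as a reachability probe are assumptions.

```shell
#!/bin/bash
# Added example: device-side pre-flight for the troubleshooting checks above.
# OKTA_DOMAIN is a placeholder (assumption); set it to your own Okta org domain.
OKTA_DOMAIN="${OKTA_DOMAIN:-your-org.okta.example}"
MIN_MAJOR=13   # Platform SSO needs macOS 13 (Ventura) or later

# Return 0 if a macOS version string (e.g. "13.6.1") meets the minimum major,
# 1 if it is too old, 2 if it is empty or not a version number.
os_supported() {
  local major="${1%%.*}"
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  [ "$major" -ge "$MIN_MAJOR" ]
}

# Return 0 if the Okta org answers over HTTPS (needed for the first login).
okta_reachable() {
  curl --silent --fail --max-time 10 --output /dev/null \
    "https://$1/.well-known/openid-configuration"
}

# Run all checks, print one line per check, return the number of failures.
preflight() {
  local failures=0 version
  version="$(sw_vers -productVersion 2>/dev/null)" || version=""
  if os_supported "$version"; then
    echo "OK   macOS $version supports Platform SSO"
  else
    echo "FAIL macOS version '$version' is below $MIN_MAJOR or unknown"
    failures=$((failures + 1))
  fi
  if okta_reachable "$OKTA_DOMAIN"; then
    echo "OK   $OKTA_DOMAIN is reachable"
  else
    echo "FAIL cannot reach $OKTA_DOMAIN over HTTPS"
    failures=$((failures + 1))
  fi
  # app-sso ships with macOS 13+; "platform -s" prints the Platform SSO state.
  if command -v app-sso >/dev/null 2>&1; then
    app-sso platform -s
  else
    echo "SKIP app-sso not found on this system"
  fi
  return "$failures"
}

# Run the checks only when invoked with --run, so sourcing defines functions only.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as the affected user with `OKTA_DOMAIN=<your org domain> ./preflight.sh --run`; a non-zero exit status is the number of failed checks.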