
Configure Desktop SSO

Step 1: Create the Desktop MFA app in Okta

  1. Go to Admin Console > Applications > Applications > Browse App Catalog
  2. Search for Desktop MFA for Windows and click Add integration
    If the integration is unavailable, contact your Okta Account Manager — Okta Device Access is a paid add-on. If you already set up Platform SSO with Okta for macOS, it is already enabled.
  3. Open the app and go to the General tab
  4. Note the Client ID and Client Secret — you will need both in Step 4
Step 2: Enable Okta Verify enrollment

  1. Go to Admin Console > Security > Authenticators and confirm Okta Verify is active
  2. Go to Security > Authenticator enrollment and ensure users in scope are required to enroll in Okta Verify
Step 3: Deploy Okta Verify for Windows

Go to the software library and add Okta Verify for Windows to the profile targeting your Windows devices.
Complete this step before pushing the ADMX settings in the next step. Applying the login-screen configuration before Okta Verify is installed will disrupt the Windows login experience.
Step 4: Deploy Okta ADMX settings via Primo CSP Builder

  1. Go to csp-builder.getprimo.com
  2. Load the Okta Device Access ADMX template
    The Okta ADMX will be available directly in the CSP Builder soon. In the meantime, download OktaODA.admx and OktaODA.adml from the Okta Group Policy Templates article and upload them manually.
  3. Configure the following settings:
    • OrgUrl — your Okta domain (e.g. yourorganization.okta.com)
    • ClientId — from the Desktop MFA app
    • ClientSecret — from the Desktop MFA app
  4. Export the generated CSP policy and apply it to the profile targeting your Windows devices
Step 5: Enable Device-Bound SSO

Device-Bound SSO extends the Desktop MFA login into a persistent Okta session, so users access Okta-connected apps without a second sign-in.

Enable the feature in Okta:
  1. Go to Admin Console > Settings > Feature Manager and activate Device-Bound Single Sign-On (Early Access)
  2. Go to Security > Device integrations > Device Access tab
  3. Add a Static SCEP certificate authority and note the SCEP URL and SCEP challenge

Deploy the SCEP certificate via Primo:
  4. Create a SCEP certificate profile and deploy it to your Windows devices
    Apply the profile at Computer level, not User level.

Configure authentication policies in Okta:
  5. Go to Admin Console > Security > Authentication Policies
  6. Open or create a policy for the Okta-connected apps you want to protect
  7. Add a rule for registered, Okta-joined devices:
    • Set Device State to Registered
    • Add the expression: device.provider.deviceAccess.joined == true
  8. Configure the rule to grant access using the device session

Device-Bound SSO requires Okta Verify 6.6.2 or later. Update Okta Verify on your devices before activating this feature — enabling Device-Bound SSO registry settings on earlier versions can lock users out of Windows.
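As an added pre-flight check (not part of Primo's or Okta's own tooling), the PowerShell script below confirms on a target device that Okta Verify is installed at 6.6.2 or later before the login-screen ADMX settings and Device-Bound SSO are enabled, and that the SCEP certificate landed in the computer store rather than a user store. It assumes Okta Verify is listed in the standard Windows Uninstall registry keys, and the SCEP CA name is a placeholder you replace with your own.

```powershell
# Added pre-flight check; not Primo's or Okta's own tooling.
# Assumptions: Okta Verify is listed in the standard Windows Uninstall
# registry keys with a DisplayName starting "Okta Verify", and the SCEP
# certificate's Issuer contains $CaNameHint (placeholder, replace it).
# Run in an elevated PowerShell session on a target Windows device.
param(
    [Version]$MinimumOktaVerify = '6.6.2',
    [string]$CaNameHint = 'REPLACE-WITH-YOUR-SCEP-CA-NAME'
)

function Get-OktaVerifyVersion {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Okta Verify*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-DeviceBoundSsoReady {
    $ready = $true

    # Step 3 must precede Step 4 (login-screen ADMX needs Okta Verify present),
    # and Device-Bound SSO needs 6.6.2 or later or users can be locked out.
    $installed = Get-OktaVerifyVersion
    if (-not $installed) {
        Write-Warning 'Okta Verify is not installed; do not push the ADMX login-screen settings yet.'
        $ready = $false
    } elseif ([Version]$installed -lt $MinimumOktaVerify) {
        Write-Warning "Okta Verify $installed is older than $MinimumOktaVerify; update before enabling Device-Bound SSO."
        $ready = $false
    } else {
        Write-Host "Okta Verify $installed meets the $MinimumOktaVerify minimum."
    }

    # The SCEP profile must be applied at Computer level, so the certificate
    # belongs in the LocalMachine store rather than a user's store.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*$CaNameHint*" }
    if ($cert) {
        Write-Host "SCEP certificate present in LocalMachine\My (thumbprint $(@($cert)[0].Thumbprint))."
    } else {
        Write-Warning 'No SCEP certificate in LocalMachine\My; redeploy the SCEP profile at Computer level.'
        $ready = $false
    }
    return $ready
}

Test-DeviceBoundSsoReady
```

The script returns $true only when both checks pass, so it can gate a rollout script that flips on the Device-Bound SSO settings.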

How it works

When a user locks or wakes their Windows device, Okta Verify intercepts the login screen via a Windows Credential Provider installed by the ADMX settings. The user authenticates using Okta Verify — push notification, TOTP, or a FIDO2 key — and Windows unlocks. With Device-Bound SSO enabled, Okta creates a hardware-bound session tied to the device’s secure hardware at login time. When the user opens an Okta-connected app, Okta evaluates the device session against the app’s authentication policy. If the device is Okta-joined and meets the assurance requirements, Okta grants access silently with no additional authentication challenge.