Showing the Okta Verify window at login only to users not signed in

What’s the problem?

I wanted a way to have Okta Verify launch at login but with the window for the app appearing only to users who aren’t signed into Okta Verify.

Launch Okta Verify at login

There is some guidance on how to set up Okta Verify to launch at login. For that, Okta recommends using an MDM configuration profile (with Jamf as an example). You could also use Outset.

No window pop-up with Okta Verify launch

But how do you not have the window pop up? There’s a preference for that:

<key>OktaVerify.LaunchOptions</key>
<string>HideMainWindow</string>

That part of an MDM configuration profile would be for the com.okta.mobile and com.okta.mobile.auth-service-extension preference domains.

If you prefer to script the preferences, you can do so via commands:

defaults write com.okta.mobile OktaVerify.LaunchOptions "HideMainWindow"

and

defaults write com.okta.mobile.auth-service-extension OktaVerify.LaunchOptions "HideMainWindow"

Note: I’ve seen some cases in which a regular defaults write is ignored but one specifically to the /Users/username/Library/Preferences/com.okta.mobile.plist or /Users/username/Library/Preferences/com.okta.mobile.auth-service-extension.plist is honored. Definitely do some testing!

Is the user signed into Okta Verify?

There also doesn’t seem to be an obvious way to detect if a user is signed into Okta Verify or not, but apparently this command will help you differentiate:

defaults read ~/Library/Group\ Containers/B7F62B65BN.group.okta.macverify.shared/Library/Preferences/B7F62B65BN.group.okta.macverify.shared.plist | grep DeviceEnrollment_

If that comes back empty, the user isn’t signed into Okta Verify. If it comes back with anything, the user is signed into Okta Verify.
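Putting the two pieces together, here is an added example (not from the original post or from Okta) of a script run as the logging-in user that hides the window only when the enrollment check succeeds. The function names and the `--apply` argument are hypothetical, and clearing the key with `defaults delete` so the window shows again is an assumption to test in your environment.

```shell
#!/bin/sh
# Added example, not the post author's or Okta's code. Run as the logging-in user.

# Plist path and preference domains exactly as given in the post.
SHARED_PLIST="$HOME/Library/Group Containers/B7F62B65BN.group.okta.macverify.shared/Library/Preferences/B7F62B65BN.group.okta.macverify.shared.plist"
DOMAINS="com.okta.mobile com.okta.mobile.auth-service-extension"

# Returns 0 when the shared plist contains a DeviceEnrollment_ entry.
okta_verify_signed_in() {
    # A missing plist makes `defaults read` fail; that counts as not signed in.
    defaults read "$SHARED_PLIST" 2>/dev/null | grep -q "DeviceEnrollment_"
}

# Sets or clears the launch option and prints "hide" or "show".
set_okta_verify_launch_options() {
    if okta_verify_signed_in; then
        for domain in $DOMAINS; do
            defaults write "$domain" OktaVerify.LaunchOptions "HideMainWindow"
        done
        echo "hide"
    else
        # Assumption: with the key absent, the main window appears at launch.
        for domain in $DOMAINS; do
            defaults delete "$domain" OktaVerify.LaunchOptions 2>/dev/null || true
        done
        echo "show"
    fi
}

# Only touch preferences when explicitly asked to (hypothetical flag).
if [ "${1:-}" = "--apply" ]; then
    set_okta_verify_launch_options
fi
```

If the plain domain writes are ignored, as the note above describes, substitute the full `~/Library/Preferences/<domain>.plist` path for `"$domain"` in both loops.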

Acknowledgements

This blog post wouldn’t be at all possible without the help of Andrew and Josh on the MacAdmins Slack. Thanks to you two!


Comments

One response to “Showing the Okta Verify window at login only to users not signed in”

  1. Nancie

    Display Okta Verify only for unsigned users.
