Okta is an identity and access management platform and, whilst not identical, it can be considered as an alternative to Active Directory. The basic setup involves systems being configured to redirect logins via Okta, usually using SAML, so that Okta handles who is allowed to log in to that system and also to enforce MFA. It is however also possible to enforce device trust so that this can be further restricted to approved devices. This latter aspect could be considered as equivalent to 'binding' the device to Okta like one might bind to AD.

Okta Device Trust therefore uses a script to enrol the Mac and make it 'trusted'. The following is a link to Okta's documentation on this.

The 1.2.x version of this script uses Python2, which is no longer included in macOS as of macOS 12.3. As Apple warned for some time, they did not replace it with Python3 but now require developers and admins to organise installing or including their own copy of the Python runtime. Personally I think this was a bad mistake on Apple's part, as now an enterprise Mac is likely to have several separate copies of Python installed, each of which is likely to be a different version and not being kept up-to-date. I cannot see how this could be considered to 'improve' security.

Okta have issued a newer 1.3.x version of their script which uses/requires Python3, but Okta are not themselves providing or including a copy of Python3 and instead provide a script which first installs Xcode Command Line Tools and then uses the copy of Python3 included in that. This means a bigger, slower download and install process, and means all your Macs will have compilers and other tools installed even for non-developer users.

Fortunately it should be possible to avoid this.

A group of leading macadmins, including Greg Neagle of Walt Disney Animation Studios, have contributed to providing a pre-built version of Python3 as a standard Mac installer pkg. This version also includes as standard the Python packages required by the Okta Device Trust script; this further avoids the need to run the Okta-written script which would run the pip tool to add these Python packages.