Unleash the Power of Okta Agent (Auto) Updates

Okta / Apr 10, 2023

Authored by Scott Dewar.

What are Okta Agents?

Okta Active Directory (AD) agents are software that allows organizations to synchronize their on-premises Active Directory with the Okta cloud-based Identity and Access Management (IAM) platform. The Okta AD agents provide a secure and efficient way to connect an organization’s on-premises AD environment with Okta’s cloud-based identity management services.

The main function of the Okta AD agents is to sync user and group data between the on-premises Active Directory and the Okta cloud service, including user attributes, group memberships, and passwords. The Okta AD agents also provide a way to authenticate users against the on-premises Active Directory using Okta as the identity provider. This allows organizations to use Okta’s cloud-based identity management services while still maintaining control over their on-premises AD environment.

Additionally, Okta AD agents provide a way to perform single sign-on (SSO) and multi-factor authentication (MFA) for on-premises resources, such as applications and network resources. This allows organizations to secure access to their on-premises resources, while still providing a seamless user experience for their employees.

In summary, Okta AD agents provide a way for organizations to synchronize their on-premises Active Directory with the Okta cloud-based Identity and Access Management (IAM) platform, allowing them to benefit from the scalability, security and ease of management offered by the cloud, while still maintaining control over their on-premises AD environment.

Pros and cons of auto-updating

Updating your Okta agents can help ensure the security, stability, and functionality of your environment, as well as provide access to new features and compatibility with other Okta products. Some reasons to keep your Okta agents up to date:

  1. Security: Newer versions of the Okta AD agent often include security fixes and patches to address known vulnerabilities. Updating your agents ensures that your environment is protected against potential security threats.
  2. Bug fixes: Newer versions of the Okta AD agent often include bug fixes for known issues. Updating your agents can help resolve any problems you may be experiencing with your current agents.
  3. Feature enhancements: Okta regularly releases new features and enhancements to the AD agent. Updating your agents will ensure that you have access to the latest functionality and can take full advantage of the capabilities of the Okta platform.
  4. Performance: Occasionally Okta makes performance improvements which speed up authentication and searches.
  5. Compatibility: Updating your Okta agents to the latest version can ensure compatibility with other Okta products and features you may be using.
  6. Support: Running the latest version of the Okta AD agent can also ensure that you will continue to receive support from Okta’s customer support team.

Every organisation has a different appetite for risk. Here are a few reasons why an organization may not want to keep the Okta AD agents up to date:

  1. Compatibility issues: Updating the Okta AD agents may cause compatibility issues with existing on-premises systems or applications that are integrated with the agents. It’s important to thoroughly test the compatibility of the updated agents with existing systems before deploying them in a production environment.
  2. Impact on existing configurations: Updating the Okta AD agents may change existing configurations and settings, which could impact the overall functionality and stability of the system. It is essential to have a plan in place to ensure that the configuration changes are thoroughly tested and that the necessary adjustments are made.
  3. Impact on end-users: Updating the Okta AD agents may affect the end-users’ experience, especially if the update causes an interruption in service or changes the way users access applications or resources. It’s important to communicate the update and its impact to the end-users in advance, and to provide them with clear instructions on how to access resources during and after the update.
  4. Cost and resources: Updating the Okta AD agents may require additional time, resources, and cost to deploy and test the updated agents, which could be a significant consideration for some organizations.

While updating the Okta AD agents is generally recommended to ensure the security and stability of the system, it’s also important to carefully consider any potential compatibility issues, configuration changes, user impact, and cost before proceeding with the update. Here is an example of a brief update plan for Okta Active Directory (AD) agents:

  1. Verify the current version of your AD agents: Check the version number of the agents installed on your network to determine if an update is necessary.
  2. Review release notes: Review the release notes of the latest version of the Okta AD agent to understand the changes and improvements included in the update.
  3. Test the update: Before deploying the update in a production environment, test it in a non-production Okta Preview environment to ensure compatibility with existing systems and applications. If you don’t have a preview environment yet, you can ask Okta for one by submitting a support ticket.
  4. Communicate with end-users: Notify end-users of the upcoming update and its potential impact on their access to resources. Provide them with clear instructions on how to access resources during and after the update.
  5. Schedule the update: Schedule the update during a maintenance window when the impact on end-users will be minimal.
  6. Perform the update: Follow the instructions provided by Okta to install the updated agent software. Verify that the agent is updated successfully.
  7. Monitor the update: Monitor the update to ensure that the agents are functioning correctly and that there are no unexpected issues.
  8. Document the update: Document the update, including the version number, date and time of the update, and any issues that were encountered.

This plan is brief and non-specific and should be tailored to the specific needs of your organization. Reviewing the release notes is a step I believe few organisations do well. It is essential to determine if (and when) you should apply the update. Communicating with end-users does not have to be much more than an email with the time and date of change, a quick rundown if things are different and who to contact if something goes wrong – most users will probably skip reading it and only find it when something goes wrong! Keep it concise.

Updating.

From version 3.8, there is a pre-release feature that allows for scheduling or self-service automatic Okta agent updates from within Okta. Before version 3.8, or for a particular reason within your setup, it might be necessary to update the agents manually.

Manual Update (works any version).

  1. Check the current version of the Okta AD agents by logging into the Okta admin portal and navigating to the “System Log” page. This will show the version of each agent currently in use.
  2. Download the latest version of the Okta AD agent from the Okta website.
  3. Stop the Okta AD agent service on each machine where the agent is installed. This can be done by going to the services panel and finding the service named “Okta AD Agent” and stopping it.
  4. Replace the old version of the agent with the new version by running the installer on each machine where the agent is installed.
  5. Restart the Okta AD agent service on each machine.
  6. Verify that the agent version has been updated by checking the “System Log” page in the Okta admin portal.
  7. Once all agents have been updated to the latest version, you can turn on the scheduling feature for automatic updates. This can be done by logging into the Okta admin portal and navigating to the “Settings” page. Under the “Active Directory” tab, you will find the option to schedule updates.
  8. It’s also a good practice to change the Okta AD agent user password.
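Steps 3 to 5 above are what you repeat on every agent host, so they are worth scripting. The following is an added example, not code from the original article or from Okta: it stops the agent service, runs the downloaded installer, restarts the service and records the file version before and after. It assumes the service display name begins with “Okta AD Agent” (as stated above) and that you supply the installer path and whatever silent-install switches Okta documents for your agent version.

```powershell
# Added example (not from the article or Okta): manual update of the Okta AD agent on one host.
# Assumptions: service display name starts with "Okta AD Agent"; silent switches are passed by the caller.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,   # downloaded agent installer
    [string] $InstallerArgs = '',                      # silent-install switches from Okta's docs (assumed)
    [string] $ServiceDisplayName = 'Okta AD Agent*'
)

function Get-OktaAgentService {
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $svc) { throw "No service matching '$ServiceDisplayName' found on $env:COMPUTERNAME" }
    return $svc
}

function Get-OktaAgentVersion([string] $Name) {
    # Resolve the service binary from the service definition and read its product version.
    $raw = (Get-CimInstance Win32_Service -Filter "Name='$Name'").PathName
    $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
    return (Get-Item $exe).VersionInfo.ProductVersion
}

$svc    = Get-OktaAgentService
$before = Get-OktaAgentVersion $svc.Name
Write-Host "Agent '$($svc.DisplayName)' before update: $before"

# Step 3: stop the agent service and wait until it is actually stopped.
Stop-Service -Name $svc.Name -Force
(Get-Service -Name $svc.Name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 4: run the installer and fail loudly on a non-zero exit code.
$run = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
if ($InstallerArgs) { $run.ArgumentList = $InstallerArgs }
$proc = Start-Process @run
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# Step 5: restart the service and confirm it is running.
Start-Service -Name $svc.Name
(Get-Service -Name $svc.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

$after = Get-OktaAgentVersion $svc.Name
Write-Host "Agent '$($svc.DisplayName)' after update: $after"
if ($after -eq $before) { Write-Warning "Version unchanged; confirm the agent version in the Okta admin portal" }
```

Run it in an elevated PowerShell session on each agent host, then complete step 6 by confirming the new version in the admin portal rather than trusting the local file version alone.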

Updating Manually from within Okta (version 3.8+).

These are the instructions to update manually from within Okta:

  1. Log in to the Okta Admin Console.
  2. Navigate to the Security > Network > Active Directory page.
  3. Click the name of the AD agent you want to update.
  4. Click the Update button.
  5. Follow the on-screen instructions to install the updated agent software.
  6. Once the updated agent software is installed, click Next to proceed.
  7. Review the changes and click Update.
  8. Verify that the agent is updated successfully.

Setting up automatic scheduling (version 3.8+).

A moderate-risk automatic schedule for Okta agents is one that balances the need to keep the agents up to date with the need to minimize disruption to end-users. Here is an example of such a schedule:

  1. Schedule the update for 14 days after release, on a day and at a time of your choosing, e.g. 7pm on a Thursday. So when a new version of the Okta AD agent is released on a Monday, the update would be scheduled for the first Thursday at 7pm after that 14-day window.
  2. Verify that there are at least two working agents on the network before scheduling the update. This ensures that there is redundancy in case one agent fails during the update process.
  3. Monitor the update closely to ensure that there are no unexpected issues. If any issues are encountered, roll back the update immediately.
  4. Notify end-users of the update in advance and provide them with clear instructions on how to access resources during and after the update.
  5. After the update, verify that the agents are functioning correctly and that there are no issues. Document the update, including the version number, date and time of the update, and any issues that were encountered.

This schedule strikes a balance between keeping the agents up to date and minimizing disruption to end-users. It allows enough time after Okta releases an update for Okta to monitor, discover, and fix any critical or disruptive bugs. It should be scheduled at a time when the impact on end-users is likely to be minimal.

To set this up:

  1. Log into the Okta admin portal and navigate to the “Settings” page.
  2. Under the “Active Directory” tab, you will find the option to schedule updates.
  3. In the schedule updates section, you can set the schedule by selecting “Custom” and inputting the desired schedule. E.g. 2 weeks after release, on a Thursday at 7pm AEST.
  4. Click the “Save” button to save the schedule.
  5. Once the schedule is set, the Okta AD agents will automatically update to the latest version every 2 weeks after release, at 7pm AEST on Thursdays.

Please note that the schedule will only take effect if there are 2 working agents present at the time of the scheduled update (see the end of the article for more information on agent redundancy). Pro tip: Use an automation tool to scan your emails for Okta AD Agent releases so you can communicate with end-users, monitor the update and set up plans to remediate!

Conclusion

Okta Agent updates have brought several new features and improvements to the platform, including enhanced security and performance, improved user experience, new integrations with other tools and platforms, and essential security and bug fixes. We recommend that you keep the agents up to date and, where possible, never fall more than one release behind the current version.


Agent Redundancy

By following these best practices, you can ensure that your Okta AD agent setup is robust and can continue to provide access to Active Directory data even in the event of an outage or failure. Here is an example of what this might look like in a cloud scenario:

  1. Deploy multiple agents:
    • Deploy an Okta AD agent on a primary server in the main cloud region: This agent can be installed on a virtual machine running in a cloud provider like AWS, Azure, or GCP. This agent can be configured to sync with the on-premises Active Directory and provide access to AD data for users in the main region.
    • Deploy an Okta AD agent on a secondary server in a remote cloud region: This agent can also be installed on a virtual machine running in a different cloud region. This agent can be configured to sync with the on-premises Active Directory and provide access to AD data for users in the remote region.
    • Deploy an Okta AD agent on a tertiary server in a disaster recovery cloud region: This agent can also be installed on a virtual machine running in a different cloud region. This agent can be configured to sync with the on-premises Active Directory and provide access to AD data for users in the event of a disaster.
  2. Use a load balancer: Create a load balancer in front of the three agents to ensure that if one agent becomes unavailable, traffic can be redirected to the other available agents, ensuring that users can access Active Directory data.
    • Configure automatic failover.
  3. Monitor agent status: Setting up monitoring and alerts to notify when an agent is down can help ensure that issues are identified and resolved quickly. Some ways you could monitor the agents:
    • Okta Workflows: Okta Workflows allow you to create custom workflows to automate tasks and processes within your organization. You can create a custom workflow that monitors the status of the agents and sends a notification when an agent is down.
    • Inbuilt Notifications: Okta has inbuilt notifications that can be configured to send alerts when an agent is down. This can be set up in the Okta Administration console.
    • Using a third-party monitoring tool like Nagios, AWS CloudWatch, Azure Monitor, etc.
  4. Keep agents updated: Keeping agents updated to the latest version can help ensure that they are stable and secure (consider using the auto-update feature available from version 3.8 – referenced above).

Azure Cloud Example:

  1. Create three virtual machines (VMs) in Azure, each with the same specifications. These VMs will be used to host the Okta agents.
  2. Install the Okta agent on each of the three VMs. You can do this by downloading the agent package from the Okta website and following the installation instructions.
  3. Configure load balancing between the three VMs. This can be done using Azure’s built-in load balancer service, or by deploying a third-party load balancer. The load balancer will distribute incoming traffic evenly between the three VMs.
  4. Enable high availability for the Okta agents by configuring automatic failover. This can be done by using Azure’s availability sets or availability zones. This ensures that if one of the VMs hosting an Okta agent goes down, the load balancer will automatically redirect traffic to the remaining two VMs.
  5. Once the Okta agents are up and running, configure your application to use the load balancer’s IP address or hostname as the target for authentication requests. This will ensure that the requests are distributed evenly among the three Okta agents.
  6. Finally, monitor the Okta agents and the load balancer to ensure that they are functioning properly and that there are no issues with connectivity or performance.

Image Credit rawpixel.com on Freepix
