Configure Okta Mobility Management Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Configure Okta Mobility Management
Published: Jan 31, 2018   -   Updated: Jun 22, 2018




Configure Okta Mobility Management

Okta Mobility Management (OMM) allows you to manage your end users' mobile devices, applications, and data. Your end users enroll in the service and can then download and use managed apps from the Apps Store. Managed apps are typically work-related, such as Box or Concur. As an administrator, you can remove managed apps and associated data from end users' devices at any time. You can configure policies, such as data sharing controls, on any of your managed apps.

Before you begin
  1. Make sure end user devices are running the required OS version:
    • iOS – iOS 10.0 and later
    • Android – Android 4.4 and later
  2. Make sure Okta Mobile is installed on end user devices.
  3. For the Okta Mobility Management enrollment process to succeed, Okta Mobile must be installed on end user devices.

    Note the following:

    • iOS – Following OMM enrollment, any security policies that you configure remain active even if end users delete Okta Mobile from their device.
    • Android – Android device users cannot delete Okta Mobile from their devices unless they unenroll from OMM.
  4. (iOS devices only):
  5. Make sure groups are created in your org before you configure mobile policies. You can create groups in Okta or import them from your directory. For more information, see Add and Use Groups below.

Enable OMM enrollment
  1. Go to Devices > Mobile Policies.
  2. Click the appropriate button for the type of OMM enrollment you want to enable:
Android for Work Setup

AfW setup instructions are documented in Okta Mobility Management with Android for Work. For Samsung SAFE and Native Android devices, no additional setup is necessary.

To configure Okta Mobility Management for your Apple iOS devices, you must first configure the Apple Push Notification Service (APNS) certificate. This process requires downloading a Certificate Signing Request (CSR) from Okta, uploading the CSR to Apple for digital signature, and finally uploading the signed certificate to the Okta org; as follows:

  1. Examine the Apple Certificate Setup button:

    • A Yellow exclamation mark indicates a push certificate has not yet been configured.

    • A Green check mark indicates a valid push certificate has already been configured.

    • A Red exclamation mark indicates your current push certificate has either expired, or is close to expiring.

  2. Follow the instructions in the Apple Certificate Setup dialog box:


    Download the Certificate Signing Request

    Click Download to obtain your Certificate Signing Request (okta-apns-CSR.dat) from Okta.

    Obtain Apple Push Notification Service Certificate
    1. Navigate to the Apple Push Certificates management portal using the link provided (

      Note that you will need an Apple ID to log into this portal.

    2. If this is the first time you are setting up a certificate, you are prompted to accept Apple's terms and conditions. If you have configured one or more certificates already, they are listed in the portal.


    3. Click Create a Certificate.
    4. Click Choose File and navigate to the CSR file you downloaded previously for Apple to sign (okta-apns-CSR.dat), then click Upload. Once the request has been successfully uploaded, a confirmation screen appears.


    5. Click Download on the confirmation screen to download the APNS MDM certificate.

      Note that APNS certificates have an expiration date. Log in to the Apple Push Certificates Portal to Renew or Revoke certificates in the Certificates for Third-Party Servers section.

    Upload the Apple Push Certificate

    Return to the Apple Certificate dialog box, click Browse to locate the APNS downloaded in the previous step, then click Upload to complete the CSR signature process.

Once you have configured the Apple Push Notification Service (APNS) certificate, your users must then download and install the Okta Mobile app from the Apple App Store. They should search for Okta Mobile and proceed through the download and installation process.

Manage/Renew your Apple Push Notification (APNS) Certificates


Your Apple ID.

Manage APNS Certificates

Navigate to the Apple Push Certificates Portal, here: (you need your Apple ID to log into this portal).

If you have previously configured one or more certificates, they will be listed in the portal, as shown below. You can Renew, Download, and Revoke APNS certificates from this portal.

Important: We recommend you do not use the Revoke option. If you revoke a certificate, all your end users will subsequently need to re-enroll in Okta Mobility Management.


You can click the information (i) icon to view details (highlighted in yellow below) about each certificate. Use this information to compare certificates in this portal to the one in Okta.


Renew APNS Certificates

It's important that you renew APNS certificates in a timely manner; once an APNS certificate expires, you can't send commands to currently-enrolled devices, and new devices can't enroll. To reduce the likelihood of a certificate expiring, we:

  • Expose the certificate expiration date when you first create the certificate.
  • Send you an email notification 30 days, then 7 days, before expiration.
  • Add an error icon to the Apple Certificate Setup button on the Mobile Policy page when the certificate is within 30 days of expiration.

It's not possible to overwrite an existing certificate in Okta – don't worry about accidentally renewing the wrong certificate. However, you can avoid the hassle of reloading the same certificate by carefully following the instructions below.

APNS certificates expire after one year. If you need to renew your certificate you need to first download a new Certificate Signing Request (CSR) from Okta, as follows:

  1. From your Admin Dashboard, select Devices > Mobile Policies.

  2. Click the Apple Certificate Setup button.


    Note that a green check box on the Apple Certificate Setup button indicates that a push certificate has already been configured, while a red exclamation point indicates the configured certificate has either expired or is close to expiring.

    The Apple Certificate Setup dialog appears:


    Note that step 2 on this screen displays information (highlighted in yellow, above) about your current APNS certificate, expired or not. Use this information to identify the certificate in the portal that you want to renew.

  3. Click Download to obtain your Certificate Signing Request (okta-apns-CSR.dat) from Okta.

  4. Navigate to the Apple Push Certificates Portal, here: (your Apple ID is required to log into this portal).

  5. Locate the certificate that has expired/is expiring, and click Renew.

    Note that you can find information about each certificate by click the information (i) icon. Use this information to compare your certificates.

  6. Click Choose File, then navigate to the CSR file you previously downloaded for Apple to sign (okta-apns-CSR.dat), then click Upload.


    Once the request has been successfully uploaded a confirmation screen is displayed:


  7. Click Download on the confirmation screen.

  8. Return to the Apple Certificate Setup dialog box in Okta, in the Upload Apple Push Certificate section, click Browse to locate the renewed APNS that was just downloaded, then click Upload to complete the process.

Disable Device Wipe permission

Through mobile policy rules for iOS and OSX devices (Devices > Mobile Policies) you can disable the Wipe All Device Data option located on the Device Attributes page Device Actions menu. The wipe option allows you to wipe all data from iOS and OS X devices newly-enrolled in OMM. The setting to disable the permission is applied during OMM enrollment. Devices that are already enrolled in OMM are not affected by changes to this setting.Screenshot

device wipe edit ox rule_1

  1. Go to Mobile Policies > Edit iOS Rule or Edit OS X Rule.
  2. Select Disable wipe all device data permission.
  3. Click Save.

Restrict OMM enrollment based on device status and OS

This is an Early Access feature. To enable it, please contact Okta Support.

You can prevent end users from enrolling compromised iOS and Android devices (jailbroken or rooted ) into Okta Mobility Management (OMM). Compromised devices pose a risk to the security of your org and the sensitive apps that users access from them. You can also restrict enrollment to specified operating system versions.

  1. Go to Devices > Mobile Policies.
  2. Select an existing – or add a new – Device Policy.
  3. Edit an existing – or add a new – Platform Rule.
  4. Under Enrollment, select Allow Devices.
  5. Configure settings in the Enrollment Exceptions section:
    • Jailbroken/Rooted
      • Deny new jailbroken or rooted devices
      • Wipe company data from existing jailbroken or rooted devices
    • OS Version
      • Deny new device if OS version – specify the OS version(s) running on new devices you want to deny access to.
      • Wipe company data from existing device if OS version – specify the OS version(s) running on existing devices you want to wipe company data from.
  6. Click Next to continue.
  7. To configure passcode requirements and data separation, see Okta Mobility Management with Android for Work.
  8. When you are finished, click Save.


  • If you do not select Deny new device but do select Wipe company data from existing device and specify one OS version to be wiped, end users with devices running that version are able to enroll but their device will be desprovisioned when Okta detects it.
  • If Okta Mobile Android end users are restricted from enrollment but then you change the policy to allow them to enroll, end users must sign out of Okta Mobile and then sign back in to be allowed to enroll.

Add users

If you already have imported your users, proceed to the following sections. If not, there are many ways to add users to your org. You can import them as described in Importing People or by individually adding them as described in Adding People. You can import users from your existing directories as well. Refer to Available Directory Integrations for information on importing users from Active Directory, LDAP, and other directories.

Add and use Groups

Okta Mobility Management security policies are configured and enforced at the group level. You cannot assign policies to individual users. You can add groups in Okta or use groups that you have imported from directories or apps. For more information about adding groups in Okta, refer to the Groups section in Manage People. For a complete overview of using groups in Okta, including detailed descriptions of importing groups from directories, refer to About Groups.

Pre-configure Managed Application Configuration

Okta can send pre-configured key-value pairs to all managed apps installed by Okta Mobility Management (OMM).

Mobile admins create a configuration field name, value, and data type when uploading to OMM. These values are sent to the managed apps when end users choose to install them.

Note: Not all apps support configuration of key-value pairs.

  1. From the Dashboard, select Applications > Application-name > Mobile.

  2. Click the Edit icon next to the application you want to preconfigure.

  3. In the Preconfigure section, click the Add keys (iOS) or View Keys (Android).

    Note: For Android for Work apps, keys have already been pre-populated; you can still view them as described later in this article.

    Screen Shot 2017-02-07 at 5.57.35 PM_536x463

  4. Enter the following (for Android for Work, these fields are read-only):

    • Key: The name of the key you want to pre-configure for the selected app.

    • Data Type: Either string, integer, boolean, or *multi (*Android for Work only).

    • Value: The value you want to pre-configure for that key. The value must match the Data Type.

      Screen Shot 2017-02-07 at 5.59.13 PM_599x254

    • Click Add Another to add more key / value pairs (iOS only).

    • Click Save.

Use Expression Language

Managed App Configuration supports light weight Expression Language. To send a user's username instead of a constant string, use appuser.userName. For details about using SpEL with Okta features, see Okta Expression Language.

End User Setup

After you have configured OMM, you must configure one or more Mobile Policies as described in Configuring Mobile Policies.

After you've set up your security policies, your users can sign in to Okta Mobile to enroll. For end-user enrollment instructions, see Okta Mobility Management - End User Setup .

Help end users understand their privacy status

Beginning with Okta Mobile 5.0 for iOS and 2.16.0 for Android, an enhanced enrollment flow helps your end-users understand their device privacy status when their device(s) are enrolled in OMM. This makes it easier for end users to distinguish private data from data that is company-accessible.

Admin Configuration

The following steps assume that you have enabled OMM and created one or more mobile policies. For details about creating policies for iOS or Android, see Configuring Mobile Policies.

Once you have enabled policies for your end-users, they will immediately be prompted with the following enrollment flow when they sign into Okta Mobile.

End User Configuration


End users have three options to proceed:

  • Get Started begins the end user enrollment of OMM.
  • Learn how we protect your privacy provides a list of admin accessible data on the end-user’s device, once connected, as shown below.
  • Skip allows users to come back later.


If the end user chooses to skip enrollment, they are immediately brought into their Okta App page. Selecting Learn More takes them back into the OMM starting page, allowing them another opportunity to enroll. This can also be accessed from the app Settings section of the app.


Once enrolled, end-users can view their device status from the Settings screen. From here, they can also re-enroll if they have previously un-enrolled from OMM.