Okta Mobility Management (OMM) allows you to manage your end users' mobile devices, applications, and data. Your end users enroll in the service and can then download and use managed apps from the Apps Store. Managed apps are typically work-related, such as Box or Concur. As an administrator, you can remove managed apps and associated data from end users' devices at any time. You can configure policies, such as data sharing controls, on any of your managed apps.
For the Okta Mobility Management enrollment process to succeed, Okta Mobile must be installed on end user devices.
Note the following:
Android for Work Setup
AfW setup instructions are documented in Okta Mobility Management with Android for Work. For Samsung SAFE and Native Android devices, no additional setup is necessary.
To configure Okta Mobility Management for your Apple iOS devices, you must first configure the Apple Push Notification Service (APNS) certificate. This process requires downloading a Certificate Signing Request (CSR) from Okta, uploading the CSR to Apple for digital signature, and finally uploading the signed certificate to the Okta org; as follows:
Follow the instructions in the Apple Certificate Setup dialog box:
Download the Certificate Signing Request
Click Download to obtain your Certificate Signing Request (okta-apns-CSR.dat) from Okta.
Obtain Apple Push Notification Service Certificate
Upload the Apple Push Certificate
Return to the Apple Certificate dialog box, click Browse to locate the APNS certificate downloaded in the previous step, then click Upload to complete the CSR signature process.
Once you have configured the Apple Push Notification Service (APNS) certificate, your users must then download and install the Okta Mobile app from the Apple App Store. They should search for Okta Mobile and proceed through the download and installation process.
Requirements: Your Apple ID.
Manage APNS Certificates
Navigate to the Apple Push Certificates Portal, here: https://identity.apple.com/pushcert/ (you need your Apple ID to log into this portal).
If you have previously configured one or more certificates, they will be listed in the portal, as shown below. You can Renew, Download, and Revoke APNS certificates from this portal.
Important: We recommend you do not use the Revoke option. If you revoke a certificate, all your end users will subsequently need to re-enroll in Okta Mobility Management.
You can click the information (i) icon to view details (highlighted in yellow below) about each certificate. Use this information to compare certificates in this portal to the one in Okta.
Renew APNS Certificates
It's important that you renew APNS certificates in a timely manner; once an APNS certificate expires, you can't send commands to currently enrolled devices, and new devices can't enroll. To reduce the likelihood of a certificate expiring, we:
It's not possible to overwrite an existing certificate in Okta, so don't worry about accidentally renewing the wrong certificate. However, you can avoid the hassle of reloading the same certificate by carefully following the instructions below.
APNS certificates expire after one year. If you need to renew your certificate, first download a new Certificate Signing Request (CSR) from Okta, as follows:
Through mobile policy rules for iOS and OS X devices (Devices > Mobile Policies) you can disable the Wipe All Device Data option located on the Device Attributes page Device Actions menu. The wipe option allows you to wipe all data from iOS and OS X devices newly enrolled in OMM. The setting to disable the permission is applied during OMM enrollment. Devices that are already enrolled in OMM are not affected by changes to this setting.
This is an Early Access feature. To enable it, please contact Okta Support.
You can prevent end users from enrolling compromised iOS and Android devices (jailbroken or rooted) into Okta Mobility Management (OMM). Compromised devices pose a risk to the security of your org and the sensitive apps that users access from them. You can also restrict enrollment to specified operating system versions.
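To make the enrollment restriction concrete, here is an added example (not Okta's code) of a fail-closed enrollment gate that denies jailbroken or rooted devices and enforces a minimum OS version per platform; the device record fields and the policy shape are assumptions.

```python
"""Toy enrollment gate for the policy described above: deny jailbroken or rooted
devices and enforce a minimum OS version per platform. Added example, not Okta's
code; the device record fields and the policy shape are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    platform: str       # "iOS" or "Android"
    os_version: str     # dotted version string as reported by the device
    compromised: bool   # jailbroken (iOS) or rooted (Android)

# Assumed policy: minimum permitted OS version per platform.
MIN_VERSION = {"iOS": "12.4", "Android": "8.0"}

def parse_version(text):
    """'12.4.1' -> (12, 4, 1). Compare as int tuples, never as strings:
    lexically '9.3' > '10.0', which would let an old device through."""
    return tuple(int(part) for part in text.strip().split("."))

def enrollment_decision(device, policy=MIN_VERSION):
    """Return (allowed, reason). Fails closed: compromise, unknown platform and
    unparseable versions are all denied before the version is compared."""
    if device.compromised:
        return False, f"{device.platform} device is jailbroken or rooted"
    if device.platform not in policy:
        return False, f"unsupported platform {device.platform!r}"
    try:
        reported = parse_version(device.os_version)
    except ValueError:
        return False, f"unparseable OS version {device.os_version!r}"
    minimum = parse_version(policy[device.platform])
    if reported < minimum:
        return False, f"{device.platform} {device.os_version} is below minimum {policy[device.platform]}"
    return True, "enrollment permitted"

# Constructed sample devices: compliant iOS, too-old iOS, rooted Android, compliant Android.
SAMPLES = [
    Device("iOS", "13.3", False),
    Device("iOS", "9.3", False),
    Device("Android", "10", True),
    Device("Android", "10", False),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d, enrollment_decision(d))
```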
If you already have imported your users, proceed to the following sections. If not, there are many ways to add users to your org. You can import them as described in Importing People or by individually adding them as described in Adding People. You can import users from your existing directories as well. Refer to Available Directory Integrations for information on importing users from Active Directory, LDAP, and other directories.
Okta Mobility Management security policies are configured and enforced at the group level. You cannot assign policies to individual users. You can add groups in Okta or use groups that you have imported from directories or apps. For more information about adding groups in Okta, refer to the Groups section in Manage People. For a complete overview of using groups in Okta, including detailed descriptions of importing groups from directories, refer to About Groups.
Okta can send pre-configured key-value pairs to all managed apps installed by Okta Mobility Management (OMM).
Mobile admins create a configuration field name, value, and data type when uploading to OMM. These values are sent to the managed apps when end users choose to install them.
Note: Not all apps support configuration of key-value pairs.
Use Expression Language
Managed App Configuration supports lightweight Expression Language. To send a user's username instead of a constant string, use appuser.userName. For details about using SpEL with Okta features, see Okta Expression Language.
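As an added illustration of how the key-value pairs above are resolved per user (this is an example, not Okta's implementation), the following resolver takes admin-defined fields with a name, value and data type, substitutes appuser.userName from the app user record, casts each value to its declared type, and refuses to ship an unresolved expression; the data type set and the acceptance of other appuser.<attribute> names are assumptions.

```python
"""Toy resolver for managed-app configuration key-value fields, each with a data type,
where a value is a constant or the expression appuser.userName. Added example, not Okta's code."""
from dataclasses import dataclass
import re

# The page documents appuser.userName; accepting other appuser.<attr> names is an assumption.
_EXPR = re.compile(r"^appuser\.(\w+)$")

# Assumed set of admin-selectable data types and how each value is cast.
_CASTERS = {
    "String": str,
    "Integer": int,
    "Boolean": lambda v: v if isinstance(v, bool) else str(v).lower() == "true",
}

@dataclass(frozen=True)
class ConfigField:
    name: str
    value: object    # constant, or an expression such as "appuser.userName"
    data_type: str   # "String", "Integer" or "Boolean"

def resolve(fields, appuser):
    """Build one user's payload: expressions are looked up on the app user record and
    every value is cast to its declared type; unknown attributes or types raise rather
    than shipping a literal "appuser.x" string or a mistyped value to the app."""
    payload = {}
    for f in fields:
        if f.data_type not in _CASTERS:
            raise ValueError(f"{f.name}: unsupported data type {f.data_type!r}")
        raw = f.value
        m = _EXPR.match(raw) if isinstance(raw, str) else None
        if m:
            attr = m.group(1)
            if attr not in appuser:
                raise KeyError(f"{f.name}: appuser has no attribute {attr!r}")
            raw = appuser[attr]
        payload[f.name] = _CASTERS[f.data_type](raw)
    return payload

# Constructed sample: four admin-defined fields and one app user record.
SAMPLE_FIELDS = [
    ConfigField("serverUrl", "https://box.example.com", "String"),
    ConfigField("loginName", "appuser.userName", "String"),
    ConfigField("syncIntervalMinutes", "15", "Integer"),
    ConfigField("allowOpenIn", "false", "Boolean"),
]
SAMPLE_APPUSER = {"userName": "jdoe@example.com", "firstName": "Jane"}
```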
After you have configured OMM, you must configure one or more Mobile Policies as described in Configuring Mobile Policies.
After you've set up your security policies, your users can sign in to Okta Mobile to enroll. For end-user enrollment instructions, see Okta Mobility Management - End User Setup.
Help end users understand their privacy status
Beginning with Okta Mobile 5.0 for iOS and 2.16.0 for Android, an enhanced enrollment flow helps your end users understand their device privacy status when their device(s) are enrolled in OMM. This makes it easier for end users to distinguish private data from data that is company-accessible.
The following steps assume that you have enabled OMM and created one or more mobile policies. For details about creating policies for iOS or Android, see Configuring Mobile Policies.
Once you have enabled policies for your end users, they will immediately be prompted with the following enrollment flow when they sign into Okta Mobile.
End User Configuration
End users have three options to proceed:
If the end user chooses to skip enrollment, they are immediately brought into their Okta App page. Selecting Learn More takes them back into the OMM starting page, allowing them another opportunity to enroll. This can also be accessed from the Settings section of the app.
Once enrolled, end users can view their device status from the Settings screen. From here, they can also re-enroll if they have previously un-enrolled from OMM.