https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a000000u984sac&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fconfigure-mobile-policies-1980342180
Configure mobile policies
Published: Mar 7, 2018   -   Updated: Jun 22, 2018


Mobile policies allow you to manage the use of your company resources on mobile devices enrolled in Okta Mobility Management (OMM). Policies consist of platform-based rules that let you enforce:

  • The platforms you support (iOS, OS X, Android)
  • The device passcode requirements for each platform
  • If you support Android for Work, you can also set passcode requirements for managed apps, in addition to – or instead of – passcode requirements for devices (Android 7.0+ only). For details, see Configure a Work profile passcode policy.
  • How data is shared between managed and unmanaged apps

You can create multiple mobile policies and apply them to specific groups of people in order to tailor access to your organization's resources. Unless another policy applies, all end users are subject to the read-only Default Policy, which denies enrollment to all devices. Changes to policies do not deprovision users.

Add a Device Policy

Users and their devices are processed in priority order when it comes to participation in OMM. They are subject to the first active policy (and then the first rule) that applies based on their group memberships. To change the priority of a policy, click and drag the choice using its dotted handle.
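The priority-order evaluation described above, as an added Python model (illustrative code, not Okta's implementation). It assumes policies are stored in the order shown on the Mobile Policies page, that a matching policy with no rule for the device's platform is skipped, and that falling through lands on the read-only Default Policy; the shadowed_rules audit helper is a hypothetical addition for spotting rules that can never apply.

```python
from dataclasses import dataclass, field

@dataclass
class PlatformRule:
    platform: str            # "iOS", "OS X" or "Android"
    allow_enrollment: bool   # Allow devices (True) or Deny devices (False)

@dataclass
class MobilePolicy:
    name: str
    active: bool             # new policies are inactive until activated
    groups: frozenset        # the "Assign to groups" setting
    rules: list = field(default_factory=list)   # platform rules in priority order

def evaluate(policies, user_groups, platform):
    """First match wins: walk policies in priority order, skipping inactive ones
    and ones not assigned to any of the user's groups, and return the first rule
    for the platform. Assumption: a matching policy with no rule for the platform
    is skipped. Otherwise the read-only Default Policy applies and denies."""
    for policy in policies:
        if not policy.active or not (policy.groups & user_groups):
            continue
        for rule in policy.rules:
            if rule.platform == platform:
                return policy.name, rule.allow_enrollment
    return "Default Policy", False

def shadowed_rules(policies):
    """Audit helper (hypothetical, not an Okta feature): (policy, platform) pairs
    that can never apply because a higher-priority active policy already has a
    rule for that platform covering every group this policy is assigned to."""
    found = []
    for i, policy in enumerate(policies):
        if not policy.active:
            continue
        for rule in policy.rules:
            covered = set()
            for higher in policies[:i]:
                if higher.active and any(r.platform == rule.platform for r in higher.rules):
                    covered |= higher.groups & policy.groups
            if policy.groups and covered == policy.groups:
                found.append((policy.name, rule.platform))
    return found

SAMPLE = [  # constructed sample, in the order the policies would appear on the page
    MobilePolicy("Engineering BYOD", False, frozenset({"eng"}), [PlatformRule("iOS", True)]),
    MobilePolicy("Corporate", True, frozenset({"eng", "sales"}),
                 [PlatformRule("iOS", True), PlatformRule("Android", False)]),
    MobilePolicy("Sales iOS", True, frozenset({"sales"}), [PlatformRule("iOS", True)]),
    MobilePolicy("Contractors", True, frozenset({"contractors"}), [PlatformRule("Android", True)]),
]
```

In the sample, the inactive "Engineering BYOD" policy is skipped for engineers, and "Sales iOS" is reported as shadowed because "Corporate" already covers the sales group for iOS.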


To create a device policy, do the following:

  1. Go to Devices > Mobile Policies, or click the Configure Okta Mobility Management button on the Devices overview page.
  2. Click Add Device Policy.
  3. Specify the following:
    • Policy name - A unique name for your policy.
    • Description – An optional description.
    • Assign to groups – The groups of users to which this policy will apply.
    • User Agreement – Optional. Select this box, then enter a brief custom user agreement in the text field. This agreement then appears on your end users' devices and must be acknowledged prior to proceeding with OMM enrollment. As part of the OMM enrollment process, end users are warned that enrolling in OMM gives admins certain controls over their devices. This User Agreement is an opportunity to provide additional custom terms and conditions you may want your end users to acknowledge.
  4. Click Save and Add Platform Rule to continue.

Important: All new policies are inactive by default. To activate your new policy, select Activate from the Inactive drop-down menu.

Add a Platform Rule

Rules are written and applied based on their platform. Select a platform, either iOS, OS X (EA), or Android. The resulting available options depend upon the platform you selected.

Configure an iOS Platform Rule

Allow enrollment?

Your selection determines whether users are allowed to enroll their iOS devices through Okta Mobile.

  • Allow devices - If you select this option, click Next to further define the rule.
  • Deny devices - If you select this option, there are no further options; click Save to finish rule creation.

iOS Passcode Requirements

Required or optional - Check this box if you want to make a device passcode required. If required, you need to specify the following:

Allow simple value - Check this box if you want to allow end-users to use repeating or increasing/decreasing characters (such as 123 or CBA).

PIN minimum length - Minimum number of required characters (from 4 to 30).

Characters - You can specify whether passcodes must contain at least one letter, and/or at least one symbol.

Expiration - Either passcodes never expire (the default), or you can specify the number of days after which they expire (Max age), and the number of new passcodes a user must create before reusing one (History limit).

Failed attempts before wipe – Specify the maximum number of times end users can enter the wrong passcode before their device is wiped. Note the following:

  • Select Unlimited attempts if you never want to wipe out a device because of failed passcode attempts.
  • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
  • You can allow up to 10 attempts before a wipe occurs.

iOS Lock Timing

Turn display off - Use the drop-down menu to specify the amount of time between the last user activity and when the device display gets turned off.

Then require passcode - Use the drop-down menu to specify the amount of time between the device display being turned off (either via the auto-lock, or manually by the user) and a passcode being required.

iOS Data Separation

Use these check boxes to specify whether or not Okta-managed apps can access and share data with other unmanaged apps (and vice versa) on a device.

Managed to personal - Check this if you want Managed apps to be able to transfer data to personal apps.

Personal to managed - Check this if you want Personal apps to be able to transfer data to managed apps.

Configure an OS X Platform Rule - EA

This is an Early Access feature. To enable it, please contact Okta Support.

Allow enrollment?

Your selection determines whether users are allowed to enroll their devices through Okta Mobile.

  • Allow devices - If you select this, click Next to further define the rule.
  • Deny devices - If you select this, there are no further options; click Save to finish rule creation.

OS X Passcode Requirements

Required or optional - Check this box if you want to make a device passcode required. If required, you need to specify the following:

Allow simple value - Check this box if you want to allow end-users to use repeating or increasing/decreasing characters (such as 123 or CBA).

Minimum length - Minimum number of required characters (from 4 to 30).

Characters - You can specify whether passcodes must contain at least one letter, and/or at least one symbol.

Expiration - Either passcodes never expire (the default), or you can specify the number of days after which they expire (Max age), and the number of new passcodes a user must create before reusing one (History limit).

Failed attempts before lock – Specify the maximum number of times end users can enter the wrong passcode before their device is locked out. Note the following:

  • Select Unlimited attempts if you never want to lock out a device because of failed passcode attempts.
  • Devices are not locked if users enter the wrong passcode fewer than 4 times.
  • Important: Limiting failed attempts to 4 or more (rather than Unlimited) requires that the OS X device have both a user account and an admin account.
  • You can allow up to 10 attempts before lock out.

Configure an Android Platform Rule

Allow enrollment?

Your selection determines whether users are allowed to enroll their devices through Okta Mobile.

  • Allow devices — If you select this option, you must specify which types of devices are supported:
    • Android for Work. If this option is unavailable, click Set Up AfW.
    • Samsung SAFE
    • Native Android

    Enrollment options are ordered by priority. If you select more than one, Okta first attempts to enroll a device using the top-most selected option. If the device doesn't support a selected option, the next selected option is attempted.

  • Deny devices — If you select this, there are no further options; click Save to finish rule creation.

Click Next to proceed to the next screen.

General Android Device Passcode Requirements

Prompt for device passcode — Select this option if you want to require users to enter a device passcode, then specify the passcode requirements.

PIN minimum length — Minimum number of required characters (from 4 to 30).

Characters — You can specify whether passcodes must contain at least one letter, and/or at least one symbol.

Expiration — Either passcodes never expire (the default), or you can specify the number of days after which they expire (Max age), and the number of distinct passwords a user must create before they can reuse a previous password (History limit, which prevents users from reusing a previous password for a specified period of time).

Failed attempts before wipe — Specify the maximum number of times end users can enter the wrong passcode before their device is wiped. Note the following:

  • Select Unlimited attempts if you never want to wipe a device because of failed passcode attempts.
  • On Android for Work, only the Work profile is wiped.
  • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
  • You can allow up to 10 attempts before a wipe occurs.

Device lock timeout — Use the dropdown menu to specify how long after the device display is turned off that a passcode is required to unlock the device.

Note: Only supported on Android devices running Okta Mobile 2.8 or higher.

Android Data Separation

Work profile to personal — Select this option to allow apps in the personal profile to open files in the work profile.

Important: Regardless of how you configure the Data Separation option above, Okta recommends that you deploy at least the following types of apps to your users:

  • Browser (such as Chrome)
  • PDF reader (such as Adobe Acrobat Reader)
  • Image viewer (such as Google Photos)
  • Music player (such as Google Play Music)

For details, see Managed Application Configurations.

Optional: Android 7.0+ Work Passcode Requirements

Note: This section appears only if you have selected Android for Work under Allow Devices on the previous page.

Prompt for work passcode — Select this option if you want to require Android 7.0+ users to enter a passcode to open any managed application on their device, then specify the passcode requirements.

PIN minimum length — Minimum number of required characters (from 4 to 30).

Characters — You can specify whether passcodes must contain at least one letter, and/or at least one symbol.

Expiration — Either passcodes never expire (the default), or you can specify the number of days after which they expire (Max age), and the number of distinct passwords a user must create before they can reuse a previous password (History limit, which prevents users from reusing a previous password for a specified period of time).

Failed attempts before wipe — Specify the maximum number of times end users can enter the wrong passcode before their device is wiped. Note the following:

  • Select Unlimited attempts if you never want to wipe a device because of failed passcode attempts.
  • On Android for Work, only the Work profile is wiped.
  • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
  • You can allow up to 10 attempts before a wipe occurs.

Device lock timeout — Use the dropdown menu to specify how long after the device display is turned off that a passcode is required to unlock the device.

Note: Only supported on Android devices running Okta Mobile 2.8 or higher.

Important: When this option is selected, general Android device passcode requirements no longer apply to Android 7.0+ devices. If you want your Android 7.0+ users to lock their entire device in addition to their work profile, select this option and the option below.

Prompt for device passcode on 7.0+ — Select this option if you want to require Android 7.0+ users to enter a passcode to unlock their device. If this is selected, you must also specify the passcode requirements.

PIN minimum length — Minimum number of required characters (from 4 to 30).

Characters — You can specify whether passcodes must contain at least one letter, and/or at least one symbol.

Expiration — Either passcodes never expire (the default), or you can specify the number of days after which they expire (Max age), and the number of distinct passwords a user must create before they can reuse a previous password (History limit, which prevents users from reusing a previous password for a specified period of time).

Failed attempts before wipe — Specify the maximum number of times end users can enter the wrong passcode before their device is wiped. Note the following:

  • Select Unlimited attempts if you never want to wipe a device because of failed passcode attempts.
  • On Android for Work, only the Work profile is wiped.
  • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
  • You can allow up to 10 attempts before a wipe occurs.

Device lock timeout — Use the dropdown menu to specify how long after the device display is turned off that a passcode is required to unlock the device.

Note: Only supported on Android devices running Okta Mobile 2.8 or higher.

Known Issue: (Applies to Android devices running versions 7.1 or 7.1.1; fixed in 7.1.2) After an admin strengthens a group's work profile passcode policy, end users are prompted to update their passcode to comply with the updated policy. However, when end users respond to the prompt, their device passcode is updated instead of their work profile passcode. If the end user's Security settings allow different device and work profile passcodes, they are prompted continually to update their work profile passcode until they change it in their device settings.
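The passcode settings described for iOS, OS X and Android above (minimum length of 4 to 30, simple values, letter and symbol requirements, history limit, and a failed-attempt limit of Unlimited or 4 to 10) as an added Python checker. This is illustrative code, not Okta's implementation; it assumes a "symbol" is any non-alphanumeric character and models only the settings the page lists, so that an admin can sanity-check a proposed policy and a sample passcode against it before rolling the policy out.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class PasscodePolicy:
    min_length: int = 4                     # page: 4 to 30
    allow_simple: bool = False              # repeating or increasing/decreasing values
    require_letter: bool = False
    require_symbol: bool = False            # symbol = any non-alphanumeric (assumption)
    history_limit: int = 0                  # 0 = no history check
    fail_before_wipe: Optional[int] = None  # None = Unlimited attempts, else 4 to 10

def policy_errors(p):
    """Settings outside the ranges the page documents for the admin UI."""
    errors = []
    if not 4 <= p.min_length <= 30:
        errors.append("minimum length must be 4 to 30")
    if p.fail_before_wipe is not None and not 4 <= p.fail_before_wipe <= 10:
        errors.append("failed attempts must be Unlimited or 4 to 10")
    return errors

def is_simple(passcode):
    """Simple value as the page describes it: every character repeats, or the
    sequence rises or falls by one code point at each step (123, CBA)."""
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps <= {0} or steps == {1} or steps == {-1}

def check_passcode(p, passcode, history=()):
    """Requirements a candidate passcode violates ([] means compliant).
    history: previous passcodes, oldest first; only the last history_limit count."""
    problems = []
    if len(passcode) < p.min_length:
        problems.append("shorter than minimum length")
    if not p.allow_simple and is_simple(passcode):
        problems.append("simple value not allowed")
    if p.require_letter and not re.search(r"[A-Za-z]", passcode):
        problems.append("needs at least one letter")
    if p.require_symbol and not re.search(r"[^A-Za-z0-9]", passcode):
        problems.append("needs at least one symbol")
    if p.history_limit and passcode in history[-p.history_limit:]:
        problems.append("reused within history limit")
    return problems

# Constructed example policy using the settings described on this page.
CORP_POLICY = PasscodePolicy(min_length=6, require_letter=True, require_symbol=True,
                             history_limit=3, fail_before_wipe=6)
```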

Manage Platform Rules

Once created, all platform rules appear as a list under Platforms. Click the platform icon to display the rules currently configured for the platform. To change rules, click the pencil icon.

Note: The list of rules is similar for Android and iOS devices. Here is a typical Android rules list:

[Figure: typical Android rules list]
