Okta Production – Release 2016.30
Published: Aug 2, 2016   -   Updated: Jun 22, 2018

Okta Preview Sandbox (oktapreview.com) features from 2016.29 and 2016.30 have been combined and pushed to Production (okta.com). This deployment began on August 1. For the latest information on our release schedule, see Current Release Status.

Check the version number at the bottom of your Okta Administrator page to see your current version. Clicking the version number takes you directly to the folder containing the release notes.

Version numbers indicate the year and week of the year that releases are pushed to orgs. For example, release 2016.02 was pushed the second week of 2016. The week numbers follow the ISO Week Date convention. 

Important Notice for AD Integrations Using Federated Profiles

If your Okta Active Directory (AD) integration uses Federated Profiles, you should update to the latest GA version of the Okta AD agent. Beginning April 21, 2016, Okta automatically migrated all orgs that use the Federated Profiles option to the Okta enhanced AD integration, which requires agent version 3.0.8 or higher. If your Okta AD agent is earlier than version 3.0.8, following the migration your organization may experience inconsistent behavior, including loss of groups and group memberships.

To identify orgs running Federated Profiles, see Determining Your AD Integration Type.

For download and installation instructions, see Installing and Configuring the Active Directory Agent.

Note: If you run multiple Okta AD agents, upgrade all agents on your domain servers to the same version. Running different versions of the AD agent can cause all of them to function at the level of your oldest agent.

What's New

Unless otherwise noted, these features are available for all organizations with release 2016.30.

  • The Access Request Workflow feature is now available. It is a complete, multi-step approval workflow through which end users can request access to apps. Admins can select approvers who have the ability to grant access for self-service applications. Access Request Workflow features group and individual approvers, customized notifications, commenting, notes, and customizable timeout rules. All setup is accessed from the Okta Admin Dashboard and requires no programming or configuration files. For more information, see Access Request Workflow.

    Note: This is an Early Access (EA) feature that requires either the Enterprise Plus or Provisioning Product editions. Contact Okta Support to enable it.

  • We have increased the character limit of the SAM Account name field in the Push Groups to Active Directory modal from 20 to 256 characters. This allows admins to create long sAMAccountName values in Okta that match their Active Directory (AD) naming convention. Push Groups is an Early Access (EA) feature.

  • The feature that allows admins to auto-launch a specific app for all end users at sign in is now Generally Available (GA). Previously, this option was only available to end users. Now, admins can access this option from the specific <App> page > General tab > App Settings, as detailed in Using the Okta Applications Page. Note: Selecting this option only affects end users who are newly assigned to the app. Previously assigned users must manually choose auto-launch by accessing the app chiclet <App> Settings button.

  • As an alternative to sending notifications to everyone in your org, you can now specify individual users and groups. For more information, see About Your Administrator Dashboard.

  • In the app settings of supported apps, you can now toggle between Reveal Password and Hide Password to control password visibility.

  • When you define a SAML IdP, you can select a user profile attribute to match against the IdP username. More attributes are now available for selection in the Match against dropdown. For details, see Configuring Inbound SAML with Universal Directory Options.

  • Support for the Czech language for the end user experience is now available to all customers in Beta format. You can select the default language preference for your entire org, and your end users can select a different language preference for their own experience. The end user's preference overrides the language set for the org. For more information, see Setting Language Preferences.
  • Now, when turning provisioning or profile push updates on or off, the setting for pushing from Okta to an app is not reset and the current values are retained.
  • Okta Mobility Management (OMM) now supports the MacOS (OS X) platform. OMM for MacOS enables customers to apply lightweight management and security controls on MacOS devices with easy self-enrollment for end users.

    For a matrix of features supported by each platform including MacOS, see Okta Mobility Management Features Matrix. For enablement and enrollment information, see OMM – MacOS Management.

    This is an Early Access (EA) feature; contact Okta Support to enable it.

  • We have improved how Apple Push Notification Service (APNS) certificates for OMM are managed. Once the certificate expires, you can't send commands to currently enrolled devices, and new devices can't enroll. To reduce the likelihood of a certificate expiring, we now:

    • Expose the certificate expiration date when you first create the certificate.

    • Create an admin task to remind you to renew the certificate. The task remains until you renew or create a new certificate.

    • Send you an email notification 30 days, then 7 days, before expiration.

    • Add an error icon to the Apple Certificate Setup button on the Mobile Policy page when the certificate is within 30 days of expiration.

    For more information, see Renewing Apple Push Notification Service Certificates and Configuring Okta Mobility Management.

  • We now support Device Identity Certificate renewal for iOS/MacOS (OS X) devices. During enrollment to OMM, we provision devices with an Identity Certificate, issued by Okta, and valid for two years. We now renew this certificate silently, 60 days before expiry, without any impact on you or your end users.

  • We have extended the number of orgs that can benefit from the Import Safeguard feature. Orgs with a minimum of 100 app assignments can now take advantage of the safeguard. Previously, Okta required at least 1000 app assignments before a warning could be triggered.

  • We have enhanced our Netsuite integration to support the following:

    • Netsuite as Profile Master

    • Token-based Authentication

    • Universal Directory

    These are Early Access (EA) features; contact Okta Support to enable them.

    For more details, see the Netsuite Provisioning Guide.

  • We have enhanced our JIRA integration to support Import Groups and Memberships.

  • Browser plugin version 5.70 for Internet Explorer is now GA. We have also updated the Internet Explorer plugin for EA users to version 5.6.5. Both updates provide performance and security enhancements. For plugin version history, see Browser Plugin Version History.

  • We have enhanced the BambooHR integration to allow authentication and provisioning of non-employees using the Bamboo API.

Agent Update

The latest On-Prem MFA agent, version 1.3.2, is a proxy server option. This EA agent allows for proxy configuration with your RADIUS-enabled on-prem MFA server, including RSA Authentication Manager for RSA SecurIDs. For details, see Using the On-Prem MFA Agent with Proxy (Early Access).

Platform Release Notes

Changes to the platform for this release are published in the Platform Release Notes on http://developer.okta.com.

Incremental Features Summary

There are no incremental features to announce this week.

Discontinued Support

Note: This notice was modified August 19 after initial publication of these release notes.

Microsoft has updated the sync functionality of their OneDrive application, and has replaced the OneDrive for Business Client (groove.exe) with the OneDrive for Business Next Generation Sync Client (onedrive.exe). Consequently, Okta has discontinued support for the OneDrive for Business Client (groove.exe). Users are now prompted to upgrade to the OneDrive for Business Next Generation Sync Client (onedrive.exe). For more information, see Upgrading to OneDrive for Business Next Generation Sync Client.

Application Updates

We've implemented SAML for the following Okta Verified applications:

  • Directly (OKTA-94261)

  • Ingeniux CMS (OKTA-92230)

  • IPfolio - Staff (OKTA-98059)

  • Sage Live (OKTA-94119)

  • SinglePointHCM (OKTA-87629)

  • Wake (OKTA-86175)

  • Zinc (OKTA-92161)

  • Zscaler Private Access

We've implemented SAML for the following Community Created application:

  • Confer (OKTA-93105)


We've implemented SWA for the following Okta Verified applications:

  • Unitrax by L&T Infotech

  • Zapier Wizard (OKTA-95412)

We've added the following Mobile applications for use with Okta Mobility Management (OMM):

  • AxurePortal (OKTA-76597)

  • Pivotal Tracker (OKTA-95249)

We've changed Signature/Digest algorithms from SHA1 to SHA256 for the following SAML apps:

  • Asset Bank (OKTA-95811)

  • BlueJeans (OKTA-94761)

  • BMC AppZone (OKTA-95981)

  • Casper.aero (OKTA-96091)

  • Clarizen (OKTA-94637)

  • CustomPoint (OKTA-96249)

  • DocuSign (OKTA-95063)

  • Egnyte (OKTA-95065)

  • Expensify SAML (OKTA-94643)

  • GoToMeeting (OKTA-95068)

  • HackerRank For Work (OKTA-96391)

  • Join.Me SAML (OKTA-95381)

  • OpenDNS (OKTA-94639)

  • Salesforce Customer Portal

  • Salesforce.com (OKTA-94562)

  • Sugar CRM (OKTA-94653)

  • ThousandEyes (OKTA-94674)

  • Veeva (OKTA-95482)

  • Xactly (OKTA-94661)

  • ZScaler (OKTA-95053)

Bug Fixes

Bug numbers ending with an H are hotfixes. Hotfixes are generally deployed after the initial release.

Product Bug Fixes

The following issues are fixed:

  • OKTA-82555 – Provisioning task errors for Veeva Vault could not be cleared from the Okta Dashboard.
  • OKTA-88547 – Admins with the User Admin role could not create users.
  • OKTA-89653 – For some SAML integrations, an SP-init flow that sent an SP's SAML request with `forceAuthn` set to `true` resulted in an HTTP Error 400.
  • OKTA-90247 – In the Okta EMEA environment, the Suggest a Feature link at the bottom of the admin Dashboard redirected users to the Support page on okta.com instead of okta-emea.com.
  • OKTA-90450 – End users were unable to enroll in OMM if they were already signed into Okta via a Safari browser.
  • OKTA-90726 – We have improved the OMM enrollment flow for iOS devices by introducing throttling between enrollment and when profiles are sent out.
  • OKTA-90994 – The list of installed apps on Mobile iOS devices was not updating properly upon enrollment in OMM.
  • OKTA-90995 – After unenrollment from OMM, the list of installed apps on Mobile iOS devices did not properly reset.
  • OKTA-91151 – In SP-initiated flows, app names that contain an ampersand (&) were missing or truncated on the Okta Sign In page in orgs with the New Okta Sign-In Experience enabled.
  • OKTA-92292 – The values of custom Universal Directory fields were not being mapped from the Profile Editor for the Salesforce app.
  • OKTA-92653 – Active Directory users were unable to set up Duo as the 2nd factor authentication during their initial account setup.
  • OKTA-93376 – A new Nevada area code prevented delivery of recovery passwords for Okta end-users.
  • OKTA-93468 – Users in South Sudan were unable to register their country code prefix to receive an SMS message. It was not displayed in the list of countries.
  • OKTA-93475 – The Zendesk app could not be assigned if the Custom Role was left blank.
  • OKTA-93837 – JIT provisioning failed in AD when the change password at next login option was set for the user.
  • OKTA-94471 – The Network Zones feature inadvertently disabled the ability to configure Delegated Authentication settings. This only occurred for orgs that had Desktop Single Sign-On configured.
  • OKTA-94720 – Testing API credentials failed when trying to enable provisioning settings for a SCIM server.
  • OKTA-95030 – Mobile apps could not be secured on Apple devices running iOS 9.3.2.
  • OKTA-95436 – Users were unable to see the complete list of Network Zones when more than 20 zones were added to the configuration.
  • OKTA-95520 – Logging in to O365 from thick clients failed for end users using DUO, SMS, and Okta Verify in orgs with the New Okta Sign-In Experience enabled.
  • OKTA-95547 – The View Log link on the Active Directory page did not link to our new EA System Log (when enabled).
  • OKTA-95574 – An incorrect version of Okta Mobile was listed on the Okta Downloads page.
  • OKTA-95628 – Provisioning users for O365 failed if the user's password contained special characters.
  • OKTA-96310H – De-duplication of groups failed for template-based SAML apps when groups were pushed to other Okta orgs via the Org2Org app.

App Integrations Fixes

The following SWA apps were not working correctly and are now fixed:

  • American Airlines (OKTA-92950)

  • BioCentury (OKTA-94894)

  • Bullhorn (OKTA-95301)

  • Exclusive Resorts (OKTA-95808)

  • HRConnection by Zywave (OKTA-95627)

  • IBM MaaS360 (OKTA-93935)

  • IBM MaaS360 (OKTA-95373)

  • Life Size (OKTA-95664)

  • Microsoft Office 365 (OKTA-92533)

  • Pivotal Tracker (OKTA-94926)

  • Promapp (OKTA-95620)

  • SAP Support Portal

  • The Chronicle of Philanthropy (OKTA-96131)

  • Twitter Developer (OKTA-95140)

  • UBS One Source (OKTA-86824)