Thanks for your interest here. Just this past August at Oktane, our user conference, we announced a beta for our Device Trust feature, which is just one facet of our Contextual Access Management capability. You can read more about it in this blog post (https://www.okta.com/blog/2016/08/contextual-access-management-innovating-across-sso-adaptive-mfa-and-mobility-management/) or this one (https://support.okta.com/help/blogdetail?id=a67F0000000TWJpIAO). Okta's Device Trust functionality works with certificates, whether distributed to the device with Okta Mobility Management or another third party. You can tell Okta which root(s) to look for, and we will consider certificates issued by them to be trusted. Again, this functionality is in beta currently, but we're getting a lot of interest from our customers about it and look forward to fleshing out the feature set to meet the needs we're hearing about before bringing it to you more broadly.
The one tricky thing you'll need to consider is EAS, since there's no real way to do MFA with EAS. O365 recently announced support for certificate authentication to Exchange Online, so we're also going to be investing in certificate-based EAS profiles that are pushed via OMM, if you're interested in that scenario. That way, you could more easily guarantee that a device is trusted, rather than the user just knowing how to configure their password in an EAS profile.