Can users enroll in OMM if they already have Okta Mobile installed?
Yes. Users will be prompted to enroll their device in OMM the next time they access Okta Mobile.
Is there a minimum version of mobile operating systems required for Okta Mobility Management?
Yes. iOS devices need to be iOS 7 or higher, and Android devices need to be Android v4 or higher.
How should users prepare their mobile device for OMM enrollment?
Users do not have to do anything to prepare their devices for OMM enrollment. However, Okta recommends that users remove any applications and Exchange ActiveSync (EAS) profiles that will be managed through OMM prior to device enrollment, because existing instances of applications and EAS profiles cannot be managed unless they are installed through OMM provisioning. If users enroll in OMM before removing existing applications and profiles, they simply need to delete the unmanaged version and re-install the app through the Okta Mobile App Store. Please note that EAS profiles are automatically pushed to the device and do not need to be installed through the Okta Mobile App Store.
What happens if a user backs up and restores data from iCloud that has been deprovisioned, to either an existing or a new device?
The Okta Mobility Management MDM profile is backed up as part of the phone/tablet iCloud data. If a user restores the backed-up data to their existing device, the device automatically checks in with the Okta Mobility Management server once the restore completes and removes any data that has been deprovisioned. If the user restores the backed-up data to a new device, the MDM profile and all associated applications and EAS accounts are not restored to the new device.
Are there any non-optional security policies required on the user PIN?
Yes. Okta does not allow sequential or repeating numbers to be used as the device PIN. This setting cannot be disabled for security reasons.
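The following is an added example, not Okta's own code, showing how the two non-optional PIN rules described above can be checked before a PIN is accepted. The page does not publish Okta's exact definitions, so the example assumes "repeating" means every digit is identical and "sequential" means each digit is the previous one plus or minus one; the minimum-length setting is an assumed, admin-configurable value added for illustration.

```python
"""Validate a numeric device PIN against the non-optional OMM rules:
no sequential digits and no repeating digits.

Added example, not Okta's code. Assumed definitions (not stated on the page):
  - repeating:  every digit is the same            (e.g. 1111, 000000)
  - sequential: each digit is previous +1 or -1     (e.g. 1234, 9876)
"""


def is_repeating(pin: str) -> bool:
    """True if every digit in the PIN is identical."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """True if the PIN is one run of consecutive digits, ascending or descending.
    A PIN shorter than two digits has no deltas and is never sequential."""
    deltas = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return deltas == {1} or deltas == {-1}


def check_pin(pin: str, min_length: int = 4) -> list[str]:
    """Return the list of policy violations; an empty list means the PIN passes.

    min_length is an assumed admin-configurable setting. The repeating and
    sequential rules are always enforced, mirroring the FAQ answer above.
    """
    violations = []
    if not pin.isdigit():
        # Reject non-numeric input up front; the other checks assume digits.
        violations.append("PIN must contain digits only")
        return violations
    if len(pin) < min_length:
        violations.append(f"PIN must be at least {min_length} digits")
    if is_repeating(pin):
        violations.append("repeating digits are not allowed")
    if is_sequential(pin):
        violations.append("sequential digits are not allowed")
    return violations


if __name__ == "__main__":
    # Constructed sample PINs covering the accepted and rejected cases.
    for candidate in ["1111", "1234", "9876", "2580", "013579", "12"]:
        result = check_pin(candidate)
        print(candidate, "OK" if not result else "; ".join(result))
```

Note that a PIN such as 2580 passes both checks even though it is a straight line on a phone keypad; the rules above are about digit values, not keypad geometry, so a deployment wanting to reject keypad patterns would need an additional check.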
If Okta Mobility Management requires a passcode complexity or length that exceeds the current passcode on the device how are users prompted to change their passcode?
Users are prompted to update their passcode when they exit the Okta Mobile app, and have up to 60 minutes to enter a new passcode that meets the minimum requirements. If users don't comply within the 60-minute notification window, the mobile operating system forces them to change their passcode before they can take any further action on the device.
If multiple policies apply to a group how are policies applied?
MDM policies are applied in order, based on the precedence list defined in the Okta admin console. If a user's group memberships make multiple policies applicable, whether through the same group or through different group memberships, only the first (highest-priority) matching policy applies.
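As an added example (not Okta's code or an Okta API), the function below models the precedence rule just described: walk the ordered precedence list and return the first policy assigned to any group the user belongs to, ignoring lower-priority policies even when the user is also in their groups. The policy names, group names and the single representative setting are constructed for illustration.

```python
"""Resolve which OMM policy applies to a user when several could match.

Added example, not Okta's code. Models the FAQ rule: policies are evaluated
in admin-console precedence order and only the first match applies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset[str]   # groups this policy is assigned to
    min_pin_length: int      # one representative setting, constructed


# Constructed precedence list, highest priority first (index 0 wins).
PRECEDENCE = [
    Policy("Executives", frozenset({"execs"}), min_pin_length=8),
    Policy("Engineering", frozenset({"eng", "eng-contractors"}), min_pin_length=6),
    Policy("Default", frozenset({"everyone"}), min_pin_length=4),
]


def resolve_policy(user_groups, precedence=PRECEDENCE):
    """Return the first policy in precedence order assigned to any of the
    user's groups, or None if no policy matches. A user who is in the groups
    of several policies still gets exactly one: the earliest in the list."""
    groups = set(user_groups)
    for policy in precedence:
        if policy.groups & groups:
            return policy
    return None


def applicable_policies(user_groups, precedence=PRECEDENCE):
    """Every policy that would match, in precedence order. Handy when an admin
    asks why a user is not getting the settings of a lower-priority policy."""
    groups = set(user_groups)
    return [p for p in precedence if p.groups & groups]


if __name__ == "__main__":
    # Constructed user: in the default group and in an engineering group.
    user = {"everyone", "eng"}
    winner = resolve_policy(user)
    print("applies:", winner.name, "min PIN length", winner.min_pin_length)
    print("also matched but ignored:",
          [p.name for p in applicable_policies(user) if p is not winner])
```

Because only the first match counts, reordering the precedence list changes which settings a multi-group user receives; the second helper makes that visible before a reorder is pushed to devices.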
Is Managed Open In a bi-directional restriction, or only a one-way control?
Managed Open In only restricts outbound sharing of managed data. It prevents a managed file from being opened in an unmanaged application; it does not prevent an unmanaged application from opening a file in a managed application.
Will un-installing Okta Mobile remove managed applications and EAS profiles?
Different mobile platforms support different functionality. On iOS devices, removing Okta Mobile does not remove the MDM policy that manages applications, EAS profiles, or security policies on the device. On Android devices, Okta Mobile is required for managing data: only Samsung SAFE devices automatically de-provision the enterprise-managed data, and other Android devices do not automatically remove the enterprise data.
Can users remove the Okta MDM policy on iOS devices from their General settings?
Yes, users can remove the Okta MDM policy. Removing the MDM policy warns the user they are un-enrolling their device from Okta Mobility Management and provides them a list of all the data and applications that are about to be de-provisioned. Once the user confirms and removes the policy, all managed data and applications are removed.
Will de-provisioning a device return it to the exact same state as it was before enrollment?
De-provisioning a device removes all the managed applications and data. Anything the user added to the device after enrollment outside of OMM (including photos, personal email and contacts, and personal apps) is not removed. Because Okta does not capture the pre-enrollment passcode, if the user was required to set a compliant passcode, de-provisioning does not revert the passcode; the user will need to change it manually.
Does management of Android devices require an Apple Push Notification service (APNs), or equivalent, certificate?
Not at this time. Currently Google Android does not have an equivalent requirement for management of Android devices.
Does de-provisioning an app from a user in the Okta Admin console automatically de-provision the mobile app from the user's phone or tablet?
Not currently. However, de-provisioning the user in Okta and deactivating their SaaS account in most cases will revoke the OAuth token on the device and prevent the user from further accessing the app data via the mobile app or the Okta Mobile dashboard.
Can Okta Mobility Management provision paid apps?
Yes. Users are asked to authenticate to iTunes using their account and then to pay for the app.
Can Okta Mobility Management automatically provision apps to mobile devices?
Not automatically, but users can install all the applications listed in their app store in one step by clicking the "Install All" button in the upper right-hand corner of the Okta Mobile App Store.
What happens if a user already has an app installed on their phone that is published to the Okta Mobile App Store?
The Okta Mobile App Store has two sections: "New" apps and "Installed" apps. If a user has a pre-existing version of an app, it appears in the "Installed" list. Both iOS and Android are architected such that apps not installed through the Okta Mobile App Store are not managed by Okta Mobility Management; only apps installed directly from the Okta Mobile App Store are registered as managed enterprise apps. Non-managed apps are not de-provisioned through Okta Mobility Management, and they are also not eligible for data sharing with managed apps if Managed Open In is enabled.
Can Okta take over management of existing applications on the mobile device?
Neither iOS nor Android allows a policy provider to take over management of pre-existing applications or configuration on a mobile device. Policy providers can only manage applications and data that the provider itself provisions onto the device. Okta Mobility Management is designed to encourage end users to re-install the managed version of an application through enforcement of Managed Open In policies and device-aware access management: Managed Open In only allows users to share data between managed versions of applications, and device-aware access management only allows Office 365 users to connect to their enterprise Office 365 tenant from a managed device with a managed EAS account.
What email platforms can be managed through Okta Mobility Management?
OMM currently can provision and manage credentials for Office 365, Google Apps, and on-premises Exchange environments. Contact Okta support for additional details on configuration options for specific environments.
Can Okta detect any AD or email password change and update the Exchange ActiveSync profile on an end user device?
Yes. If users reset their AD password through the Okta User Dashboard, the new password is immediately sent to the mobile device. If users update their credentials through external channels (such as Ctrl+Alt+Del on a Windows workstation), the new password is captured and sent to the mobile device the next time the user logs into Okta. Customers can use the Okta AD Password Sync agent to push the update sooner, without requiring users to log into Okta first.
Can OMM manage an existing iOS EAS profile?
No. iOS does not allow policy providers to assume management rights over existing applications and configuration. End users will have to remove any existing EAS profiles and have their EAS profile re-provisioned by OMM in order to share data via Managed Open In with other enterprise applications and to have their email, calendars, and contacts removed during de-provisioning.
Can the description of the managed EAS profile that is provisioned to the device through OMM be changed?
Yes, the default description is the name of the integration in the Okta admin console. Changing the integration name will also modify the EAS profile description on the mobile device.
Can OMM manage multiple EAS profiles on a device?
Yes. As long as each integration is configured in the Okta admin console with EAS provisioning enabled, multiple EAS profiles can be managed on the device. Each integration should be uniquely named so that the profiles are uniquely named on the mobile device.
Can users remove managed email accounts from their device?
No. Managed accounts cannot be manually removed by end users. Users can rename the account on their device, modify the historical sync settings, and choose which elements of the EAS profile are synced (Mail, Contacts, Calendars, Reminders, and/or Notes). Users can also modify select advanced settings, such as how discarded messages are handled (archived vs. deleted). Users cannot modify SSL or S/MIME settings.
Original Author: Arturo Hinojosa, Sr. Technical Marketing Manager, Okta