Okta Conditional Access Based on Device Security Posture
Overview
Okta Identity Engine (OIE) evaluates device context in incoming requests to make application access decisions. Administrators configure authentication policy rules to deny or allow access based on device states, assurance policies, and platforms.
Applies To
- Okta Identity Engine (OIE)
- Okta Verify
- Device Management
Solution
How does Okta evaluate device context for conditional access?
Okta Identity Engine (OIE) makes application access decisions based on the device context in an incoming request. Device states (registered, managed), device assurance policies, and platforms serve as conditions in each application's authentication policy. A typical rule combines these conditions, for example allowing access only from a registered and managed device on a permitted platform, with a catch-all rule at the end of the policy that denies anything no earlier rule matched.
Okta Verify Facilitates Device Registration and Management
Okta Verify must be installed on a device before the device can be registered, or registered and managed. Once registered, administrators can view details such as the device name, platform, manufacturer, model, and Unique Device Identifier (UDID) in Universal Directory, and can Suspend, Un-suspend, or Deactivate the device. Review the Device lifecycle documentation for more details. The device platform used by the platform condition is derived from the User-Agent in the authentication request. Because the User-Agent is set by the client, a platform condition on its own is a weak control; pair it with the registered or managed device conditions, which are backed by Okta Verify and the management integration rather than by a request header.
How are signals from EMM and EDR solutions utilized?
Okta integrates with major Enterprise Mobility Management (EMM) and Endpoint Detection and Response (EDR) solutions to capture additional device signals when Device Trust is active. Administrators use custom expressions to make access decisions in the authentication policy based on these signals.
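The following is an added illustration, not Okta code or the article's own example, of how the rule evaluation described in the two passages above plays out: device state (registered, managed), a platform derived from the User-Agent, and a custom expression over EMM/EDR signals are combined into ordered rules, and the first matching rule decides. The User-Agents, signal names (`edr_sensor_running`, `disk_encrypted`) and rule names are constructed for the example; the `assurance` lambda stands in for an Okta custom expression and is not Okta Expression Language.

```python
"""Simulated evaluation of Okta-style authentication policy rules against the
device context of an incoming request (added example, not Okta's code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class DeviceContext:
    user_agent: str
    registered: bool = False              # device registered through Okta Verify
    managed: bool = False                 # management attestation present
    signals: dict = field(default_factory=dict)  # EMM/EDR signals (constructed names)


def platform_from_user_agent(ua: str) -> tuple[str, str]:
    """Derive (device type, OS) from the User-Agent, as the platform condition does.

    The header is client-controlled, so this is a weak signal on its own; the
    registered/managed conditions below do not depend on it. Order matters:
    iOS User-Agents also contain "Mac OS X" and Android ones contain "Linux".
    """
    ua_l = ua.lower()
    if re.search(r"iphone|ipad", ua_l):
        return ("MOBILE", "IOS")
    if "android" in ua_l:
        return ("MOBILE", "ANDROID")
    if "windows nt" in ua_l:
        return ("DESKTOP", "WINDOWS")
    if "mac os x" in ua_l or "macintosh" in ua_l:
        return ("DESKTOP", "MACOS")
    if "linux" in ua_l or "x11" in ua_l:
        return ("DESKTOP", "LINUX")
    return ("UNKNOWN", "UNKNOWN")


@dataclass
class Rule:
    name: str
    access: str                                        # "ALLOW" or "DENY"
    registered: Optional[bool] = None                  # None = condition not set
    managed: Optional[bool] = None
    platforms: Optional[set[tuple[str, str]]] = None
    assurance: Optional[Callable[[dict], bool]] = None  # stand-in for a custom expression

    def matches(self, ctx: DeviceContext) -> bool:
        if self.registered is not None and ctx.registered != self.registered:
            return False
        if self.managed is not None and ctx.managed != self.managed:
            return False
        if self.platforms is not None and platform_from_user_agent(ctx.user_agent) not in self.platforms:
            return False
        if self.assurance is not None:
            try:
                if not self.assurance(ctx.signals):
                    return False
            except KeyError:
                return False  # a signal the EDR/EMM did not report never satisfies the condition
        return True


def evaluate(rules: list[Rule], ctx: DeviceContext) -> tuple[str, str]:
    """Rules are evaluated in priority order; the first match decides.
    The policy should end with a catch-all rule; if it does not, deny."""
    for rule in rules:
        if rule.matches(ctx):
            return (rule.name, rule.access)
    return ("implicit-deny", "DENY")


# Constructed sample policy: two allow rules, then the catch-all deny.
POLICY = [
    Rule("Allow managed desktop with healthy EDR", access="ALLOW",
         registered=True, managed=True,
         platforms={("DESKTOP", "WINDOWS"), ("DESKTOP", "MACOS")},
         assurance=lambda s: s["edr_sensor_running"] and s["disk_encrypted"]),
    Rule("Allow registered mobile", access="ALLOW", registered=True,
         platforms={("MOBILE", "IOS"), ("MOBILE", "ANDROID")}),
    Rule("Catch-all", access="DENY"),
]

# Constructed User-Agents.
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
IOS_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"

if __name__ == "__main__":
    healthy = DeviceContext(WIN_UA, registered=True, managed=True,
                            signals={"edr_sensor_running": True, "disk_encrypted": True})
    print(evaluate(POLICY, healthy))
    # A spoofed mobile User-Agent on an unregistered device still hits the catch-all.
    print(evaluate(POLICY, DeviceContext(IOS_UA, registered=False)))
```

Running the block shows the two cases that matter in practice: a managed Windows device whose EDR reports a running sensor and disk encryption is allowed by the first rule, while an unregistered device that merely presents an iPhone User-Agent falls through to the catch-all, because the registered condition is not satisfiable by a header. A managed device whose EDR did not report one of the signals is also denied, since a missing signal never satisfies the expression.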
