This article explains why a FastPass login is required for a device to be considered managed and outlines the distinction between a registered device and a managed one.

• Okta Identity Engine (OIE)
• Okta Verify
• Multi-Factor Authentication (MFA)

The initial setup of FastPass does not pass the device state. Devices will not be shown as managed until another successful authentication is performed using FastPass from the device itself.

After setting up Okta Verify FastPass on a device, the end user must perform another successful authentication using FastPass for the device state to be correctly reported as managed. 

A registered device vs. a managed device:

• Registered Device
  • Okta Verify is installed on the device.
  • The device is registered (enrolled in Okta Verify).
  • The device is managed (it is managed by a device management solution configured for device management in Security Device Integrations, and the user successfully authenticated with Okta FastPass on that device).
  • Secure hardware is present (Trusted Platform Module (TPM), Secure Enclave).
  • Proof of possession key is hardware-protected.

If the probe is successful, user.authentication.auth_via_mfa is logged in the System Log, and the end user is able to proceed with their task. Otherwise, they are unable to proceed.

• Managed Device
  • Okta Verify is installed on the device.
  • The device is registered (enrolled in Okta Verify).
  • A user profile associated with the device is managed by a device management solution.
  • The device is configured for device management in Security > Device Integrations.
    NOTE: Ensure this is completed before the end user initiates a FastPass login, as it will not be effective otherwise.
  • The end user successfully authenticated from that device using Okta FastPass.
  • The user authenticated with Okta FastPass from the managed device at least once.

To test the new implementation without risking locking users out of any important resources, create a new Authentication Policy for a test Bookmark app:

1. Create a Temporary Bookmark Application:
   1. Navigate to the Okta Admin Dashboard: Applications > Applications > Browse App Catalogue.
   2. Search for and select Bookmark.
   3. Click Add Integration.
   4. Provide a name for this temporary bookmark (for example, "Managed Device Check").
   5. Enter any working URL (this is temporary and for policy enforcement).
   6. Click Assign and assign this bookmark app to the specific user whose device is not yet showing as managed.
2. Create an Authentication Policy Requiring Managed Status for the Bookmark App:
   1. Go to the Okta Admin Dashboard > Security > Authentication Policies.
   2. Click Add Policy.
   3. Enter a name for this temporary policy (for example, "Require Managed Device").
   4. Click Save.
   5. On the policy page, navigate to the Applications tab and click Add App.
   6. Select the Bookmark app created and click Done.
   7. Go back to the Rules tab for this new policy.
   8. Edit the Catch-All Rule: 
      1. Click Actions > Edit next to the Catch-All Rule.
      2. Scroll down to THEN Access is and select Denied.
      3. Click Save.
   9. Add a new Rule: 
      1. Click Add Rule.
      2. Give the rule a name (for example, "Managed Device Allowed").
      3. Under IF User is, leave the default (Any user assigned to the app).
      4. Under AND Device state is, select Registered.
      5. Under AND Device management is, select Managed.
      6. Under AND Authentication methods, ensure Okta Verify - FastPass is listed as an available option.
      7. Under When to prompt for authentication, choose Every time user signs in to resource.
      8. Click Save.
3. Have the user authenticate:
   • Instruct the affected user to attempt to access the Managed Device Check bookmark using the device that is not yet showing as managed.
4. Interpret the results:
   • Successful Authentication: If the user can authenticate using Okta Verify - FastPass, their device's status in Okta should now be updated to Managed.
   • Authentication Failure (Denied by Catch-All): If the user is denied access by the Catch-All Rule, the logs generated by this authentication attempt will provide valuable information for further troubleshooting the underlying issue preventing the device from being recognized as managed. Please collect these logs for analysis: 
     • Collect Okta Verify Logs from Desktop (macOS / Windows)
     • How to Collect Okta Verify Logs on an iPhone Device
     • How to Collect Okta Verify Logs on an Android Device

Related References

• Okta FastPass General Info (for Admins)
• Sign In with FastPass on Windows Devices (for End Users)
• Sign In with FastPass on macOS Devices (for End Users)
• Set up Okta FastPass on iOS devices
• Set up Okta FastPass on Android devices
• Device Registration
• Managed Device