
Okta FastPass Login Is Required for a Device to Show as Managed

Devices and Mobility
Multi-Factor Authentication
Okta Identity Engine

Overview

The initial setup of Okta FastPass does not automatically pass the device management state to Okta, causing managed devices to initially display only as registered. An end user must complete a successful authentication using Okta FastPass from the local device to resolve the issue. A test Bookmark application provides a safe verification method to confirm the managed state without impacting production resources.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Verify
  • Multi-Factor Authentication (MFA)

Cause

During the initial enrollment of Okta Verify, the device does not transmit the management configuration state to the Okta tenant. Consequently, the device does not display as Managed in the Okta Admin Console until the user performs a subsequent authentication using Okta FastPass from that device.

Solution

What is the difference between a registered device and a managed device?

Review the following criteria to understand how Okta evaluates the differences between a basic registered device and a fully managed device.


Registered Device

  • Okta Verify Enrolled: The device has Okta Verify installed, and the user successfully registers the profile.
  • Hardware Protection: Secure hardware is present on the endpoint (such as a Trusted Platform Module (TPM) or Secure Enclave).
  • Key Protection: The device's secure hardware protects the cryptographic proof-of-possession key.
  • Management Probe: When an Authentication Policy requires a managed state, Okta probes the client during login. If the device is only registered and fails the management check, Okta denies access. If the management probe succeeds, Okta records user.authentication.auth_via_mfa in the System Log and allows the user to proceed.

Managed Device

  • Prerequisites Met: The device has Okta Verify installed and successfully registers.
  • MDM Enrollment: A mobile device management (MDM) or enterprise mobility management (EMM) solution actively manages the local user profile associated with the device.
  • Admin Integration: An administrator configures the MDM vendor under Security > Device Integrations within the Okta Admin Console.
    NOTE: The admin configuration must be fully completed before the end user initiates the Okta FastPass login; otherwise, Okta cannot validate the management state.
  • State Verification: The end user successfully authenticates from that specific device using Okta FastPass at least once after the MDM integration is established.
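The Management Probe and State Verification criteria above can be checked from the System Log rather than by eye. The following Python script, an added example and not Okta's own tooling, takes a System Log export and reports the first successful user.authentication.auth_via_mfa event for the test user after the MDM integration was saved; it also builds the matching /api/v1/logs query parameters. The event shape (actor, eventType, outcome, published) follows the System Log format; the sample events and timestamps are constructed.

```python
"""Confirm from an Okta System Log export that a user completed a successful
FastPass MFA authentication after the MDM integration was configured.
Added example (not Okta code). Assumes standard System Log event fields;
the sample events and the integration timestamp below are constructed."""
import json
from datetime import datetime

FASTPASS_EVENT = "user.authentication.auth_via_mfa"  # event named in the article


def parse_ts(value):
    """Parse an Okta 'published' timestamp such as 2024-05-01T09:30:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_log_query(user_email, since):
    """Query parameters for GET /api/v1/logs limiting results to the user's
    successful auth_via_mfa events published since the integration time."""
    return {
        "since": since,
        "filter": (f'eventType eq "{FASTPASS_EVENT}" and '
                   f'actor.alternateId eq "{user_email}" and '
                   'outcome.result eq "SUCCESS"'),
    }


def first_fastpass_success(events, user_email, integration_time):
    """Return the publish time (ISO 8601) of the earliest successful FastPass
    MFA event for the user at or after integration_time, or None."""
    cutoff = parse_ts(integration_time)
    hits = [
        parse_ts(e["published"]) for e in events
        if e.get("eventType") == FASTPASS_EVENT
        and e.get("actor", {}).get("alternateId") == user_email
        and e.get("outcome", {}).get("result") == "SUCCESS"
        and parse_ts(e["published"]) >= cutoff
    ]
    return min(hits).isoformat() if hits else None


# Constructed sample export: a success before the integration (does not count),
# a failed attempt, and the success that proves the managed state was reported.
SAMPLE_EVENTS = json.loads("""[
 {"eventType": "user.authentication.auth_via_mfa", "published": "2024-05-01T08:00:00.000Z",
  "actor": {"alternateId": "test.user@example.com"}, "outcome": {"result": "SUCCESS"}},
 {"eventType": "user.authentication.auth_via_mfa", "published": "2024-05-02T09:00:00.000Z",
  "actor": {"alternateId": "test.user@example.com"}, "outcome": {"result": "FAILURE"}},
 {"eventType": "user.authentication.auth_via_mfa", "published": "2024-05-02T10:15:00.000Z",
  "actor": {"alternateId": "test.user@example.com"}, "outcome": {"result": "SUCCESS"}}
]""")
INTEGRATION_TIME = "2024-05-02T00:00:00.000Z"  # constructed: when the MDM integration was saved

if __name__ == "__main__":
    print(first_fastpass_success(SAMPLE_EVENTS, "test.user@example.com", INTEGRATION_TIME))
```

A None result means the device has not yet completed the FastPass login the article requires, so it will still show only as registered.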


How is a new implementation tested without risking locking users out of any important resources?

Create a temporary Bookmark application from the Okta Admin Console and assign it only to the test user. Together with the Authentication Policy configured in the next section, this forces a FastPass authentication check without risking locking users out of production resources. Follow these steps:

  1. Go to the Okta Admin Console and navigate to Applications > Applications.
  2. Select Browse App Catalog.
  3. Search for and select Bookmark.
  4. Select Add Integration.
  5. Enter a name for the temporary bookmark (for example, Managed Device Check).
  6. Enter a valid, working URL (this is temporary and used purely for policy enforcement).
  7. Select Assign and assign the bookmark application specifically to the test user whose device is not yet showing as managed.


How is an Authentication Policy created requiring managed status for the Bookmark application?

Configure a new Authentication Policy in the Okta Admin Console to enforce managed device requirements for the temporary Bookmark application by following these steps:

  1. Go to the Okta Admin Console and navigate to Security > Authentication Policies.
  2. Select Add Policy.
  3. Enter a name for the temporary policy (for example, Require Managed Device).
  4. Select Save.
  5. Navigate to the Applications tab on the policy page and select Add App.
  6. Select the created Bookmark application and select Done.
  7. Navigate to the Rules tab for the new policy.
  8. Modify the default Catch-All Rule:
    1. Select Actions > Edit next to the Catch-All Rule.
    2. Scroll down to THEN Access is, change the setting to Denied, and select Save.
  9. Select Add Rule to establish the successful management path:
    1. Enter a name for the rule (for example, Managed Device Allowed).
    2. Leave the default setting under IF User is (Any user assigned to the app).
    3. Select Registered under AND Device state is.
    4. Select Managed under AND Device management is.
    5. Ensure Okta Verify - FastPass is listed as an available option under AND Authentication methods.
    6. Choose Every time user signs in to resource under When to prompt for authentication.
    7. Select Save.


How are the authentication results interpreted?

Instruct the affected user to log in to the Okta End-User Dashboard from the device that is not yet showing as managed and attempt to open the temporary Managed Device Check bookmark application. Review the results as follows:

