Client and SAML-Based Mobile Device Trust Blocks OIE Upgrade
Administration
Okta Classic Engine
Okta Identity Engine
Overview

This article explains how to resolve one of the reconfigurations identified as a blocker when preparing an org for the upgrade to Okta Identity Engine (OIE). Note that other Okta features may also need to be reconfigured or disabled before the upgrade can complete. Configurations that use client-based or Security Assertion Markup Language (SAML)-based Mobile Device Trust for iOS and Android are incompatible with OIE and must be reconfigured. After the upgrade, device trust is managed through Okta Verify, which replaces the functionality previously provided by Okta Mobile.

Applies To
  • Device Trust
  • Okta Mobile
  • Okta Verify
Cause

The Classic Engine method of establishing device trust through client-based or SAML-based integrations is not compatible with the Okta Identity Engine (OIE) architecture. OIE uses Okta Verify and a different policy framework to register and trust devices.

Solution

Follow the steps below to reconfigure Mobile Device Trust and prepare for the OIE upgrade.

  1. Address the Upgrade Blocker

Two paths are available depending on the specific configuration.

    • For Workspace ONE Users

      • As of June 11, 2024, a migration path is available for SAML-based Mobile Device Trust. Before upgrading to OIE, navigate to Settings > Features in the Admin Console and enable the self-service feature Migration Support for Workspace ONE Device Trust for Android and iOS.

    • For All Other Configurations 

      • The Mobile Device Trust feature must be disabled manually.

      • NOTE: Disabling iOS or Android Device Trust is a destructive action. Once it is disabled in the Admin Console, the secret key is deleted and cannot be recovered. Perform this step only when ready to schedule the OIE upgrade.

      1. Navigate to Security > Device Trust and ensure that Mobile Device Trust for iOS and Android is disabled.
      2. Related device trust features may also need to be disabled. If the checkboxes to disable them are not selectable, first enable the following feature flags, then disable them again:
        • THIRD_PARTY_DEVICE_TRUST_IOS_DEVICE
        • THIRD_PARTY_DEVICE_TRUST_MAC
        • THIRD_PARTY_DEVICE_TRUST_WINDOWS

Example of NOT ELIGIBLE for Upgrade: [screenshot of the Security > Device Trust page]

Example of ELIGIBLE for Upgrade: [screenshot of the Security > Device Trust page]

  2. Prepare for Post-Upgrade Configuration (Recommended)

To reduce downtime after the upgrade, use the Bring Your Own Secret (BYO Secret) feature. This allows a new secret key to be deployed to end-user devices before the upgrade.

    1. Create a new secret key that meets the following criteria:
      • The key is 8 to 256 characters long.
      • The key contains a mix of uppercase letters, lowercase letters, digits, and symbols.
    2. Using the Mobile Device Management (MDM) solution, deploy this new secret key to the Okta Verify application on all end-user devices before performing the OIE upgrade.
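The following is an added example, not code from the Okta article or from Okta: it generates a BYO Secret from the operating system CSPRNG so that it satisfies the criteria listed above, validates an existing key against the same criteria before it is pushed out, and builds the managed app configuration payload an MDM would deliver to Okta Verify. The symbol set is a deliberately conservative assumption so the value survives plist and JSON encoding, and the `managementHint` AppConfig key name is an assumption to confirm against the Okta Verify documentation for your MDM vendor. Treat the generated value as a shared secret: store it in the MDM's secret store, never in a ticket or log.

```python
import json
import secrets
import string

# Character classes the article requires the key to mix.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumption: a conservative symbol set that survives plist/JSON encoding
# and shell quoting when the MDM pushes the value to the device.
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS

MIN_LEN, MAX_LEN = 8, 256


def validate_secret(secret: str) -> list[str]:
    """Check a key against the article's criteria.

    Returns a list of human-readable violations; an empty list means the
    key is acceptable. Run this on any pre-existing key before deploying
    it, because a key the MDM accepts is not necessarily one Okta Verify
    will accept.
    """
    problems = []
    if not (MIN_LEN <= len(secret) <= MAX_LEN):
        problems.append(f"length {len(secret)} not in {MIN_LEN}-{MAX_LEN}")
    if not any(c in UPPER for c in secret):
        problems.append("no uppercase letter")
    if not any(c in LOWER for c in secret):
        problems.append("no lowercase letter")
    if not any(c in DIGITS for c in secret):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in secret):
        problems.append("no symbol")
    disallowed = sorted(set(secret) - set(ALPHABET))
    if disallowed:
        problems.append(f"disallowed characters: {disallowed!r}")
    return problems


def generate_secret(length: int = 64) -> str:
    """Generate a key using the secrets module (CSPRNG, not random).

    One character from each required class is drawn first so the mix
    requirement always holds; the rest is drawn from the full alphabet,
    then the list is shuffled so the guaranteed characters are not
    always in the first four positions.
    """
    if not (MIN_LEN <= length <= MAX_LEN):
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}, got {length}")
    chars = [
        secrets.choice(UPPER),
        secrets.choice(LOWER),
        secrets.choice(DIGITS),
        secrets.choice(SYMBOLS),
    ]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    secret = "".join(chars)
    # Defensive self-check: the generator and the validator must agree.
    if validate_secret(secret):
        raise RuntimeError("generated key failed validation")
    return secret


def managed_app_config(secret: str) -> str:
    """Serialise the AppConfig payload the MDM delivers to Okta Verify.

    Assumption: the AppConfig key for the pre-existing security key is
    'managementHint'; confirm the exact key name for your MDM and
    platform before deploying.
    """
    problems = validate_secret(secret)
    if problems:
        raise ValueError("refusing to deploy an invalid key: " + "; ".join(problems))
    return json.dumps({"managementHint": secret})


if __name__ == "__main__":
    key = generate_secret()
    print(managed_app_config(key))
```

Keep the generated key alongside the MDM profile it was deployed in; the post-upgrade step below must be configured with exactly the same value, and a mismatch means Okta Verify cannot prove management for any device that received the old payload.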

 

  3. Complete Post-Upgrade Steps

After the organization is upgraded to OIE, Device Trust must be re-enabled using the new framework.

    1. Enable Okta Verify Managed Devices in the OIE organization.
    2. Navigate to Settings > Features and enable the Early Access (EA) feature named Configure management attestation for mobile devices with pre-existing security key.
    3. Follow the instructions to [suspicious link removed] using the same secret key that was deployed to devices before the upgrade.
    4. After the configuration is active, end users must open their Okta Verify account and enable FastPass to complete the device registration.

 
