Authentication Policy Rules Device Context Evaluation
Multi-Factor Authentication
Okta Identity Engine
Overview

This article provides a deeper understanding of how Okta evaluates authentication policy rules in the context of device settings, as certain configurations may inadvertently cause users to be evaluated by the wrong policy rule.

Applies To
  • Device Management
  • Okta Identity Engine
  • Device Probing
Solution

If at least one authentication policy rule requires the device to be "Registered", Okta silently probes the device when Okta Verify is installed on it. If the user signs in with "Sign in with FastPass", the authentication response includes the device context as well.

The device context can be seen in the extended System Log: in the "Authentication of user via MFA" event when FastPass is used, and in the "Evaluation of sign-on policy" event when the device is in the Target section ((UDDevice)).

An example of a device context is shown below:

[Image: device context example]

The device context is evaluated against the authentication policy rules in priority order, starting with the higher-priority rules, until the authentication request matches one of the rules.

Authentication rule conditions and restrictions are matched strictly; they do not act as minimum requirements.

[Image: authentication rules]

A common misconfiguration is a rule that requires the device to be "Registered" and "Not managed". If the device is "Registered" and "Managed", it will not be evaluated by that policy rule.
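The strict, priority-ordered matching described above, as an added example (not Okta's code or API schema): a simplified Python model in which the `Rule` fields, rule names, actions and device states are assumptions made for illustration. It shows a "Registered" and "Managed" device skipping a "Registered" + "Not managed" rule and landing on a lower-priority rule.

```python
# Added illustration: a simplified model of first-match rule evaluation.
# Rule names, actions and field names are hypothetical, not Okta's API schema.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                      # lower number = evaluated first
    registered: Optional[bool] = None  # None models "Any"
    managed: Optional[bool] = None     # None models "Any"
    action: str = "DENY"

    def matches(self, registered: bool, managed: bool) -> bool:
        # Strict match: a configured condition must equal the device state;
        # "Not managed" is not satisfied by a managed device.
        return (self.registered in (None, registered)
                and self.managed in (None, managed))

# Device states used in this example (constructed).
STATES = {
    "not registered": (False, False),
    "registered, not managed": (True, False),
    "registered, managed": (True, True),
}

def evaluate(rules, registered, managed):
    """Return the first rule, in priority order, that matches the device context."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(registered, managed):
            return rule
    return None

def coverage(rules):
    """Map each device state to the name of the rule that handles it."""
    return {label: getattr(evaluate(rules, *state), "name", None)
            for label, state in STATES.items()}

CATCH_ALL = Rule("Catch-all", 99, action="DENY")
MISCONFIGURED = [Rule("Registered devices", 1, True, False, "ALLOW"), CATCH_ALL]
# One possible correction, if every registered device should match: managed = "Any".
CORRECTED = [Rule("Registered devices", 1, True, None, "ALLOW"), CATCH_ALL]

if __name__ == "__main__":
    for name, policy in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, coverage(policy))
```

Running `coverage()` over a model of a real policy makes the device states that fall through to a lower-priority rule visible before users hit them.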
