Reasons An Okta Device Status May Change To Unmanaged
Devices and Mobility
Okta Identity Engine
Overview

An Okta device may change to an unmanaged state because of certificate issues, policy changes, or Okta Verify application errors. End users observe that a previously managed desktop or mobile device no longer grants access to required resources, and administrators see the device shown as "Unmanaged" in the System Log and in the Universal Directory (UD). Administrators resolve this by identifying the specific cause and then prompting the end user to re-authenticate or re-enroll the device.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Devices
  • Device Integrations
  • Unmanaged Devices
  • Desktop (macOS/Windows)
  • Mobile Devices (iOS/Android)
Solution

Why do devices become unmanaged?

The management status of a device can change for several reasons. Review the following list of potential causes and the corresponding actions to determine the exact cause of the unmanaged device status.

Potential cause: The end user did not log in with FastPass after renewing the certificate.
Action to take: Have the end user authenticate using FastPass on the affected device.
For more information, see: FastPass Login is Required for Device to Show as Managed.

Potential cause: The end user's client certificate has expired, was revoked, or is no longer valid.
Action to take: Remove the existing client certificate and issue a new one.
For more information, see: Client certificates.

Potential cause: The end user has registered two devices with the exact same certificate in the same Okta organization. Certificates require a unique identifier per device within the same organization, because the certificate ID is bound to the device within the Universal Directory; this prevents users from reusing a given certificate on another device.
Action to take: Remove the client certificate from one of the affected devices and issue a new one.
For more information, see: Client certificates.

Potential cause: Clock drift or time skew has caused the machine's time to fall out of sync with Okta's servers.
Action to take: Ensure that the user's machine is synced to the correct Network Time Protocol (NTP) server and that the device is configured to set the date and time automatically.
For more information, see: Okta Verify Logs Showing the Error "Authorization Error: ID Token expired".

Potential cause: When using Bring Your Own Certificate Authority (BYOCA), the certificate chain may become invalid, be revoked, or expire.
Action to take: Upload a new certificate chain in the Admin Dashboard.
For detailed instructions, see: Use your own certificate authority for managed devices.

Potential cause: The device's activation status has changed:
  • An administrator deactivates or deletes a user's device, and the end user does not re-register the device.
  • An administrator changes the device status to Suspended or Deactivated in the Okta Admin Console by navigating to Directory > Devices.
Action to take: Correct the device's activation status:
  • If the device has been deactivated and subsequently deleted, the user can correct the management status by authenticating with Okta Verify on the device, using the managementHint or a client certificate.
  • If the device has been deactivated or suspended but not deleted, the user cannot re-register it; an administrator must reactivate it or delete it fully.
For more information, see: Okta Verify Invalidated Device or Illegal Device Errors.

Potential cause: The authentication policy rules are misconfigured.
Action to take: The Application Sign-On Policy (ASOP) requires additional configuration to effectively leverage a device's management status.
For a comprehensive guide to the necessary configuration, see: How to Configure Authentication Policies for Device Management.

Potential cause: The user has not authenticated at least once with Okta Verify Push or FastPass.
Action to take: At least one FastPass authentication (or Okta Verify Push, if using a mobile device) is required to bring the device into the Registered state. Once the device is registered, the Sign-In Widget (SIW) silently probes the device for its Okta Verify installation, along with the client certificate or managementHint if the authentication policy requires device management. This probing cannot take place if the device is not yet registered.

Potential cause: The device fails to meet the security requirements defined in the Device Assurance Policy.
Action to take: If an authentication policy leverages a Device Assurance Policy, users cannot authenticate with it until they bring the device into compliance.

Potential cause: For BYOCA configurations, the Certificate Revocation List (CRL) cannot be reached.
Action to take: If the client certificate cannot be identified as active in the CRL during the management attestation evaluation, Okta marks the device as not managed. The CRL must be publicly accessible.
For more information, see: How does the CA affect client certificate binding?

Potential cause: After being issued a client certificate, the user does not complete a FastPass authentication within 90 days.
Action to take: When using Okta as a Certificate Authority (CA), Okta revokes the client certificate on the 91st day after issuance if the user fails to complete a successful Okta FastPass flow.
For more information, see: Okta CA Client Certificate is Revoked after 90 Day of Issuance.

Potential cause: The Okta Verify application fails to run in the background on Android.
Action to take: Okta Verify must maintain a persistent local web server, which requires additional configuration on Android.
For more information, see:

Potential cause: The Client Secret Keys for the Dynamic Simple Certificate Enrollment Protocol (SCEP) URL have expired.
Action to take: Client certificates cannot be issued if the Client Secret Keys have expired.
For more information, see: Okta System Logs Showing the Error "FAILURE: Error while issuing a ClientCertificate via delegated SCEP".

Potential cause: When using BYOCA, the end user's client certificate fails to match the private key on Windows devices. Okta Verify logs show the error: "Failed to acquire private key for certificate [Thumbprint Value]: Error: 0x80090016"
Action to take: Deploy a new client certificate to the machine.

Potential cause: An administrator deletes a managed device from the user profile in Okta, which invalidates the device management certificate.
Action to take: A new certificate must be issued to the device before it can be recognized as Managed again.
For more information, see: How to Make a Device Managed Again.
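Several of the causes above are conditions an administrator can check offline against a device inventory before contacting the user: an expired client certificate, a certificate shared by two devices in the same organization, no FastPass sign-in since the certificate was issued (and the 91st-day revocation that follows when Okta is the CA), a clock out of sync, and a Suspended or Deactivated status. The script below is an added example, not Okta's code or an Okta API: the record fields (device_id, cert_id, cert_issued, cert_not_after, last_fastpass, device_clock, status) are a constructed schema for a CSV or export you would prepare yourself, the sample inventory is constructed, and the 5-minute clock-skew tolerance is an assumption the article does not state.

```python
"""Offline triage of a device inventory for conditions that lead to an
"Unmanaged" Okta device.  Added example; the record schema, sample data
and the skew tolerance are constructed, not Okta's own."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# From the article: with Okta as CA, the client certificate is revoked on
# the 91st day after issuance if no successful FastPass flow has completed.
FASTPASS_GRACE_DAYS = 90
# Assumption (not from the article): clock skew beyond this is reported.
MAX_CLOCK_SKEW = timedelta(minutes=5)
# Statuses the article says the user cannot recover from by re-registering.
ADMIN_ONLY_STATUSES = {"SUSPENDED", "DEACTIVATED"}


def triage_device(rec, now):
    """Return a list of (cause, action) pairs for one device record."""
    findings = []

    # Expired certificate: a new one must be issued.
    if rec["cert_not_after"] <= now:
        findings.append(("client certificate expired",
                         "Remove the existing client certificate and issue a new one."))

    # No FastPass since issuance: either still waiting for the first sign-in,
    # or past the 90-day window and therefore revoked by Okta CA.
    last_fastpass = rec.get("last_fastpass")
    if last_fastpass is None or last_fastpass < rec["cert_issued"]:
        if now - rec["cert_issued"] > timedelta(days=FASTPASS_GRACE_DAYS):
            findings.append(("certificate revoked: no FastPass within 90 days of issuance",
                             "Issue a new client certificate, then have the user sign in with FastPass."))
        else:
            findings.append(("no FastPass sign-in since certificate issuance",
                             "Have the user authenticate with FastPass on this device."))

    # Clock drift: the device clock differs from the reference time.
    skew = abs(rec["device_clock"] - now)
    if skew > MAX_CLOCK_SKEW:
        findings.append((f"clock skew of {int(skew.total_seconds())}s",
                         "Sync the device to an NTP server and enable automatic date/time."))

    # Suspended or deactivated: only an administrator can reactivate or delete.
    if rec["status"] in ADMIN_ONLY_STATUSES:
        findings.append((f"device status is {rec['status']}",
                         "An administrator must reactivate or delete the device; the user cannot re-register it."))
    return findings


def find_duplicate_certs(records):
    """Map each certificate ID bound to more than one device to those devices."""
    by_cert = defaultdict(list)
    for rec in records:
        by_cert[rec["cert_id"]].append(rec["device_id"])
    return {cert: sorted(devs) for cert, devs in by_cert.items() if len(devs) > 1}


def triage_inventory(records, now):
    """Return {device_id: [cause, ...]} from per-device and cross-device checks."""
    report = {rec["device_id"]: [cause for cause, _ in triage_device(rec, now)]
              for rec in records}
    for cert, devs in find_duplicate_certs(records).items():
        for dev in devs:
            report[dev].append(f"certificate {cert} shared with {len(devs) - 1} other device(s)")
    return report


# Constructed sample inventory (not an Okta export); NOW is the reference time.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    {"device_id": "dev-healthy", "cert_id": "cert-A", "status": "ACTIVE",
     "cert_issued": NOW - timedelta(days=10), "cert_not_after": NOW + timedelta(days=355),
     "last_fastpass": NOW - timedelta(days=1), "device_clock": NOW},
    {"device_id": "dev-stale", "cert_id": "cert-B", "status": "ACTIVE",
     "cert_issued": NOW - timedelta(days=95), "cert_not_after": NOW + timedelta(days=270),
     "last_fastpass": None, "device_clock": NOW},
    {"device_id": "dev-expired", "cert_id": "cert-C", "status": "ACTIVE",
     "cert_issued": NOW - timedelta(days=400), "cert_not_after": NOW - timedelta(days=1),
     "last_fastpass": NOW - timedelta(days=2), "device_clock": NOW},
    {"device_id": "dev-skewed", "cert_id": "cert-D", "status": "ACTIVE",
     "cert_issued": NOW - timedelta(days=2), "cert_not_after": NOW + timedelta(days=363),
     "last_fastpass": NOW - timedelta(days=1), "device_clock": NOW - timedelta(minutes=12)},
    {"device_id": "dev-dup1", "cert_id": "cert-E", "status": "ACTIVE",
     "cert_issued": NOW - timedelta(days=3), "cert_not_after": NOW + timedelta(days=362),
     "last_fastpass": NOW - timedelta(days=1), "device_clock": NOW},
    {"device_id": "dev-dup2", "cert_id": "cert-E", "status": "SUSPENDED",
     "cert_issued": NOW - timedelta(days=3), "cert_not_after": NOW + timedelta(days=362),
     "last_fastpass": NOW - timedelta(days=1), "device_clock": NOW},
]

if __name__ == "__main__":
    for device_id, causes in triage_inventory(SAMPLE_DEVICES, NOW).items():
        print(device_id, "->", causes or ["no issue found"])
```

Run against a real export, the report lists only the causes that can be determined from inventory data; policy misconfiguration, Device Assurance failures, CRL reachability and the Android background-service issue still have to be checked in the Admin Console and Okta Verify logs as the table describes.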
