Configure a Grace Period in Device Assurance to Prevent User Lockouts During OS Updates
Devices and Mobility
Multi-Factor Authentication
Okta Identity Engine
Overview

Operating system (OS) vendors periodically release new versions. Okta updates its “latest OS” definitions on a scheduled cadence after these releases, but there may be a short window where the Okta definition does not yet align with the vendor’s newly available version.

During this window, users may be denied access if a Device Assurance policy requires the latest OS version but Okta has not yet recognized that version. To avoid disruptions, administrators can configure a Grace Period in their Device Assurance OS compliance policies.

This article explains how the Grace Period works and how to enable it.

Impact of New OS Releases

  • Non-Dynamic OS policies

    • No impact. Admins must manually update their policy if they want to enforce the newest OS version.
    • Until then, admins can use a Custom Version to enforce specific OS versions.
  • Dynamic OS policies (require “latest”)

    • If the OS vendor releases earlier than Okta’s definition update, users may be blocked at sign-in because Okta does not yet recognize the new version.
    • If the vendor releases later, users may be blocked because the policy requires an update that is not yet available to install.

A Grace Period prevents both scenarios by giving users a buffer period before they are required to meet the new OS requirement.

 

Applies To
  • Okta Identity Engine (OIE)
  • Okta Verify
  • Device Assurance
Solution

Configure a Grace Period

Steps to enable:

  1. In the Admin Console, go to Security > Device Assurance Policies.
  2. Select the OS Compliance Policy for the platform(s) that need to be managed.
  3. If Display remediation instructions is not already selected, select it to display the Grace Period section.
  4. Enable Grace Period and set the duration (for example, 30 days).
  5. Save the policy.

With Grace Period enabled, users are granted access during the buffer window and must update by the end of the configured period.

 

Best Practices

  • If using Dynamic OS policies (require “latest”), enable a Grace Period during vendor release cycles.
  • Monitor the Okta Release Notes for confirmation of when new OS versions are supported.
