About Device Trust with Delegated SCEP (Certificate) via Intune
Devices and Mobility
Overview

It is a common belief that a certificate issued to User A should only work on Device A and not on any other device. This is not always true, and this article clarifies what actually happens in Okta when a certificate is deployed for a user.

Applies To
  • Mobile Device Management (MDM)
  • Intune
  • SCEP Certificate
Cause

Solution
  • The certificate is applied to the device, not to the user. Other users who sign in to Okta from the same machine under the same machine user profile will also see the device status change to Managed.
  • Importing the public key certificate from another device (Device 2) onto a device (Device 1) plays no part in the management attestation.
  • Okta needs the private key to create the management attestation.
  • The device is considered managed based on the certificate that was deployed to it initially.

NOTE: Okta binds the deviceId and the client certificate on the first authentication. After that, if a different device uses the client certificate for a management attestation, the management attestation will fail.
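
The following Python model is an added illustration, not Okta's code and not how Okta's attestation is implemented. It shows the two rules above: a client must prove possession of the certificate's private key, and the certificate is bound to the deviceId that first attests with it. The key sizes, deviceIds and nonce are constructed for the example.

```python
import hashlib

# Toy RSA with small constructed primes so the example runs on the standard library
# alone; a real SCEP certificate carries a 2048-bit or larger key, the mechanism is the same.
def toy_keypair(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)               # (modulus, public exp, private exp)

def digest_mod(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, n: int, d: int) -> int:
    return pow(digest_mod(message, n), d, n)   # only possible with the private exponent d

def verify(message: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == digest_mod(message, n)

class AttestationService:
    """Binds a certificate to the first deviceId that proves possession of its key."""
    def __init__(self):
        self.bindings = {}                     # cert fingerprint -> deviceId

    def attest(self, device_id: str, cert_n: int, cert_e: int, challenge: bytes, sig: int) -> str:
        fingerprint = hashlib.sha256(f"{cert_n}:{cert_e}".encode()).hexdigest()[:16]
        if not verify(challenge, sig, cert_n, cert_e):
            return "FAIL: no proof of private key"        # the public cert alone is not enough
        bound = self.bindings.setdefault(fingerprint, device_id)  # first authentication binds
        if bound != device_id:
            return "FAIL: certificate bound to another device"
        return "MANAGED"

def run_scenarios() -> dict:
    n, e, d = toy_keypair(1000003, 1000033)    # certificate deployed to Device 1 via SCEP
    svc = AttestationService()
    challenge = b"constructed-nonce-0001"       # constructed per-attestation nonce
    results = {}
    # 1. Device 1, User A: private key present -> certificate bound to device-1, Managed
    results["device1_userA"] = svc.attest("device-1", n, e, challenge, sign(challenge, n, d))
    # 2. Device 1, User B in the same machine user profile: same device certificate -> Managed
    results["device1_userB"] = svc.attest("device-1", n, e, challenge, sign(challenge, n, d))
    # 3. Device 2 imported only the public certificate: it cannot sign the challenge
    results["device2_pubonly"] = svc.attest("device-2", n, e, challenge, 0)
    # 4. Even if Device 2 held the private key, the certificate is already bound to device-1
    results["device2_privkey"] = svc.attest("device-2", n, e, challenge, sign(challenge, n, d))
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} {outcome}")
```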

For more details, please check the Related References section of this article.
Related References
