<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Enforce Device Assurance Policies on Android Using Device Trust from Android Enterprise
Oct 10, 2025
Okta Identity Engine
Okta Device Access
Overview

This article explains how to enforce Okta Device Assurance policies on Android devices using Device Trust from Android Enterprise. This integration allows Okta to assess Android device posture—including Play Protect status, OS version, encryption state, and device integrity—before granting access to Okta-protected resources.

 

Device Trust from Android Enterprise extends Okta’s device posture evaluation to both managed and unmanagedAndroid devices. When enabled, it allows Okta to collect rich security signals directly from Android devices without requiring a full MDM enrollment.

This enables administrators to apply granular access controls based on real-time posture information, ensuring compliance with Zero Trust policies across BYOD and corporate-owned Android devices.

Applies To
  • Okta Identity Engine
  • Device Assurance
  • Device Trust from Android Enterprise
Solution

Configuration Steps

Step 1: Enable Device Trust from Android Enterprise

  1. Sign in to the Okta Admin Console.
  2. Navigate to Security > Device Integrations.
  3. Open the Endpoint security tab.
  4. Click Add endpoint integration.
  5. Select Device Trust from Android Enterprise and click Save.

This allows Okta to consume posture signals from Android Enterprise, including device integrity and Play Protect data.

Step 2: Create a Device Assurance Policy for Android

  1. Go to Security > Device Assurance.
  2. Click Add Device Assurance Policy.
  3. Select Android as the platform.
  4. Configure the desired posture checks.

Key posture signals from Device Trust for Android Enterprise include:

SettingDescription
Play ProtectRequire Google Play Protect to be active and optionally set a maximum risk threshold.
Device IntegrityVerify hardware attestation level (Basic, Standard, or Strong).
Wi-Fi SecurityRequire devices to connect to secure Wi-Fi networks.

 

  1. Click Save when done.

Step 3: Apply the Policy to an Authentication Rule

  1. Navigate to Security > Authentication Policies.
  2. Select the application or app group to protect.
  3. Edit an existing rule or create a new one.
  4. Under Conditions > Device Assurance, select your Android policy.
  5. Save your changes.

End-User Experience

When users sign in with Okta Verify on an Android device, Okta automatically retrieves device posture data through Device Trust from Android Enterprise.

If Android Device Policy is installed:

  • The posture evaluation runs silently in the background.
  • Users only see a prompt if their device fails compliance checks (e.g., Play Protect disabled or encryption missing).
  • Okta displays an in-line remediation message or a Custom Remediation Instruction if configured.

If Android Device Policy is not installed:

  • Okta prompts the user to install Android Device Policy. This will happen in the background without the user being redirected to Google Play.
  • After installation, users are guided to complete basic setup so posture signals can be verified.
  • If users decline installation, Okta cannot verify compliance and access will be denied or limited, depending on policy configuration.

Related References

Recommended content

Still looking for help?
Loading
Enforce Device Assurance Policies on Android Using Device Trust from Android Enterprise