This article reviews how to configure Authentication Policies for Okta Device Management in the Okta Identity Engine (OIE).
- Okta Identity Engine (OIE)
- Okta Verify - FastPass
- Device Management
- Authentication Policies
Authentication Policies must be specifically configured to enable device management checks.
- In the Admin Console, navigate to Security > Authentication Policies.
- Select the authentication policy to which the rule should be added.
- In the Authentication Policy, click Add Rule.
- Type a Rule name to describe the rule.
- Configure the appropriate IF conditions to specify when the rule is applied.
- Rules should target user groups that are being enabled for FastPass Device Management.
- Find the condition AND Device state is and change it from Any to Registered. Once Device state is set to Registered, another condition, AND Device management is, appears immediately below it. Set this condition to Managed to enable Device Management checks on the policy.
- Configure the appropriate THEN conditions to specify how authentication is enforced.
- Configure the re-authentication frequency if needed.
- Click Save.
To make sure that Device Management is enforced, either:
- Create another rule, configured to deny the login, that targets the same user groups configured in the IF conditions of the rule above.
- Modify the Catch All Rule to deny login.
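The two options above, as an added example (not Okta's code): a simplified Python model of rule evaluation that lists which device states are still allowed in without being managed. The rule fields, the group names and the first-match evaluation in priority order are assumptions of this sketch.

```python
from itertools import product

# (registered, managed): per the note, a device is never managed without being registered.
DEVICE_STATES = [(False, False), (True, False), (True, True)]

def matches(rule, group, registered, managed):
    """A rule matches when every IF condition it sets holds (missing key = Any)."""
    if "groups" in rule and group not in rule["groups"]:
        return False
    if "registered" in rule and rule["registered"] != registered:
        return False
    return "managed" not in rule or rule["managed"] == managed

def evaluate(rules, group, registered, managed):
    """Return (rule name, access) for the first matching rule, in priority order."""
    for rule in rules:
        if matches(rule, group, registered, managed):
            return rule["name"], rule["access"]
    return None, "DENY"  # only reached if the list has no catch-all

def unmanaged_gaps(rules, groups):
    """Every (group, registered, rule) where a device that is not managed is allowed."""
    gaps = []
    for group, (registered, managed) in product(groups, DEVICE_STATES):
        name, access = evaluate(rules, group, registered, managed)
        if access == "ALLOW" and not managed:
            gaps.append((group, registered, name))
    return gaps

# Constructed rules; field and group names are hypothetical, not Okta API fields.
MANAGED_RULE = {"name": "Managed devices", "groups": {"FastPass-Pilot"},
                "registered": True, "managed": True, "access": "ALLOW"}
DENY_RULE = {"name": "Deny unmanaged", "groups": {"FastPass-Pilot"}, "access": "DENY"}
CATCH_ALL_ALLOW = {"name": "Catch All Rule", "access": "ALLOW"}
CATCH_ALL_DENY = {"name": "Catch All Rule", "access": "DENY"}

RULE_ONLY = [MANAGED_RULE, CATCH_ALL_ALLOW]            # steps above, nothing else
OPTION_1 = [MANAGED_RULE, DENY_RULE, CATCH_ALL_ALLOW]  # extra deny rule for the group
OPTION_2 = [MANAGED_RULE, CATCH_ALL_DENY]              # Catch All Rule set to deny

if __name__ == "__main__":
    groups = ["FastPass-Pilot", "Contractors"]
    for label, rules in [("rule only", RULE_ONLY), ("option 1", OPTION_1),
                         ("option 2", OPTION_2)]:
        print(label, unmanaged_gaps(rules, groups))
```

In this model the first option closes the gap only for the targeted group; users in other groups are still governed by the Catch All Rule.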
NOTE:
- When device management is enforced, the device context is required to determine the device's status (the device can only be "registered" or "registered and managed").
- To determine the device status, users will be prompted to set up Okta Verify FastPass on the device from which they access the restricted resources.
