iOS Device Not Managed by Okta Successfully Authenticates with an Authentication Policy That Requires Registered & Managed Devices
Devices and Mobility
Okta Identity Engine
Overview

This article discusses inconsistencies with the "Managed" status of iOS devices. When an iOS device is managed in MDM but not in Okta, and has Single Sign-On Extension (SSOe) configured, it will be flagged as managed in the Okta System Log if it authenticates via the SSOe. This behavior is expected.

Single Sign-On Extension is configured, and the device authenticates via the Single Sign-On Extension:

[Image: System Log]

Applies To
  • iOS devices
  • Okta Verify
  • Single Sign-On Extension (SSOe)
  • Okta Identity Engine (OIE)
Cause

If a managed app configuration for Okta Verify containing the managementHint is not also pushed to the device, then when SSOe fails and the user authenticates via Universal Link, the device is treated as unmanaged.

Solution

To resolve this behavior, deploy the managementHint to both the Single Sign-On Extension (SSOe) and the Okta Verify Managed App configuration for iOS devices. 

This ensures the device is counted as managed in all authentication flows. 
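
One way to audit exported MDM configuration for this gap, as an added example (not Okta's code). It assumes the SSOe profile is a plist with a `com.apple.extensiblesso` payload carrying the hint in `ExtensionData`, that the Okta Verify managed app configuration is exported as a plist dictionary, and that both should hold the same value; the sample profiles and hint value are constructed.

```python
import plistlib

SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"  # Apple Extensible SSO payload type
HINT_KEY = "managementHint"                   # key named in this article

# Constructed sample: SSO extension profile that carries the hint.
SAMPLE_SSOE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": SSO_PAYLOAD_TYPE,
        "ExtensionData": {HINT_KEY: "EXAMPLE-SECRET-KEY"},
    }],
})
# Constructed samples: Okta Verify managed app configuration without / with the hint.
SAMPLE_APP_CONFIG_MISSING = plistlib.dumps({"exampleOtherSetting": "value"})
SAMPLE_APP_CONFIG_FIXED = plistlib.dumps({HINT_KEY: "EXAMPLE-SECRET-KEY"})

def ssoe_hint(profile_bytes):
    """Return managementHint from the first Extensible SSO payload, or None."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == SSO_PAYLOAD_TYPE:
            return payload.get("ExtensionData", {}).get(HINT_KEY)
    return None

def app_config_hint(config_bytes):
    """Return managementHint from the managed app configuration, or None."""
    return plistlib.loads(config_bytes).get(HINT_KEY)

def audit(profile_bytes, config_bytes):
    """List configuration gaps; an empty list means both flows carry the hint."""
    sso, app = ssoe_hint(profile_bytes), app_config_hint(config_bytes)
    findings = []
    if not sso:
        findings.append("SSOe profile lacks managementHint")
    if not app:
        findings.append("Okta Verify app config lacks managementHint: "
                        "Universal Link fallback is unmanaged")
    if sso and app and sso != app:
        # Assumption: both configurations should hold the same value.
        findings.append("managementHint differs between SSOe and app config")
    return findings  # the hint value itself is never included in findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSOE_PROFILE, SAMPLE_APP_CONFIG_MISSING):
        print("FINDING:", finding)
```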
