Management Attestation Remediation Messaging Not Appearing During Policy Challenges
Okta Verify
Okta Identity Engine
Overview

When testing Authentication Policies that require a managed device, users may encounter the following generic error instead of specific remediation instructions (for example, "Enroll in MDM").

Access Denied

This article explains the logic Okta uses to decide whether management remediation signals are displayed or hidden.

Applies To
  • Management attestation
  • Okta Identity Engine (OIE)
  • iOS
  • macOS
  • Windows
  • Android
Cause

Okta only triggers remediation messaging when it detects a viable path for the user to resolve the requirement. If the specific platform (iOS, Android, macOS, or Windows) is missing or disabled under Device Integrations, Okta views the "Managed" requirement as an impossible condition. Because the system does not know which MDM vendor (for example, Intune, Jamf) is responsible for the attestation, it returns a generic error rather than providing instructions to a non-existent destination.

Solution

To ensure remediation instructions are visible to the end-user, verify the following configuration:

  1. Check Device Integrations: Navigate to Security > Device Integrations > Endpoint Management. Confirm that a valid configuration exists and is Active for the platform being tested.
  2. Verify Authentication Policy: Ensure the rule explicitly requires a "Managed" device and that no higher-priority rule is overriding the logic.
  3. Update Okta Verify: The Management Attestation signal relies on the handshake between the local Okta Verify client and the MDM certificate; ensure the app is up to date on the test device.
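Steps 1 and 2 above can be checked mechanically. The following is an added example, not Okta's own code or API client: it walks a constructed set of authentication policy rules (modelled on the `conditions.device.managed` and `conditions.platform.include[].os.type` fields of Okta access policy rules, an assumption about the shape) against an assumed set of platforms that have an Active Endpoint Management record, and reports the two conditions this article describes: a "Managed" rule targeting a platform with no active integration (the cause of the generic error), and a "Managed" rule sitting below a higher-priority rule for the same platform.

```python
from __future__ import annotations

ALL_PLATFORMS = {"IOS", "ANDROID", "MACOS", "WINDOWS"}

# Constructed sample rules; field layout is an assumption modelled on
# Okta access policy rules, values are illustrative only.
SAMPLE_RULES = [
    {"name": "Catch-all", "priority": 99, "status": "ACTIVE",
     "conditions": {"device": {"managed": False}, "platform": None}},
    {"name": "Managed Mac", "priority": 0, "status": "ACTIVE",
     "conditions": {"device": {"managed": True},
                    "platform": {"include": [{"os": {"type": "MACOS"}}]}}},
    {"name": "Managed mobile", "priority": 1, "status": "ACTIVE",
     "conditions": {"device": {"managed": True},
                    "platform": {"include": [{"os": {"type": "IOS"}},
                                             {"os": {"type": "ANDROID"}}]}}},
]

# Assumed: platforms with an Active record under
# Security > Device Integrations > Endpoint Management (Android is missing).
ACTIVE_ENDPOINT_MANAGEMENT = {"MACOS", "IOS"}


def rule_platforms(rule: dict) -> set[str]:
    """Platforms a rule applies to; no platform condition means all of them."""
    platform = rule["conditions"].get("platform")
    if not platform or not platform.get("include"):
        return set(ALL_PLATFORMS)
    return {entry["os"]["type"].upper() for entry in platform["include"]}


def find_remediation_gaps(rules: list[dict], active_mdm: set[str]) -> list[str]:
    """Report 'Managed' rules that target a platform with no active Endpoint
    Management integration, and 'Managed' rules that a higher-priority rule
    on the same platform may shadow (other rule conditions are not modelled)."""
    findings = []
    covered: set[str] = set()  # platforms already matched by an earlier rule
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("status") != "ACTIVE":
            continue
        platforms = rule_platforms(rule)
        if rule["conditions"].get("device", {}).get("managed"):
            for os_type in sorted(platforms - active_mdm):
                findings.append(f"{rule['name']}: requires Managed on {os_type} "
                                "but no Active Endpoint Management config")
            for os_type in sorted(platforms & covered):
                findings.append(f"{rule['name']}: shadowed on {os_type} "
                                "by a higher-priority rule")
        covered |= platforms
    return findings
```

Running `find_remediation_gaps(SAMPLE_RULES, ACTIVE_ENDPOINT_MANAGEMENT)` on the constructed data flags the Android gap for the "Managed mobile" rule, which is exactly the case where a user would see the generic error instead of an enrollment prompt.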
In the Summary of Behaviors table below, a "Platform Config" refers to an active MDM (Mobile Device Management) integration in the Okta Admin Console. For Okta to display specific remediation instructions, a corresponding record must exist under Security > Device Integrations > Endpoint Management for the operating system (iOS, Android, macOS, or Windows) in use.

If this configuration is missing or inactive, Okta cannot identify the remediation path (for example, whether to point the user toward Jamf, Intune, or another provider) and will default to a generic "Access Denied" message.
Summary of Behaviors

  • Scenario: Rule requires "Managed" + Platform Config exists
    Resulting Behavior: Okta shows remediation instructions (for example, "Install Company Portal").
  • Scenario: Rule requires "Managed" + No Platform Config exists
    Resulting Behavior: Okta treats the requirement as a hard "Deny" (generic error).
