Okta SAML Assertion for Managed Device Status Returns Incorrect "True" Value for Unmanaged Devices
Okta Identity Engine
Okta Device Access
Overview

In a SAML integration, an application team may require a specific assertion attribute to identify whether a user is accessing the app from a managed or unmanaged device. While the standard Okta documentation suggests using device context attributes, users may find that these return a "true" value even for unmanaged devices when the application policy allows access to all device types, for example, Virtual Desktop Infrastructure (VDI) or mobile.
This workaround uses a custom expression to ensure the assertion correctly passes "false" for any device not explicitly marked as managed.

Applies To
  • Okta Identity Engine (OIE)
  • SAML Integration/Device Trust
  • Passing device management status in SAML assertions across multiple device types (Laptops, Mobiles, VDIs)
Cause

When an application's authentication policy is configured to allow access to all devices (rather than restricting it to managed machines only), the default device context attributes may not always be evaluated as expected for unmanaged or virtual endpoints, leading to an incorrect "true" value being sent in the SAML assertion.

Solution

To ensure the application receives a string value of "false" for any device not explicitly managed by Okta, use a custom expression in the SAML Settings of the application:

  1. Navigate to the Admin Console and go to Applications > Applications.
  2. Select the target SAML application and go to the Sign On tab.
  3. Under the Attribute Statement section, expand Show legacy configuration and click Edit.
  4. Add or update the attribute responsible for device status (for example, managedDeviceStatus).
  5. Set the Value to the following expression: device.profile.managed == true ? "true" : "false".
  6. Click Next and Finish.

This ternary operator explicitly checks the device profile's management state. If the device is not managed, it will force the assertion to send the literal string "false".
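As an added example (not part of this Okta article), here is a service-provider-side check in Python that consumes the managedDeviceStatus attribute produced by the expression above and fails closed: only the exact literal "true" counts as managed, so a missing attribute, an empty value, or "false" all resolve to unmanaged. The sample assertion is constructed here and assumes the SAML Response has already been signature-verified.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the Okta page). The attribute name is the example
# name used in the article; real assertions must be signature-verified before
# any attribute in them is trusted.
_ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/example</saml:Issuer>
  <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
</saml:Assertion>"""


def build_assertion(device_status=None, name="managedDeviceStatus"):
    """Build a test assertion; device_status=None omits the attribute entirely."""
    attrs = ""
    if device_status is not None:
        attrs = (f'<saml:Attribute Name="{name}">'
                 f'<saml:AttributeValue>{device_status}</saml:AttributeValue>'
                 f'</saml:Attribute>')
    return _ASSERTION_TEMPLATE.format(attrs=attrs)


def attribute_values(assertion_xml, name):
    """Return every AttributeValue text for the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            for val in attr.findall("saml:AttributeValue", SAML_NS):
                values.append((val.text or "").strip())
    return values


def device_is_managed(assertion_xml, name="managedDeviceStatus"):
    """Fail closed: only the exact literal "true" (what the expression
    device.profile.managed == true ? "true" : "false" emits) counts as managed.
    A missing attribute, an empty value, "false", or more than one value
    all resolve to unmanaged."""
    values = attribute_values(assertion_xml, name)
    return len(values) == 1 and values[0] == "true"


if __name__ == "__main__":
    for status in ("true", "false", "", "True", None):
        print(repr(status), "->", device_is_managed(build_assertion(status)))
```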
