Omnissa Certificate Domain Change Impact on Legacy Device Trust for OIE Customers
Devices and Mobility
Okta Identity Engine
Overview

This article explains the critical impact of the upcoming Omnissa (formerly VMware Workspace ONE) certificate rebranding on Okta customers who have migrated to Okta Identity Engine (OIE) but continue to leverage the Legacy Device Trust feature.


Note: This announcement does not affect customers who are already utilizing the native Management Attestation feature in OIE, which uses Okta Verify and SCEP profiles to establish device trust, or customers still on Okta Classic.

Applies To
  • Okta Identity Engine (OIE) 
  • Legacy Device Trust (migrated from Okta Classic)
  • Omnissa / VMware Workspace ONE integrations
Cause

Omnissa has announced a certificate domain change scheduled for April 2026. As part of their rebranding from VMware Workspace ONE, the issuer and Subject Distinguished Name (DN) in device identity certificates will change from vmwareidentity.com to omnissa. Learn more: link.

 

Impact

Okta's Legacy Device Trust integration relies on validating the specific certificate chain and Subject DN patterns of the device certificate. When Omnissa updates these certificates, the existing validation logic configured in Okta will fail, causing compliant devices to be marked as non-compliant and blocking user access to sensitive applications.

 

When Omnissa rolls out the new certificates on March 30, 2026, authentication for your managed devices will break.

 

Solution

Recommended Long-Term Solution

To ensure uninterrupted access for your users, we highly recommend that you transition from Legacy Device Trust to Management Attestation on OIE before April 2026.

 

Management Attestation is the native device trust solution for Okta Identity Engine. It offers equivalent functionality to the legacy feature, supports more MDM integrations, and is fully integrated with Okta Verify and FastPass for enabling strong passwordless authentication on managed, compliant devices. Learn more: link.

Temporary Solution:

If you need additional time to complete your full migration to Okta Identity Engine, you can update your Legacy Device Trust certificate file and metadata from Omnissa via the admin console: link.

 

Option 1 - Complete your OIE migration (OIE Management Attestation)

We strongly recommend you begin this process immediately by following these steps:

 

  1. Review Documentation: Familiarize yourself with the Management Attestation configuration guide.
  2. Configure in Preview: In your preview Okta environment, set up Omnissa/Workspace ONE to deploy the Okta Verify app and the necessary SCEP profiles to your test devices.
  3. Test and Validate: Confirm that your test devices are successfully sending device trust signals to Okta and that your authentication policies work as expected.
  4. Phased Production Rollout: Begin a controlled rollout in your production environment, starting with a non-critical application to validate the solution with a small group of users.
  5. Decommission Legacy Feature: Once the rollout is validated, update your global authentication policies to remove the enforcement of Legacy Device Trust.

Taking these steps now will ensure a smooth transition and maintain uninterrupted access for all your users.

 

Option 2 - Update Omnissa configuration (Legacy Device Trust)

If you are unable to migrate to OIE Management Attestation at this time, upload the new Omnissa certificate by following these steps:

 

  1. Retrieve the SAML metadata information from Omnissa by following Okta docs.
  2. Update your Identity Provider with the new entityID and SingleSignOnService URL in the OIE Admin Console by following Okta docs.

 

Recommended Action Plan:

  1. Review the Documentation: Familiarize yourself with the Management Attestation configuration guide.
  2. Configure in Preview: In your preview environment, set up your MDM (Omnissa/Workspace ONE) to deploy the Okta Verify app and the necessary SCEP profiles to your test devices.
  3. Test and Validate: In your preview environment, verify that test devices are successfully sending device context and attestation signals to Okta. Confirm that authentication policies requiring the "Device is managed" condition work as expected.
  4. Phased Production Rollout: Begin a controlled rollout to your production environment. A recommended strategy is to deploy the SCEP profiles and a new authentication policy for a single, non-critical application first. This allows you to validate the solution with a subset of users before a full cutover.
  5. Decommission Legacy Device Trust: Once the production rollout is complete and validated across all necessary applications, update your global authentication policies to remove the enforcement of Legacy Device Trust.

 
