<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Okta Verify Device Does Not Appear As Managed

Okta Device Access
Okta Identity Engine

Overview

A previously managed Windows device appears as unmanaged in Okta due to a failed Okta Verify upgrade. Resolve this issue by redeploying Okta Verify and authenticating using Okta FastPass to re-establish the managed status.

Applies To

  • Okta Identity Engine (OIE)
  • Managed Windows Devices
  • Okta Verify (OV)

Cause

In this case, a failed Okta Verify upgrade caused the device to lose the managed status. Review the Okta Verify logs in the Windows Event Viewer to confirm the failure by following these steps.

  1. Open the Run command using Windows+R command and enter eventvwr.
  2. Select Okta under Applications and Services Logs.
| Level | Date and Time | Source | Event ID | Task Category | Message |
| --- | --- | --- | --- | --- | --- |
| **Information** | 02/09/2024 07:16:10 | OktaUpdate | 8611 | None | ApplicationInstaller: Process Launched to upgrade from version: 5.1.3 to 5.3.0 message:CurrentInstalledVersion=5.1.3&AutoUpdateUrl=https://<MyDomain>.okta.com/&EventLogName=Okta&EventSourceName=OktaUpdate&ReleaseChannel=GA&ArtifactType=WINDOWS_OKTA_VERIFY&PipeName=Okta.etc.=. |
| **Error** | 03/09/2024 08:18:33 | Okta Verify | 8120 | None | WindowsMessageSender.InformAllInstances: Failed copying data from process 22692 from sender window 0x196760. |
| **Error** | 03/09/2024 08:18:33 | Okta Verify | 8120 | None | BindingsManager.HandleCustomUriActivation: Failed to signal the primary instance for URI activation. |
| **Error** | 03/09/2024 13:25:04 | OktaUpdate | 8900 | None | ApplicationInstaller: Auto Update will not happen due to exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond <ipAddress:Port> at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult) etc. |
| **Error** | 04/09/2024 09:36:27 | Okta Verify | 8120 | None | [PrimaryApplicationLaunch][CustomUriRequest][OktaWebRequest.SendMessageAsync]: Call to https://<domain>/idp/authenticators/<id>/transactions/ftjwN3TgqXXWHzr8rCnCw-eWT__kq3DzMEE/verify failed with Forbidden. Request Id: a99a99aa0123aaaaaa9999aa9a9a99aaa |

Solution

How is the managed status restored?

Redeploy Okta Verify to the affected device by following the instructions in the Deploy Okta Verify to Windows devices documentation, and create a temporary bookmark application with an authentication policy requiring managed status to have the user authenticate using Okta FastPass. 

 

 

How is the temporary bookmark application created?

Trigger the process that updates the device management status by authenticating using Okta FastPass. Create a temporary Bookmark application to guide the user through the initial authentication by following these steps.

  1. Navigate to Applications > Applications > Browse App Catalog in the Okta Admin Console.
  2. Search for and select Bookmark.
  3. Choose Add Integration.
  4. Enter a name for the temporary bookmark (for example, "Managed Device Check").
  5. Enter a working URL.
  6. Choose Assign and assign the bookmark application to the specific user experiencing the issue.

 

 

How is the authentication policy configured for the temporary bookmark?

Create an authentication policy requiring managed status for the Bookmark application by following these steps.

  1. Navigate to Security > Authentication Policies in the Okta Admin Console.
  2. Choose Add Policy.
  3. Enter a name for the temporary policy (for example, "Require Managed Device").
  4. Choose Save.
  5. Navigate to the Applications tab on the policy page and choose Add App.
  6. Select the created Bookmark application and choose Done.
  7. Navigate to the Rules tab for the new policy.
  8. Choose Actions > Edit next to the Catch-All Rule.
  9. Select Denied under the THEN Access is section.
  10. Choose Save.
  11. Choose Add Rule.
  12. Enter a name for the rule (for example, "Managed Device Allowed").
  13. Leave the default setting under the IF User is section.
  14. Select Registered under the AND Device state is section.
  15. Select Managed under the AND Device management is section.
  16. Ensure Okta Verify - FastPass is listed as an available option under the AND Authentication methods section.
  17. Choose Every time user signs in to resource under the When to prompt for authentication section.
  18. Choose Save.

 

 

Test the Configuration

Instruct the user to authenticate and review the results by following these steps.

  1. Instruct the user to access the temporary bookmark application from the unmanaged device.
  2. Review the authentication results. If the user authenticates successfully using Okta Verify FastPass, Okta updates the device status to Managed. If the Catch-All Rule denies access, collect the logs generated by the authentication attempt for further analysis by following the instructions in the Collect Okta Verify Logs from Desktop (macOS / Windows) article.
Loading
Okta Support - Okta Verify Device Does Not Appear As Managed