This article discusses using the device.profile.diskEncryptionType attribute with Okta Expression Language (EL) in Authentication Policies. The attribute lets you refine the default disk-encryption requirement of a Device Assurance Policy so that it can be applied more granularly.
- Okta Identity Engine (OIE)
- Device Expression Language (EL)
- Device Assurance Policies
- Okta Verify Fastpass
For details on implementing device custom expression language into policies, see the manual chapter Add a custom expression to an authentication policy and this article, Using Okta Expression Language for Devices in Authentication Policy Rules.
- Supported String values:
  - NONE - No encryption has been set. (All platforms)
  - FULL - The disk is fully encrypted. (Android, iOS)
  - USER - The encryption key is tied to the user or profile. (Android)
  - ALL_INTERNAL_VOLUMES - All internal disks are encrypted. (macOS, Windows)
  - SYSTEM_VOLUME - Only the system volume is encrypted. (macOS, Windows)
When creating a custom expression referring to devices, please note the following requirements:
- Always include the condition device.profile.registered == true to include device conditions in the custom expression.
- In general, device attributes can only be used if Okta FastPass is enabled.
- If the Device Assurance Policy is configured to require disk encryption and no custom device EL states otherwise, then all drives must be encrypted.
- If the Device Assurance Policy requires disk encryption and is assigned in the Authentication Policy, do not set the custom device EL to "NONE" at the same time. The two conditions contradict each other, so the target rule is expected to be skipped.
Example:
device.profile.registered == true && device.profile.diskEncryptionType == "SYSTEM_VOLUME"
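To make the interaction between the Device Assurance requirement and a custom expression concrete, the following Python script is an added example; it is not Okta's code, not an official EL evaluator, and not part of this article. It evaluates a small subset of EL (==, !=, &&, ||, parentheses, quoted strings, true/false and dotted attribute paths) against constructed device profiles. The sample fleet, the helper names (rule_matches, devices_matching), and the modelling of a "require disk encryption" assurance check as failing NONE and SYSTEM_VOLUME (because the article says all drives must be encrypted) are assumptions of the example.

```python
"""Added example: evaluate a tiny subset of Okta EL against constructed device profiles.
Not Okta's code. Supports ==, !=, &&, ||, parentheses, "strings", true/false, dotted paths."""
import re
from typing import Any, Dict, List, Tuple

# Operators, quoted strings, or dotted identifiers (true/false become booleans).
TOKEN_RE = re.compile(r'\s*(?:(&&|\|\||==|!=|\(|\))|"([^"]*)"|([A-Za-z_][\w.]*))')


def tokenize(expr: str) -> List[Tuple[str, Any]]:
    tokens: List[Tuple[str, Any]] = []
    pos, expr = 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("op", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("str", m.group(2)))
        elif m.group(3) in ("true", "false"):
            tokens.append(("bool", m.group(3) == "true"))
        else:
            tokens.append(("attr", m.group(3)))
    return tokens


class Parser:
    """Recursive descent; precedence from lowest to highest: ||, &&, == / !=."""

    def __init__(self, expr: str):
        self.toks, self.i = tokenize(expr), 0

    def peek(self) -> Tuple[Any, Any]:
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self) -> Tuple[Any, Any]:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.peek()[1]!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("op", "||"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_cmp()
        while self.peek() == ("op", "&&"):
            self.take()
            left = ("and", left, self.parse_cmp())
        return left

    def parse_cmp(self):
        left = self.parse_atom()
        kind, val = self.peek()
        if kind == "op" and val in ("==", "!="):
            self.take()
            return (val, left, self.parse_atom())
        return left

    def parse_atom(self):
        kind, val = self.take()
        if (kind, val) == ("op", "("):
            node = self.parse_or()
            if self.take() != ("op", ")"):
                raise ValueError("expected ')'")
            return node
        if kind in ("str", "bool", "attr"):
            return (kind, val)
        raise ValueError(f"unexpected token {val!r}")


def evaluate(node, dev: Dict[str, Any]) -> Any:
    kind = node[0]
    if kind in ("str", "bool"):
        return node[1]
    if kind == "attr":  # walk "device.profile.x" through nested dicts; a missing attribute yields None
        value: Any = dev
        for part in node[1].split("."):
            value = value.get(part) if isinstance(value, dict) else None
        return value
    if kind == "and":
        return bool(evaluate(node[1], dev)) and bool(evaluate(node[2], dev))
    if kind == "or":
        return bool(evaluate(node[1], dev)) or bool(evaluate(node[2], dev))
    left, right = evaluate(node[1], dev), evaluate(node[2], dev)
    return left == right if kind == "==" else left != right


def device(registered: bool, enc: str) -> Dict[str, Any]:
    # Constructed profile shaped after the attribute paths used in the article.
    return {"device": {"profile": {"registered": registered, "diskEncryptionType": enc}}}


DEVICES = {  # constructed sample fleet (names are labels only)
    "win-laptop": device(True, "SYSTEM_VOLUME"),
    "mac-desktop": device(True, "ALL_INTERNAL_VOLUMES"),
    "android-phone": device(True, "FULL"),
    "win-unregistered": device(False, "SYSTEM_VOLUME"),
    "win-unencrypted": device(True, "NONE"),
}

# Modelling assumption: "require disk encryption" in Device Assurance means all drives
# are encrypted, so NONE and SYSTEM_VOLUME (system volume only) do not satisfy it.
ASSURANCE_FAILS = {"NONE", "SYSTEM_VOLUME"}


def rule_matches(expression: str, dev: Dict[str, Any], require_assurance: bool = False) -> bool:
    """True when the device passes the optional assurance check and the EL condition."""
    if require_assurance and dev["device"]["profile"]["diskEncryptionType"] in ASSURANCE_FAILS:
        return False
    return bool(evaluate(Parser(expression).parse(), dev))


def devices_matching(expression: str, fleet: Dict[str, Any], require_assurance: bool = False) -> List[str]:
    return [name for name, dev in fleet.items() if rule_matches(expression, dev, require_assurance)]


PAGE_EXAMPLE = 'device.profile.registered == true && device.profile.diskEncryptionType == "SYSTEM_VOLUME"'
# Contradicts an assurance policy that requires encryption: matches nothing, so the rule is skipped.
CONTRADICTORY = 'device.profile.registered == true && device.profile.diskEncryptionType == "NONE"'
# Granular alternative: accept any encrypted state, including system-volume-only on desktop OSes.
ANY_ENCRYPTION = ('device.profile.registered == true && ('
                  'device.profile.diskEncryptionType == "SYSTEM_VOLUME" || '
                  'device.profile.diskEncryptionType == "ALL_INTERNAL_VOLUMES" || '
                  'device.profile.diskEncryptionType == "FULL")')

if __name__ == "__main__":
    for label, expr in [("page example", PAGE_EXAMPLE), ("contradictory", CONTRADICTORY), ("any encryption", ANY_ENCRYPTION)]:
        print(f"{label:15} EL only     -> {devices_matching(expr, DEVICES)}")
        print(f"{label:15} + assurance -> {devices_matching(expr, DEVICES, True)}")
```

Running the script shows the two points the requirements above make: the article's example matches only the registered SYSTEM_VOLUME device, and once the assurance check is applied as well it matches nothing, because a system-volume-only disk does not satisfy "all drives encrypted". The "NONE" expression combined with the assurance check likewise never matches, which is the skipped-rule situation. The unregistered device never matches any expression, which is why device.profile.registered == true is always included.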
Related References
- Expression Language attributes for devices
- Add a custom expression to an authentication policy
- Using Okta Expression Language for Devices in Authentication Policy Rules
