Administration
Demystifying Upgrading to OIE Series Episode #3a: From Device Trust to Device Context
Dimitri Volkmann

This Series is authored by Ruchir Parikh.


Welcome back to our “Demystifying Upgrading to OIE Series”!


In this series of four episodes, we take a fictitious company and walk through the steps of the Okta Identity Engine (OIE) upgrade, offering tips and tricks along the way.


If you missed the first episodes, please check Episode #1: The Upgrade Scenario and Episode #2: Eligibility & Best Practices. In those two episodes, we covered the upgrade process as well as common blockers and their remediation.


This third post reviews how to upgrade Mobile and Desktop Device Trust for Atko HyTekSys.


From Device Trust to Device Context

With Okta Classic, you have the option to leverage a Mobile Device Management (MDM) solution and integrate the ‘managed’ status of devices into your policies. Although OIE offers the same capabilities, and more (see Device Assurance, for example, once you have completed your own upgrade), the architecture is a bit different: in OIE, we talk about “Device Context”.


“Device context” in OIE is a state that the device can be in, and you can use that state information to craft policies (we will see examples of this).


There are four possible states for a device:


  • Unknown device - this is the first time this device is trying to access Okta
  • Known device - this device has already been seen and has been able to authenticate
  • Registered device - Okta Verify has been installed and the device has been enrolled in Okta Verify (note that in OIE, Okta Verify can also capture a number of device characteristics such as OS type and OS version, as well as specific features like device encryption, passcode, etc.)
  • Managed device - the device has been enrolled in an MDM tool


Note that a device can be both Registered and Managed.


In this blog post, we will explore how to upgrade from Okta Classic Device Trust to OIE Device Context using our fictitious friend Atko HyTekSys.


Prerequisites for customers moving Device Trust in Okta Classic to Device Context in OIE

Managed Devices in OIE require Okta FastPass to be enabled (FastPass is a tenant-wide setting). Customers who do not want to allow FastPass authentication should understand per-app authentication policies and tailor them to their company's requirements.


Okta Verify for Mobile and Desktop will need to be deployed by Okta Administrators, which means that end users will be required to use Okta Verify on their mobile devices and desktops. They will have to follow a two-step process:

  • The user must enroll manually into Okta Verify on the Desktop—there is no auto/silent enrollment option.
  • The user must enable FastPass on their Okta Verify mobile app post-OIE upgrade. (Android | iOS)

Atko HyTekSys plans to continue to leverage MDM after their OIE upgrade

Atko HyTekSys uses both Mobile and Desktop Device Trust in their Okta Production tenant. To understand the difference between Okta Classic and OIE, their IAM team configured Mobile and Desktop Device Trust in Okta Preview Classic and upgraded that tenant to OIE. Here is what the team learned and their plan for the Production upgrade.


Upgrading Desktop Devices 

Atko HyTekSys is upgrading with Desktop Device Trust enabled in Okta Classic and has a plan to move off the legacy platform to the new OIE Managed Devices as soon as possible. This way, Atko HyTekSys can continue to leverage its MDM solution in authentication policies.


NOTE: Do not remove the on-prem IWA Agents, as they are still needed for Desktop Device Trust after the upgrade. Only after moving to the new Managed Devices in OIE and removing the legacy platform is it safe to decommission the on-prem IWA agents.


Upgrading with Desktop Device Trust in place is an option that makes upgrading to OIE easier. Please plan to move over to the new Managed Device platform with Okta Verify as soon as possible after your upgrade for the best OIE experience.


Please refer to the post-OIE upgrade checklist for managed mobile devices in the appendix of this blog (Episode #3b).

Upgrading Mobile Devices


Atko HyTekSys needs to plan its OIE upgrade in coordination with Mobile Device Trust. Mobile Device Trust must be disabled in Okta Classic before the OIE upgrade can be scheduled.


NOTE: As of Jun 11, 2024, the OIE Upgrade Blocker related to Workspace ONE SAML-Based Mobile Device Trust will no longer require reconfiguration to upgrade.


Customers can enable the self-service feature “Migration Support for Workspace ONE Device Trust for Android and iOS” (in the Okta Administrator Dashboard → Settings → Features).


Atko HyTekSys would like to minimize the time frame during which Mobile Device Trust is disabled for their Production tenant. Therefore, their upgrade plan and company-wide communications need to take this into account. Two and a half hours before their upgrade time, an Okta Administrator will disable Mobile Device Trust in the tenant and schedule the OIE upgrade for the next available time slot.


NOTE: Customers can schedule their OIE upgrade two hours from the current time. OIE upgrades happen at the top of the hour. Therefore, it is recommended to remediate all blockers around two hours and 30 minutes before your desired upgrade time.

Here is an example of a typical sequence of events:

  • Upgrade to OIE on Oct 10, 2024 at 5:00 PM PT
  • Remediate all remaining blockers at 2:30 PM PT
  • Please schedule your upgrade for 5:00 PM PT immediately after remediating all blockers. Do not wait until 3:00 PM PT, as this will result in having to schedule your upgrade at 6:00 PM PT
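The timing rule above has an edge case worth making explicit: scheduling at exactly 3:00 PM gives you the 6:00 PM slot, not 5:00 PM. The following is an added example (not part of the original post or of Okta's tooling) that models the rule as the post states it, treating the two-hour lead time as exclusive so that it reproduces the 2:30 PM / 3:00 PM example. Times are naive wall-clock values in the tenant's time zone; the 30-minute remediation buffer is the post's recommendation, not a platform constraint.

```python
from datetime import datetime, timedelta

# Rules as stated in the post: an upgrade can be scheduled two hours from the
# current time, and upgrades run at the top of the hour. All datetimes here are
# naive wall-clock values in the tenant's time zone (PT in the post's example).
LEAD_TIME = timedelta(hours=2)
REMEDIATION_BUFFER = timedelta(minutes=30)  # extra margin recommended by the post


def earliest_upgrade_slot(now: datetime) -> datetime:
    """First top-of-the-hour slot strictly later than now + LEAD_TIME.

    'Strictly later' is the interpretation that matches the post's example:
    scheduling at exactly 3:00 PM yields a 6:00 PM slot, not 5:00 PM.
    """
    earliest = now + LEAD_TIME
    top_of_hour = earliest.replace(minute=0, second=0, microsecond=0)
    return top_of_hour + timedelta(hours=1)


def remediation_deadline(target_slot: datetime) -> datetime:
    """Time by which blockers should be remediated (and the upgrade scheduled)
    so that target_slot is still available, following the post's 2h30m guidance."""
    if (target_slot.minute, target_slot.second, target_slot.microsecond) != (0, 0, 0):
        raise ValueError("upgrade slots are always at the top of the hour")
    return target_slot - LEAD_TIME - REMEDIATION_BUFFER


def earliest_slot_iso(now_iso: str) -> str:
    """String-in, string-out wrapper (ISO 8601, no time zone) for quick checks."""
    return earliest_upgrade_slot(datetime.fromisoformat(now_iso)).isoformat()


def remediation_deadline_iso(slot_iso: str) -> str:
    """String-in, string-out wrapper around remediation_deadline."""
    return remediation_deadline(datetime.fromisoformat(slot_iso)).isoformat()


if __name__ == "__main__":
    target = datetime(2024, 10, 10, 17, 0)  # the post's 5:00 PM PT upgrade
    print("Remediate blockers and schedule by:", remediation_deadline(target))
    for now in (datetime(2024, 10, 10, 14, 30), datetime(2024, 10, 10, 15, 0)):
        slot = earliest_upgrade_slot(now)
        print(f"Scheduling at {now:%I:%M %p} -> earliest slot {slot:%I:%M %p}")
```

Running the script prints the 2:30 PM deadline for a 5:00 PM target, a 5:00 PM slot when scheduling at 2:30 PM, and a 6:00 PM slot when scheduling at 3:00 PM, which is exactly the sequence the post describes.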

Before upgrading, it is highly recommended to take the following aspects into consideration:

  • In an effort to reduce downtime, Okta has created a feature called Bring Your Own Secret (BYO Secret). This feature is available on OIE only and will automatically be enabled after your OIE upgrade.
  • As long as the Secret Key was created using the following criteria, you should be able to use this Key in the Device Integrations after upgrading to OIE:
    • The key has 8-256 alphanumeric characters (at least 20 is recommended).
    • The key is a mix of uppercase and lowercase letters and symbols.
  • This Secret Key can be configured in your MDM and deployed to Okta Verify on your end-user devices prior to upgrading the org to OIE. After the upgrade, end users will only need to open the Okta Verify account and enable FastPass to access applications that require managed devices. (Android | iOS)
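Because the BYO Secret is pre-staged in the MDM before the upgrade, it is worth generating it from a cryptographically secure source and checking it against the criteria above before it is pushed to devices. The following is an added example, not code from the post or from Okta: it encodes the post's bullets as a validator (length 8-256, at least one uppercase letter, one lowercase letter and one symbol, with 20 as the recommended minimum) and generates a key from the OS CSPRNG that satisfies them. The allowed symbol set is an assumption chosen to avoid quoting and escaping problems in MDM configuration profiles; confirm it against Okta's current documentation.

```python
import secrets
import string

MIN_LEN, MAX_LEN = 8, 256       # hard limits stated in the post
RECOMMENDED_MIN_LEN = 20        # recommendation stated in the post

# Assumed symbol set: printable ASCII punctuation minus quotes, backslash and
# backtick, so the key pastes cleanly into MDM profiles. Confirm against Okta docs.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def check_byo_secret(key: str) -> list[str]:
    """Return the list of criteria the key fails; an empty list means it passes.

    This is an interpretation of the post's bullets, not Okta's own validator:
    letters, digits and symbols only; at least one upper, one lower, one symbol.
    """
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append(f"length {len(key)} not in {MIN_LEN}-{MAX_LEN}")
    if any(c not in ALPHABET for c in key):
        problems.append("contains characters outside letters, digits and symbols")
    if not any(c.isupper() for c in key):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in key):
        problems.append("no lowercase letter")
    if not any(c in SYMBOLS for c in key):
        problems.append("no symbol")
    return problems


def meets_recommended_length(key: str) -> bool:
    """True when the key meets the post's recommended minimum of 20 characters."""
    return len(key) >= RECOMMENDED_MIN_LEN


def generate_byo_secret(length: int = 32) -> str:
    """Generate a key that passes check_byo_secret.

    Uses the secrets module (OS CSPRNG), never the random module, and retries the
    rare draw that misses a character class rather than patching characters in,
    which would bias the distribution.
    """
    if not RECOMMENDED_MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be in {RECOMMENDED_MIN_LEN}-{MAX_LEN}")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_byo_secret(key):
            return key


if __name__ == "__main__":
    # Constructed sample keys to show the validator's output.
    for sample in ("Abcdefgh!", "Abcdefghijkl", "abcdefgh!", "short"):
        print(f"{sample!r:20} -> {check_byo_secret(sample) or 'OK'}")
    generated = generate_byo_secret()
    print("generated:", generated, "recommended length:", meets_recommended_length(generated))
```

Store the generated value only in the MDM's secret field and in whatever vault the IAM team uses for the Okta Device Integration; it should not end up in tickets or chat while the upgrade is being coordinated.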


Please refer to the post-OIE upgrade checklist for managed mobile devices in the appendix of this blog (Episode #3b).

Another key step…

Devices are an integral part of our lives nowadays, and their role in identity security is becoming critical. OIE Device Context supports this trend very effectively and delivers tools that help you better manage and control your devices.

In the last episode of our OIE Upgrade Series, we will cover one more important topic: customizations.



Author: Ruchir Parikh

Contributors: Brent Arrington, Dimitri Volkmann
