Okta Device Assurance AMA Recap: Top Highlights
Christina.J

Thank you to everyone who participated in our Ask Me Anything on Okta Device Assurance! For those who couldn’t join, we’ve put together the top five highlights from the session. For detailed answers from our product expert, read the complete discussion thread.


Here are the key takeaways:


  • Do I need Okta Verify to use Device Assurance?

Okta Verify is our primary device attribute provider for Device Assurance policies. However, you can also enforce attributes from the Chrome Device Trust connector in Device Assurance. For more details, see the official documentation on Add a device assurance policy and Device assurance overview.


  • Informing users that their device is not compliant

User communication is handled directly within the authentication flow. When a device fails a policy check, a customizable error message is displayed in the Okta sign-in widget. This message can clearly state the reason for the denial and provide specific, actionable steps for the user to remediate the compliance issue and regain access. 

To see the full list of device assurance conditions and their corresponding remediation messages, refer to the official documentation on Remediation messages for device assurance. Customize remediation messages per posture check for tailored user guidance. For detailed instructions, see the official Okta documentation on Add user help for device assurance and Configure custom remediation instructions for device assurance.


  • Device Access Policies are granular and targeted

A customer asked if Device Assurance policies can be assigned to user groups and apps, or if they’re global. Our expert informed us that Device Assurance policies are not global. They are configured directly within the Okta Authentication Policy framework, which allows for highly granular assignments. This means you can scope a specific requirement to be enforced only for specific user groups accessing specific information. This allows for strong selective security, without impacting your entire user base or application portfolio.


  • Do I need to use Okta FastPass for Device Assurance?

Okta FastPass is not a requirement to use Device Assurance. FastPass is an optional feature that leverages the device context collected by Okta Verify to provide a passwordless sign-on experience; however, you may still use Device Assurance with traditional or password-based MFA flows. You can follow the documentation for Device Assurance overview and Configure Okta FastPass for more insights.


  • Policy flexibility allows enforcement without blocking access

A question was asked about whether you can enforce being up to date with security patches without blocking access. Policies are flexible and designed for risk mitigation, so you can enforce security patches using the Grace period feature in Device Assurance policies. The steps are below.


How to Configure Device Assurance for Security Patch Compliance with Grace Period

  1. In the Okta Admin Console, go to Security > Device Assurance Policies.
  2. Create or edit a device assurance policy that includes the OS version or Minimum OS version condition to enforce security patch levels or OS updates.
  3. Scroll to the Grace period settings and select one of the following to grant users a remediation window before access is blocked:
    • Yes, by a due date
    • Yes, after a number of days
  4. Specify the due date or number of days for the grace period.

 

What Happens During the Grace Period

  • Users with devices that do not meet the OS version or security patch requirements will still be allowed access during the grace period.
  • The Sign-In Widget displays remediation messages instructing users to update their devices before the grace period expires.
  • After the grace period ends, users who have not remediated their devices are denied access to Okta-protected resources until they comply.
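
The grace-period behaviour described above can be modelled offline to see which users a policy would block before you turn it on. This is an added example, not Okta code or an Okta API: the function names, the inventory format and the sample devices are hypothetical, and it assumes the day-count window starts when a device is first seen out of compliance.

```python
from datetime import datetime, timedelta, timezone

def parse_version(text):
    # Compare numerically: as strings, "14.10" would sort below "14.9".
    return tuple(int(part) for part in text.split("."))

def meets_minimum(device_os, minimum_os):
    have, need = parse_version(device_os), parse_version(minimum_os)
    width = max(len(have), len(need))
    pad = lambda v: v + (0,) * (width - len(v))  # treat "14.6" as "14.6.0"
    return pad(have) >= pad(need)

def grace_deadline(grace, first_noncompliant):
    # Assumption: the day-count window starts when the device was first
    # seen out of compliance; the page does not state the start point.
    if grace["mode"] == "due_date":
        return grace["due"]
    if grace["mode"] == "days":
        return first_noncompliant + timedelta(days=grace["days"])
    return first_noncompliant  # no grace period: block immediately

def evaluate(device, minimum_os, grace, now):
    if meets_minimum(device["os"], minimum_os):
        return "ALLOW"
    if now < grace_deadline(grace, device["first_noncompliant"]):
        return "ALLOW_WITH_REMEDIATION"  # access plus remediation message
    return "DENY"

def audit(devices, minimum_os, grace, now):
    # Map each user to the decision their device would receive at `now`.
    return {d["user"]: evaluate(d, minimum_os, grace, now) for d in devices}

UTC = timezone.utc
# Constructed sample inventory, not real data.
DEVICES = [
    {"user": "alice", "os": "14.10", "first_noncompliant": None},
    {"user": "bob", "os": "14.6.1",
     "first_noncompliant": datetime(2025, 3, 1, tzinfo=UTC)},
    {"user": "carol", "os": "13.7",
     "first_noncompliant": datetime(2025, 2, 1, tzinfo=UTC)},
]

if __name__ == "__main__":
    now = datetime(2025, 3, 10, tzinfo=UTC)
    print(audit(DEVICES, "14.7", {"mode": "days", "days": 14}, now))
    due = {"mode": "due_date", "due": datetime(2025, 3, 5, tzinfo=UTC)}
    print(audit(DEVICES, "14.7", due, now))
```

Running the audit with a future `now` set to the planned enforcement date lists the users who still need to update before access is blocked.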


As we continue our AMA program, we’re excited to bring you more topics and connect you with our product experts to discuss the issues that matter most to your organization. Stay tuned for upcoming sessions—we look forward to seeing you!
