Okta Classic Engine | Devices and Mobility | Answered | 2020-07-29T16:37:45.000Z | 2020-07-23T18:42:36.000Z

MichaelD.58674 (Customer) asked a question.

Routing Rule to Match iOS Devices Only

I’m working up an implementation cookbook for the delegated IdP model to redirect authentication requests only for mobile devices to a second IdP (MobileIron Access), while all other endpoints are authenticated by Okta.

 

I’m seeing an anomaly where Routing Rules don’t work correctly for iPads.  If the Routing Rule user platform criteria includes iOS, and the access request originates from an iPad, the Routing Rule is not matched.  If the user platform criteria includes macOS, then the iPad traffic matches the rule. This is a problem because I don't want macOS devices to be authenticated by Access.

 

Here’s some data from the logs. The client device is recognized as a tablet:

 

Client

Device Tablet

 

The UserAgent data indicates the device is an iPad, but the OS is being detected as "Mac OS X (iPad)", not iOS:

 

UserAgent

• Browser SAFARI

• OS Mac OS X (iPad)

• RawUserAgent Mozilla/5.0 (iPad; CPU OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1

 

Is this a known issue?


  • Hi @MichaelD.58674 (Customer)​ ,

     

    Don't have a good answer for this, but did start hearing about this around the time when iOS 13 was released. From chatter internally, these are some of the workarounds that were suggested about 8 months back:

     

    • Option 1. All websites accessed from Safari (iPadOS 13 and higher) – In iPad settings, go to Safari settings > Request Desktop Website and then turn off the All Websites setting.
    • Option 2. Per-website basis – Open Safari, tap Aa on the left side of the search field, and then tap Request Mobile Website.
    • Option 3. Access the target app through its Native App version or through Okta Mobile instead of through Safari.

     

    I also created this Okta idea about 7 months back, appreciate an upvote if you think it's valid or you could search/create one that is relevant to your use case.

     

    https://ideas.okta.com/app/#/case/115124

     

    -Andrew

  • MichaelD.58674 (Customer)

    Thanks, Andrew. It is good to know I'm not the only implementation seeing this anomaly. I'm going to hypothesize that Okta's endpoint identification code is just keying on seeing the string "Mac OS X" in the UserAgent and categorizing the operating system based on that pattern and not the device identifiers like "iPad".

     

    I'm going to have another look at the Routing Rules interface to see if there is a way to match Routing Rules based on a RegEx of the UserAgent string. I'll report back what I find.

This question is closed.
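
The mismatch discussed in this thread, as an added example (not part of the thread and not Okta's code): a substring check for "Mac OS X", the behaviour hypothesised in the last reply, next to a check that reads the device token first. The `route` helper, the IdP labels, and the iPhone and desktop-class user agents are constructed assumptions; the iPad string is the one quoted in the question.

```python
import re

# User agent quoted in the question (iPad, Safari in mobile mode).
IPAD_MOBILE = ("Mozilla/5.0 (iPad; CPU OS 13_3_1 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) "
               "Version/13.0.5 Mobile/15E148 Safari/604.1")
# Constructed samples: an iPhone, and the desktop-class string Safari on
# iPadOS 13+ sends with "Request Desktop Website" on (same shape as a Mac).
IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) "
          "AppleWebKit/605.1.15 (KHTML, like Gecko) "
          "Version/13.0.5 Mobile/15E148 Safari/604.1")
DESKTOP_CLASS = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) "
                 "Version/13.0.5 Safari/605.1.15")

IOS_DEVICES = {"iPad", "iPhone", "iPod"}


def classify_naive(ua):
    """Hypothesised behaviour: any 'Mac OS X' substring means macOS."""
    return "macOS" if "Mac OS X" in ua else "unknown"


def classify_by_device(ua):
    """Read the device token (first field of the first parenthesised
    comment) before looking at the OS description that follows it."""
    m = re.search(r"\(([^)]*)\)", ua)
    if not m:
        return "unknown"
    fields = [f.strip() for f in m.group(1).split(";")]
    device = fields[0].split()[0] if fields[0] else ""  # "iPod touch" -> "iPod"
    if device in IOS_DEVICES:
        return "iOS"
    if device == "Macintosh":
        return "macOS"
    return "unknown"


def route(ua, classify):
    """Hypothetical routing rule: iOS goes to the mobile IdP, the rest to Okta."""
    return "mobile-idp" if classify(ua) == "iOS" else "okta"


if __name__ == "__main__":
    for name, ua in [("iPad mobile", IPAD_MOBILE), ("iPhone", IPHONE),
                     ("desktop-class", DESKTOP_CLASS)]:
        print(f"{name:14} naive={classify_naive(ua):8} "
              f"device={classify_by_device(ua):8} "
              f"route={route(ua, classify_by_device)}")
```

An iPad sending the desktop-class string cannot be told apart from a Mac by the user agent alone, which is why the workarounds above switch Safari back to the mobile site. The header is also client-supplied, so a rule keyed on it steers traffic but does not prove what the device is.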