Okta Classic Engine | Single Sign-On | Answered | 2022-11-07T22:04:10.000Z | 2021-09-29T19:59:47.000Z | 2021-10-04T14:25:57.000Z

RobL.71426 (Customer) asked a question.

New device / New sign-on Email mechanism - especially PaloAlto GlobalProtect VPN client

We find that after a reboot, signing in to the Palo Alto GlobalProtect client *always* triggers a "new device" email. This is happening with both Macs and Windows systems, despite the fact that the location and device fingerprint appear to be the same in the Okta logs. I believe this is somehow tied to a device token that's lost on reboot. Can anyone advise? The logs don't appear to show the *reason* a new device email was sent, just that it was.


  • isthatDinu (Okta, Inc.)

    Hi Rob,

     

    This is Marius with Okta support. A device is considered a new one when it has not been the source of a prior, successful sign-in. A device is based on the client. Changing the browser is considered a new device. For more information on New Device behavior detection, please have a look at the articles below:

     

     

    If additional information is needed, I would suggest opening up a support ticket with us.

     

    Cheers,

    Marius Dinu

    Okta T2 TSE

  • RobL.71426 (Customer)

    Hi Marius,

     

    I do have a support case open about it. In our case, we're seeing the GlobalProtect VPN client triggering a new device / new sign-on email notification after every reboot. Log shows identical browser, fingerprint, location.

     

    I suspected a device cookie or similar involved that may be getting cleared from the macOS GP VPN client on reboot, but the Windows client appears to just use the computer's IE browser, so I don't know why it would be treated differently from the browser.

     

    Okta support also seems to be saying that only the immediately prior login is compared to determine if the device is 'new' -- so if I alternate between two devices regularly, I would always get a new sign-on email, even though I use the same 2 devices consistently. This seems like a bad practice if it's correct.

This question is closed.