
CarstenW.33950 (SFLX) asked a question.
Hello Okta fans,
I am a little bit at a loss because I don't know the solution.
We use Okta for SSO and we use MFA at Okta and application level (not really sure what's the best practice for this too).
Now our problem:
We use Kandji as an MDM solution. When new employees start, they'll receive their Okta credentials along with their new computer. When they follow the setup assistant on the computer, they are asked to authenticate to Kandji via Okta to assign the computer to the user.
In the process MFA enrollment will also be required. The thing is, they can't set up Okta Verify on their new computers because they aren't fully set up yet.
Is there any way to defer MFA enrollment until the computer has been fully set up?
And how would you set up the requirement for MFA? On an Okta level or on an application level?
I want our users to stay logged in for a couple of days without the need to reauthenticate.
Thank you for your answers!

Hello @CarstenW.33950 (SFLX) Thank you for reaching out to our Community!
At this time there is no such option. If you have a sign-on policy set up with MFA requirements, the users will be prompted for MFA. You could make a policy that will exclude them from MFA until that happens, but this might require manual action to move them back to the correct policy after the computer is fully set up.
Please also see our docs on MFA and sign-on policies below:
https://help.okta.com/en-us/Content/Topics/Security/policies/configure-signon-policies.htm#:~:text=The%20Okta%20sign%2Don%20policy,on%20policy%20in%20the%20list.
https://help.okta.com/en-us/Content/Topics/Security/policies/configure-mfa-policies.htm
You could put in a Feature Request on our Idea section for a feature that would delay the MFA requirement for a specific number of hours/days after the account creation. I think this would help.
https://support.okta.com/help/s/ideas
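
The reply above notes that a temporary MFA-exempt policy needs someone to move users back afterwards. As an added example (not from the thread or from Okta), this sketch decides which members of a hypothetical exemption group should lose the exemption; the record shape, the 72-hour grace window and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=72)  # assumed grace window, not a value from the thread

def parse_ts(value):
    # Okta-style ISO 8601 timestamp with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_exemptions(members, now, grace=GRACE):
    """Split exemption-group members into (remove, keep).

    A member leaves the exemption as soon as a factor is ACTIVE (enrollment
    finished) or once the grace window has passed, whichever comes first,
    so nobody stays outside the MFA policy indefinitely.
    """
    remove, keep = [], []
    for m in members:
        age = now - parse_ts(m["created"])
        enrolled = any(f["status"] == "ACTIVE" for f in m["factors"])
        if enrolled:
            remove.append((m["login"], "enrolled"))
        elif age >= grace:
            remove.append((m["login"], "grace expired"))
        else:
            keep.append((m["login"], grace - age))  # time left in the window
    return remove, keep

# Constructed sample records (simplified shape: account creation time plus
# the user's factor list). In practice these would be collected per member
# of the exemption group before running the review.
SAMPLE = [
    {"login": "alice@example.com", "created": "2024-01-09T09:00:00.000Z",
     "factors": []},
    {"login": "bob@example.com", "created": "2024-01-05T09:00:00.000Z",
     "factors": []},
    {"login": "carol@example.com", "created": "2024-01-10T08:00:00.000Z",
     "factors": [{"factorType": "push", "status": "ACTIVE"}]},
    {"login": "dave@example.com", "created": "2024-01-09T09:00:00.000Z",
     "factors": [{"factorType": "push", "status": "PENDING_ACTIVATION"}]},
]
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed "now"

if __name__ == "__main__":
    remove, keep = review_exemptions(SAMPLE, NOW)
    for login, reason in remove:
        print(f"remove from exemption group: {login} ({reason})")
    for login, left in keep:
        print(f"still exempt: {login} ({left} left)")
```

Run on a schedule, the `remove` list is what would be fed to whatever removes group membership, and a half-finished enrollment (dave) stays exempt only until the window closes.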