
ko0ms (ko0ms) asked a question.
Hi! We are looking to start implementing device trust here in our organization tied into our MDM, Kandji and eventually Google's MDM. Additionally, we want to enforce phishing resistant MFA across specific applications but not for all. Our ideal setup would be:
- You do not need to be enrolled in our MDM to get to the Okta dashboard.
- You do need to have a phishing resistant MFA method to sign into your Okta dashboard, Okta verify will be disabled for this sign in process.
- You do not need to be enrolled in our MDM to get HR or Finance applications like Rippling, Expensify, etc.
- You do need to be enrolled in our MDM to access specific applications like Google, Slack, Jira, etc.
- We need to allow Okta verify to be used for device enrollments through DEP. Okta verify should be available as an option during enrollment only.
Is this setup doable, especially the piece of using Okta verify for only device enrollments but not allowing it as an option when signing into the dashboard?

Hello @ko0ms (ko0ms) Thank you for reaching out to our Community!
This should be possible leveraging Sign on policy into Okta and at application level.
However this exact flow would be mostly achievable if you are using OIE, as the Sign on policies are more flexible.
Please see the Classic engine doc:
https://help.okta.com/en-us/Content/Topics/Security/policies/configure-signon-policies.htm#:~:text=The%20Okta%20sign%2Don%20policy,on%20policy%20in%20the%20list.
https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm
OIE doc: https://help.okta.com/oie/en-us/Content/Topics/identity-engine/policies/about-app-sign-on-policies.htm
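To make the "at application level" part concrete, here is an added illustration (not part of the answer above or Okta's own documentation) of two OIE authentication policy rules in the Policy API's ACCESS_POLICY rule format: one for the MDM-gated apps (Google, Slack, Jira) and one for the Okta Dashboard app requiring a phishing-resistant authenticator without any device requirement. It assumes each rule is POSTed to its app's authentication policy (`/api/v1/policies/{policyId}/rules`, policy IDs left as placeholders), that the policy's catch-all rule is set to DENY, and that the `//` comments are stripped before sending; group conditions are omitted.

```jsonc
// Rule 1: authentication policy shared by Google, Slack, Jira, etc.
// Only devices that Okta Verify reports as registered AND managed (Kandji /
// Google MDM) match this rule; everything else falls through to the
// policy's catch-all rule, which is assumed to be set to DENY.
{
  "name": "Allow only managed devices (constructed example)",
  "type": "ACCESS_POLICY",
  "priority": 1,
  "conditions": {
    "device": {
      "registered": true,
      "managed": true
    }
  },
  "actions": {
    "appSignOn": {
      "access": "ALLOW",
      "verificationMethod": {
        "type": "ASSURANCE",
        "factorMode": "2FA",
        "reauthenticateIn": "PT43800H",
        "constraints": [
          { "possession": { "deviceBound": "REQUIRED" } }
        ]
      }
    }
  }
}

// Rule 2: authentication policy for the "Okta Dashboard" app.
// No device condition, so unenrolled machines can still reach the dashboard,
// but the possession factor must be phishing resistant (e.g. FIDO2/WebAuthn).
// Which authenticators are offered at all is decided by the authenticator
// enrollment policy, not here.
{
  "name": "Dashboard requires phishing-resistant MFA (constructed example)",
  "type": "ACCESS_POLICY",
  "priority": 1,
  "conditions": {},
  "actions": {
    "appSignOn": {
      "access": "ALLOW",
      "verificationMethod": {
        "type": "ASSURANCE",
        "factorMode": "2FA",
        "reauthenticateIn": "PT2H",
        "constraints": [
          { "possession": { "phishingResistant": "REQUIRED" } }
        ]
      }
    }
  }
}
```

Check the field names against the current Policy API reference for your org's OIE version before applying, since the constraint schema has been extended over time.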