
User16629966865584978414 (Customer) asked a question.
Hello,
I did set up Device Assurance Policies and added them to the authentication policy. Could you please assist me as I think that this tool is down and has some errors.
1. I set up the minimum system version to Monterey but I have Ventura. It still worked. So it seems like it will work on each version. I thought that if I set up a minimum system version to Monterey, it will decline access if I'm using the Ventura version.
2. If you set it up manually, for example, that this assurance policy will work only if macOS has version 14, it will require a laptop with macOS 14 to authenticate. All other versions will be able to access it without auth.
I think that the Catch-All rule is letting other systems access it?
But if I set up my test rule to decline access to machines from the test assurance policy and have the catch-all rule set up to allow, it will go with my test rule and deny it.
If I set up the password required for the test rule and auth required for catch-all, it only asks me to do auth while clicking the app. It does not ask for a password.
3. I created a device assurance policy for Windows but it does not work. I assigned it to the authentication policy but it's not catching it. For example, if I set up not managed or managed device in authentication policy settings, it does not affect my laptop. My laptop is signed into Azure and is managed by my company. It does work for MacBook but not for Windows.
Best, Adrian

Hi Adrian,
Thank you so much for reaching out to us. My name is Sebastian, from the Okta Technical Support team.
Monterey is equivalent to macOS 12, and Ventura is equivalent to macOS 13. Therefore, setting up a minimum system version requirement for Monterey means that only devices with macOS 12 and up can access Okta's resources. Your device being on Ventura means that it would be allowed to authenticate.
Regarding your concerns with your authentication policies, please open a support case so we may have a look at your configuration and properly advise the next steps.
Before you add device assurance to an authentication policy, you need to add a DENY action to the catch-all rule to ensure that Okta collects device signals. See Configure an authentication policy for Okta FastPass.
Also, you need to confirm that these conditions are met:
Furthermore, for a device to be managed, it needs to meet certain conditions:
References:
Best regards,
Sebastian Sandu
Technical Support Engineer
Okta Global Customer Care
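
The two points in the reply above (a minimum version is a floor, and the catch-all rule decides what happens to devices that fail device assurance), shown as an added example that is not part of the thread and is not Okta's code or API. It is a simplified model that assumes rules are evaluated in priority order with the first match winning and the catch-all last; the `Rule`, `evaluate` and `policy` names and the sample devices are hypothetical.

```python
# Simplified model of first-match rule evaluation; not Okta's code or API.
from dataclasses import dataclass
from typing import Optional

MACOS_NAMES = {"monterey": 12, "ventura": 13}  # mapping given in the reply above


@dataclass
class Rule:
    name: str
    action: str                      # "ALLOW" or "DENY"
    platform: Optional[str] = None   # None matches any platform
    min_os: Optional[int] = None     # device assurance: minimum major version

    def matches(self, device: dict) -> bool:
        if self.platform and device["platform"] != self.platform:
            return False
        # A minimum is a floor: any version at or above it satisfies the rule.
        if self.min_os is not None and device["os_major"] < self.min_os:
            return False
        return True


def evaluate(rules, device):
    """Return (rule name, action) of the first rule the device matches."""
    for rule in rules:               # assumed priority order, catch-all last
        if rule.matches(device):
            return rule.name, rule.action
    raise ValueError("policy has no catch-all rule")


def policy(catch_all_action):
    """Assurance rule (minimum Monterey) followed by a catch-all."""
    return [
        Rule("macOS assurance", "ALLOW", "macos", MACOS_NAMES["monterey"]),
        Rule("Catch-all", catch_all_action),
    ]


# Constructed sample devices (hypothetical)
VENTURA = {"platform": "macos", "os_major": MACOS_NAMES["ventura"]}
OLD_MAC = {"platform": "macos", "os_major": 11}
WINDOWS = {"platform": "windows", "os_major": 10}

if __name__ == "__main__":
    for label, action in (("catch-all ALLOW", "ALLOW"), ("catch-all DENY", "DENY")):
        for dev in (VENTURA, OLD_MAC, WINDOWS):
            print(label, dev, evaluate(policy(action), dev))
```

With the catch-all set to ALLOW, the device below the minimum version is still let in by the catch-all; with DENY, only devices that satisfy the assurance rule get access.
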

Hello,
Thank you for your answer. It did help and it's working now.
I have a meeting with Okta support tomorrow as I set up a policy to require Windows Hello to be enabled and it's letting me access the Okta app with Windows Hello not set up on my laptop.
Best, Adrian

Hello,
I just figured it out.
Thank you.
Best, Adrian