Okta Classic Engine | Authentication | Answered | 2024-03-08T16:21:39.000Z | 2023-09-13T16:26:29.000Z | 2024-01-23T18:08:57.000Z

JPS.92699 (Customer) asked a question.

Device Management Attestation/Okta Verify for Windows for non-persistent Citrix VDI

We're looking to deploy Okta Verify for Windows and implement device management attestation through Okta CA-issued certs, pushed to devices via Intune and SCEP. After deploying it, we plan to use it to limit unmanaged device access to our corporate apps, like M365, etc. The tricky part of this is with our non-persistent Citrix VDIs. My understanding of the non-persistent VDIs is that, even if Okta Verify for Windows was installed on them, the app configuration would be wiped as soon as the VDI was torn down after the user ended his/her session, requiring the user to re-enroll that factor every time. Also, our Citrix VDIs are not managed by Intune. How have others worked out conditional access policies requiring device management on non-persistent VDIs, while using the Okta CA for management attestation? My initial thought is to have Citrix traffic egress from a dedicated IP address, separate from the rest of the network traffic, and then exclude that address from the device management requirement.


  • User16594883467582706479 (Customer Support Online Experience)

    Hi, @JPS.92699 (Customer)

    Thank you for posting on our Community page!

    Sounds like you are on the right track with identifying a workaround, as there is no way to "fix" them wiping an entire device of all device-specific config. Therefore, a means to specifically identify these machines so that they may be directed to alternate policies that do not require device management/registration would be the way to go. Network zones configured for those VDI machines seem like a reasonable workaround to accomplish that as well.

    I will leave this question open so that others can contribute with their solutions.

    Thank you for reaching out to our Community and have a great day!

    Selected as Best
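The policy shape the question and the answer converge on (a dedicated egress IP for the non-persistent Citrix VDI pool, placed in a network zone that is exempted from the device-management condition while every other request must come from a managed, registered device) can be modelled as an ordered, first-match rule list. The block below is an added example, not part of the original thread and not Okta's own policy engine or Management API; the zone names, the egress address 203.0.113.10, the office range 198.51.100.0/24 and the user names are constructed for illustration. It also includes the check a practitioner should run before excluding a zone from the device requirement: that the exemption zone does not overlap any range unmanaged devices can also egress from, since an overlapping NAT range would silently exempt them too.

```python
"""First-match model of a conditional access policy with a network-zone
exemption for non-persistent VDI egress. Added example; not Okta's engine.
Zones, addresses and user names are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional


def parse_zone(cidrs):
    """Turn a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed zones. The VDI zone is a single /32: only the dedicated Citrix
# egress address, never a NAT range that unmanaged laptops also share.
ZONES = {
    "citrix-vdi-egress": parse_zone(["203.0.113.10/32"]),
    "corp-office": parse_zone(["198.51.100.0/24"]),
}


@dataclass
class Request:
    user: str
    source_ip: str
    device_managed: bool      # Okta CA-issued cert present and attested
    device_registered: bool   # Okta Verify enrolled on this device


@dataclass
class Rule:
    name: str
    action: str                        # "ALLOW" or "DENY"
    zones: Optional[list] = None       # None = any network
    require_managed: bool = False
    require_registered: bool = False

    def matches(self, req: Request) -> bool:
        """A rule matches only if every configured condition is met;
        an unmet condition skips the rule rather than denying outright."""
        if self.zones is not None:
            ip = ipaddress.ip_address(req.source_ip)
            in_zone = any(ip in net for z in self.zones for net in ZONES[z])
            if not in_zone:
                return False
        if self.require_managed and not req.device_managed:
            return False
        if self.require_registered and not req.device_registered:
            return False
        return True


# Rule order matters: the zone exemption sits above the managed-device rule,
# and the last rule is the catch-all deny.
POLICY = [
    Rule("vdi-egress-exempt", "ALLOW", zones=["citrix-vdi-egress"]),
    Rule("managed-devices", "ALLOW",
         require_managed=True, require_registered=True),
    Rule("default-deny", "DENY"),
]


def evaluate(req: Request, policy=POLICY):
    """First matching rule wins; returns (rule name, action)."""
    for rule in policy:
        if rule.matches(req):
            return rule.name, rule.action
    return "no-rule", "DENY"


def zone_overlaps(zone_a, zone_b) -> bool:
    """True if any network in zone_a overlaps any network in zone_b.
    Run this before exempting a zone: an exemption that overlaps a general
    office or NAT range exempts every unmanaged device behind that range."""
    return any(a.overlaps(b) for a in zone_a for b in zone_b)


if __name__ == "__main__":
    samples = [
        Request("vdi-user", "203.0.113.10", False, False),      # non-persistent VDI
        Request("laptop-ok", "198.51.100.25", True, True),       # Intune-managed laptop
        Request("laptop-byod", "198.51.100.25", False, False),   # unmanaged, office NAT
        Request("neighbour", "203.0.113.11", False, False),      # adjacent IP, not the egress
    ]
    for r in samples:
        print(r.user, r.source_ip, "->", evaluate(r))
    print("VDI zone overlaps office zone:",
          zone_overlaps(ZONES["citrix-vdi-egress"], ZONES["corp-office"]))
```

The exemption is only as strong as the guarantee that nothing but the VDI pool can source traffic from 203.0.113.10; the VDI hosts themselves still need a compensating control (for example a stronger factor on the exempt rule, or Citrix-side device posture) because the model above cannot tell a VDI session from anything else that reaches the same egress.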
This question is closed.