Okta Classic Engine | Authentication | Answered | 2026-04-03T09:00:22.000Z | 2025-08-05T09:51:53.000Z | 2025-08-05T22:51:15.000Z

3dl5q (3dl5q) asked a question.

How do you handle Device SSO + Global Session Policy with ZTNA enforcement

Hey everyone,

We’re in the middle of a Global Session Policy revamp for security hardening and I’d love to hear how others are tackling a conflict we’ve run into.

Some Context:

We’ve been running most of our apps under ZTNA enforced app authentication policies, with a few exemptions like Jamf Connect for Device SSO, which needs to operate outside of ZTNA for obvious reasons.

Now we’re looking to transition our primary app authentication to rely on Global Session Policies instead. The goal is to reduce unnecessary login prompts and create a smoother experience for end users. However, we also want to strengthen the Global Session Policy to only allow access when on the ZTNA network.

The issue:

Device SSO (via Jamf Connect) is usually the first login event during user sign-in.

Our current app level policy exempts it from the ZTNA requirement, so it works fine by itself.

But once we enable a stricter Global Session Policy that enforces ZTNA, Device SSO fails, because it doesn’t meet the ZTNA condition at that point in the flow.

It seems that Global Session Policy takes precedence over app-level policies because it's stricter in criteria, which makes this difficult to work around.

Questions:

How do you handle authentication flows like Jamf Connect's Device SSO when hardening Global Session Policy with ZTNA?

Is there a way to selectively exempt certain flows (like Device SSO) from Global Session Policy while still enforcing it elsewhere?

Are there best practices for sequencing or structuring policies so that Device SSO can succeed before Global Session Policy kicks in?

Ultimately, we’d like to avoid having a broad “catch-all allow” rule in Global Session Policy just for this case; we want to deny everything else by default.
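As an added illustration (not code from the original post, and not Okta's policy engine), the following Python models the layering described above: a session-level layer standing in for the Global Session Policy is evaluated first, then the app-level policy, and a sign-in succeeds only when both layers allow it. Within a layer the first matching rule decides and an unmatched request is denied by default. The request attributes `source` and `in_ztna_zone`, the app names, the rule names and the sign-in events are all constructed assumptions of the model. It shows three things: a ZTNA-only session layer denies the Device SSO login before the app-level exemption is ever consulted; a catch-all session allow lets off-zone traffic reach any app whose own policy was relaxed on the assumption that the session layer carries the ZTNA check; and a narrow exemption rule ordered ahead of the ZTNA rule lets Device SSO through while the session layer still denies everything else by default.

```python
"""Ordered-rule model of layered sign-on policy evaluation.

Constructed teaching example: not Okta's policy engine and not code from the
original post. The session layer (standing in for the Global Session Policy)
is evaluated before the app layer; the request succeeds only if both allow.
Within a layer the first matching rule wins; no match means deny.
The attributes ``source`` and ``in_ztna_zone`` are assumptions of the model,
not Okta configuration keys.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    source: str         # constructed: "device_sso" for the Jamf Connect login, else "browser"
    in_ztna_zone: bool  # constructed: client address is inside the ZTNA network zone


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    allow: bool


Decision = Tuple[bool, str]  # (allowed?, "<layer>:<rule that decided>")


def evaluate_layer(rules: List[Rule], req: Request) -> Decision:
    """First matching rule decides; an unmatched request is denied by default."""
    for rule in rules:
        if rule.matches(req):
            return rule.allow, rule.name
    return False, "default-deny"


def evaluate(session_rules: List[Rule], app_rules: Dict[str, List[Rule]], req: Request) -> Decision:
    """Session layer first; the app layer is only consulted if the session layer allowed."""
    allowed, why = evaluate_layer(session_rules, req)
    if not allowed:
        return False, f"session:{why}"
    allowed, why = evaluate_layer(app_rules.get(req.app, []), req)
    return allowed, f"app:{why}"


# App-level policies (constructed). Jamf Connect is exempt from the ZTNA check because
# Device SSO runs before the ZTNA client is up; "intranet" stands for an app whose own
# policy was relaxed on the assumption that the session layer enforces ZTNA.
APP_RULES: Dict[str, List[Rule]] = {
    "jamf-connect": [Rule("device-sso-exempt", lambda r: r.source == "device_sso", True)],
    "intranet":     [Rule("relaxed", lambda r: True, True)],
}

# Session-layer variants under comparison.
STRICT_SESSION = [Rule("require-ztna", lambda r: r.in_ztna_zone, True)]
CATCHALL_SESSION = [Rule("allow-all", lambda r: True, True)]
EXEMPT_FIRST_SESSION = [  # narrow exemption ordered before the ZTNA rule; still default-deny
    Rule("device-sso-exempt", lambda r: r.app == "jamf-connect" and r.source == "device_sso", True),
    Rule("require-ztna", lambda r: r.in_ztna_zone, True),
]

# Constructed sign-in events.
EVENTS: Dict[str, Request] = {
    "device_sso": Request("alice", "jamf-connect", "device_sso", in_ztna_zone=False),
    "off_zone":   Request("alice", "intranet", "browser", in_ztna_zone=False),
    "on_zone":    Request("alice", "intranet", "browser", in_ztna_zone=True),
}
VARIANTS: Dict[str, List[Rule]] = {
    "strict": STRICT_SESSION,
    "catchall": CATCHALL_SESSION,
    "exempt_first": EXEMPT_FIRST_SESSION,
}


def compare_session_policies() -> Dict[str, Dict[str, Decision]]:
    """Run every constructed event through every session-policy variant."""
    return {
        variant: {name: evaluate(rules, APP_RULES, req) for name, req in EVENTS.items()}
        for variant, rules in VARIANTS.items()
    }


if __name__ == "__main__":
    for variant, results in compare_session_policies().items():
        for event, (allowed, why) in results.items():
            print(f"{variant:13} {event:11} {'ALLOW' if allowed else 'DENY':5} {why}")
```

Reading the output row by row: under `strict` the Device SSO event is denied at `session:default-deny`, which is the failure the post describes; under `catchall` the off-zone browser reaches `intranet` because that app's relaxed policy has nothing left to stop it; under `exempt_first` Device SSO passes, the off-zone browser is still denied at the session layer, and no broad allow exists anywhere.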

 


  • 3dl5q (3dl5q)

    Sorry guys, I did have formatting in the post, but it was just giving "Unexpected stylings or character formats encountered." so I had to remove all formatting.

  • User17157611498146715886 (Customer Support Online Community and Social Care)

    Hello @3dl5q (3dl5q), thank you for contacting Okta Community!

    This issue seems too complex to be addressed here. I recommend that you open a Support ticket (Customer Support Account ID number required) so one of our engineers can analyze it and provide in-depth troubleshooting. You could also provide more details in a ticket that shouldn’t be given here, as this is a public space.

    Please note that opening a support ticket is a feature available only to paid accounts. If you do not have a paid account, but are interested in upgrading, you can contact our Sales team.

    Regards.

This question is closed.
