Okta Device Access - Policy Definitions 

Okta Device Access extends Okta's Identity and Access Management capabilities to the device sign-in experience. 

This document describes how Administrative Template files can be used to enhance the device sign-in experience for Okta Device Access. 

THE CHALLENGE:
	Okta Device Access has become a prevalent solution throughout the organization. In the past, configuring changes required manual edits to registry settings across multiple systems. This method proved to be inefficient, time-consuming, and inherently risky. Many administrators have reported challenges in effectively managing these settings.

THE SOLUTION:
	- Administrative Templates
		To simplify and centralize configuration management, we provide Administrative Template files. These files, consisting of language-neutral .admx files and language-specific .adml files, are designed for seamless integration with Group Policy. By importing these templates into Group Policy Objects (GPOs), administrators can deploy configuration settings across all domain-joined machines. Any modifications made within the GPO are automatically applied to the relevant registry settings on the managed systems, significantly reducing the need for manual registry edits and improving overall consistency. 

UNDERSTANDING ADMINISTRATIVE TEMPLATE FILES: 
Administrative Templates utilize a two-part structure: 
	- `.admx` files: These XML-based files contain the core policy settings and are language-independent. 
	- `.adml` files: These XML-based files provide the user interface text for the policy settings in specific languages. 
This separation allows administrators to manage the same policies in different languages by pairing the `.admx` files with the appropriate `.adml` files. 

SUPPORTED OPERATING SYSTEMS: 
 - Windows 10 
 - Windows 11
 - Windows Server 2019 
 - Windows Server 2022 
 - Windows Server 2025 

INCLUDED FILES:  
The file Okta_Device_Access_PolicyDefinitions_v1.zip contains the following: 

  - Okta_Device_Access_PolicyDefinitions_v1
      |- Okta_Device_Access_PolicyDefinitions_v1_Intune_Readme.txt
      |- Okta_ODA_Policy_Definitons_v1_GPO_readme.txt
	- Okta_ODA_PolicyDefinitions
	    |- Okta.admx
	    |- OktaODA.admx
	       - en-US
		  |- Okta.adml
		  |- OktaODA.adml

PRE-REQUISITE: Follow Microsoft documentation to create the Central store for Domain environments.
 - To create a Central Store for .admx and .adml files, create a new folder named PolicyDefinitions in the following location (for example) on the domain controller: \\{domain.com}\SYSVOL\{domain.com}\policies\PolicyDefinitions
 - OR -
 - If a Central Store was built previously and this folder already exists, use the existing folder: \\{domain.com}\SYSVOL\{domain.com}\policies\PolicyDefinitions

INSTALLATION STEPS: 
1. Extract the Contents: Begin by copying and extracting the contents of the provided zip file to a convenient location. 
2. Locate the PolicyDefinitions Folder: Identify the appropriate location for the ADMX and ADML files: 
	- Central Store (Recommended for Domain Environments): `\\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions` 
	- Local Computer (If not using a Central Store): `%systemroot%\PolicyDefinitions` 
* Important: ADML files must reside within language-specific subfolders within the `PolicyDefinitions` directory. For example, U.S. English ADML files should be placed in a subfolder named `en-US`.
3. Copy ADMX Files: Copy both `Okta.admx` and `OktaODA.admx` files to the `PolicyDefinitions` folder: 
	- Central Store: `\\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions` 
	- Local Computer: `%systemroot%\PolicyDefinitions` 
4. Copy ADML Files: Copy both `Okta.adml` and `OktaODA.adml` files to the corresponding language subfolder (e.g., `en-US`) within the `PolicyDefinitions` folder: 
	- Central Store: `\\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions\en-US` 
	- Local Computer: `%systemroot%\PolicyDefinitions\en-US` 
5. Open Group Policy Editor:  
	- Press the `Windows Key + R` to open the Run dialog. 
	- Type `gpedit.msc` and press Enter. 
6. Verify Template Availability: 
	- Navigate to Computer Configuration -> Policies -> Administrative Templates 
	- The Okta -> Okta Device Access policy settings should now be visible under Administrative Templates. 
7. Configuring Group Policy Settings: 
	- Access Policy Settings: Within the Group Policy Editor, navigate to the specific Okta Device Access policy settings you wish to modify. 
	- Enable Policies: Double-click on the desired policy setting and select "Enabled". 
	- Configure Settings: Make the necessary adjustments to the policy options.
	- Apply Changes: Click "Apply" and then "OK" to save the configuration. 
	Example:
	 - To configure "AllowedFactors", double-click on "AllowedFactors" and select "Enabled".
	 - In the settings below, enter * in the text box
	 - Apply Changes: Click "Apply" and then "OK" to save the configuration.
8. Verify Registry Changes:
	- On a client machine affected by the GPO, you can verify that the policy settings have been applied by checking the corresponding registry entries.
	- The specific registry keys modified will depend on the policy configured.
	Example:
	- Navigate to HKLM\Software\Policies\Okta\Okta Device Access and verify whether "AllowedFactors" is enabled. 
9. Keys under HKLM\Software\Policies\Okta\Okta Device Access Backend are for service purposes; do not modify these registry settings.
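
Steps 3, 4 and 8 can be scripted. The PowerShell below is an added example, not part of the Okta package: it copies each .admx with its matching .adml into the Central Store, confirms the copies by hash, and reads back the policy key on a client. `$Source`, the placeholder domain `example.com`, and the registry value name `AllowedFactors` are assumptions.

```powershell
# Added example. $Source and $Domain are placeholders; adjust before use.
param(
    [string]$Source  = 'C:\Temp\Okta_Device_Access_PolicyDefinitions_v1\Okta_ODA_PolicyDefinitions',
    [string]$Domain  = 'example.com',   # placeholder domain name
    [string]$Culture = 'en-US'
)
$ErrorActionPreference = 'Stop'

# The Central Store must already exist (see PRE-REQUISITE).
$store = "\\$Domain\SYSVOL\$Domain\policies\PolicyDefinitions"
if (-not (Test-Path $store)) { throw "Central Store not found: $store" }

# Every .admx needs its .adml in the language subfolder; build both copy jobs per template.
$pairs = foreach ($name in 'Okta', 'OktaODA') {
    [pscustomobject]@{ From = Join-Path $Source "$name.admx"
                       To   = Join-Path $store  "$name.admx" }
    [pscustomobject]@{ From = Join-Path $Source "$Culture\$name.adml"
                       To   = Join-Path $store  "$Culture\$name.adml" }
}

# Stop before copying anything if the extracted package is incomplete.
$missing = $pairs | Where-Object { -not (Test-Path $_.From) }
if ($missing) { throw "Missing source files: $($missing.From -join ', ')" }

New-Item -ItemType Directory -Path (Join-Path $store $Culture) -Force | Out-Null
foreach ($p in $pairs) {
    Copy-Item -Path $p.From -Destination $p.To -Force
    # Confirm the file in SYSVOL is byte-identical to the extracted one.
    $src = (Get-FileHash -Path $p.From -Algorithm SHA256).Hash
    $dst = (Get-FileHash -Path $p.To   -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copy: $($p.To)" }
    Write-Output "OK  $($p.To)"
}

# Step 8: run this part on a client in scope of the GPO, after 'gpupdate /force'.
$key = 'HKLM:\Software\Policies\Okta\Okta Device Access'
if (Test-Path $key) {
    # Assumption: the registry value carries the policy name 'AllowedFactors'.
    Get-ItemProperty -Path $key | Select-Object AllowedFactors
} else {
    Write-Warning 'Policy key not present; the GPO has not applied to this machine.'
}
```

The script only reads the policy key and never touches the `Okta Device Access Backend` key described in step 9.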

By utilizing these Administrative Template files, you can effectively manage and deploy Okta Device Access configurations, leading to a more consistent, secure, and user-friendly device sign-in experience across your organization.

References:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store

 