Add an Android platform rule

  • The OMM menu is only available to orgs that implement Okta Mobility Management (OMM).
  • Procedures documented on this page are only available to customers who have already purchased OMM for their organization. New OMM sales are not supported. For more information, contact Okta Support.

  1. In the Admin Console, go to OMM > OMM Policies.

  2. Click the required device policy.

  3. Click Add Platform Rule.

  4. Select Android.

  5. Choose whether to allow users to enroll their Android device through Okta Mobile.
    • Allow devices: Select this option to allow users to enroll their Android device through OMM. If you select this option, specify which device types are supported:

      Note: On November 1, 2020, Google ended support for the Native Android and Samsung SAFE enrollment types. Okta no longer supports the Native Android and Samsung SAFE enrollment types in OMM policy rules on devices running Android 10 or later. The Native Android and Samsung SAFE enrollment options continue to work for devices running Android 9 and earlier. Do the following:

      • If you configure new OMM policy rules, select the Android for Work enrollment type so that users on Android 10+ devices can enroll and remain compliant.
      • Check your existing OMM policy rules and update any that are currently configured with the Native Android and/or Samsung SAFE options so that they also include the Android for Work option; otherwise users on Android 10+ devices can't enroll or remain compliant.
      • To force Android 10+ users to re-enroll with the Android for Work enrollment option, go to the Okta OMM devices dashboard (OMM > Okta Mobility Management) and un-enroll any Android 10+ device users who are enrolled with the Native Android or Samsung SAFE enrollment options.

      See the Announcement Log.

      • Android for Work. If this option is unavailable, click Set Up AfW.

      • Samsung SAFE

      • Native Android

    Enrollment options are ordered by priority. If you select more than one, Okta first attempts to enroll a device using the top-most selected option. If the device doesn't support a selected option, Okta attempts to enroll the device using the next (lower) selected option.

    • Deny devices: Select this option to prevent users from enrolling their Android device through OMM, and then click Save. The procedure is complete.
  6. Click Next.
  7. Configure the general Android device passcode requirements:
    • Prompt for device passcode: Select if you want to require users to enter a device passcode. If so, specify the following:
    • PIN minimum length: Specify the minimum PIN length (from 4 to 30).
    • Characters: Specify whether passcodes must contain at least one letter, and/or at least one symbol.
    • Expiration: Specify whether passcodes never expire (the default), or the number of days they are valid before expiration (Max age), and how many distinct passcodes a user must create before they can reuse a previous passcode (History limit).
    • Failed attempts before wipe: Specify the maximum number of times users can enter the wrong passcode before their device is wiped. Note the following:
      • Select Unlimited attempts if you never want to wipe a device because of failed passcode attempts.
      • On Android for Work, only the Work profile is wiped.
      • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
      • You can allow up to 10 failed attempts before the device is wiped.
    • Device lock timeout: Specify how long after the display is turned off that the user must enter their passcode to unlock the device. This is only supported on Android devices running Okta Mobile 2.8 or later.
  8. Configure Android Data Separation:
    • Work profile to personal: Select if you want to allow apps in the personal profile to open files in the work profile.
      Note: Regardless of how you configure the Data Separation option above, Okta recommends that you deploy at least the following types of apps to your users:

      • Browser (such as Chrome)
      • PDF reader (such as Adobe Acrobat Reader)
      • Image viewer (such as Google Photos)
      • Music player (such as Google Play Music)

      See Managed Application Configurations.

  9. Optional. Configure Android 7.0+ Work Passcode Requirements:

    Note: This section appears only if you have selected Android for Work under Allow Devices on the previous page.

    • Prompt for work passcode: Select this option if you want to require Android 7.0+ users to enter a passcode to open any managed application on their device, and then specify the passcode requirements shown below. Important: When this option is selected, the general Android device passcode requirements no longer apply to Android 7.0+ devices. If you want your Android 7.0+ users to lock their entire device, not just their work profile, select this option and the Prompt for device passcode on 7.0+ option described below.
      • PIN minimum length: Specify the minimum PIN length (from 4 to 30).
      • Characters: Specify whether passcodes must contain at least one letter, and/or at least one symbol.
      • Expiration: Specify whether passcodes never expire (the default), or the number of days they are valid before expiration (Max age), and how many distinct passcodes a user must create before they can reuse a previous passcode (History limit).
      • Failed attempts before wipe: Specify the maximum number of times users can enter the wrong passcode before their device is wiped. Note the following:
        • Select Unlimited attempts if you never want to wipe a device because of failed passcode attempts.
        • On Android for Work, only the Work profile is wiped.
        • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
        • You can allow up to 10 failed attempts before the device is wiped.
      • Device lock timeout: Specify how long after the display is turned off that the user must enter their passcode to unlock the device.

        Note: Supported only on Android devices running Okta Mobile 2.8 or higher.

    • Prompt for device passcode on 7.0+: Select this option if you want to require Android 7.0+ users to enter a passcode to unlock their device. If this is selected, you must also specify the passcode requirements listed in the Prompt for work passcode bullet above.
  10. Click Save.
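The following is an added example, not Okta's own code or API: it models the enrollment-priority fallback, the Android 10+ constraint, and the passcode ranges described in the steps above so that existing rules can be audited before users are affected. It assumes Android for Work is available on every Android version modelled, and the sample rules are constructed, not taken from a real tenant.

```python
# Added example (not Okta's code): audit OMM Android platform rules against the
# enrollment and passcode constraints documented on this page.
AFW, SAFE, NATIVE = "Android for Work", "Samsung SAFE", "Native Android"
UNLIMITED = "Unlimited attempts"


def supported_enrollments(android_version: int, samsung: bool = False) -> set:
    """Enrollment types a device can still use. Native Android and Samsung SAFE
    work on Android 9 and earlier only; Android for Work is assumed to be
    available on every version modelled here (an assumption, not stated on the page)."""
    types = {AFW}
    if android_version <= 9:
        types.add(NATIVE)
        if samsung:
            types.add(SAFE)
    return types


def select_enrollment(rule_options: list, android_version: int, samsung: bool = False):
    """Walk the selected options in priority order (top-most first) and return the
    first one the device supports; None means the device cannot enroll under the rule."""
    supported = supported_enrollments(android_version, samsung)
    return next((o for o in rule_options if o in supported), None)


def audit_rule(name: str, rule_options: list, pin_min_length: int, failed_attempts) -> list:
    """Findings for one rule, mirroring the checks the page asks admins to make."""
    findings = []
    if AFW not in rule_options:
        findings.append(f"{name}: Android 10+ users cannot enroll; add {AFW}")
    if not 4 <= pin_min_length <= 30:
        findings.append(f"{name}: PIN minimum length must be 4 to 30")
    if failed_attempts != UNLIMITED and not 4 <= failed_attempts <= 10:
        findings.append(f"{name}: failed attempts before wipe must be 4 to 10 or {UNLIMITED}")
    return findings


# Constructed sample rules (not real tenant data).
LEGACY_RULE = [NATIVE, SAFE]          # pre-2020 rule that was never updated
UPDATED_RULE = [AFW, SAFE, NATIVE]    # includes AfW so Android 10+ devices can enroll

if __name__ == "__main__":
    print(select_enrollment(LEGACY_RULE, 11))                 # None
    print(select_enrollment(UPDATED_RULE, 9, samsung=True))   # Android for Work
    for finding in audit_rule("Legacy", LEGACY_RULE, 3, 3):
        print(finding)
```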

Next steps