About Okta Mobile

Okta Mobile delivers Okta's Single Sign-On (SSO) experience to Android and iOS devices. When end users launch Okta Mobile, they get immediate one-click access to all of their apps.

Options that you configure in the Admin Console interact with the user settings on the mobile device and the state of the Okta Mobile app. This interaction determines when Okta Mobile users are challenged for multifactor authentication (MFA) and when they are prompted to enter a PIN, fingerprint, or Face ID to unlock Okta Mobile.




Role Specifications

  • Configure Okta Mobile settings: Define how end users access the Okta Mobile app on their devices. Role: Administrator
  • Hide apps from Okta Mobile: Define what apps end users see in Okta Mobile. Role: Administrator
  • How Okta Mobile works with MFA and Session Expiration settings: Reference information. Find out how MFA and Session expiration settings interact with end user options in Okta Mobile.
  • Okta Mobile for end users: Learn how end users install and use Okta Mobile. Role: Okta Mobile Users

Remarks and known limitations

  • Users must re-authenticate after prolonged Okta Mobile inactivity. Users who haven't used Okta Mobile for 30 days or longer are prompted to enter their Okta credentials the next time they open Okta Mobile. This occurs because Okta Mobile relies on an internal token for authentication that expires after 30 days of inactivity. This token expiration is separate from PIN and MFA expiration.
  • Not all Security Assertion Markup Language (SAML) apps are accessible from mobile devices. SAML federation allows end users one-click access to supported apps. After authenticating with Okta, end users can access SAML apps without signing in to the app itself. Many SAML apps also provide a fallback method so end users can access the app by entering their app sign-on credentials.

    While many apps, such as Salesforce and Box, support SAML federation with their mobile applications, not all do. Some Independent Software Vendors (ISVs) still require users to enter their app credentials in order to access the mobile version of the SAML app. To verify how a given app behaves, consult the ISV of the app.

  • If Okta Mobility Management (OMM) is not enabled for your org, apps in Okta Mobile open directly in the browser when end users long-press an app.

  • Okta Mobile is not supported for use with Identity Provider routing rules.

  • Downloading files from Okta Mobile for Android webview is not supported. This restriction minimizes the threat from malware and prevents end users from preserving copies of company resources. Okta enforces no restriction on opening files that don't require saving to disk.
  • End users can rate Okta Mobile for iOS. The app prompts users to provide a rating. After they click Submit, users are redirected to the App Store page for Okta Mobile to provide additional feedback. To dismiss this option, users can click Not now.
  • Apps secured by Device Trust are shown as locked on the Okta End-User Dashboard. A lock icon is shown beside apps secured by Device Trust under these conditions:

    • The end user accessed the dashboard in a desktop or mobile browser (not in Okta Mobile).
    • Device Trust is enabled for the org.
    • The device is not trusted.
    • The end user tried to access any Device Trust-secured app from their dashboard.
  • Active Directory-managed users can use a PIN or Face ID to access Okta Mobile even if their accounts are in the Password Reset state. Setting an AD-managed account to Password Reset status therefore does not block that user's PIN or Face ID access to Okta Mobile. To temporarily deactivate user accounts, use the Suspend procedure instead. See Suspend or unsuspend users.

Related topics

Okta Mobile release notes

Multifactor Authentication