Restrict OMM enrollment based on device status and OS

This is an Early Access feature. To enable it, contact Okta Support.

You can prevent end users from enrolling compromised iOS and Android devices (jailbroken or rooted) into Okta Mobility Management (OMM). Compromised devices pose a risk to the security of your org and to the sensitive apps that users access from them. You can also restrict enrollment to specified operating system versions.

  1. In the Admin Console, go to OMM > OMM Policies.
  2. Select an existing device policy or click Add Device Policy.
  3. Click the pencil icon to edit an existing platform rule or click Add Platform Rule.
  4. For Allow enrollment?, select Allow Devices.
  5. Configure the following settings in the Enrollment Exceptions section:
    • Jailbroken/Rooted
      • Deny new jailbroken or rooted devices
      • Wipe company data from existing jailbroken or rooted devices
    • OS Version
      • Deny new device if OS version: specify the OS version(s) running on new devices you want to deny access to.
      • Wipe company data from existing device if OS version: specify the OS version(s) running on existing devices you want to wipe company data from.
  6. Click Next.
  7. To configure passcode requirements and data separation, see Okta Mobility Management with Android for Work.
  8. Click Save.
    • If you don't select Deny new device but do select Wipe company data from existing device and specify one OS version to be wiped, end users with devices running that version can enroll, but their device is deprovisioned when Okta detects it.
    • If Okta Mobile Android end users are restricted from enrollment but then you change the policy to allow them to enroll, end users must sign out of Okta Mobile and then sign back in to be allowed to enroll.