Okta Mobility Management with Android for Work


About Okta Mobility Management

  • The OMM menu is available only to orgs that implement Okta Mobility Management (OMM).
  • Operations documented in this article are available only to customers who have already purchased OMM for their organization. New OMM sales are not supported. For more information, contact Okta Support.

Android for Work, or Android in the enterprise, is Google's solution to enterprise mobility management. Enrolling an end user in Okta Mobility Management (OMM) through Android for Work creates an encrypted, containerized Work profile on their device, and installs a managed Google Play store. These allow you to assign separate managed versions of work apps, like Box or Outlook, as well as selectively wipe company data from an end user's device, while leaving their personal data intact.

Supported Versions of Android

Android for Work is supported on devices running Android 5.1.1 (L) and above.

  • If you enable Android for Work, we strongly recommend you deploy Google Chrome to your OMM users in order to prevent unexpected behavior on certain older Android devices. See Enable access to managed mobile apps for information on deploying managed apps.

  • When a work profile is configured on an Android O device, Google Chrome is automatically installed. This prevents Okta Mobile and other apps that use web views from crashing due to a bug in Android O. See the Google documentation of the bug for details.

Set up Android for Work

See Setting up Android for Work in Okta for instructions.

Configure a Work profile passcode policy

OMM allows you to configure passcode policies for any supported Android device. These policies allow you to require your users to enter a passcode that meets your specifications to unlock their device. They are applied based on groups you create, which allows you to set different levels of access and security for different people.

For an additional level of flexibility, you can also set a separate work profile passcode policy for your users with Android 7.0+ devices. You can use this policy to require users to enter a passcode before accessing apps managed by their work profile, which allows you to set a more secure policy for accessing work resources than for accessing personal apps and data. This way, your users can easily access their personal resources without having to enter complex passwords, while still keeping company data safe and secure.

Note: Requires Okta Mobile 3.0 or above.

To set a work profile passcode policy, you must create or edit a device policy, then configure that policy's Android rule.

Known issues

  • (Applies to Android devices running versions 7.1 or 7.1.1; fixed in 7.1.2) After an admin strengthens a group's work profile passcode policy, end users are prompted to update their passcode to comply with the updated policy. However, when end users respond to the prompt, their device passcode is updated instead of their work profile passcode. If the end user's Security settings allow different device and work profile passcodes, they are prompted continually to update their work profile passcode until they change it in their device settings.
  • On November 1, 2020, Google ended support for Native Android and Samsung SAFE enrollment types. Okta will no longer support Native Android and Samsung SAFE enrollment types in OMM policy rules on devices running Android 10 or later. Native Android and Samsung SAFE enrollment options will continue to work for Android 9 and earlier devices. Do the following:
    • If you configure new OMM policy rules, make sure to select the Android for Work enrollment type so that users on Android 10+ devices can enroll and remain compliant.
    • Check your existing OMM policy rules and update any that are currently configured with the Native Android and/or Samsung SAFE options to make sure that they also include the Android for Work option so that users on Android 10+ devices can enroll and remain compliant.
    • To force Android 10+ users to re-enroll to the Android for Work enrollment option, go to the Okta OMM devices dashboard (OMM > Okta Mobility Management) and un-enroll any Android 10+ device users that may be enrolled with the Native Android or Samsung SAFE enrollment options.

    For more details, see the Announcement Log.
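
The version cutoffs in this article can be checked against a device and policy rule inventory with a short script. The following is an added example, not Okta code: the record shapes, rule names and device names are constructed, and they do not represent an Okta export format or API.

```python
# Added example. The record shapes below are constructed for illustration;
# they are not an Okta export format or API schema.
NATIVE, SAFE, AFW = "Native Android", "Samsung SAFE", "Android for Work"
LEGACY = {NATIVE, SAFE}

def parse_version(text):
    """'7.1.1' -> (7, 1, 1); '10' -> (10, 0, 0), so versions compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def rule_findings(enrollment_types):
    """Flag a policy rule that Android 10+ users cannot enroll through."""
    if AFW not in set(enrollment_types):
        return ["add Android for Work enrollment type"]
    return []

def device_findings(os_version, enrollment):
    """Return the notes from this article that apply to one enrolled device."""
    v = parse_version(os_version)
    notes = []
    if v >= (10, 0, 0) and enrollment in LEGACY:
        notes.append("un-enroll, then re-enroll with Android for Work")
    if v < (5, 1, 1):
        notes.append("below Android for Work minimum (5.1.1)")
    elif v < (7, 0, 0):
        notes.append("no separate work profile passcode policy (needs 7.0+)")
    if enrollment == AFW and (7, 1, 0) <= v < (7, 1, 2):
        notes.append("work profile passcode prompt bug (fixed in 7.1.2)")
    return notes

# Constructed sample data.
RULES = {"Field staff": [NATIVE, SAFE], "Office": [SAFE, AFW]}
DEVICES = [("pixel-01", "10", NATIVE), ("galaxy-07", "9", SAFE),
           ("moto-12", "7.1.1", AFW), ("nexus-03", "6.0.1", AFW),
           ("pixel-09", "11", AFW)]

def audit():
    """Collect only the rules and devices that need attention."""
    report = {f"rule:{n}": rule_findings(t) for n, t in RULES.items()}
    report.update({f"device:{n}": device_findings(v, e) for n, v, e in DEVICES})
    return {k: v for k, v in report.items() if v}

if __name__ == "__main__":
    for item, notes in audit().items():
        print(item, "->", "; ".join(notes))
```

Versions are compared as integer tuples because a plain string comparison would sort "10" before "9" and miss every Android 10+ device.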

Related Resources

Configure Okta Mobility Management Policies

Configure Okta Mobility Management

Use Okta Mobile