Configure Okta Mobility Management

Okta Mobility Management (OMM) allows you to manage your end users' computers, mobile devices, applications, and data. Your end users enroll in the service and can then download and use managed apps from the Apps Store. Managed apps are typically work-related, such as Box or Concur. As an administrator, you can remove managed apps and associated data from end users' devices at any time. You can configure policies, such as data sharing controls, on any of your managed apps.

Info

About Okta Mobility Management

  • The OMM menu is only available to orgs that implement Okta Mobility Management (OMM).
  • Procedures documented on this page are only available to customers who have already purchased OMM for their organization. New OMM sales are not supported. For more information, contact Okta Support.

  1. Make sure end user devices are running the supported OS version.
  2. Make sure Okta Mobile is installed on end user devices.
    For the Okta Mobility Management enrollment process to succeed, Okta Mobile must be installed on end-user devices.

    3. Note the following:

    • iOS: Following OMM enrollment, any security policies that you configure remain active even if end users delete Okta Mobile from their device.
    • Android: Android device users cannot delete Okta Mobile from their devices unless they unenroll from OMM.
  3. iOS and macOS devices: Create an Apple ID at http://appleid.apple.com so that you can complete the Apple Push Notification Service setup.
  4. iOS devices only: Review the Known Issue concerning Apple iOS 10.
  5. Make sure groups are created in your org before you configure mobile policies. You can create groups in Okta or import them from your directory. For more information, see Add and Use Groups below.

  1. Go to Devices > Mobile Policies.
  2. Go to OMM > OMM Policies.
  3. Click the appropriate button for the type of OMM enrollment you want to enable:

AfW setup instructions are documented in Okta Mobility Management with Android for Work. For Samsung SAFE and Native Android devices, no additional setup is necessary.

To configure Okta Mobility Management for your Apple iOS devices or macOS computers, you must first configure the Apple Push Notification Service (APNS) certificate. This process requires downloading a Certificate Signing Request (CSR) from Okta, uploading the CSR to Apple for digital signature, and finally uploading the signed certificate to the Okta org; as follows:

  1. Examine the Apple Certificate Setup button:

    • A Yellow exclamation mark indicates a push certificate has not yet been configured.

    • A Green check mark indicates a valid push certificate has already been configured.

    • A Red exclamation mark indicates your current push certificate has either expired, or is close to expiring.

  2. Follow the instructions in the Apple Certificate Setup dialog box:

    Click Download to obtain your Certificate Signing Request (okta-apns-CSR.dat) from Okta.

    1. Navigate to the Apple Push Certificates management portal using the link provided (https://identity.apple.com/pushcert).

      Note that you will need an Apple ID to log into this portal.

    2. If this is the first time you are setting up a certificate, you are prompted to accept Apple's terms and conditions. If you have configured one or more certificates already, they are listed in the portal.

      User-added image

    3. Click Create a Certificate.
    4. Click Choose File and navigate to the CSR file you downloaded previously for Apple to sign (okta-apns-CSR.dat), then click Upload. Once the request has been successfully uploaded, a confirmation screen appears.

      User-added image

    5. Click Download on the confirmation screen to download the APNS MDM certificate.

      Note that APNS certificates have an expiration date. Log in to the Apple Push Certificates Portal to Renew or Revoke certificates in the Certificates for Third-Party Servers section.

    Return to the Apple Certificate dialog box, click Browse to locate the APNS downloaded in the previous step, then click Upload to complete the CSR signature process.


Once you have configured the Apple Push Notification Service (APNS) certificate, your users must then download and install the Okta Mobile app from the Apple App Store. They should search for Okta Mobile and proceed through the download and installation process.

Requirements

Your Apple ID.

Manage APNS Certificates

Navigate to the Apple Push Certificates Portal, here: https://identity.apple.com/pushcert/ (you need your Apple ID to log into this portal).

If you have previously configured one or more certificates, they will be listed in the portal, as shown below. You can Renew, Download, and Revoke APNS certificates from this portal.

Important: We recommend you do not use the Revoke option. If you revoke a certificate, all your end users will subsequently need to re-enroll in Okta Mobility Management.

User-added image

You can click the information (i) icon to view details (highlighted in yellow below) about each certificate. Use this information to compare certificates in this portal to the one in Okta.


User-added image

Renew APNS Certificates

It's important that you renew APNS certificates in a timely manner; once an APNS certificate expires, you can't send commands to currently-enrolled devices, and new devices can't enroll. To reduce the likelihood of a certificate expiring, we:

  • Expose the certificate expiration date when you first create the certificate.
  • Send you an email notification 30 days, then 7 days, before expiration.
  • Add an error icon to the Apple Certificate Setup button on the Mobile Policy page when the certificate is within 30 days of expiration.

It's not possible to overwrite an existing certificate in Okta – don't worry about accidentally renewing the wrong certificate. However, you can avoid the hassle of reloading the same certificate by carefully following the instructions below.

APNS certificates expire after one year. If you need to renew your certificate you need to first download a new Certificate Signing Request (CSR) from Okta, as follows:

  1. Go to Devices > Mobile Policies.
  2. Go to OMM > OMM Policies.

  3. Click the Apple Certificate Setup button.

    Note that a green check box on the Apple Certificate Setup button indicates that a push certificate has already been configured, while a red exclamation point indicates the configured certificate has either expired or is close to expiring.

    The Apple Certificate Setup dialog appears:

    User-added image

    Note that step 2 on this screen displays information (highlighted in yellow, above) about your current APNS certificate, expired or not. Use this information to identify the certificate in the portal that you want to renew.

  4. Click Download to obtain your Certificate Signing Request (okta-apns-CSR.dat) from Okta.

  5. Navigate to the Apple Push Certificates Portal, here: https://identity.apple.com/pushcert/ (your Apple ID is required to log into this portal).

  6. Locate the certificate that has expired/is expiring, and click Renew.

    Note that you can find information about each certificate by click the information (i) icon. Use this information to compare your certificates.

  7. Click Choose File, then navigate to the CSR file you previously downloaded for Apple to sign (okta-apns-CSR.dat), then click Upload.

    User-added image

    Once the request has been successfully uploaded a confirmation screen is displayed:

    User-added image

  8. Click Download on the confirmation screen.

  9. Return to the Apple Certificate Setup dialog box in Okta, in the Upload Apple Push Certificate section, click Browse to locate the renewed APNS that was just downloaded, then click Upload to complete the process.

The option Wipe All Device Data is enabled by default but you can disable it on a per-iOS mobile policy basis for new OMM enrollments. When disabled, the Wipe All . . . option is unavailable in the Device Actions menu for iOS devices that:

  • Are covered by the relevant iOS mobile policy.
  • Enrolled in OMM after the Wipe All . . . option was disabled in the mobile policy. The Wipe All . . . option is still available for iOS devices that enrolled in OMM before the option was disabled. ClosedMore

  1. In the Admin Console, go to OMM > OMM Policies.
  2. Select a policy in the left pane.
  3. Under PLATFORMS, locate the rule for the relevant iOS device, and then click the pencil icon.
  4. In the Edit iOS Rule dialog box, click Next to advance to the second screen.
  5. Scroll down to the IOS PERMISSIONS section, and then select Disable wipe all device permission.

  6. Click Save.

This is an Early Access feature. To enable it, contact Okta Support.

You can prevent end users from enrolling compromised iOS and Android devices (jailbroken or rooted ) into Okta Mobility Management (OMM). Compromised devices pose a risk to the security of your org and the sensitive apps that users access from them. You can also restrict enrollment to specified operating system versions.

  1. Go to Devices > Mobile Policies.
  2. Go to OMM > OMM Policies
  3. Select an existing – or add a new – Device Policy.
  4. Edit an existing – or add a new – Platform Rule.
  5. Under Enrollment, select Allow Devices.
  6. Configure settings in the Enrollment Exceptions section:
    • Jailbroken/Rooted
      • Deny new jailbroken or rooted devices
      • Wipe company data from existing jailbroken or rooted devices
    • OS Version
      • Deny new device if OS version – specify the OS version(s) running on new devices you want to deny access to.
      • Wipe company data from existing device if OS version – specify the OS version(s) running on existing devices you want to wipe company data from.
  7. Click Next to continue.
  8. To configure passcode requirements and data separation, see Okta Mobility Management with Android for Work.
  9. When you are finished, click Save.

Important:

  • If you do not select Deny new device but do select Wipe company data from existing device and specify one OS version to be wiped, end users with devices running that version are able to enroll but their device will be desprovisioned when Okta detects it.
  • If Okta Mobile Android end users are restricted from enrollment but then you change the policy to allow them to enroll, end users must sign out of Okta Mobile and then sign back in to be allowed to enroll.

If you already have imported your users, proceed to the following sections. If not, there are many ways to add users to your org. You can import them as described in Importing People or by individually adding them as described in Adding People. You can import users from your existing directories as well. Refer to Available Directory Integrations for information on importing users from Active Directory, LDAP, and other directories.


Okta Mobility Management security policies are configured and enforced at the group level. You cannot assign policies to individual users. You can add groups in Okta or use groups that you have imported from directories or apps. For more information about adding groups in Okta, refer to the Groups section in Manage People. For a complete overview of using groups in Okta, including detailed descriptions of importing groups from directories, refer to About Groups.


Okta can send pre-configured key-value pairs to all managed apps installed by Okta Mobility Management (OMM).

Mobile admins create a configuration field name, value, and data type when uploading to OMM. These values are sent to the managed apps when end users choose to install them.

Note: Not all apps support configuration of key-value pairs.

  1. From the Dashboard, select Applications > Application-name > Mobile.

  2. Click the Edit icon next to the application you want to preconfigure.

  3. In the Preconfigure section, click the Add keys (iOS) or View Keys (Android).

    Note: For Android for Work apps, keys have already been pre-populated; you can still view them as described later in this article.

  4. Enter the following (for Android for Work, these fields are read-only):

    • Key: The name of the key you want to pre-configure for the selected app.

    • Data Type: Either string, integer, boolean, or *multi (*Android for Work only).

    • Value: The value you want to pre-configure for that key. The value must match the Data Type.

    • Click Add Another to add more key / value pairs (iOS only).

    • Click Save.

Use Expression Language

Managed App Configuration supports light weight Expression Language. To send a user's username instead of a constant string, use appuser.userName. For details about using SpEL with Okta features, see Okta Expression Language.


After you have configured OMM, you must configure one or more Mobile Policies as described in Configuring Mobile Policies.

After you've set up your security policies, your users can sign in to Okta Mobile to enroll. For end-user enrollment instructions, see Okta Mobility Management - End User Setup .

Help end users understand their privacy status

Beginning with Okta Mobile 5.0 for iOS and 2.16.0 for Android, an enhanced enrollment flow helps your end-users understand their device privacy status when their device(s) are enrolled in OMM. This makes it easier for end users to distinguish private data from data that is company-accessible.

Admin Configuration

The following steps assume that you have enabled OMM and created one or more mobile policies. For details about creating policies for iOS or Android, see Configuring Mobile Policies.

Once you have enabled policies for your end-users, they will immediately be prompted with the following enrollment flow when they sign into Okta Mobile.

End User Configuration

End users have three options to proceed:

  • Get Started begins the end user enrollment of OMM.
  • Learn how we protect your privacy provides a list of admin accessible data on the end-user’s device, once connected, as shown below.
  • Skip allows users to come back later.

If the end user chooses to skip enrollment, they are immediately brought into their Okta App page. Selecting Learn More takes them back into the OMM starting page, allowing them another opportunity to enroll. This can also be accessed from the app Settings section of the app.

Once enrolled, end-users can view their device status from the Settings screen. From here, they can also re-enroll if they have previously un-enrolled from OMM.