About Okta Mobile

Okta Mobile delivers Okta's simple Single Sign-On (SSO) experience to iPads, iPhones, and Android devices. When end users launch Okta Mobile, they get immediate one-click access to all of their applications. From Okta Mobile, end users can enroll in Okta Mobility Management (OMM) if they choose and if OMM is configured for your org.

Note: Okta Mobile is included with Okta's SSO product and does NOT require your org to purchase OMM (for more information, see Configure Okta Mobility Management).

Options that you configure in the Okta Admin console interact with mobile device-user settings and the state of the Okta Mobile app. This interaction determines when Okta Mobile users are challenged for MFA and when they are prompted to enter a PIN, fingerprint, or Face ID to unlock Okta Mobile.

Users must re-authenticate after prolonged Okta Mobile inactivity. Users who haven't used Okta Mobile for 30 days or longer are prompted to enter their Okta credentials when they next open Okta Mobile. This occurs because Okta Mobile relies on an internal authentication token that expires after 30 days of inactivity. This token expiration is separate from PIN and MFA expiration.

Topics

| Task | Description | Role Specifications |
|---|---|---|
| Configure Okta Mobile settings | Define how end users access the Okta Mobile app on their devices. | Administrator |
| Configure what apps display in Okta Mobile | Define what apps end users see in Okta Mobile. | Administrator |
| How Okta Mobile works with MFA and Session Expiration settings | Reference information. Find out how MFA and Session expiration settings interact with end user options in Okta Mobile. | Administrator |
| Okta Mobile for end users | Learn how end users install and use Okta Mobile. | Okta Mobile Users |

Remarks and known limitations

  • Users must re-authenticate after prolonged Okta Mobile inactivity. Users who haven't used Okta Mobile for 30 days or longer are prompted to enter their Okta credentials when they next open Okta Mobile. This occurs because Okta Mobile relies on an internal authentication token that expires after 30 days of inactivity. This token expiration is separate from PIN and MFA expiration.

  • Not all SAML apps are accessible from mobile devices. SAML federation allows end users one-click access to supported apps. After authenticating into Okta, end users can access SAML apps without having to authenticate into the app itself. Many SAML apps also provide a fallback method so end users can access the app by entering their app sign-on credentials.

    While many apps, such as Salesforce and Box, support SAML federation with their mobile applications, not all do. Some Independent Software Vendors (ISVs) still require users to enter their app credentials in order to access the mobile version of the SAML app. To verify how a given app will behave, consult the ISV of the app.

  • If Okta Mobility Management (OMM) is not enabled for your org, apps in Okta Mobile open directly in the browser when end users long-press an app.

  • Okta Mobile is not supported for use with Identity Provider Routing Rules.

  • Downloading files from within Okta Mobile for Android webview is not supported. As a security precaution, Okta doesn't support downloading files or opening attachments from within the Okta Mobile for Android webview. This restriction is intended to minimize the threat from malware as well as prevent end users from preserving copies of company resources. Okta enforces no restriction on opening files that don't require saving to disk.
  • End users can rate Okta Mobile for iOS. End users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. After clicking Submit, users are redirected to the App Store page for the Okta Mobile app to provide additional feedback. They can click Not now to dismiss the option.
  • Device Trust-secured apps are shown as locked on end-user Okta Home pages. End-user Okta Home pages viewed on desktop and mobile browsers (but not in Okta Mobile) display a lock icon on all Device Trust-secured app icons if all of the following are true:

    • Device Trust is enabled for the org.
    • The device is not trusted.
    • The end user tried to access any Device Trust-secured app from their Home page.

    The lock icon remains for the duration of the session.

  • Active Directory-managed users can use PIN or Face ID to access Okta Mobile even if their accounts are in Password Reset state. If you set an AD-managed account into Password Reset status, the user can still access Okta Mobile by PIN or Face ID authentication. To temporarily deactivate user accounts, use the Suspend procedure. See Suspend or unsuspend users.

Related Topics   

Okta Mobile Release Notes

Multifactor Authentication

Devices

Configure Okta Mobility Management (OMM) policies