The settings in this section apply to general security policies for your organization and specific security policies for mobile usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control.. To access these settings, navigate to Security > General.
You can configure the following settings under Organization:
When this feature is enabled, an end user will receive an email notification if they sign in from a new or unrecognized clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. . This email contains details pertaining to the user login such as the web browser and operating system used to sign in, in addition to the time and location of authentication.
Note: This feature is enabled by default for new orgs.
A client is identified by a browser cookie or fingerprint when the cookie is not available. A client can be considered new in one or more of the following scenarios:
- New browser type or version
- New OS type or version
- New or updated application
- Unrecognized browser or OS (appears as Unknown in the notification email)
If the authentication is not recognized, it is recommended that end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. contact their adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. immediately to investigate their account activity. The admin can perform actions such as terminating a user's sessions, lock the user's account, and add multifactor authentication to improve security.
Limitations of this Feature
This feature complements other security features such as multifactor authentication and should not act as a replacement. In most scenarios, clients are easily and accurately identified. However, there are some limitations that present a challenge for identification. As a result, it is recommended to use this feature in addition to other identifiers such as a new IP address or new location for improved accuracy when identifying suspicious activity on an end user's account.
The current limitations for identifying new clients are as follows:
- Device fingerprints are not captured over non-authentication and widget flows.
- New device notifications are generated occasionally when a device fingerprint is generated based on a change in the OS or browser.
- The device fingerprint is based on the browser in use. The end user will receive a new device notification email if they sign in with a new browser.
- For mobile logins, new device notification emails are sent based on the detection of a new mobile application and not the device used to log in.
- New device detection cannot always be fully guaranteed.
- End users may receive an unexpected new or unknown device notification email if they have not signed in to their accounts within 40 days.
For more information about end user notifications, refer to Email and SMS Options.
This setting displays or hides the Remember Me checkbox for end users on the login screen. If an end user checks this feature and signs in, their username is remembered and displayed at sign-on until their browser cookies are cleared.
Sets the link expiry in the account activation email sent to end users. For more information about email notifications, refer to Email and SMS Options.
End users are sent a confirmation email if they or an admin enroll in a new factor for their account. For more information about email notifications and template customization, refer to Email and SMS Options.
End users are sent an email if they or an admin reset a factor for their account. For more information about email notifications and template customization, refer to Email and SMS Options.
Go to Security > General > Okta Mobile and configure the folowing:
|PIN length||Specify the required number of digits for the PIN.|
|Allow simple PIN||Select to permit the use of repeating, ascending, and descending numeric sequences (such as 1111, 1234, 4321, etc.).|
|Ask for PIN when user is inactive for||Specify how long users can be inactive before they are prompted to enter a PIN.|
|PIN expires after||Specify how long the PIN is valid before it expires.|
|Screen preview/capture (Android only)||When this option is selected, Android device users cannot take screenshots, record videos, or share their screen from within Okta Mobile (other apps are not affected). RequiresOkta Mobile 3.8.0+ for Android. For iOS device users, this option has no effect.|
|Sign on to SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. apps (iOS only)||This iOS-specific option allows access to SAML apps in iOS Safari using an iOS Safari extension.|