Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices

This is an Early Access feature. To enable it, go to Settings > Features in the Okta Admin Console and turn on Workspace1 Device Trust for your mobile platform(s).

This integration is based primarily on SAML trust connections. It combines the power of Okta’s Contextual Access Management policy framework with device signals from VMware Workspace ONE to deliver a secure and seamless end-user experience. Allowing Workspace ONE to add the Device Context to the SAML Assertion lets enterprises leverage Okta’s policy framework to require users to enroll their unmanaged device or satisfy an MFA challenge.

You can also configure this integration to provide end users a streamlined device enrollment experience, leverage Okta's extensible Multi Factor Authentication to applications in Workspace ONE, and provide a consistent and familiar login experience for users and administrators.

This guide provides step-by-step instructions to configure and test use cases supported by the Okta + Workspace ONE. To integrate Okta with Workspace ONE, you integrate VMware Identity Manager with Okta. VMware Identity Manager is the identity component of Workspace ONE.


Intended audience

This information is written for experienced administrators who are familiar with Okta and VMware Identity Manager.

 

 


Use Cases

The main use cases supported by the Okta + Workspace ONE integration include:

USE CASE 1 – Enforce Device Trust and SSO for mobile devices with Okta + VMware Workspace ONE

USE CASE 2 – Configure streamlined Device Enrollment and Workspace ONE login using Okta

 


USE CASE 1 – Enforce Device Trust and SSO for mobile devices with Okta + VMware Workspace ONE

Integrating Okta with Workspace ONE allows administrators to establish device trust by evaluating device posture, such as whether the device is managed, before permitting end users to access sensitive applications. For iOS and Android devices, device posture policies are configured in Okta and evaluated anytime a user logs into a protected application.

This use case also establishes Okta as a trusted identity provider to Workspace ONE, allowing end users to log in to the Workspace ONE app, Workspace ONE Intelligent Hub app, and web portal using Okta authentication policies.


To configure this use case:


 


USE CASE 2 – Configure streamlined Device Enrollment and Workspace ONE login using Okta

You can configure this use case to provide end users a streamlined device enrollment experience, leverage Okta's extensible Multi Factor Authentication to applications in Workspace ONE, and provide a consistent and familiar login experience for users and administrators.

This configuration is configured in VMware Identity Manager, the identity component of Workspace ONE.


To configure this use case:


 

Note: If you want to combine both use cases, first configure this use case and then configure Enforce Device Trust and SSO with Okta + VMware Workspace ONE.

 


 

Optional: You can allow end users to access apps from either the Okta dashboard or the Workspace ONE dashboard. Both experiences are fully supported. You can configure the Workspace ONE catalog to publish applications federated through Okta without the need to first import them into VMware Identity Manager.

For details, see (Optional) Publish Okta apps to the Workspace ONE catalog


Requirements

Ensure that your environment meets the following requirements before you begin the Workspace ONEand Okta integration.

Components

VMware

  • A VMware Identity Manager tenant with System Administrator role
  • A Workspace ONE Unified Endpoint Management(UEM) tenant
  • VMware Identity Manager Connector
  • VMware Identity Manager AirWatch Cloud Connector (ACC)
  • ACC is required only if you use Workspace ONE UEM.

    Note: If your existing deployment syncs users to VMware Identity Manager from Workspace ONE UEM, the VMware Identity Manager connector is not required. For new deployments, using the VMware Identity Manager connector to sync users from Active Directory to VMware Identity Manager is recommended.

Okta

  • An Okta org (tenant) with Super or Org Administrator role
  • Device Trust for Workspace ONE enabled by Okta Support
  • Identity Provider Routing Rules (IdP Discovery) enabled by Okta Support

Supported apps and devices

  • Any iOS or Android SAML or WS-Fed cloud app
  • Devices running Okta-supported versions of iOS and Android operating systems

Integrate Workspace ONE and VMware Identity Manager

Integrate your Workspace ONE UEM and VMware Identity Manager tenants and configure the mobile SSO authentication methods that you intend to use for device trust.



Caveats

  • Device Trust does not apply to apps accessed via chiclets within Okta Mobile.
  • Enroll devices in Workspace ONE for best end user experience – Your end users will have a better experience when accessing your corporate resources if their Android or iOS device is already enrolled in Workspace ONE UEM. Otherwise, end users with un-enrolled iOS and Android devices are guided through the Workspace ONE UEM enrollment process before they can access device trust-secured apps.
  • Do not secure Workspace ONE with this Device Trust solution – Doing so will prevent new users from enrolling their device in Workspace ONE and accessing other device trust-secured apps.
  • Timeout issue can cause an SSO error – End users signing in to device trust-secured apps from an untrusted iOS or Android device are prompted to enroll their device with Workspace ONE. (This is expected behavior.) But if the apps are native apps and Workspace ONE enrollment takes longer than 10 minutes, or if the end user waits longer than 10 minutes after enrollment before trying again to access the app, an SSO error occurs because the app session has timed out. Advise affected end users to try to access the app again.
  • Device Trust-secured apps are shown as locked on end-user Okta Home pages. End-user Okta Home pages viewed on desktop and mobile browsers (but not in Okta Mobile) display a lock icon on all Device Trust-secured app icons if all of the following are true:

    • Device Trust is enabled for the org .
    • The device is not trusted.
    • The end user tried to access any Device Trust -secured app from their Home page.

    The lock icon remains for the duration of the session.



Additional documentation

Okta

Okta Device Trust

Identity Provider Routing Rules

Identity Providers

Get started with Office 365 sign on policies

VMware

VMware Device Trust

VMware Identity Manager Documentation

VMwareWorkspace ONE UEM Documentation