Turn off Mobile Device Trust
Identity Engine doesn't support Device Trust on mobile devices. If your organization uses mobile devices, or a combination of desktop and mobile devices, turn off Mobile Device Trust before you upgrade.
Before you begin
- If you have IWA Agents configured in Classic Engine, take note of the configuration settings. In the Admin Console, go to Security > Delegated Authentication > IWA Agents. These settings are no longer available in the Admin Console after upgrade.
- Using your mobile device management (MDM) tool, take an inventory of all devices that have Device Trust certificates. This helps ensure that the same devices continue to work on Identity Engine after upgrade.
- Ensure that users have the latest version of Okta Verify. Okta Verify registers the device in the Universal Directory and detects the presence of management certificates on the device. These certificates attest that a device is managed or trusted.
Start this task
- Determine what type of devices you have. In the Admin Console, go to Security > Device Trust. If Enable iOS Device Trust or Enable Android Device Trust is selected, you have mobile devices. If you have only mobile devices or a mix of mobile and desktop devices in your org, go to the next step. If you have only desktop devices in your org, there are no further actions before upgrade.
- Change the app sign-on policy condition for mobile devices to Any:
- Disable Mobile Device Trust policies:
- Turn off Mobile Device Trust:
  - In the Admin Console, go to Security > Device Trust.
  - If Enable iOS Device Trust or Enable Android Device Trust is selected, click Edit.
  - Clear the checkbox.
  - Click Save.
- Deploy Okta Verify to mobile devices.
- Remove the Integrated Windows Authentication (IWA) routing rules:
  - In the Admin Console, go to Security > Identity Providers.
  - Click IWA.
  - Make a note of your IWA routing rule. You need this information if a rollback is required later.
  - A Failed to update OIE upgrade state error appears for the org Superuser. Click Dismiss.
  - From the Active drop-down menu, click Deactivate > Delete.
  - Repeat this procedure for any other IWA rules.