Turn off Mobile Device Trust

Identity Engine doesn't support Device Trust on mobile devices. If your organization uses mobile devices, or a combination of desktop and mobile devices, turn off Mobile Device Trust before you upgrade.

Before you begin

  • If you have IWA Agents configured in Classic Engine, take note of the configuration settings. In the Admin Console, go to Security > Delegated Authentication > IWA Agents.

    These settings are no longer available in the Admin Console after upgrade.

  • Using your mobile device management (MDM) tool, take an inventory of all devices that have Device Trust certificates. This helps ensure that the same devices continue to work on Identity Engine after upgrade.

  • Ensure that users have the latest version of Okta Verify. Okta Verify registers the device in the Universal Directory and detects the presence of management certificates on the device. These certificates attest that a device is managed or trusted.

Start this task

  1. Determine what type of devices you have. In the Admin Console, go to Security > Device Trust. If Enable iOS Device Trust or Enable Android Device Trust is selected, you have mobile devices. If you have only mobile devices or a mix of mobile and desktop devices in your org, go to the next step. If you have only desktop devices in your org, no further action is required before upgrade.
  2. Change the app sign-on policy condition for mobile devices to Any:
    1. In the Admin Console, go to Applications > Applications.
    2. Select the policy that you want to update.
    3. In the Sign On Policy section, locate any mobile device (iOS, Android, or Other mobile) policy rules that don’t have the Device Trust state set to Any.
    4. Click Edit, and select Any.
    5. Click Save.
  3. Disable Mobile Device Trust policies:
    1. In the Admin Console, go to Security > General.
    2. In the Okta Mobile section, click Edit.
    3. In the APP SETTINGS section, clear the Apply device trust policies when accessing apps in Okta Mobile checkbox.
  4. Turn off Mobile Device Trust:
    1. In the Admin Console, go to Security > Device Trust.
    2. If Enable iOS Device Trust or Enable Android Device Trust is selected, click Edit.
    3. Clear the checkbox.
    4. Click Save.
  5. Deploy Okta Verify to mobile devices.
  6. Remove the Integrated Windows Authentication (IWA) routing rules:
    1. In the Admin Console, go to Security > Identity Providers.
    2. Click IWA.
    3. Make a note of your IWA routing rule. You need this information if a rollback is required later.
    4. A "Failed to update OIE upgrade state" error appears for the org Superuser. Click Dismiss.
    5. From the Active drop-down menu, click Deactivate > Delete.
    6. Repeat this procedure for any other IWA rules.

Related topics

From Device Trust to Okta FastPass

Troubleshoot Device Trust after upgrade