Turn off Device Trust on mobile devices

Identity Engine doesn't support Device Trust on mobile devices. If your organization uses mobile devices, or a combination of desktop and mobile devices, turn off Device Trust for mobile devices before you upgrade.

Before you begin

  • If you have IWA Agents configured in Classic Engine, take note of the configuration settings. In the Admin Console, go to Security > Delegated Authentication > IWA Agents.

    These settings are no longer available in the Admin Console after upgrade.

  • Using your mobile device management (MDM) tool, take an inventory of all devices that have Device Trust certificates. This helps ensure that the same devices continue to work on Identity Engine after upgrade.

  • Ensure that users have the latest version of Okta Verify. Okta Verify registers the device in the Universal Directory and detects the presence of management certificates on the device. These certificates attest that a device is managed or trusted.

Start this task

  1. Determine what type of devices you have. In the Admin Console, go to Security > Device Trust. If Enable iOS Device Trust or Enable Android Device Trust is selected, you have mobile devices. If you have only mobile devices or a mix of mobile and desktop devices in your org, go to the next step.
  2. If you have only desktop devices in your org, go to Delete Integrated Windows Authentication routing rules.

  3. Change the app sign-on policy condition for mobile devices to Any:
    1. In the Admin Console, go to Applications > Applications.
    2. Select the policy that you want to update.

    3. In the Sign On Policy section, locate any mobile device (iOS, Android, or Other mobile) policy rules that don't have the Device Trust state set to Any.
    4. Click Edit, and select Any.
    5. Click Save.
  4. Disable Mobile Device Trust policies:
    1. In the Admin Console, go to Security > General.
    2. In the Okta Mobile section, click Edit.
    3. In the APP SETTINGS section, clear the Apply device trust policies when accessing apps in Okta Mobile checkbox.
  5. Turn off Mobile Device Trust:
    1. In the Admin Console, go to Security > Device Trust.
    2. If Enable iOS Device Trust or Enable Android Device Trust is selected, click Edit.
    3. Clear the checkbox.
    4. Click Save.
  6. Deploy Okta Verify to mobile devices.
  7. Remove the Integrated Windows Authentication (IWA) routing rules. See Delete Integrated Windows Authentication routing rules.

Related topics

Migrate from Device Trust to Okta FastPass

Troubleshoot Device Trust after upgrade