Migrate from Device Trust to Okta FastPass

Is there an automated way to migrate from Device Trust to Okta FastPass?

No. First, upgrade from Classic Engine. Then, configure the new Device Trust and Okta FastPass settings in Identity Engine.

Why must I turn off Mobile Device Trust when I upgrade to Identity Engine?

Device Trust (Classic Engine) uses Okta Mobile to attest that a mobile device is trusted and managed. Identity Engine doesn't support Okta Mobile, so end users can no longer use it to access their apps. Instead, users can access their apps from the Okta End-User Dashboard in a mobile browser.

Do I need Okta Device Trust for Okta FastPass?

Device Trust enables device management. In Classic Engine, Device Trust is established by the presence of certificates and has a strong dependency on Jamf (for macOS) and Active Directory (for Windows). In Identity Engine, Device Trust still works with certificates, but it uses Okta Verify and works across all MDMs. An endpoint management tool (for example, Jamf Pro or Workspace ONE) manages devices before end users can access Okta-managed apps. Okta FastPass enables passwordless authentication. You combine Device Trust with Okta FastPass to obtain strong passwordless authentication on managed, compliant devices.

Why do end users require the latest version of Okta Verify?

Okta Verify registers the device in the Universal Directory. Okta Verify detects the presence of management certificates on the device to attest that a device is managed or trusted. The latest version is required for Okta FastPass.

Where can I learn more about Device Trust on Classic Engine?

Can I revert to Classic Engine after I upgrade to the Identity Engine?

You can ask your Okta account team to revert your Identity Engine org back to a Classic Engine org. After you revert to a Classic Engine org, push and TOTP remain enabled even if these factors weren't enabled on your Classic Engine org before the upgrade. You can deactivate Okta Verify in your org. Go to Security > Multifactor > Factor Types, select Okta Verify, and then select Deactivate.

How do I set up Desktop Device Trust in Identity Engine if it was also set up in Classic Engine?

Since IWA was used for Device Trust in Classic Engine, IWA agents stay in place until certificates are issued from the new platform:

  1. In Identity Engine, go to Security > Device Integrations and configure the platform.
  2. Configure a new Certificate Authority (CA).
  3. Go to your device management software to deploy the new certificate to all devices.
  4. Deploy Okta Verify to all devices.
  5. Remove the IWA agents.
  6. Remove the Classic Engine platforms.
  7. Don't revoke the Classic Engine certificate from the end-user devices.

What happens to the existing certificate after I deploy the new certificate?

The certificate works until you install Okta Verify on end-user devices and the users register their account by using the Okta Verify desktop application. After users create the Okta Verify account, the Certificate Authority requires the new certificate.

What happens if I don't roll out the new certificate to our managed devices?

The existing certificate continues to work until the users install and register Okta Verify on their devices. Users can't access apps if they must use a trusted device but don't have the new certificate.

If I have a new device, can I push a certificate from IWA with a device registration task?

Yes, you can. However, Okta recommends that you move away from IWA and use Device Integrations instead so that you can use the new features.

Okta allows this so that customers can continue to function while moving to the new platform.

Does Classic Engine Device Trust stop when Okta Verify is pushed to the device?

No, but Okta requires pushing the new certificates before pushing Okta Verify to your devices. If you don't follow this sequence, users lose access to applications protected by Device Trust.

Jamf Connect for macOS devices

Can both old and new certificates live on my devices?

Yes, Okta uses the old certificate until you install and register Okta Verify on the device.

Will Classic Engine Device Trust configured with Jamf work the same way after upgrade?

Yes. Perform the following steps to deploy Identity Engine Device Trust after your upgrade:

  1. Set up the SCEP URL.
  2. Use your endpoint management solution to ensure that certificates are pushed to the devices.
  3. Ensure that the devices have Okta Verify.
  4. Enforce app policies.
  5. Validate Identity Engine Device Trust.
  6. Decommission Classic Engine Device Trust.

Is Jamf Connect reconfiguration required during or after upgrade?

No reconfiguration is required in Jamf.

Does MFA continue to work with Jamf Connect?

Okta Verify continues to work as expected. This is relevant if you've configured Jamf Connect to prompt reauthentication for certain actions like reboot.

YubiKey and WebAuthn don't work in Jamf Connect after you upgrade to Identity Engine, because Jamf Connect doesn't support these authenticators.

If you configured YubiKey or WebAuthn, configure Okta Verify after the upgrade.

Does Identity Engine Device Trust require a Python script?

No. The Python script, also known as the Okta Device Registration Task, is no longer required in Identity Engine.

Is there a keychain associated with Identity Engine Device Trust?

Identity Engine Device Trust uses a keychain. Re-enroll if the keychain gets cleared.

How do I verify pushed certificates before Okta Verify is installed?

You can use endpoint management solutions to push the certificates and validate.
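The following script is an added example, not Okta's code, for checking a device before Okta Verify is rolled out: it confirms that a certificate on the device was issued by the CA you configured under Security > Device Integrations and has not expired. The issuer string and common name are placeholders that you replace with your own CA values; the keychain export wrapper assumes macOS, where the endpoint management solution has already pushed the certificate.

```sh
#!/bin/sh
# Added example (not Okta's code). Validates a device certificate against the
# expected Device Integration CA before Okta Verify is installed.
# The issuer string and certificate common name are assumed placeholders.

# check_device_cert PEM_FILE EXPECTED_ISSUER
# Returns 0 if the certificate's issuer contains EXPECTED_ISSUER and the
# certificate is still valid, 1 otherwise (including unreadable files).
check_device_cert() {
  pem="$1"
  expected_issuer="$2"
  issuer=$(openssl x509 -in "$pem" -noout -issuer 2>/dev/null) || return 1
  case "$issuer" in
    *"$expected_issuer"*) ;;   # issued by the CA we configured
    *) return 1 ;;             # issued by some other CA (for example, the Classic Engine CA)
  esac
  # -checkend 0 exits non-zero when the certificate has already expired
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1
}

# check_keychain_cert COMMON_NAME EXPECTED_ISSUER  (macOS only)
# Exports the first keychain certificate whose common name matches, then
# runs check_device_cert on it. Returns 2 when security(1) is unavailable.
check_keychain_cert() {
  cn="$1"
  expected_issuer="$2"
  command -v security >/dev/null 2>&1 || { echo "security(1) not available" >&2; return 2; }
  tmp=$(mktemp) || return 2
  if ! security find-certificate -c "$cn" -p > "$tmp" 2>/dev/null; then
    rm -f "$tmp"
    return 1
  fi
  check_device_cert "$tmp" "$expected_issuer"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Example invocation with placeholder values; replace both with your CA details.
# check_keychain_cert "Okta Device Trust" "Example Device Trust CA" && echo "device certificate OK"
```

Run the check from your endpoint management solution as a compliance script: devices that return non-zero have not received the new certificate yet and would lose access to Device Trust protected apps if Okta Verify were registered on them first.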

After I configure a CA for Device Trust, can I change it?

Configure the new CA and issue certificates using the new CA. Identity Engine supports configuring multiple CAs and endpoint management solutions. The existing CA doesn't require reconfiguration.

Related topics

Device Trust for mobile devices

Replace Desktop Device Trust with Okta FastPass