Migrate Device Trust to Okta FastPass

Use this procedure to upgrade Device Trust to Okta FastPass.

  1. Identify the types of devices in your organization: desktop (macOS and Windows) or mobile (Android and iOS).
  2. If you use Device Trust for managing mobile devices, turn off Mobile Device Trust.
  3. Upgrade from Classic Engine to Identity Engine.
  4. Verify that the Device Trust policies are available in Identity Engine.
  5. Enable Okta FastPass for all users.
  6. Remove Device Trust and decommission your Integrated Windows Authentication (IWA) servers.

IWA and Device Trust aren’t supported on Identity Engine. This procedure allows you to maintain Device Trust functionality until you have Okta FastPass rolled out in your organization. On Identity Engine, you must use Okta FastPass and Okta Verify.

After the upgrade, you can’t modify Device Trust. On Identity Engine, Device Trust functionality continues to work as configured. However, you no longer have the administrative capability to modify or change configurations.

Before you begin

  • If you have IWA Agents configured in Classic Engine, take note of the configuration settings. In the Admin Console, go to Security > Delegated Authentication > IWA Agents.

    These settings are no longer available in the Admin Console after upgrade. To support rollback scenarios, don’t make IWA changes after upgrade.

  • Using your mobile device management (MDM) tool, take an inventory of all devices that have Device Trust certificates. This helps ensure that the same devices continue to work on Identity Engine after upgrade.

  • End users must use the latest version of Okta Verify. Okta Verify registers the device in the Universal Directory. Okta Verify detects the presence of management certificates on the device, to attest that a device is managed or trusted.

Start this procedure

Task 1: Identify the types of devices in your organization

During the migration, only desktop (Windows or macOS) devices are transferred to Identity Engine. There’s no automated migration for mobile devices. Mobile devices use Okta Verify.

  1. Determine what types of devices you have. In the Admin Console, go to Security > Device Trust. If Enable iOS Device Trust or Enable Android Device Trust is selected, you have mobile devices.

  2. Complete one of the following tasks, depending on the type of devices that you have:
    • Mobile devices: continue with Task 2: On Classic Engine, prepare mobile devices for migration.
    • Desktop devices only: skip to Task 3: Upgrade from Classic Engine to Identity Engine.

Task 2: On Classic Engine, prepare mobile devices for migration

Mobile Device Trust isn’t eligible for migration to Identity Engine. Turn it off before you upgrade. After the upgrade, use Okta FastPass or Okta Verify to ensure that mobile devices are trusted.

  1. Change the app sign-on policy condition for mobile devices to Any:
    1. In the Admin Console, go to Security > Authentication Policies.
    2. Select the policy that you want to update.

    3. Click the Rules tab.

    4. In the Sign On Policy section, locate any mobile device (iOS, Android, or Other mobile) policy rules that don’t have the Device Trust state set to Any.
    5. Click Edit, and select Any.
    6. Click Save.
  2. Disable Mobile Device Trust policies:
    1. In the Admin Console, go to Security > General.
    2. In the Okta Mobile section, click Edit.
    3. In the APP SETTINGS section, clear the Apply device trust policies when accessing apps in Okta Mobile checkbox.
  3. Turn off Mobile Device Trust:
    1. In the Admin Console, go to Security > Device Trust.
    2. If Enable iOS Device Trust or Enable Android Device Trust is selected, click Edit.
    3. Clear the checkbox.
    4. Click Save.
  4. Deploy Okta Verify to mobile devices.
  5. Remove the Integrated Windows Authentication (IWA) routing rules:
    1. In the Classic Admin Console, go to Security > Identity Providers.
    2. Click IWA.
    3. Take a screenshot or make a note of your IWA routing rule. You need this information if a rollback is required later.
    4. A Failed to update OIE upgrade state error appears for the org Superuser. Click Dismiss.
    5. From the Active dropdown, click Deactivate > Delete.
    6. If required, repeat this procedure for any other IWA rules.

Task 3: Upgrade from Classic Engine to Identity Engine

After the upgrade, your existing Device Trust authentications (mutual TLS authentications) continue to work on Identity Engine.

When you upgrade, any app sign-on policy Device Trust conditions are translated to Device Registered & Managed Conditions in Identity Engine. If the valid Device Trust certificate is present on the device, the device is registered and managed. If a certificate doesn’t exist on the device, or if it exists but isn’t valid, the device is unmanaged.

To upgrade to Identity Engine, contact your Okta account team. See Contact your Okta account team, and Give access to your Okta account team.

Task 4: Verify that Device Trust works on Identity Engine

After the upgrade, Device Trust is enabled. Okta FastPass isn’t enabled yet. The end-user experience is the same as on Classic Engine. If a user attempts to access an app that is protected by a device condition, Okta challenges the browser to present the Device Trust certificate, and then validates it. After validation, the user can access the app account.

Don’t remove Device Trust yet. You can’t revert this action.

  1. Verify that your Device Trust configuration migrated to the Identity Engine:
    1. In the Admin Console, go to Security > Device integrations.
    2. Click the Endpoint Management tab.
    3. Verify that the listed platforms match the device types you identified in Task 1: Identify the types of devices in your organization.

      For example, if Windows and macOS Device Trust was enabled in your Classic Engine, these platforms are listed on the Endpoint management page.

  2. Verify that your app sign-on policy includes a rule for registered and managed device conditions:
    1. In the Admin Console, go to Security > Authentication Policies.
    2. Select the policy that you want to update.
    3. Click the Rules tab.
    4. View the Sign On Policy information. One of the rules in the policy should specify Device: Registered, Managed.
  3. View the following System Log events, to verify that Device Trust is still working:
    • Authentication
      • DisplayMessage: Authentication of device through a certificate
      • EventType: user.authentication.authenticate
    • Enrollment
      • DisplayMessage: Device Trust certificate enrollment
      • EventType: user.credential.enroll
    • Issuance
      • DisplayMessage: Device Trust certificate issuance
      • EventType: pki.cert.issue
    • Revocation
      • DisplayMessage: Device Trust certificate revocation
      • EventType: pki.cert.revoke
    • Renewal
      • DisplayMessage: Device Trust certificate renewal
      • EventType: pki.cert.renew
  4. Verify the following items on multiple operating systems:
    • All existing use cases work. For example, users with Device-Trust-enabled desktop devices are able to authenticate.
    • All app sign-on policies migrated successfully. For apps that are protected by Device Trust, a rule must include a condition for Managed and Registered.
    • Existing mutual TLS (MTLS) certificates continue to be used for authentication.
    • Optional. Certificate renewals work.
    • Optional. New enrollments work.
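An added example, not part of Okta's documentation or tooling, of the System Log check in step 3 (the same check Task 7 repeats before Device Trust is removed): it builds the filter value for the System Log API (GET /api/v1/logs) from the listed EventType values, classifies events using the listed DisplayMessage values, and counts the Device Trust signals and the users still producing them. The sample events, the user names and the Okta FastPass display message are constructed; the real signals are the EventType and DisplayMessage values listed above.

```python
from collections import Counter

# eventType -> category, from the System Log list in Task 4, step 3.
DEVICE_TRUST_EVENT_TYPES = {
    "user.authentication.authenticate": "Authentication",
    "user.credential.enroll": "Enrollment",
    "pki.cert.issue": "Issuance",
    "pki.cert.revoke": "Revocation",
    "pki.cert.renew": "Renewal",
}
# The two user.* event types are also emitted for sign-ins and enrollments that don't involve
# Device Trust (for example Okta FastPass), so for those the DisplayMessage decides.
DEVICE_TRUST_DISPLAY_MESSAGES = {
    "Authentication of device through a certificate",
    "Device Trust certificate enrollment",
}

def build_log_filter():
    """Filter value for GET /api/v1/logs?filter=... that returns only the listed event types."""
    return " or ".join(f'eventType eq "{event_type}"' for event_type in DEVICE_TRUST_EVENT_TYPES)

def is_device_trust_event(event):
    """True when a System Log event (dict as returned by /api/v1/logs) is a Device Trust signal."""
    event_type = event.get("eventType")
    if event_type not in DEVICE_TRUST_EVENT_TYPES:
        return False
    return event_type.startswith("pki.cert.") or event.get("displayMessage") in DEVICE_TRUST_DISPLAY_MESSAGES

def summarize_device_trust(events):
    """Count Device Trust signals per category and list the users who still produce them."""
    counts, users = Counter(), set()
    for event in events:
        if is_device_trust_event(event):
            counts[DEVICE_TRUST_EVENT_TYPES[event["eventType"]]] += 1
            actor = (event.get("actor") or {}).get("alternateId")
            if actor:
                users.add(actor)
    return dict(counts), sorted(users)

# Constructed sample events in the System Log JSON shape; not real log data.
SAMPLE_EVENTS = [
    {"eventType": "pki.cert.issue", "displayMessage": "Device Trust certificate issuance",
     "actor": {"alternateId": "alice@example.com"}},
    {"eventType": "user.authentication.authenticate",
     "displayMessage": "Authentication of device through a certificate", "actor": {"alternateId": "bob@example.com"}},
    # Constructed non-Device-Trust sign-in (same eventType, different DisplayMessage); must be ignored.
    {"eventType": "user.authentication.authenticate", "displayMessage": "Sign in with Okta FastPass",
     "actor": {"alternateId": "carol@example.com"}},
    {"eventType": "pki.cert.renew", "displayMessage": "Device Trust certificate renewal",
     "actor": {"alternateId": "alice@example.com"}},
]
```

Call summarize_device_trust() on the events returned for build_log_filter(); an empty count means no Device Trust signals remain, and the returned user list names the accounts that still need to move to Okta Verify.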

Task 5: Enable Okta FastPass for some users

Consider the following scenarios:

Okta Verify isn’t installed:
When the user tries to access a Device Trust-protected app, the org sign-in page appears. Okta probes the user’s device for Okta Verify. After the user enters their username, Okta completes an MTLS challenge and the management attestation is gathered from the Device Trust certificate on the device.
Okta Verify is installed, inline enrollment is disabled, but the user didn’t add an account yet:
When the user tries to access a Device Trust-protected app, the org sign-in page appears. After the user enters their username, Okta completes an MTLS challenge and the management attestation is gathered from the Device Trust certificate on the device.
Okta Verify is installed, inline enrollment is enabled, but the user didn’t add an account yet:
When a user tries to access a Device Trust-protected app, they’re prompted to add an Okta Verify account. The authentication flow completes without mutual TLS authentication because the Device Trust status was provided by Okta Verify.

For more information, see Device registration.

  1. If you disabled mobile Device Trust, complete this procedure: Configure management attestation for mobile devices.
  2. Prepare enterprise devices for Okta FastPass. Push the latest version of Okta Verify app to all desktop devices. Using your MDM, turn on inline enrollment for some users.
  3. After you complete step 4 in this section, users are automatically prompted to enroll in Okta Verify the next time they access Okta. If a user installed Okta Verify and added an account (enrolled), they now use Okta FastPass to sign in. Therefore, the device is trusted. If the user doesn’t have an Okta Verify account, they use the Classic Engine Device Trust certificates to sign in.

    See Managed app configurations for macOS devices, and Managed app configurations for Windows devices for information about the EnrollmentOptions flag.

    At this point, Okta Verify is in a “ready” state. When you enable Okta FastPass (in step 4), users with Okta Verify are prompted to set up Okta FastPass. This step allows you to roll out Okta FastPass and Okta Verify registration in a controlled manner to help with change management.

  4. Make sure a certificate authority (CA) is configured, and that management certificates are deployed to all desktop devices. You can use Okta as a CA, or provide your own CA. See Configure a Certificate Authority.
  5. If you provide your own CA, follow these steps:

    1. In the Admin Console, go to Security > Authentication Policies.
    2. Click the Certificate Authority tab.
    3. Deploy management certificates to the devices.
  6. Update your app sign-on policy. Verify that you have a managed rule for each applicable platform. Change the User must authenticate with value to Any 1 factor type:
    • Allow Trusted macOS:
      • Platform: macOS
      • Device: Registered, Managed
      • User must authenticate with: Any 1 factor type
    • Allow Trusted Windows:
      • Platform: Windows
      • Device: Registered, Managed
      • User must authenticate with: Any 1 factor type

      For details about setting up your app sign-on policy, see Configure an app sign-on policy for Okta FastPass.

  7. Enable Okta FastPass. This is a global setting, but only the following categories of users have access to Okta FastPass:
    • Users with inline enrollment (set up in step 2)
    • Users that registered in Okta Verify and have a management certificate (set up in step 3).
  8. When you enable Okta FastPass, make sure you select the Okta FastPass (all platforms) checkbox before you deactivate Okta Device Trust.

  9. Verify these scenarios when Okta FastPass is enabled:
    • Users who aren’t enrolled in Okta Verify, but are enrolled with Device Trust, should be able to successfully access apps that are managed.
    • Users who aren’t enrolled in Okta Verify should be able to enroll in Okta Verify.
    • Users who enrolled in Okta Verify from a managed device should be able to successfully access apps that are managed.
    • Users who enrolled in Okta Verify from an unmanaged device should be able to access apps the same way they could before the migration.

Task 6: Enable Okta FastPass for all users

Encourage users to enroll in Okta Verify and have management certificates on their devices. Ideally, all users have an Okta Verify account with Okta FastPass enabled so that you no longer need Device Trust.

  1. Request all users to enroll in Okta Verify or deploy it on all user devices.

    Share this information with your end users:

  2. Verify the following items:

Task 7: Remove Device Trust and decommission your IWA servers

When all of your users are using Okta FastPass, you can remove Device Trust.

Don’t remove Device Trust until all your users are enrolled in Okta FastPass.

  1. View the System Log events, to ensure that Device Trust signals no longer exist. (See Task 4: Verify that Device Trust works on Identity Engine, step 3).
  2. If Device Trust signals exist, migrate these users to Okta Verify. Any users who don’t use Okta Verify will be impacted.

  3. Deactivate Device Trust:
    1. In the Okta Admin Console, go to Security > Device Integrations.
    2. Click Endpoint Management.
    3. For the required Platform, click Actions > Deactivate.
    4. If you receive an error when you try to delete the platform, see "Deactivate this Device Trust (Classic Engine) configuration" error in Troubleshoot the migration of Device Trust to Okta FastPass.
    5. Click Deactivate.
  4. Delete Device Trust:
    1. For the Inactive Platform, click Actions > Delete.
    2. Click Delete.
  5. Decommission the IWA servers from your infrastructure, and then remove the Device Registration task from your devices using your preferred tool.

Related topics

Troubleshoot the migration of Device Trust to Okta FastPass

Migrate from Device Trust to Okta FastPass FAQ