Migrate Device Trust to Okta FastPass
Use this procedure to upgrade Device Trust to Okta FastPass.
- Identify the types of devices in your organization: desktop (macOS and Windows) or mobile (Android and iOS).
- If you use Device Trust for managing mobile devices, turn off Mobile Device Trust.
- Upgrade from Classic Engine to Identity Engine.
- Verify that the Device Trust policies are available in Identity Engine.
- Enable Okta FastPass for all users.
- Remove Device Trust and decommission your Integrated Windows Authentication (IWA) servers.
IWA and Device Trust aren’t supported on Identity Engine. This procedure allows you to maintain Device Trust functionality until you have Okta FastPass rolled out in your organization. On Identity Engine, you must use Okta FastPass and Okta Verify.
After the upgrade, you can’t modify Device Trust. On Identity Engine, Device Trust continues to work as configured, but the Admin Console no longer lets you change its configuration.
Before you begin
If you have IWA Agents configured in Classic Engine, take note of the configuration settings. In the Admin Console, go to Security > Delegated Authentication > IWA Agents.
These settings are no longer available in the Admin Console after upgrade. To support rollback scenarios, don’t make IWA changes after upgrade.
Using your mobile device management (MDM) tool, take an inventory of all devices that have Device Trust certificates. This helps ensure that the same devices continue to work on Identity Engine after upgrade.
End users must use the latest version of Okta Verify. Okta Verify registers the device in Universal Directory and detects the management certificate on the device to attest that the device is managed, which is what makes it trusted.
Start this procedure
- Task 1: Identify the types of devices in your organization
- Task 2: On Classic Engine, prepare mobile devices for migration
- Task 3: Upgrade from Classic Engine to Identity Engine
- Task 4: Verify that Device Trust works on Identity Engine
- Task 5: Enable Okta FastPass for some users
- Task 6: Enable Okta FastPass for all users
- Task 7: Remove Device Trust and decommission your IWA servers
Task 1: Identify the types of devices in your organization
During the migration, only desktop (Windows or macOS) devices are transferred to Identity Engine. There’s no automated migration for mobile devices. On Identity Engine, mobile devices use Okta Verify.
- Determine what types of devices you have. In the Admin Console, go to Security > Device Trust. If Enable iOS Device Trust or Enable Android Device Trust is selected, you have mobile devices.
- Complete one of the following tasks, depending on the type of devices that you have:
- Mobile (Android or iOS) and desktop (Windows or macOS) devices: go to Task 2: On Classic Engine, prepare mobile devices for migration.
- Mobile devices only: go to Task 2: On Classic Engine, prepare mobile devices for migration.
- Desktop devices only: go to Task 3: Upgrade from Classic Engine to Identity Engine.
Task 2: On Classic Engine, prepare mobile devices for migration
Mobile Device Trust isn’t eligible for migration to Identity Engine. Turn it off before you upgrade. After the upgrade, use Okta Verify and Okta FastPass to ensure that mobile devices are trusted.
- Change the app sign-on policy Device Trust condition for mobile devices to Any:
  - In the Admin Console, go to Security > Authentication Policies.
  - Select the policy that you want to update.
  - Click the Rules tab.
  - In the Sign On Policy section, locate any mobile device (iOS, Android, or Other mobile) policy rules that don’t have the Device Trust state set to Any.
  - Click Edit, and then select Any.
  - Click Save.
- Turn off Mobile Device Trust:
  - In the Admin Console, go to Security > Device Trust.
  - If Enable iOS Device Trust or Enable Android Device Trust is selected, click Edit.
  - Clear the checkbox.
  - Click Save.
- Deploy Okta Verify to mobile devices.
- Remove the Integrated Windows Authentication (IWA) routing rules:
  - In the Classic Admin Console, go to Security > Identity Providers.
  - Click IWA.
  - Take a screenshot or make a note of your IWA routing rule. You need this information if a rollback is required later.
  - A "Failed to update OIE upgrade state" error appears for the org Superuser. Click Dismiss.
  - From the Active dropdown, click Deactivate > Delete.
  - If required, repeat these steps for any other IWA rules.
Task 3: Upgrade from Classic Engine to Identity Engine
After the upgrade, your existing Device Trust authentications (mutual TLS authentications) continue to work on Identity Engine.
When you upgrade, any app sign-on policy Device Trust conditions are translated to Device Registered and Managed conditions in Identity Engine. If a valid Device Trust certificate is present on the device, the device is registered and managed. If the certificate is missing or invalid, the device is unmanaged.
After the upgrade, Device Trust is enabled. Okta FastPass isn’t enabled yet. The end-user experience is the same as on Classic Engine. If a user attempts to access an app that is protected by a device condition, Okta challenges the browser to present the Device Trust certificate, and then validates it. After validation, the user can access the app account.
Don’t remove Device Trust yet. You can’t revert this action.
Task 4: Verify that Device Trust works on Identity Engine
- Verify that your Device Trust configuration migrated to Identity Engine:
  - In the Admin Console, go to Security > Device integrations.
  - Click the Endpoint Management tab.
  - Verify that the listed platforms match the device types you identified in Task 1: Identify the types of devices in your organization. For example, if Windows and macOS Device Trust was enabled in your Classic Engine org, these platforms are listed on the Endpoint Management page.
- Verify that your app sign-on policy includes a rule for registered and managed device conditions.
- View the following System Log events to verify that Device Trust is still working (DisplayMessage, then EventType):
  - Authentication of device through a certificate: user.authentication.authenticate
  - Device Trust certificate enrollment: user.credential.enroll
  - Device Trust certificate issuance: pki.cert.issue
  - Device Trust certificate revocation: pki.cert.revoke
  - Device Trust certificate renewal: pki.cert.renew
- Verify the following items on multiple operating systems:
  - All existing use cases work. For example, users with Device Trust-enabled desktop devices can authenticate.
  - All app sign-on policies migrated successfully. For apps that are protected by Device Trust, a rule must include a condition for Registered and Managed.
  - Authentication still uses the existing mutual TLS (mTLS) certificates.
  - Optional. Certificate renewals work.
  - Optional. New enrollments work.
Consider the following scenarios:
- Okta Verify isn’t installed: When the user tries to access a Device Trust-protected app, the org sign-in page appears. Okta probes the user’s device for Okta Verify. After the user enters their username, Okta completes an mTLS challenge and gathers the management attestation from the Device Trust certificate on the device.
- Okta Verify is installed, inline enrollment is disabled, but the user hasn’t added an account yet: When the user tries to access a Device Trust-protected app, the org sign-in page appears. After the user enters their username, Okta completes an mTLS challenge and gathers the management attestation from the Device Trust certificate on the device.
- Okta Verify is installed, inline enrollment is enabled, but the user hasn’t added an account yet: When the user tries to access a Device Trust-protected app, they’re prompted to add an Okta Verify account. The authentication flow completes without mutual TLS authentication because Okta Verify provides the Device Trust status.
For more information, see Device registration.
Task 5: Enable Okta FastPass for some users
- If you disabled mobile Device Trust, complete this procedure: Configure management attestation for mobile devices.
- Prepare enterprise devices for Okta FastPass. Push the latest version of Okta Verify app to all desktop devices. Using your MDM, turn on inline enrollment for some users.
- Make sure a certificate authority (CA) is configured, and that management certificates are deployed to all desktop devices. You can use Okta as a CA or provide your own CA. See Configure a Certificate Authority.
  - In the Admin Console, go to Security > Device integrations.
  - Click the Certificate Authority tab.
  - Deploy management certificates to the devices using your MDM.
- Update your app sign-on policy. Verify that you have a managed-device rule for each applicable platform, and change the User must authenticate with value to Any 1 factor type:
  - Allow Trusted macOS:
    - Platform: macOS
    - Device: Registered, Managed
    - User must authenticate with: Any 1 factor type
  - Allow Trusted Windows:
    - Platform: Windows
    - Device: Registered, Managed
    - User must authenticate with: Any 1 factor type
For details about setting up your app sign-on policy, see Configure an app sign-on policy for Okta FastPass.
- Enable Okta FastPass. This is a global setting, but only the following categories of users have access to Okta FastPass:
  - Users for whom you turned on inline enrollment (earlier in this task)
  - Users who registered in Okta Verify and have a management certificate (earlier in this task)
- Verify these scenarios when Okta FastPass is enabled:
  - Users who aren’t enrolled in Okta Verify but are enrolled in Device Trust can access apps that require a managed device.
  - Users who aren’t enrolled in Okta Verify can enroll in Okta Verify.
  - Users who enrolled in Okta Verify from a managed device can access apps that require a managed device.
  - Users who enrolled in Okta Verify from an unmanaged device can access apps the same way they could before the migration.
After you enable Okta FastPass, users are prompted to enroll in Okta Verify the next time they access Okta. A user who has installed Okta Verify and added an account (enrolled) now signs in with Okta FastPass, so the device is trusted. A user who doesn’t have an Okta Verify account continues to sign in with the Classic Engine Device Trust certificate.
At this point, Okta Verify is in a “ready” state. When you enable Okta FastPass, users with Okta Verify are prompted to set up Okta FastPass. This approach lets you roll out Okta FastPass and Okta Verify registration in a controlled manner to help with change management.
If you provide your own CA, follow these steps:
When you enable Okta FastPass, make sure you select the Okta FastPass (all platforms) checkbox before you deactivate Okta Device Trust.
Task 6: Enable Okta FastPass for all users
Encourage users to enroll in Okta Verify and to have management certificates on their devices. Ideally, all users have an Okta Verify account with Okta FastPass enabled so that you no longer need Device Trust.
- Ask all users to enroll in Okta Verify, or deploy it to all user devices.
Share this information with your end users:
- Verify the following items:
  - Okta Verify is deployed to all users through your MDM (see Task 6: Enable Okta FastPass for all users).
  - All users have a management certificate deployed through your MDM (see Task 5: Enable Okta FastPass for some users).
  - All users access apps from devices with Okta Verify, not with Device Trust (see the System Log events in Task 4: Verify that Device Trust works on Identity Engine).
Task 7: Remove Device Trust and decommission your IWA servers
When all of your users are using Okta FastPass, you can remove Device Trust.
Don’t remove Device Trust until all your users are enrolled in Okta FastPass.
- View the System Log events to ensure that Device Trust signals no longer exist (see the System Log events in Task 4: Verify that Device Trust works on Identity Engine).
- Deactivate Device Trust:
  - In the Okta Admin Console, go to Security > Device integrations.
  - Click Endpoint Management.
  - For the required Platform, click Actions > Deactivate.
  - Click Deactivate.
If you receive an error when you try to delete the platform, see "Deactivate this Device Trust (Classic Engine) configuration" error in Troubleshoot the migration of Device Trust to Okta FastPass.
- Delete Device Trust:
  - For the Inactive Platform, click Actions > Delete.
  - Click Delete.
- Decommission the IWA servers from your infrastructure, and then remove the Device Registration task from your devices using your preferred tool.
If Device Trust signals still appear in the System Log, migrate those users to Okta Verify before you remove Device Trust. Users who aren’t using Okta Verify can no longer satisfy managed-device conditions once Device Trust is removed.
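The System Log check in Task 4 (confirming that the Device Trust events are still present after the upgrade) and the inverse check in Task 7 (confirming that they are gone before you remove Device Trust) are the same query with opposite expectations. The following script is an added example, not Okta’s code and not part of the original procedure. It assumes an API token with read access to the System Log, presented as an SSWS token to the documented GET /api/v1/logs endpoint, and it runs offline against constructed sample events. Two of the listed event types (user.authentication.authenticate and user.credential.enroll) are generic, so the script matches the DisplayMessage as well as the EventType; otherwise Okta FastPass sign-ins would be counted as Device Trust traffic.

```python
"""Count Classic Engine Device Trust signals in the Okta System Log.

Added example, not Okta's code. Assumes an SSWS API token with System Log
read access and the documented GET /api/v1/logs endpoint. SAMPLE_EVENTS are
constructed for illustration and are not real log output.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# eventType -> displayMessage pairs the migration guide lists as Device Trust
# signals. The first two event types also fire for non-Device-Trust flows, so
# the displayMessage is matched as well.
DEVICE_TRUST_SIGNALS = {
    "user.authentication.authenticate": "Authentication of device through a certificate",
    "user.credential.enroll": "Device Trust certificate enrollment",
    "pki.cert.issue": "Device Trust certificate issuance",
    "pki.cert.revoke": "Device Trust certificate revocation",
    "pki.cert.renew": "Device Trust certificate renewal",
}


def log_filter() -> str:
    """Filter expression for GET /api/v1/logs limited to the five event types."""
    return " or ".join(f'eventType eq "{t}"' for t in DEVICE_TRUST_SIGNALS)


def is_device_trust_event(event: dict) -> bool:
    """True only when both eventType and displayMessage identify a Device Trust signal."""
    expected = DEVICE_TRUST_SIGNALS.get(event.get("eventType"))
    return expected is not None and event.get("displayMessage") == expected


def summarize(events) -> dict:
    """Count Device Trust signals per event type (Task 4: non-zero; Task 7: all zero)."""
    counts = dict.fromkeys(DEVICE_TRUST_SIGNALS, 0)
    for e in events:
        if is_device_trust_event(e):
            counts[e["eventType"]] += 1
    return counts


def users_still_on_device_trust(events) -> set:
    """Users who authenticated with a Device Trust certificate; move these to Okta Verify."""
    return {
        e["actor"]["alternateId"]
        for e in events
        if is_device_trust_event(e) and e["eventType"] == "user.authentication.authenticate"
    }


def fetch_events(org_url: str, api_token: str, days: int = 7) -> list:
    """Page through the System Log, following the Link rel="next" header.

    A since-only query is a polling query: Okta keeps returning a next link,
    so stop when a page comes back empty.
    """
    since = (datetime.now(timezone.utc) - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    url = f"{org_url}/api/v1/logs?" + urlencode(
        {"since": since, "filter": log_filter(), "limit": 1000}
    )
    events = []
    while url:
        req = Request(url, headers={"Authorization": f"SSWS {api_token}",
                                    "Accept": "application/json"})
        with urlopen(req) as resp:
            page = json.load(resp)
            links = resp.headers.get_all("Link") or []
        events.extend(page)
        url = None
        for link in links:
            m = re.match(r'<([^>]+)>;\s*rel="next"', link)
            if m:
                url = m.group(1)
        if not page:
            break
    return events


# Constructed sample events shaped like System Log entries (not real output).
SAMPLE_EVENTS = [
    {"eventType": "user.authentication.authenticate",
     "displayMessage": "Authentication of device through a certificate",
     "published": "2024-05-01T08:00:00.000Z", "actor": {"alternateId": "alice@example.com"}},
    {"eventType": "pki.cert.renew",
     "displayMessage": "Device Trust certificate renewal",
     "published": "2024-05-01T08:05:00.000Z", "actor": {"alternateId": "alice@example.com"}},
    {"eventType": "user.authentication.authenticate",
     "displayMessage": "Authentication of device through a certificate",
     "published": "2024-05-01T09:00:00.000Z", "actor": {"alternateId": "bob@example.com"}},
    # Same generic event type, but a FastPass sign-in (constructed message), not Device Trust.
    {"eventType": "user.authentication.authenticate",
     "displayMessage": "Authenticate user via Okta FastPass",
     "published": "2024-05-01T09:30:00.000Z", "actor": {"alternateId": "carol@example.com"}},
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
    print("Still on Device Trust:", sorted(users_still_on_device_trust(SAMPLE_EVENTS)))
    # Live check against your org (hypothetical URL; token from your secret store):
    # live = fetch_events("https://example.okta.com", api_token)
    # print(json.dumps(summarize(live), indent=2))
```

Run the live check at both points of the procedure: in Task 4 the counts and the user set should be non-zero for your Device Trust users; in Task 7 every count should be zero, and any users the script still lists are the ones to move to Okta Verify before you deactivate the platform.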