Replace Workspace ONE SAML-based mobile device trust with Okta FastPass

Early Access release. See Enable self-service features.

This procedure is for Classic Engine orgs using Workspace ONE SAML-based mobile device trust. To migrate Okta Device Trust to Okta FastPass and Okta Verify, see Device Trust for mobile devices.

You can't modify Workspace ONE SAML-based mobile device trust after you upgrade to Identity Engine. Use Okta FastPass and Okta Verify instead.

After the upgrade, your existing Workspace ONE SAML-based mobile device trust authentications continue to work on Identity Engine.

Any app sign-on policy Workspace ONE SAML-based mobile device trust conditions are translated to Device: Registered, Managed conditions in Identity Engine. If the mobile device is enrolled in Workspace ONE, the device matches a registered and managed rule. If the device isn't enrolled in Workspace ONE, the device matches a registered but unmanaged rule.

Start this procedure

  1. Check upgrade eligibility from the OIE Upgrade Hub

  2. Verify that Workspace ONE SAML-based mobile device trust works

  3. Enable Okta FastPass for some users

  4. Enable Okta FastPass for all users

  5. Remove Workspace ONE SAML-based mobile device trust

Check upgrade eligibility from the OIE Upgrade Hub

Before you can upgrade to Identity Engine, your org must meet certain configuration requirements. Use the OIE Upgrade Hub to check your org and review the list of action items that must be completed before the upgrade can be scheduled.

  1. Open the OIE Upgrade Hub in the Admin Console.

  2. Click Update eligibility and review the action items returned. You should see items related to Workspace ONE mobile device trust that make your upgrade ineligible. For more information on eligibility, see Self-service upgrade action items.

  3. Unblock the Workspace ONE mobile device trust action items: In the Admin Console, go to Settings > Features.

  4. Locate the feature called Migration Support for Workspace ONE Device Trust for Android and iOS and click the toggle to enable it.

  5. Return to the OIE Upgrade Hub and click Update eligibility again. Your org should now be eligible to upgrade. If you don't see your org as eligible to upgrade, contact your account representative.

  6. In the OIE Upgrade Hub, click Schedule upgrade. Select a date and time for the upgrade.

Verify that Workspace ONE SAML-based mobile device trust works

After the upgrade, Workspace ONE SAML-based mobile device trust is still enabled. Okta FastPass isn't enabled yet. The end user experience is the same as on Okta Classic Engine. If a user attempts to access an app that is protected by a device condition, Okta redirects the user to Workspace ONE to authenticate the user and verify the device management status. After validation, the user can access the app account.

Don't remove Workspace ONE SAML-based mobile device trust yet. You can't revert this action.

  1. Verify that your Workspace ONE SAML-based mobile device trust configuration migrated to the Identity Engine:
    1. In the Admin Console, go to Security > Device integrations.
    2. Click the Endpoint security tab.
    3. Verify that the listed platforms match the device types you identified in the pre-upgrade procedure. For example, if Android and iOS Device Trust were enabled in your Classic Engine environment, these platforms are listed on the Endpoint security page.
  2. Verify that your authentication policy includes a rule for registered and managed device conditions:
    1. In the Admin Console, go to Security > Authentication policies.
    2. Select the policy that you want to verify.
    3. One of the rules in the policy should specify Device: Registered, Managed.
  3. View the following System Log events to verify that Workspace ONE SAML-based mobile device trust is still working:

    Authentication

    • DisplayMessage: Authentication of device through SAML IdP
    • EventType: user.authentication.authenticate
    • LegacyEventType:
      • If the device is managed by Workspace ONE: core.user_auth.authentication.auth_via_saml_idp_success.
      • If the device is unmanaged by Workspace ONE: core.user_auth.authentication.auth_via_saml_idp_failure.
  4. Verify the following items on multiple operating systems:
    • All existing use cases work. For example, users with device trust-enabled mobile devices are able to authenticate.
    • All app sign-on policies migrated successfully. For apps that are protected by Workspace ONE SAML-based mobile device trust, a rule must include a condition for Managed and Registered.
    • New enrollments work (if applicable).

Enable Okta FastPass for some users

Consider the following scenarios and read about Device registration.

Scenario 1: Okta Verify isn't installed, or Okta Verify is installed on the device but the user only has an Okta Classic Engine account. When the user tries to access an app protected by Workspace ONE SAML-based mobile device trust, the org sign-in page appears. Okta probes the user's device for Okta Verify. The user is redirected to the Workspace ONE Identity Provider to evaluate device trust, then redirected back to the sign-in page. Okta collects the device posture to evaluate whether the device meets the app sign-on policy.

Scenario 2: Okta Verify is installed on the device, but the user doesn't have any account in it. When the user tries to access an app protected by Workspace ONE SAML-based mobile device trust, they're prompted to add an Okta Verify account. The authentication flow completes without Workspace ONE authentication because the Device Trust status was provided by Okta Verify.
  1. If you disabled Workspace ONE SAML-based mobile device trust, complete this procedure: Configure management attestation for mobile devices. Then, go to the next step.
  2. Prepare enterprise devices for Okta FastPass. Push the latest version of Okta Verify app to all devices. Using your MDM, turn on inline enrollment for users. See Device registration and Managed devices.
  3. Update your app authentication policy. Verify that you have a managed rule for each applicable platform. Change the User must authenticate with value to Any 1 factor type:
    • Allow Trusted iOS:
      • Platform: iOS
      • Device: Registered, Managed
      • User must authenticate with: Any 1 factor type
    • Allow Trusted Android:
      • Platform: Android
      • Device: Registered, Managed
      • User must authenticate with: Any 1 factor type

      For details about setting up your authentication policy, see Configure an authentication policy for passwordless authentication with Okta FastPass.

      After you complete this step, users are automatically prompted to enroll in Okta Verify the next time they access Okta. If a user installed Okta Verify and added an account (enrolled), they now use Okta FastPass to sign in. Therefore, the device is trusted. If the user doesn't have an Okta Verify account, they use Workspace ONE SAML-based mobile device trust to sign in.

  4. Enable Okta FastPass. This is a global setting, but only the following categories of users have access to Okta FastPass:
    • Users with inline enrollment.
    • Users who registered in Okta Verify and have an MDM-enrolled device.

    When you enable Okta FastPass, make sure you select the Okta FastPass (all platforms) checkbox before you deactivate Workspace ONE SAML-based mobile device trust.

  5. Verify these scenarios when Okta FastPass is enabled:
    • Users who aren't enrolled in Okta Verify but are enrolled with Workspace ONE SAML-based mobile device trust should be able to successfully access apps that are managed.
    • Users who aren't enrolled in Okta Verify should be able to enroll in Okta Verify.
    • Users who enrolled in Okta Verify from a managed device should be able to successfully access apps that are managed.
    • Users who enrolled in Okta Verify from an unmanaged device should be able to access apps the same way they could before the migration.
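The managed rules in step 3 are easy to check by hand for one app, but an org migrating many apps usually exports each app's authentication policy rules and checks them in bulk. The script below is an added example, not Okta's code or a tool this page describes: it takes a list of access-policy rules and reports which mobile platforms still lack an active rule that requires Device: Registered, Managed with Any 1 factor type. The rule field names (conditions.device.registered and .managed, conditions.platform.include[].os.type, actions.appSignOn.access and actions.appSignOn.verificationMethod.factorMode) are assumed to follow the Okta Policy API access-policy rule format; compare them against your own exported rules before relying on the check. The sample rules are constructed.

```python
"""Check that an app's authentication policy has an active managed-device rule
for each mobile platform that requires only one factor.

Added example (not Okta's code). Assumptions: the rule structure below
matches the Okta Policy API access-policy rule format; the sample rules
are constructed and represent the "Allow Trusted iOS/Android" rules
named in the runbook, with the Android rule not yet changed to 1FA."""
from typing import Dict, Iterable, List, Set

# Platforms this runbook cares about; os.type values as used in platform conditions.
REQUIRED_PLATFORMS: Set[str] = {"IOS", "ANDROID"}


def rule_platforms(rule: Dict) -> Set[str]:
    """Set of os.type values the rule's platform condition includes."""
    include = rule.get("conditions", {}).get("platform", {}).get("include", [])
    return {entry.get("os", {}).get("type") for entry in include}


def is_managed_one_factor_rule(rule: Dict) -> bool:
    """True for an ACTIVE ALLOW rule on registered + managed devices with
    'User must authenticate with: Any 1 factor type' (factorMode 1FA)."""
    device = rule.get("conditions", {}).get("device", {})
    sign_on = rule.get("actions", {}).get("appSignOn", {})
    method = sign_on.get("verificationMethod", {})
    return (
        rule.get("status") == "ACTIVE"
        and device.get("registered") is True
        and device.get("managed") is True
        and sign_on.get("access") == "ALLOW"
        and method.get("factorMode") == "1FA"
    )


def missing_platforms(rules: Iterable[Dict]) -> Set[str]:
    """Platforms from REQUIRED_PLATFORMS with no qualifying managed 1FA rule."""
    covered: Set[str] = set()
    for rule in rules:
        if is_managed_one_factor_rule(rule):
            covered |= rule_platforms(rule)
    return REQUIRED_PLATFORMS - covered


def report(rules: Iterable[Dict]) -> List[str]:
    """Human-readable verdict per rule, for the admin reviewing the export."""
    lines = []
    for rule in rules:
        verdict = "OK" if is_managed_one_factor_rule(rule) else "needs update"
        platforms = ",".join(sorted(p for p in rule_platforms(rule) if p))
        lines.append(f"{rule.get('name')} [{platforms}]: {verdict}")
    return lines


def _rule(name: str, os_type: str, factor_mode: str) -> Dict:
    """Build a constructed sample rule in the assumed access-policy shape."""
    return {
        "name": name,
        "status": "ACTIVE",
        "conditions": {
            "platform": {"include": [{"type": "MOBILE", "os": {"type": os_type}}]},
            "device": {"registered": True, "managed": True},
        },
        "actions": {
            "appSignOn": {
                "access": "ALLOW",
                "verificationMethod": {"type": "ASSURANCE", "factorMode": factor_mode},
            }
        },
    }


# Constructed sample: iOS rule already changed to 1FA, Android rule still 2FA.
SAMPLE_RULES: List[Dict] = [
    _rule("Allow Trusted iOS", "IOS", "1FA"),
    _rule("Allow Trusted Android", "ANDROID", "2FA"),
]

if __name__ == "__main__":
    for line in report(SAMPLE_RULES):
        print(line)
    print("platforms still missing a managed 1FA rule:", missing_platforms(SAMPLE_RULES))
```

Run it against the JSON you export for each app's policy; an empty set from missing_platforms means every required mobile platform has the rule step 3 asks for.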

Enable Okta FastPass for all users

Encourage users to enroll in Okta Verify. Ideally, all users have an Okta Verify account with Okta FastPass enabled so that you no longer need Workspace ONE SAML-based mobile device trust.

  1. Request all users to enroll in Okta Verify or deploy it on all user devices. Share the appropriate link with your users.
  2. Verify the following items:
    • Okta Verify is deployed to all users using your MDM.
    • All users have a management certificate, using your MDM (see task 2, step 2).
    • All users access apps from devices with Okta Verify, and not through Workspace ONE SAML-based mobile device trust (see task 1, step 3).

Remove Workspace ONE SAML-based mobile device trust

When all of your users are using Okta FastPass, you can remove Workspace ONE SAML-based mobile device trust.

  1. View the System Log events to ensure that Workspace ONE SAML-based mobile device trust signals no longer exist (see task 2, step 3). If Workspace ONE SAML-based mobile device trust signals still exist, migrate those users to Okta Verify first. Any users who don't use Okta Verify will be impacted.
  2. Delete Workspace ONE SAML-based mobile device trust:
    1. In the Admin Console, go to Security > Device integrations.
    2. Click Endpoint security.
    3. For the required platform, click Actions > Delete. This is a permanent action and can't be undone.
  3. Decommission Workspace ONE from your infrastructure.
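Both the check in task 2, step 3 (the Workspace ONE signals are still present) and the check in step 1 above (the signals are gone, so deletion is safe) come down to the same System Log query, so one script covers both. The following is an added example, not Okta's code or a tool this page describes. It builds the query string for the System Log API, classifies entries by the LegacyEventType values this page lists, and reports which users are still authenticating through the Workspace ONE SAML IdP. Assumptions: the LogEvent field names (eventType, legacyEventType, displayMessage, actor.alternateId, published) and the /api/v1/logs parameters (since, filter, limit) match the Okta System Log API; the sample entries are constructed, and the script never contacts an org.

```python
"""Find Okta System Log entries that show Workspace ONE SAML-based mobile
device trust is still in use.

Added example (not Okta's code). Assumptions: LogEvent field names and the
/api/v1/logs query parameters follow the Okta System Log API; SAMPLE_EVENTS
is constructed and not real log data."""
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlencode

EVENT_TYPE = "user.authentication.authenticate"
# LegacyEventType values the runbook lists for the Workspace ONE SAML IdP flow.
WS1_MANAGED = "core.user_auth.authentication.auth_via_saml_idp_success"
WS1_UNMANAGED = "core.user_auth.authentication.auth_via_saml_idp_failure"


def build_logs_query(since_iso: str, limit: int = 1000) -> str:
    """Query string for GET /api/v1/logs, narrowed to the event type the runbook names.
    since is an ISO-8601 timestamp; filter uses the API's expression syntax."""
    return urlencode({
        "since": since_iso,
        "filter": f'eventType eq "{EVENT_TYPE}"',
        "limit": limit,
    })


def classify(event: Dict) -> Optional[str]:
    """'managed' or 'unmanaged' for a Workspace ONE trust authentication, else None."""
    if event.get("eventType") != EVENT_TYPE:
        return None
    legacy = event.get("legacyEventType")
    if legacy == WS1_MANAGED:
        return "managed"
    if legacy == WS1_UNMANAGED:
        return "unmanaged"
    return None


def summarize(events: Iterable[Dict]) -> Dict:
    """Count Workspace ONE trust authentications and list the users still producing them."""
    counts: Counter = Counter()
    users = set()
    for event in events:
        kind = classify(event)
        if kind is None:
            continue
        counts[kind] += 1
        users.add(event.get("actor", {}).get("alternateId", "<unknown>"))
    return {"counts": dict(counts), "users_still_on_workspace_one": sorted(users)}


def safe_to_remove(events: Iterable[Dict]) -> bool:
    """True only when no entry in the window is a Workspace ONE trust authentication."""
    return all(classify(event) is None for event in events)


# Constructed sample entries, shaped like System Log API output.
SAMPLE_EVENTS: List[Dict] = [
    {"published": "2024-05-01T09:00:00.000Z", "eventType": EVENT_TYPE,
     "legacyEventType": WS1_MANAGED,
     "displayMessage": "Authentication of device through SAML IdP",
     "actor": {"alternateId": "alice@example.com"}},
    {"published": "2024-05-01T09:05:00.000Z", "eventType": EVENT_TYPE,
     "legacyEventType": WS1_UNMANAGED,
     "displayMessage": "Authentication of device through SAML IdP",
     "actor": {"alternateId": "bob@example.com"}},
    {"published": "2024-05-01T09:07:00.000Z", "eventType": EVENT_TYPE,
     "legacyEventType": WS1_MANAGED,
     "displayMessage": "Authentication of device through SAML IdP",
     "actor": {"alternateId": "alice@example.com"}},
    # A plain session start: same org, not a Workspace ONE trust event.
    {"published": "2024-05-01T09:10:00.000Z", "eventType": "user.session.start",
     "legacyEventType": None, "displayMessage": "User login to Okta",
     "actor": {"alternateId": "carol@example.com"}},
]

if __name__ == "__main__":
    print(build_logs_query("2024-05-01T00:00:00.000Z"))
    print(summarize(SAMPLE_EVENTS))
    print("safe to remove Workspace ONE device trust:", safe_to_remove(SAMPLE_EVENTS))
```

Feed the script the entries returned for a window that covers a full working cycle of your users (a week or more); the users it lists are the ones to migrate to Okta Verify before you delete the Workspace ONE integration, and only an empty list means the deletion will not lock anyone out.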

Related topics

Turn off Device Trust on mobile devices

Migrate from Device Trust to Okta FastPass FAQ

Troubleshoot Device Trust after upgrade