Configure advanced posture checks for device assurance

Early Access release. See Enable self-service features.

Advanced posture checks offer more granular control over device security beyond the capabilities of standard device assurance policies. With this feature, you can define specific device posture conditions that reflect the unique security requirements of your org. This allows you to configure a secure org where access to sensitive resources is granted only when a device meets a precise set of conditions.

Before you begin

  • Getting started requires a basic level of proficiency with osquery; however, AI assistants can help you write and modify queries. Review these resources:

  • macOS devices must meet the following minimum requirements:

    • macOS version 14.4 or later

    • Okta Verify for macOS version 9.39.0 or later

      Support for osquery is only available through the Okta Verify app downloaded from the Okta Admin Console (Settings > Downloads)

    • Devices have System Integrity Protection enabled

    • Devices are managed through a mobile device management (MDM) tool, such as Microsoft Intune or Jamf Pro

  • Windows devices must meet the following minimum requirements:

    • Windows 10 (22H2) or later, 64-bit

    • Okta Verify for Windows version 6.7.0 or later

    • Devices are managed through an MDM, such as Microsoft Intune or Omnissa Workspace ONE

Enable custom device checks on user devices

Follow the appropriate procedure for the operating system on your user devices.

macOS

To enable custom osquery checks on macOS devices, use your MDM to deploy Okta Verify with a plist file that includes configuration properties. This enables Okta Verify to collect the custom checks from the devices.

  1. Append the following keys to the Okta Verify configuration. See Okta Verify configurations for macOS devices.

    • OktaVerify.EnableOSQueryCustomChecks

    • OktaVerify.OSQueryAllowedDomains

    • OktaVerify.OSQueryCustomChecksTimeout

  2. Push the app configuration change to Okta Verify using your MDM. See Deploy Okta Verify to macOS devices.

  3. Install Okta Verify. If Okta Verify is already installed on the device, reinstall it.

Windows

To enable custom osquery checks on Windows devices, use your MDM to deploy Okta Verify:

  1. Configure your MDM to install Okta Verify with the EnableOSQueryCustomChecks configuration value set to True. See EnableOSQueryCustomChecks in Okta Verify configurations for Windows devices.

  2. Generate and install the osquery plugin manifest file. See Install the osquery integration plugin.

  3. Push the app configuration change to Okta Verify using your MDM. See Deploy Okta Verify to Windows devices.

  4. Install Okta Verify. If Okta Verify is already installed on the device, reinstall it.

Enable osquery in Okta

  1. In the Admin Console, go to Security > Device integrations.

  2. On the Endpoint security tab, click Add endpoint integration, and select osquery.

  3. Select the platform, and click Save.

Create a custom check

  1. In the Admin Console, go to Security > Advanced Posture Checks.

  2. On the Custom checks tab, click Add custom check.

  3. Configure your posture check.

    1. Enter a name and description.

    2. Assign a variable to identify this posture check when you configure your device assurance policies.

    3. Select macOS or Windows, depending on the operating system of the endpoint devices.

    4. Write your query using standard SQL. The query must return either 1 (pass) or 0 (fail) and must end with a semicolon.

      SELECT
        CASE
          WHEN global_state = 0 THEN 0
          ELSE 1
        END AS firewall_enabled
      FROM alf;

      Validate and test your queries in a Preview environment before you deploy them to your production org.

      To test your query on macOS, run this command on a device where the advanced posture checks feature is enabled:

      /Applications/Okta\ Verify.app/Contents/XPCServices/OktaAuthenticationService.xpc/Contents/Resources/osqueryd --S --json "YOUR QUERY"

      In Okta Verify for macOS 9.52.0, the name of the binary file changed. If you're validating your query against a device running Okta Verify for macOS 9.50 or earlier, change OktaAuthenticationService.xpc to OSQueryService.xpc in the validation query command.

      To test your query on Windows, run this from an administrator command prompt on a device where advanced posture checks are enabled:

      "C:\Program Files\Okta\Services\Authenticator Service\osqueryi.exe" --S --json "YOUR QUERY"

      The query must return exactly one row, so the JSON array contains a single object with a single column. The previous example query returns this output:

      [
      {"firewall_enabled": "1"}
      ]
    5. When you configure your device assurance policy, you can have your posture check appear as a checkbox or text field. In the User interface form element, select either Checkbox or Textbox.

  4. Optional. Configure any remediation instructions to appear in the browser if the device posture evaluation fails. See Configure custom remediation instructions for device assurance.

  5. Click Save posture check.
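The one-row, 0-or-1 contract is easy to break: a query whose WHERE clause matches nothing returns zero rows, and a query that forgets the CASE wrapper returns a raw count. This added helper (not part of Okta Verify or osquery) runs the same validation command the steps above describe and checks the output against that contract; the binary paths are copied from this page, and the flags are assumed to behave as the page shows.

```python
"""Validate an osquery posture-check result against Okta's contract:
exactly one row, exactly one column, value "0" (fail) or "1" (pass)."""
import json
import subprocess
import sys

# Binary locations copied from this page; pick the one for your platform.
OSQUERY_MACOS = ("/Applications/Okta Verify.app/Contents/XPCServices/"
                 "OktaAuthenticationService.xpc/Contents/Resources/osqueryd")
OSQUERY_WINDOWS = r"C:\Program Files\Okta\Services\Authenticator Service\osqueryi.exe"


def validate_result(raw_json: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for a one-row, one-column
    result whose value is "0" or "1"."""
    try:
        rows = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, f"output is not JSON: {exc}"
    if not isinstance(rows, list):
        return False, "output is not a JSON array"
    if len(rows) != 1:
        # Zero rows usually means a WHERE clause filtered everything out;
        # wrap the condition in CASE/COUNT(*) so one row is always produced.
        return False, f"expected exactly 1 row, got {len(rows)}"
    row = rows[0]
    if not isinstance(row, dict) or len(row) != 1:
        return False, "row must contain exactly one column"
    (name, value), = row.items()
    if str(value) not in ("0", "1"):
        return False, f"column {name!r} must be 0 or 1, got {value!r}"
    return True, f"{name}={value}"


def run_check(osquery_bin: str, query: str) -> tuple[bool, str]:
    """Run the query exactly as the page's test command does, then validate."""
    proc = subprocess.run([osquery_bin, "--S", "--json", query],
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return False, f"osquery exited {proc.returncode}: {proc.stderr.strip()}"
    return validate_result(proc.stdout)


if __name__ == "__main__":
    # Usage: python check_query.py <osquery binary> "<query>"
    ok, reason = run_check(sys.argv[1], sys.argv[2])
    print(("PASS " if ok else "FAIL ") + reason)
    sys.exit(0 if ok else 1)
```

Run it against the firewall query from this page to confirm the output shape before pasting the query into the Admin Console.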

Add the custom check to a device assurance policy

  1. Add a device assurance policy or Edit a device assurance policy.

  2. Configure the options for your macOS or Windows devices.

  3. In the Custom posture check section, search and select one or more posture checks from the dropdown menu.

  4. Select Enabled to confirm which checks to add to the policy.

  5. Click Save.

Add the device assurance policy to an app sign-in policy

  1. Follow the steps in Add device assurance to an app sign-in policy.

  2. For the Device assurance policy is condition, select the device assurance policy that includes the custom checks.

Known issues and limitations

Device assurance policies that use custom osquery checks don't work if the user is authenticating using Safari with the SSO extension deployed. The workaround is to use a different browser.

Related topics

Device assurance

Add a device assurance policy