Device assurance

With device assurance policies you can check sets of security-related device attributes as part of your authentication policies. For example, you can configure a device assurance policy to check whether a specific operating system version or security patch is installed on a device before that device can be used to access Okta-protected resources. By adding device checks to authentication policy rules, you can establish minimum requirements for the devices that have access to systems and applications in your organization.

After you add at least one device assurance policy, you can include it in authentication policy rules. You can't apply device assurance policies to users, groups, or devices until you make them part of an authentication policy rule.

Users who have at least one Okta Verify enrollment can check the security health of their devices by opening Okta Verify and going to MenuSettingsDevice health. This feature is available in the following Okta Verify versions or later:

• Android: 7.7.1
• iOS: 7.7.0
• macOS: 3.5.0
• Windows: 3.6.0

Device health

If the device passes all checks, each security requirement has a green check mark.

For any failed device assurance checks, the user receives remediation messages on the Device health page.

To check the latest OS definitions for your org, go to https://<myorg>/.well-known/ov-configurations.

How to configure device assurance

• Add a device assurance policy
• Add device assurance to an authentication policy
• Add user help for device assurance
• Edit a device assurance policy
• Delete a device assurance policy
• Device health attributes in System Log events

How end users check the device health

• Check the health of your Android device
• Check the health of your iOS device
• Check the health of your macOS device
• Check the health of your Windows device