Device lifecycle

Device lifecycle references changes to the state of a device within Okta Verify: active, suspended, or deactivated. Admins can perform actions on devices to change their lifecycle state.

The image shows a device lifecycle flow chart.

Lifecycle states

You can change the lifecycle state of a device through the Okta Admin Console. The current state of a device affects the available options:

State Description

Active

An Active device can be:

  • Suspended
  • Deactivated

From an Active device, a user can access protected resources if permitted by the App Sign On policies applied to the resources.

Suspended

A Suspended device can be:

  • Unsuspended, which returns it to an Active state.
  • Deactivated

Deactivated

A Deactivated device can be:

  • Activated
  • Deleted by clicking the Trash icon

Device state buttons

Depending on the current device state, different device state buttons are available. You can Suspend or Deactivate (if Active), Unsuspend (if Suspended), and Activate or Delete (if Deactivated):

Button

Description

Activate

The image shows the Activate button.

Only Deactivated devices can be activated. Activate is only available on the Devices page and Device Profiles page of Deactivated devices.

When a device is activated:

  • All Okta Verify factors associated with the device are supported.
  • Users can access protected resources from the device, if permitted by the app sign-on policies applied to the resources.

A Suspend and Deactivate button is located:

  • On the Devices page of the active device.
  • In the Device Attributes page of the active device.

Suspend

The image shows the Suspend button.

Only Active devices can be suspended. Suspend is available only on the Devices page and Device Profiles page of Active devices. This is intended to be a temporary state. It is useful if you need to pause, and later resume, device access for users such as contractors or employees who take a leave of absence.

When a device is suspended:

  • All active sessions that were established on that device using Okta Verify are terminated.
  • Active sessions established without Okta Verify are unaffected until the session ends.
  • New sessions using Okta Verify can’t be established.
  • Okta Verify authentication factors (for example, signed nonce authentication, signed nonce with User Verification, temporary one-time password, and Push) can’t be used from the device, but users can continue to use password, email, or WebAuthN authentication factors from the device.
  • Users can't add or remove accounts from Okta Verify on the device.
  • Device certificates are unaffected (applies to desktop devices).
  • The device can’t be unsuspended by the user trying to enroll in Okta Verify from the device.

An Unsuspend button is located:

  • On the Devices page of the suspended device.
  • In the Device Attributes page of the suspended device.

Unsuspend

The image shows the Unsuspend button.

Only Suspended devices can be unsuspended. Unsuspend is available only on the Devices page and Device Profiles page of Suspended devices.

When a device is unsuspended:

  • The device becomes Active.
  • All Okta Verify factors associated with the device are unsuspended.
  • Users can access protected resources from the device, if permitted by the app sign-on policies applied to the resources.

A Unsuspend button is located:

  • On the Devices page of suspended devices.
  • In the Device Attributes page of suspended devices.

Deactivate

The image shows the Deactivate button.

Only Active devices can be deactivated. Deactivate is available only on the Devices page and Device Profiles page of Active devices.

When a device is deactivated:

  • All active sessions that were established on that device using Okta Verify are terminated.
  • Active sessions established without Okta Verify are unaffected until the session ends.
  • New sessions using Okta Verify can’t be established.
  • Okta Verify authentication factors (for example, signed nonce authentication, signed nonce with User Verification, temporary one-time password, and Push) can’t be used from the device, but users can continue to use password, email, or WebAuthN authentication factors from the device.
  • Users can't add or remove accounts from Okta Verify on the device.
  • Enrolled factors on the device are deactivated and users must re-enroll them when the device is activated.
  • Device certificates are revoked (applies to desktop devices).
  • If all rules in the app sign-on policy protecting a resource require devices to be registered, a user on a Deactivated device is denied access to that resource (regardless of the factors they have enrolled). If the policy includes rules that allow access from unregistered devices, an end user on a Deactivated device might be able to access the resource but not by using Okta FastPass.

An Activate button is located:

  • On the Devices page of the deactivated device.
  • In the Device Attributes page of the deactivated device.

Delete

The image shows the Delete button.

Only Deactivated devices can be deleted. Delete is available only on the Devices page and Device Profiles page of Deactivated devices.

When a device is deleted:

  • It is deleted from Universal Directory. A message appears asking you to confirm the delete decision.
  • It no longer appears in the Admin Console.
  • It can appear again in Devices if a user uses it to add an account in Okta Verify.

A Delete button is located:

  • On the Devices page of deactivated devices.
  • In the Device Attributes page of deactivated device.

Related topics