Create an endpoint security integration authentication policy

You can use Okta Expression Language (EL) to create or edit authentication policies that evaluate the trust signals collected by your endpoint detection and response (EDR) solution.

Start this procedure

  1. In the Admin Console, go to SecurityAuthentication Policies.

  2. Select the authentication policy that you want to add a rule to.

  3. Click Add rule page.

  4. Type a Rule name to describe the rule.

  5. Configure the appropriate IF conditions to specify when the rule is applied.

    In setting conditions, keep in mind that some conditions are primarily useful for auditing and filtering events and shouldn't be treated as the basis for defining your security posture.

    For example, a malicious actor could easily spoof a device platform, so you shouldn't use the device platform as the key component of an authentication policy rule.

  6. Configure the appropriate THEN conditions to specify how authentication is enforced.

  7. Configure the re-authentication frequency, if needed.

  8. Click Save.

Specify signals by using custom expressions

You can specify the EDR signals you want a policy to evaluate by entering a custom expression. The custom expression must use valid Expression Language (EL) syntax. For example, you can use an expression similar to the following to integrate CrowdStrike ZTA signals into your authentication policy:

device.provider.zta.overall <= 60 or device.provider.zta.overall >= 60

Similarly, you can use a custom expression to integrate Windows Security Center signals in to your authentication policy. For example:

device.provider.wsc.fireWall == "GOOD" or device.provider.wsc.fireWall == "POOR"

You can then use the EDR signals to tailor your allow or deny access rules to meet your security needs. For information about the EDR signals available, see EDR signals for custom expressions.

Authenticator assurance level compliance

The THEN conditions in an rule define how a user's identity can be validated. When you configure these settings, you should consider the level of compliance required. For EDR integration, the recommended settings are:

For this Do this
THEN Access is Select Allowed after successful authentication.
AND User must authenticate with

  • Select Any 2 factors if the Okta Verify enrollment is set up for user verification with a PIN, facial recognition, or fingerprint.

  • Select Possession factor if the Okta Verify enrollment does not require user verification with a PIN, facial recognition, or fingerprint.
AND Possession factor restraints are Select Device bound (excludes phone and email).
AND Access with Okta FastPass is granted Select If the user approves a prompt in Okta Verify or provides biometrics (meets NIST AAL2 requirements) to require users to prove that they're physically present when using Okta FastPass to authenticate.
Password re-authentication frequency is Select Every sign-in attempt.
Re-authentication frequency for all other factors is Select Every sign-in attempt.

Next steps

Manage endpoint security integration plugins for macOS

Manage endpoint security integration plugins for Windows

Validate your endpoint security integration