Expression Language attributes for devices

When you use the Okta Expression Language (EL) to create a custom expression for devices, you reference attributes that exist in the Okta Device Profile.

Some attributes, such as device.profile.imei, device.profile.meid, device.profile.serialNumber, and device.profile.udid, are not available for all devices.

The following table lists the device profile attributes:

| Attribute | Description | Type | Example |
|---|---|---|---|
| device.assurance.screenLockType | Obtains the value of the device screen lock type. | String | "NONE": No passcode is set on the device. "PASSCODE": Only a passcode or password is set on the device. Biometrics are not set up. "BIOMETRIC": Passcode and biometrics are set on the device. |
| device.profile.diskEncryptionType | Obtains the value of the device profile's disk encryption type. | String | "NONE": No encryption has been set. (All platforms) "FULL": The disk is fully encrypted. (Android, iOS) "USER": The encryption key is tied to the user or profile. (Android) "ALL_INTERNAL_VOLUMES": All internal disks are encrypted. (macOS, Windows) "SYSTEM_VOLUME": Only the system volume is encrypted. (macOS, Windows) |
| device.profile.displayName | Obtains the value of the device profile's display name attribute. Note that 4-byte UTF-8 characters are not currently supported. | String | "DESKTOP-BE6IL05", "XYZ S21" |
| device.profile.imei | Obtains the value of the device profile's International Mobile Equipment Identity (IMEI) attribute. | String | "410154203237518" |
| device.profile.integrityDebug | Indicates whether a debugger has been detected. | Boolean | true or false |
| device.profile.integrityEmulator | Indicates whether the device runs as an emulator. | Boolean | true or false |
| device.profile.integrityHook | Indicates whether internal functions or runtime hooks have been detected. | Boolean | true or false |
| device.profile.integrityJailbreak | Indicates whether the mobile device has been jailbroken or rooted. | Boolean | true or false |
| device.profile.integrityRepackage | Indicates whether the mobile device app was repackaged by an unknown third party. | Boolean | true or false |
| device.profile.managed | Obtains the value of the device profile's managed attribute. This can only be used when Device Trust is enabled or if the DEVICE_CONDITION_IDX_ADVANCED feature is enabled. | Boolean | true or false |
| device.profile.manufacturer | Obtains the value of the device profile's manufacturer attribute. | String | "VMware, Inc.", "samsung" |
| device.profile.meid | Obtains the value of the device profile's Mobile Equipment Identifier (MEID) attribute. | String | "99001092003340" |
| device.profile.model | Obtains the value of the device profile's model attribute. | String | "VMware7,1", "SM-G991U1" |
| device.profile.osVersion | Obtains the value of the device profile's operating system version attribute. Use the versionGreaterThan or versionLessThan functions to compare OS versions. | String | "10.0.18362", "30". Usage: device.profile.osVersion.versionGreaterThan('14.2.1') == true. Don't use device.profile.osVersion > '14.2.1' to compare versions directly. The strings are compared literally, so '2.0.0' is treated as greater than '14.2.1'. |
| device.profile.registered | Obtains the value of the device profile's registered attribute. | Boolean | true |
| device.profile.secureHardwarePresent | Obtains the value of the device profile's secure hardware present attribute. It checks for chip presence: trusted platform module (TPM) or secure enclave. It does not check whether there are tokens on the secure hardware. | Boolean | true or false |
| device.profile.serialNumber | Obtains the value of the device profile's serial number attribute. | String | "VMware-56 5d e2 35 bd d8 66 75-5a bc 10 06 4c 6a fb 85" |
| device.profile.sid | Obtains the value of the device profile's security identifier (SID) attribute. This is only available with Windows devices. | String | "S-1-5-21-1016203815-1917570059-4244971090-500" |
| device.profile.tpmPublicKeyHash | Obtains the value of the device profile's Trusted Platform Module (TPM) public key hash attribute. | String | "18e3b568aeb17b4e75f3838d6b01ffe63c52d976950943a10968761b5bfe3f4d" |
| device.profile.platform | Obtains the value of the device profile's operating system. | String | "IOS", "ANDROID", "WINDOWS", "MACOS", "MOBILE_OTHER", or "DESKTOP_OTHER" |
| device.profile.udid | Obtains the value of the device profile's unique device ID (UDID) attribute. This is only available with certain managed scenarios. | String | "35E24D56-D8BD-7566-1ABC-10064C6AFB85" |

Operators

Use operators in your custom expression to handle decisions. Any Okta Expression Language operator can be used in a custom expression. The following table lists commonly used operators:

Operator Description
&& Signifies an AND function.
|| Signifies an OR function.
! Signifies a NOT function.
<, >, <=, and >= Signifies relational operators.
== Checks for equality.
!= Checks for inequality.

See Okta Expression Language for a complete list of Okta Expression Language functions.

Important considerations

  • Always include device.profile.registered == true if you want to include device conditions in your custom expression.
  • In general, device attributes can only be used if the signed nonce authentication method is enabled.
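
The osVersion comparison caveat and the device.profile.registered requirement above, modelled in Python as an added example (not Okta's code) for checking rule logic against sample profiles before writing the expression. It assumes versionGreaterThan compares numerically, component by component; the function names and sample profiles are hypothetical, and attributes missing from a profile fail the rule.

```python
def parse_version(text):
    """'14.2.1' -> (14, 2, 1). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.split("."))

def version_greater_than(actual, minimum):
    """Numeric, component-wise comparison; shorter versions are zero-padded.
    Assumed semantics, not taken from Okta's implementation."""
    a, b = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a > b

def naive_greater_than(actual, minimum):
    """Direct string comparison, character by character (the pitfall)."""
    return actual > minimum

def posture_ok(profile, min_os):
    """Models: registered == true && managed == true
    && diskEncryptionType != "NONE" && osVersion.versionGreaterThan(min_os).
    Missing or malformed attributes fail closed."""
    for key in ("device.profile.registered", "device.profile.managed"):
        if profile.get(key) is not True:
            return False
    if profile.get("device.profile.diskEncryptionType", "NONE") == "NONE":
        return False
    try:
        return version_greater_than(profile["device.profile.osVersion"], min_os)
    except (KeyError, ValueError):
        return False

# Constructed sample profiles (not real devices), keyed by attribute name.
BASE = {"device.profile.registered": True, "device.profile.managed": True,
        "device.profile.diskEncryptionType": "FULL"}
SAMPLES = {
    "patched": {**BASE, "device.profile.osVersion": "14.10.0"},
    "outdated": {**BASE, "device.profile.osVersion": "2.0.0"},
    # device.profile.managed is absent, so the rule must not pass.
    "no-managed-attr": {"device.profile.registered": True,
                        "device.profile.diskEncryptionType": "FULL",
                        "device.profile.osVersion": "15.0"},
}

def evaluate_samples(min_os="14.2.1"):
    return {name: posture_ok(p, min_os) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate_samples())
```

The string comparison fails in both directions: it accepts the outdated "2.0.0" and rejects the newer "14.10.0" against a minimum of "14.2.1".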

Related topics

Add a custom expression to an authentication policy

About behavior and sign-on policies

Configure Okta FastPass

EDR signals for custom expressions