Expression Language attributes for devices
When you use the Okta Expression Language (EL) to create a custom expression for devices, you reference attributes that exist in the Okta Device Profile.
Some attributes such as, device.profile.imei, device.profile.meid, device.profile.serialNumber, device.profile.udid, aren't available for all devices.
You can use ChromeOS only with the device.profile.platform attribute.
The following table lists the device profile attributes:
|
Attribute |
Description |
Type |
Example |
|---|---|---|---|
|
device.assurance.screenLockType |
Obtains the value of the device screen lock type. |
String |
NONE No passcode is set on the device. PASSCODE Only a passcode or password is set on the device. Biometrics isn't set up. BIOMETRIC Passcode and biometrics are set on the device. |
|
device.profile.diskEncryptionType |
Obtains the value of the device profile’s disk encryption type. |
String |
NONE No encryption has been set. (All platforms) FULL The disk is fully encrypted. (Android, iOS) USER The encryption key is tied to the user or profile. (Android) ALL_INTERNAL_VOLUMES All internal disks are encrypted. (macOS, Windows) SYSTEM_VOLUME Only the system volume is encrypted. (macOS, Windows) |
|
device.profile.displayName |
Obtains the value of the device profile's display name attribute. 4-byte UTF-8 characters aren't supported. |
String |
DESKTOP-BE6IL05, XYZ S21 |
|
device.profile.imei |
Obtains the value of the device profile's International Mobile Equipment Identity (IMEI) attribute. |
String |
410154203237518 |
|
device.profile.integrityDebug |
Indicates whether a debugger has been detected. |
Boolean |
true or false |
|
device.profile.integrityEmulator |
Indicates whether the device runs as an emulator. |
Boolean |
true or false |
|
device.profile.integrityHook |
Indicates whether internal functions or runtime hooks have been detected. |
Boolean |
true or false |
|
device.profile.integrityJailbreak |
Indicates if the mobile device has been jailbroken or rooted. |
Boolean |
true or false |
|
device.profile.integrityRepackage |
Indicates if the mobile device app was repackaged by an unknown third party. |
Boolean |
true or false |
|
device.profile.managed |
Obtains the value of the device profile's managed attribute. This can only be used when Device Trust is enabled or if the DEVICE_CONDITION_IDX_ADVANCED feature is enabled. |
Boolean |
true or false |
|
device.profile.manufacturer |
Obtains the value of the device profile's manufacturer attribute. |
String |
VMware, Inc., samsung |
|
device.profile.meid |
Obtains the value of the device profile's Mobile Equipment Identifier (MEID) attribute. |
String |
99001092003340 |
|
device.profile.model |
Obtains the value of the device profile's model attribute. |
String |
VMware7,1, SM-G991U1 |
|
device.profile.osVersion |
Obtains the value of the device profile's operating system version attribute. Use versionGreaterThan or versionLessThan functions to compare the OS versions. |
String |
10.0.18362, 30 device.profile.osVersion.versionGreaterThan('14.2.1') == true Don’t use device.profile.osVersion.versionGreaterThan > '14.2.1' to compare versions directly. The strings are compared literally, resulting in '2.0.0' > '14.2.1' |
|
device.profile.platform |
Obtains the value of the device profile's operating system. |
String |
IOS, ANDROID, WINDOWS, MACOS, MOBILE_OTHER, DESKTOP_OTHER, or CHROMEOS |
|
device.profile.registered |
Obtains the value of the device profile's registered attribute. |
Boolean |
true |
|
device.profile.secureHardwarePresent |
Obtains the value of the device profile's secure hardware present attribute. It checks for chip presence: trusted platform module (TPM) or Secure Enclave. It doesn't check whether there are tokens on the secure hardware. |
Boolean |
true or false |
|
device.profile.serialNumber |
Obtains the value of the device profile's serial number attribute. |
String |
VMware-56 5d e2 35 bd d8 66 75-5a bc 10 06 4c 6a fb 85 |
|
device.profile.sid |
Obtain the value of the device profile's security identifier (SID) attribute. This is only available with Windows devices. |
String |
S-1-5-21-1016203815-1917570059-4244971090-500 |
|
device.profile.tpmPublicKeyHash |
Obtains the value of the device profile's Trusted Platform Module (TPM) public key hash attribute. |
String |
18e3b568aeb17b4e75f3838d6b01ffe63c52d976950943a10968761b5bfe3f4d |
|
device.profile.udid |
Obtains the value of the device profile's unique device ID (UDID) attribute. This is only available with certain managed scenarios. |
String |
35E24D56-D8BD-7566-1ABC-10064C6AFB85 |
Operators
Use operators in your custom expression to handle decisions. Any Okta Expression Language operator can be used in a custom expression. The following table lists commonly used operators:
| Operator | Description |
|---|---|
| && | Signifies an AND function. |
| || | Signifies an OR function. |
| ! | Signifies a NOT function. |
| <, >, <=, and >= | Signifies relational operators. |
| == | Checks for equality. |
| != | Checks for inequality. |
See Okta Expression Language for a complete list of Okta Expression Language functions.
Important considerations
- Always include device.profile.registered == true if you want to include device conditions in your custom expression.
- In general, device attributes can only be used if Okta FastPass is enabled.
Related topics
Add a custom expression to an authentication policy