Expression Language attributes for devices

When you use the Okta Expression Language (EL) to create a custom expression for devices, you reference attributes that exist in the Okta Device Profile.

The following table lists the device profile attributes:

Some attributes; such as, device.profile.imei, device.profile.meid, device.profile.serialNumber, device.profile.udid, are not available for all devices.

Attribute

Description

Type

Example

device.profile.displayName

Obtains the value of the device profile's display name attribute.

Note that 4-byte UTF-8 characters are not currently supported.

String

"DESKTOP-BE6IL05", "XYZ S21"

device.profile.imei

Obtains the value of the device profile's International Mobile Equipment Identity (IMEI) attribute.

String

"410154203237518"

device.profile.managed

Obtains the value of the device profile's managed attribute.

This can only be used when Device Trust is enabled or if the DEVICE_CONDITION_IDX_ADVANCED feature is enabled.

Boolean

true or false

device.profile.manufacturer

Obtains the value of the device profile's manufacturer attribute.

String

"VMware, Inc.", "samsung"

device.profile.meid

Obtains the value of the device profile's Mobile Equipment Identifier (MEID) attribute.

String

"99001092003340"

device.profile.model

Obtains the value of the device profile's model attribute.

String

"VMware7,1", "SM-G991U1"

device.profile.registered

Obtains the value of the device profile's registered attribute.

Boolean

true

device.profile.secureHardwarePresent

Obtains the value of the device profile's secure hardware present attribute. It checks for chip presence: trusted platform module (TPM) or secure enclave. It does not check whether there are tokens on the secure hardware.

Boolean

true or false

device.profile.serialNumber

Obtains the value of the device profile's serial number attribute.

String

"VMware-56 5d e2 35 bd d8 66 75-5a bc 10 06 4c 6a fb 85"

device.profile.sid

Obtain the value of the device profile's security identifier (SID) attribute. This is only available with Windows devices.

String

"S-1-5-21-1016203815-1917570059-4244971090-500",

device.profile.tpmPublicKeyHash

Obtains the value of the device profile's Trusted Platform Module (TPM) public key hash attribute.

String

"18e3b568aeb17b4e75f3838d6b01ffe63c52d976950943a10968761b5bfe3f4d"

device.profile.platform

Obtains the value of the device profile's operating system.

String

"IOS", "ANDROID", "WINDOWS", "MACOS", "MOBILE_OTHER", or "DESKTOP_OTHER"

device.profile.udid

Obtains the value of the device profile's unique device ID (UDID) attribute. This is only available with certain managed scenarios.

String

"35E24D56-D8BD-7566-1ABC-10064C6AFB85"

Operators

Use operators in your custom expression to handle decisions. Any Okta Expression Language operator can be used in a custom expression. The following table lists commonly used operators:

Operator Description
&& Signifies an AND function.
|| Signifies an OR function.
! Signifies a NOT function.
<, >, <=, and >= Signifies relational operators.
== Checks for equality.
!= Checks for inequality.

See Okta Expression Language for a complete list of Okta Expression Language functions.

Important considerations

  • Always include device.profile.registered == true if you want to include device conditions in your custom expression.
  • In general, device attributes can only be used if the signed nonce authentication method is enabled.

Related topics