Expression Language attributes for devices

When you use the Okta Expression Language (EL) to create a custom expression for devices, you reference attributes that exist in the Okta Device Profile.

Some attributes such as, device.profile.imei, device.profile.meid, device.profile.serialNumber, device.profile.udid, aren't available for all devices.

You can use ChromeOS only with the device.profile.platform attribute.

The following table lists the device profile attributes:

Attribute

Description

Type

Example

device.assurance.screenLockType

Obtains the value of the device screen lock type.

String

NONE No passcode is set on the device.

PASSCODE Only a passcode or password is set on the device. Biometrics isn't set up.

BIOMETRIC Passcode and biometrics are set on the device.

device.profile.diskEncryptionType

Obtains the value of the device profile's disk encryption type.

String

NONE No encryption has been set. (All platforms)

FULL The disk is fully encrypted. (Android, iOS)

USER The encryption key is tied to the user or profile. (Android)

ALL_INTERNAL_VOLUMES All internal disks are encrypted. (macOS, Windows)

SYSTEM_VOLUME Only the system volume is encrypted. (macOS, Windows)

device.profile.displayName

Obtains the value of the device profile's display name attribute.

4-byte UTF-8 characters aren't supported.

String

DESKTOP-BE6IL05, XYZ S21

device.profile.imei

Obtains the value of the device profile's International Mobile Equipment Identity (IMEI) attribute.

String

410154203237518

device.profile.integrityDebug

Indicates whether a debugger has been detected.

Boolean

true or false

device.profile.integrityEmulator

Indicates whether the device runs as an emulator.

Boolean

true or false

device.profile.integrityHook

Indicates whether internal functions or runtime hooks have been detected.

Boolean

true or false

device.profile.integrityJailbreak

Indicates if the mobile device has been jailbroken or rooted.

Boolean

true or false

device.profile.integrityRepackage

Indicates if the mobile device app was repackaged by an unknown third party.

Boolean

true or false

device.profile.managed

Obtains the value of the device profile's managed attribute.

This can only be used when Device Trust is enabled or if the DEVICE_CONDITION_IDX_ADVANCED feature is enabled.

Boolean

true or false

device.profile.manufacturer

Obtains the value of the device profile's manufacturer attribute.

String

VMware, Inc., samsung

device.profile.meid

Obtains the value of the device profile's Mobile Equipment Identifier (MEID) attribute.

String

99001092003340

device.profile.model

Obtains the value of the device profile's model attribute.

String

VMware7,1, SM-G991U1

device.profile.osVersion

Obtains the value of the device profile's operating system version attribute.

Use versionGreaterThan or versionLessThan functions to compare the OS versions.

String

10.0.18362, 30

device.profile.osVersion.versionGreaterThan('14.2.1') == true

Don't use device.profile.osVersion.versionGreaterThan > '14.2.1' to compare versions directly. The strings are compared literally, resulting in '2.0.0' > '14.2.1'

device.profile.platform

Obtains the value of the device profile's operating system.

String

IOS, ANDROID, WINDOWS, MACOS, MOBILE_OTHER, DESKTOP_OTHER, or CHROMEOS

device.profile.registered

Obtains the value of the device profile's registered attribute.

Boolean

true

device.profile.secureHardwarePresent

Obtains the value of the device profile's secure hardware present attribute. It checks for chip presence: trusted platform module (TPM) or Secure Enclave. It doesn't check whether there are tokens on the secure hardware.

Boolean

true or false

device.profile.serialNumber

Obtains the value of the device profile's serial number attribute.

String

VMware-56 5d e2 35 bd d8 66 75-5a bc 10 06 4c 6a fb 85

device.profile.sid

Obtain the value of the device profile's security identifier (SID) attribute. This is only available with Windows devices.

String

S-1-5-21-1016203815-1917570059-4244971090-500

device.profile.tpmPublicKeyHash

Obtains the value of the device profile's Trusted Platform Module (TPM) public key hash attribute.

String

18e3b568aeb17b4e75f3838d6b01ffe63c52d976950943a10968761b5bfe3f4d

device.profile.udid

Obtains the value of the device profile's unique device ID (UDID) attribute. This is only available with certain managed scenarios.

String

35E24D56-D8BD-7566-1ABC-10064C6AFB85

Operators

Use operators in your custom expression to handle decisions. Any Okta Expression Language operator can be used in a custom expression. The following table lists commonly used operators:

Operator Description
&& Signifies an AND function.
|| Signifies an OR function.
! Signifies a NOT function.
<, >, <=, and >= Signifies relational operators.
== Checks for equality.
!= Checks for inequality.

See Okta Expression Language for a complete list of Okta Expression Language functions.

Important considerations

  • Always include device.profile.registered == true if you want to include device conditions in your custom expression.
  • In general, device attributes can only be used if Okta FastPass is enabled.
  • Device attributes can only be evaluated if Okta Verify is installed.

Related topics

Add a custom expression to an authentication policy

About behavior and sign-on policies

Configure Okta FastPass

EDR signals for custom expressions