Managed app configurations for Windows devices

You can use your device management solution to deploy managed app configurations to domains. Okta Verify has built-in functionality for Windows that you can configure at the time of installation. When you need to update Okta Verify settings, redeploy the updated installer to your users.

Use the examples in this table to configure your managed app configurations:

Flag

Description

Values

Default value

Minimum supported version

AutoUpdateDeferredByDays

Defer automatic updates by one to thirteen days past the staggered release end date.

Integer from 1 through 13

NOT_SET

3.7.1

DeviceHealthOptions

Hide the Device Health page, or hide specific health checks in Okta Verify on end-user devices.

NOT_SET: Displays all device health check functions in Okta Verify on end-user devices.

Disabled: Hides and stops all device health checks in Okta Verify on end-user devices.

HideOSUpdate: Hides the OS version check in Okta Verify on end-user devices. All other device assurance checks are enabled.

HideDiskEncryption: Hides the disk encryption check in Okta Verify on end-user devices. All other device assurance checks are enabled.

HideBiometrics: Hides the biometrics check in Okta Verify on end-user devices. All other device assurance checks are enabled.

You can select multiple values. Separate the values by using a semicolon. For example: HideOSUpdate;HideDiskEncryption

If the value contains Disabled, the Device Health page isn't displayed in Okta Verify.

NOT_SET

3.12.1

4.1.2

EnableZTAPlugin

Configure whether the CrowdStrike endpoint detection and response (EDR) manifest file is deployed to devices during Okta Verify installation.

See Manage endpoint security integration plugins for Windows.

TRUE: The manifest file is deployed to devices during Okta Verify installation.

FALSE: The manifest file isn't deployed to devices during Okta Verify installation.

FALSE

2.0.1

EnrollInBetaProgram

Configure whether users can enroll in the Okta Verify beta program on their Windows devices.

NOT_SET: Users aren't enrolled in the beta program. To enroll, users open Okta Verify and select Join our beta program on the Settings page.

TRUE: Users are enrolled in the beta program.

FALSE: Users aren't enrolled in the beta program and can't enroll by selecting Join our beta program on the Okta Verify Settings page.

NOT_SET

2.6.0

EnrollmentOptions

Configure whether end users are prompted to enroll in Okta Verify. You can reduce the number of user prompts or control the rollout of Okta Verify and Okta FastPass in your org.

SilentEnrollmentDisabled: Default. Users are prompted to add an Okta Verify account only if they click Sign in with Okta Verify.

Enabled: Users are always prompted to add an Okta Verify account.

Disabled: Users are never prompted to enroll in Okta Verify unless they open the app and click Add an account.

SilentEnrollmentDisabled

2.0.1

LogLevel

Configure the log level for the event viewer.

None, Critical, Error, Warning, Info, or Debug

Warning

1.3.1

OrgUrl

When you configure this flag, the org URL is included in on the user's enrollment page and automatically deploys updates to Okta Verify when available. See Deploy Okta Verify to Windows devices for more information.

<Fully-qualified domain name> or <org URL>

Empty

1.3.1

ProxyPacFileLocation

Configure the PAC file path for the proxy server. When you set the PAC file location, the AutoUpdate Service is updated (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).

Proxy settings can be configured at installation time using a ProxyURL or ProxyPacLocation argument, depending on the customer's proxy setting.

A configuration is created:

<appSettings>

<system.net>

<defaultProxy>

<proxy scriptLocation="PacFileLocation>"/>

</defaultProxy>

</system.net>

<PAC_file_path>

During installation:

OktaVerifySetup-X.X.X.X-YYYYYYY.exe ProxyPacLocation=<pac-file-location>

NOT_SET 3.0.0
ProxyPassword Configure the password for the authentication proxy server.

If you use spaces in the password, enclose it with double quotes ("").

The password is encrypted before it’s stored in the service configuration file. The password is decrypted by the value set in the ProxyPasswordEntropy flag.

If you use this flag, the ProxyURL and ProxyUsername flags are also required.

<password>

For example, GhKan2a_ya12

NOT_SET 3.1.0
ProxyURL Configure the URL and port for the proxy server that are used to access the AutoUpdate Service (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).

If you use this flag, the ProxyUsername and ProxyPassword flags are also required.

A configuration is created:

<appSettings>

<system.net>

<defaultProxy>

<proxy proxyaddress="<url>:<port>"/>

</defaultProxy>

</system.net>

<URL>:<Port>

For example, https://example.com:2035

During installation:

OktaVerifySetup-X.X.X.X-YYYYYYY.exe ProxyURL=https://proxy.sample.com:3888

NOT_SET 3.0.0
ProxyUserName Configure the username for the authentication proxy server.

If you use this flag, the ProxyURL and ProxyPassword flags are also required.

The Okta.Coordinator.Service.exe.config file is updated:

<appSettings>

<!--Possible values None, Critical, Error, Warning, Info,

Debug -->

<add key="LogLevel" value="Info" />

<add key="ProxyUrl" value="https://test.com:6545" />

<add key="ProxyUsername" value="TestUserName" />

<add key="ProxyPassword" value="AQAAANCMnd8BFdERjHoAwE/Cl+sB

AAAAiDxe77U1Gk21ZcuZJjmUmAQAAAACAAAAAAAQZgAAAAEAACAAAADo1

s0yrCoIJ15t/iYstL2KDeemboTZ8+RaAac4447v6QAAAAAOgAAAAAIAAC

AAAAAAYMeKTNHpXHKSZIvCahkJJxcvIizIaIKpLm0gARhfNyAAAAC09

RRn7psZmzbuTO+e4HSRjOKeRr3o5KyLGPgV2Jb8+UAAAADtR/AHye/4L

vhhLOf0MGY5IlYaMse87Li7GojQCEOMqdlFpUA3OLL9i/uQLMAx3enyn/gk

8a0euEl3l4MmE4zb" />

<add key="ProxyPasswordEntropy" value="83928a31-c7c1-449

e-8b68-b59a4063f877" />

</appSettings>

<username>

For example, proxyUsername

NOT_SET 3.1.0

ReportDiagnostics

Configure whether crash reports are sent to your diagnostics reporting tool (for example, AppCenter).

TRUE: Crash reports are sent.

FALSE: Crash reports aren’t sent.

TRUE

1.3.1