Configure Device Trust on mobile devices

The device must be enrolled in your EMM solution and have Okta Verify installed. For best results, integrate with an EMM solution that can silently install Okta Verify to all EMM-enrolled devices.

Okta has tested the following EMM solutions:

  • Android: VMware Workspace ONE Unified Endpoint Management, Microsoft Intune
  • iOS: VMware Workspace ONE Unified Endpoint Management

Note: To provide a passwordless experience (Okta FastPass) to iOS users, the Credential SSO Extension must be configured in your EMM solution. See Configure Credential SSO Extension for managed iOS devices.

Configure Okta endpoint management for mobile devices

When an authentication policy requires devices to be managed, Okta determines the management status of your targeted Android and iOS devices by verifying whether there's a key installed on the device. The key must match the key you generated from the Okta Admin Console and used in your EMM provider's managed app configuration.

To generate this key, follow these steps:

  1. In the Admin Console, go to Security > Device integration.
  2. On the Endpoint management page, click Add platform.

     Note: If you add more than one configuration for the same type of platform, see Device Trust on Identity Engine known issues.

  3. Select Android or iOS as applicable and click Next.
  4. In Configure management attestation:
    a. Click Copy next to the Secret key. You'll enter the secret key later in your EMM provider's app configuration.
      • Make a note of the secret key value as this is the only time it appears in Okta. If you generate a new secret key by clicking Reset secret key, also update your EMM configuration with the new key.
      • The Device management provider field is pre-populated with the name of your EMM, but you can change it. Users see the content of this field when they enroll their devices.
    b. In the Enrollment link field, enter a web address for redirecting end users with unenrolled devices. For example, you may want to redirect these users to a page with enrollment instructions or the enrollment page of your selected EMM (assuming the EMM provider supports web-based enrollment).
    c. Click Save.

Integrate Okta with your third-party EMM provider

Regardless of which EMM provider you choose to integrate with Okta, complete these two steps:

  1. Configure your EMM provider to manage Okta Verify and install the app on end-user devices that don't have it installed.

     Note: If you are configuring your EMM to deploy Okta Verify to Android devices, make sure that Okta Verify is installed in the work profile of the device.

  2. Configure the key-value pair by using your EMM provider's managed app configuration as described in their documentation:
    a. Domain: Enter the URL of your Okta org
    b. Key: Enter managementHint
    c. Value: Enter the Secret Key value you saved during the Configure Device Management for mobile devices procedure.

Note: The key-value pair is case-sensitive.

EMM configurations can change without notice. Read the documentation for your EMM solution for the most up-to-date information.
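
A pre-deployment check for the managementHint pair, as an added example that is not Okta's or any EMM vendor's code: it flags a key that differs from managementHint by case or padding, a value whose type is not String, and a value left stale after Reset secret key. The (key, value type, value) tuple layout and the secret values are constructed for illustration and do not reflect any EMM's export format.

```python
import hmac

REQUIRED_KEY = "managementHint"  # exact, case-sensitive key name from this page


def lint_managed_app_config(entries, expected_secret):
    """Return a list of problems found in a managed app configuration.

    entries: list of (key, value_type, value) tuples, a hypothetical flat
             view of the EMM's key-value pairs (not a real export format).
    expected_secret: the secret key copied from the Okta Admin Console.
    """
    problems = []
    exact = [e for e in entries if e[0] == REQUIRED_KEY]
    # The pair is case-sensitive, so a case or padding variant is a misconfiguration.
    near = [e[0] for e in entries
            if e[0] != REQUIRED_KEY and e[0].strip().lower() == REQUIRED_KEY.lower()]
    for key in near:
        problems.append(f"key {key!r} is not exactly {REQUIRED_KEY!r}")
    if not exact:
        problems.append(f"no {REQUIRED_KEY!r} entry")
        return problems
    if len(exact) > 1:
        problems.append(f"{REQUIRED_KEY!r} is defined {len(exact)} times")
    _, value_type, value = exact[0]
    if value_type != "String" or not isinstance(value, str):
        problems.append("value type must be String")
        return problems
    if value != value.strip():
        problems.append("value has leading or trailing whitespace")
    # Constant-time comparison, since one side is a secret.
    if not hmac.compare_digest(value.strip().encode(), expected_secret.encode()):
        problems.append("value does not match the current secret key "
                        "(stale after Reset secret key?)")
    return problems


# Constructed sample data; the secrets are placeholders, not real keys.
CURRENT_SECRET = "EXAMPLE-SECRET-0002"
GOOD = [("managementHint", "String", "EXAMPLE-SECRET-0002")]
WRONG_CASE = [("ManagementHint", "String", "EXAMPLE-SECRET-0002")]
STALE = [("managementHint", "String", "EXAMPLE-SECRET-0001 ")]

if __name__ == "__main__":
    for name, cfg in [("good", GOOD), ("wrong case", WRONG_CASE), ("stale", STALE)]:
        print(name, "->", lint_managed_app_config(cfg, CURRENT_SECRET) or "OK")
```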

Workspace ONE for Android

To add, assign, and manage Okta Verify with Workspace ONE UEM, follow the instructions in the Workspace ONE documentation. See Add Assignments and Exclusions to your Android Applications.

Configure these settings:

  • App Delivery Method: Automatic
  • Managed Access: Enable

Workspace ONE for iOS

  • In Add Application:
    • Platform: Apple iOS
    • Source: Search App Store
    • Name: Enter the name of the app. A search finds the app after you click Next.
    • Details: Keep the defaults, and then click Save & Assign
  • In Assignment:
    • Distribution:
      • Name: Enter a name.
      • Assignment Groups: Specify one or more groups.
      • App Delivery Method: Auto
    • Restrictions:
      • Make App EMM Managed if User Installed: Enable
    • Application Configuration:
      • Managed Access: Enable
      • Send Configuration: Enable
      • Click +Add and configure settings:
        • Configuration Key: managementHint
        • Value Type: String
        • Configuration Value: Enter the Secret Key that you generated in step 4a above.

Microsoft Intune for Android

To manage Okta Verify with Microsoft Intune for Android devices, follow the instructions in the Microsoft Intune documentation. See Add app configuration policies for managed Android Enterprise devices.

  • Device enrollment type: Managed devices
  • Associated App: Okta Verify
  • Configuration settings format: Use configuration designer
  • Username (string): Enter your username for your Okta org