Configure Device Trust on mobile devices
The device must be enrolled in your EMM solution and have Okta Verify installed. For best results, integrate with an EMM solution that can silently install Okta Verify to all EMM-enrolled devices.
Okta has tested the following EMM solutions:
- Android: VMware Workspace ONE Unified Endpoint Management, Microsoft Intune
- iOS: VMware Workspace ONE Unified Endpoint Management
To provide a passwordless experience (Okta FastPass) to iOS users, the Credential SSO Extension must be configured in your EMM solution. See Configure Credential SSO Extension for managed iOS devices.
Configure Okta endpoint management for mobile devices
When an authentication policy requires devices to be managed, Okta determines the management status of your targeted Android and iOS devices by verifying whether a key is installed on the device. The key must match the key you generated in the Okta Admin Console and used in your EMM provider's managed app configuration.
To generate this key, follow these steps:
1. In the Admin Console, go to Security > Device integration.
2. On the Endpoint management page, click Add platform. If you add more than one configuration for the same type of platform, see Device Trust on Identity Engine known issues.
3. Select Android or iOS as applicable and click Next.
4. In Configure management attestation:
   a. Make a note of the secret key value, as this is the only time it appears in Okta. If you generate a new secret key by clicking Reset secret key, also update your EMM configuration with the new key.
   b. The Device management provider field is pre-populated with the name of your EMM, but you can change it. Users see the content of this field when they enroll their devices.
Integrate Okta with your third-party EMM provider
Regardless of which EMM provider you choose to integrate with Okta, complete these two steps:
- Configure your EMM provider to manage Okta Verify and install the app on end-user devices that don't have it installed.
- Configure the key-value pair by using your EMM provider's managed app configuration as described in their documentation. The key-value pair is case-sensitive.
  - Domain: Enter the URL of your Okta org
  - Key: Enter managementHint
  - Value: Enter the Secret Key value you saved during the Configure Okta endpoint management for mobile devices procedure.
Note: If you are configuring your EMM to deploy Okta Verify to Android devices, make sure that Okta Verify is installed in the work profile of the device.
EMM configurations can change without notice. Read the documentation for your EMM solution for the most up-to-date information.
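Because the key-value pair is case-sensitive and the secret appears in the Admin Console only once, a pre-push audit of the managed app configuration catches the mistakes that otherwise show up as devices silently reported as unmanaged. The script below is an added example, not Okta's or any EMM vendor's code; it assumes the EMM can export the configuration either as an iOS managed app configuration plist or as plain key-value pairs (the Android configuration designer case), and the secret values in it are constructed placeholders.

```python
"""Audit an Okta Verify managed app configuration before the EMM pushes it."""
import plistlib
from urllib.parse import urlparse

EXPECTED_KEY = "managementHint"   # exact case required; near misses are not matched


def audit_entries(entries: dict, org_url: str) -> list[str]:
    """Return findings for one managed app configuration; an empty list means OK."""
    findings = []
    # The key name is matched case-sensitively, so 'ManagementHint' silently fails.
    for k in entries:
        if k != EXPECTED_KEY and k.lower() == EXPECTED_KEY.lower():
            findings.append(f"key {k!r} differs in case from {EXPECTED_KEY!r}")
    value = entries.get(EXPECTED_KEY)
    if value is None:
        findings.append(f"required key {EXPECTED_KEY!r} is missing")
    elif not isinstance(value, str):
        findings.append("value type must be String")
    elif not value.strip() or value != value.strip():
        # A copy-pasted secret with a stray space will never match the org's key.
        findings.append("secret key is empty or has surrounding whitespace")
    # The Domain field must be the org URL, served over HTTPS.
    parsed = urlparse(org_url)
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append(f"domain {org_url!r} is not an https Okta org URL")
    return findings


def audit_ios_plist(plist_bytes: bytes, org_url: str) -> list[str]:
    """Parse an iOS managed app configuration plist and audit its entries."""
    return audit_entries(plistlib.loads(plist_bytes), org_url)


# Constructed samples; the secret values are placeholders, not real keys.
GOOD_IOS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>managementHint</key><string>EXAMPLE-SECRET-KEY-FROM-ADMIN-CONSOLE</string>
</dict></plist>"""

# Wrong key case and an http:// org URL: two of the common misconfigurations.
BAD_ANDROID_ENTRIES = {"ManagementHint": "EXAMPLE-SECRET-KEY-FROM-ADMIN-CONSOLE"}

if __name__ == "__main__":
    for name, findings in (
        ("iOS", audit_ios_plist(GOOD_IOS_PLIST, "https://example.okta.com")),
        ("Android", audit_entries(BAD_ANDROID_ENTRIES, "http://example.okta.com")),
    ):
        print(name, "OK" if not findings else findings)
```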
Workspace ONE for Android
To add, assign, and manage Okta Verify with Workspace ONE UEM, follow the instructions in the Workspace ONE documentation. See Add assignments and exclusions to your Android applications.
Configure these settings:
- App Delivery Method: Automatic
- Managed Access: Enable
Workspace ONE for iOS
- In Add Application:
  - Platform: Apple iOS
  - Source: Search App Store
  - Name: Enter the name of the app. A search finds the app after you click Next.
  - Details: Keep the defaults, and then click Save & Assign
- In Assignment:
  - Name: Enter a name.
  - Assignment Groups: Specify one or more groups.
  - App Delivery Method: Auto
  - Make App EMM Managed if User Installed: Enable
  - Application Configuration:
    - Managed Access: Enable
    - Send Configuration: Enable
    - Click +Add and configure settings:
      - Configuration Key: managementHint
      - Value Type: String
      - Configuration Value: Enter the Secret Key that you generated in step 4a above.
Microsoft Intune for Android
To manage Okta Verify with Microsoft Intune for Android devices, follow the instructions in the Microsoft Intune documentation. See Add app configuration policies for managed Android Enterprise devices.
- Device enrollment type: Managed devices
- Associated App: Okta Verify
- Configuration settings format: Use configuration designer
- Username (string): Enter your username for your Okta org