Use Device Context in app-level policies
Device state and device management
In OIE, application sign-on policies and rules can be conﬁgured to apply to devices based on the following device state and device management selections:
- Any: The rule will be applied to all devices.
- Registered/Not managed: The rule will only be applied to devices enrolled in Okta Verify, but EMM management is not required.
- Registered/Managed: The rule will only be applied to devices that are enrolled in Okta Verify and managed by a third-party EMM solution.
Depending on whether the selected conditions are met or not, you can configure the rule to deny or allow access and prompt additional authentication. For example, you might consider this configuration:
- Low sensitivity applications: Only one rule allows access from all devices regardless of registrations and management.
- Medium sensitivity applications:
- A rule that requires unregistered devices to use two factors to authenticate
- A rule that allows registered and managed devices to authenticate without a password
- High sensitivity applications:
- Require that iOS and Android devices are managed by third-party EMM solutions
- Require biometric authentication every time the application is launched, regardless of the device state
To find a detailed list of available sign-on policy IF/THEN conditions and what actions they trigger, see Add an authentication policy rule.
Endpoint detection and response signals
In addition to evaluating the device's state and management, you can configure sign-on policies to evaluate signals from a third-party endpoint detection and response (EDR) solution such as Crowdstrike or Windows Security Center. Based on these signals, the policy makes an access or authentication decision when a user tries to access a protected resource.
For example, you can create a policy that allows access to a sensitive application only from Windows devices that have active ﬁrewall and endpoint protection software:
To learn more about leveraging an EDR integration in your authentication policies, see EDR Integrations.