Device Context deployment guide

Learn how to configure Device Trust across various platforms and third-party Enterprise Mobility Management (EMM) solutions. You can find procedures for desktop and mobile devices. To learn about passwordless authentication, go to Passwordless authentication deployment guide.

Overview

Modern digital businesses face an increasing number of challenges. As enterprises witness an influx of new devices and device types chosen by their end users, they must make access decisions based on user, device, and network risk. As an administrator, you must be able to easily view and manage the device state, ownership, and user-to-device binding across the most common platforms (macOS, iOS/iPadOS, Windows, and Android).

When users authenticate on a device, it presents a context:

  • Device type
  • Device state (registered or managed)
  • Additional data, such as the presence of a firewall or an active antivirus solution

The context is critical when determining what authentication methods are required to satisfy the appropriate level of authentication assurance for a specific app security requirement.

Device Context encompasses Okta Devices and Device Trust. Okta Devices provides services and capabilities that embed Okta on every device to give organizations visibility into devices accessing Okta resources. Device Trust builds upon Okta Devices. You can use Device Trust to integrate with Enterprise Mobility Management (EMM) solutions and provide context for enterprise-managed devices. Both Device Trust and Okta Devices enable contextual access decisions.

With Device Context, you can configure sophisticated app-level policies and enable passwordless authentication with the proper assurance level. For details, see Deploying authentication policies and Deploying passwordless authentication.

Device Context benefits

Device Context provides information about devices and their state so that you can assess what authentication methods are required to grant access to Okta-managed apps. By combining app-level policies (powered by authentication assurance levels) with Device Context, you can enable passwordless user experiences.

Key benefits are:

  • Better visibility: Device and user binding in Okta Universal Directory
  • Better access control: Suspend or deactivate devices and sessions
  • Better device analysis that strengthens app-level policies, based on:
    • Registration with Okta using Okta Verify
    • EMM status (managed or unmanaged)
    • Endpoint Detection and Response (EDR) Signals

Considerations when deploying Device Context

To create secure access policies for your apps, consider the following aspects:

  • Okta Devices registers devices in the Okta Universal Directory as soon as users enroll in Okta Verify. The Okta Verify enrollment creates a strong binding between users and their devices, which allows you to administer devices. You can suspend or deactivate a user's registered device to prevent it from accessing protected applications. However, Okta Devices is not an alternative to a UEM or EDR solution. Consider adopting such solutions.
  • Okta Device Trust supports the most common platforms: iOS/iPadOS, macOS, Windows, and Android. For a consistent experience, consider using only these supported platforms.
  • Device Trust supports unified endpoint management (UEM) tools, such as Workspace ONE, Jamf, and Microsoft Intune. It also supports EDR tools, including CrowdStrike and Microsoft Windows Security Center.
  • UEM tools inform the policy if the device is managed or unmanaged. Consider this when crafting your policies.
  • EDR tools capture additional information (such as the presence of a firewall or antivirus application on a PC) that can be useful to determine the assurance level. To learn what signals are available for you to include in access-level policies, see Expression Language attributes for EDR vendors.
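To make the relationship between device context (registration, UEM management state, EDR signals) and the resulting authentication outcome concrete, the following is an added illustration, not Okta's policy engine and not code from this guide. It models a simplified evaluation in which each app declares a required assurance tier, a device's context yields an achieved tier, and a suspended device is denied regardless of tier; the tier names, signal names, and outcome labels are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Assumed assurance tiers, ordered so they can be compared numerically.
class Assurance(IntEnum):
    NONE = 0        # unsupported platform or not registered with Okta Verify
    REGISTERED = 1  # enrolled in Okta Verify (user-to-device binding exists)
    MANAGED = 2     # registered and reported as managed by a UEM tool
    HARDENED = 3    # managed and every required EDR signal is healthy

# Platforms the guide lists as supported by Device Trust.
SUPPORTED_PLATFORMS = {"macOS", "iOS", "iPadOS", "Windows", "Android"}

# EDR signals this example requires for the HARDENED tier (assumed names).
REQUIRED_EDR_SIGNALS = ("firewall", "antivirus")

@dataclass
class DeviceContext:
    platform: str
    registered: bool = False     # enrolled in Okta Verify
    managed: bool = False        # UEM reports the device as managed
    suspended: bool = False      # admin suspended/deactivated the device
    edr_signals: dict = field(default_factory=dict)  # e.g. {"firewall": True}

def device_assurance(ctx: DeviceContext) -> Assurance:
    """Map a device's context onto the highest tier it satisfies."""
    if ctx.platform not in SUPPORTED_PLATFORMS or not ctx.registered:
        return Assurance.NONE
    if not ctx.managed:
        return Assurance.REGISTERED
    if all(ctx.edr_signals.get(s) is True for s in REQUIRED_EDR_SIGNALS):
        return Assurance.HARDENED
    return Assurance.MANAGED

def decide(ctx: DeviceContext, app_required: Assurance) -> tuple:
    """Return (outcome, factors): passwordless only when the device meets the app's tier."""
    if ctx.suspended:
        return ("DENY", [])
    level = device_assurance(ctx)
    if level >= app_required:
        return ("ALLOW", ["okta_verify_passwordless"])
    if level == Assurance.NONE:
        # Unknown device: fall back to password plus a second factor.
        return ("STEP_UP", ["password", "mfa"])
    # Known but below the required tier: keep the device factor, add another.
    return ("STEP_UP", ["okta_verify_passwordless", "additional_factor"])
```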

Next steps

Review prerequisites

Review and implement use cases