Create device signal collection rules
Early Access release. See Enable self-service features.
Device signal collection rules let you augment the existing device probing capability in authentication policy rules. They enable you to add device signals from Okta Verify and the Chrome Device Trust connector to your policy evaluations.
You can determine how to collect device signals and whether to collect the user identity from the device. Use these signals as conditions in authentication policies to evaluate requests to access apps or enroll in authenticators. Okta collects device signals before it evaluates the rules in your policies.
Device signal collection rules help you avoid situations where Okta FastPass satisfies possession requirements, and then doesn't prompt users to authenticate with other possession factors, like a Smart Card.
Collecting the user identity helps you determine which user is trying to authenticate on a particular device. This is helpful when there's more than one user identity in Okta Verify. You can pre-populate the Username field in the Sign-In Widget with the user identity so that the user can skip this step and choose a security method.
See Configure a device signal collection policy for instructions on using this feature with the Okta API.
You must create a device signal collection rule if you have an authentication policy rule with either of the following settings:
- A device state of Registered or Managed: Create a device signal collection rule that collects device signals using Okta Verify.
- A device assurance policy that uses a device attribute provider: Create a device signal collection rule that uses the same device attribute provider.
Start this procedure
- In the Admin Console, go to .
- Select the policy that you want to add device signal collection rules to.
- Click Actions, and then Show device signal collection rules. The Device signal collection rules tab appears.
- Select the Device signal collection rules tab.
- Click Add rule.
- Enter a name in the Rule name field.
- Click the Device platform is dropdown menu, and then select a platform that you want to collect signals from. The platform you selected appears under the dropdown menu.
- From the User's IP is dropdown menu, select the network zone option. See Network zones.
- In the Perform device signal collection with section, select the configuration options:
- Okta Verify: Get device signals from Okta Verify.
- Allow Okta Verify to collect user identity: This option appears if you select Okta Verify. It gets the user identity from Okta Verify and populates the Username field on the Sign-In Widget when the user signs in to Okta. Leave this option cleared to require users to explicitly specify their username on the Sign-In Widget.
- Chrome Device Trust connector: Get device signals from Google Chrome browser and ChromeOS devices. See Manage Chrome Enterprise device trust connectors.
- From the Device posture identity provider is dropdown menu, select a device posture identity provider.
- Click Save. The Device signal collection rules tab appears.
- Click Enable the ruleset.
- Add a deny rule. In the THEN Access is section, select Denied. This rule denies access from any device that doesn't satisfy the conditions of the other rules in this policy. Because an attacker who spoofs User-Agent and IP values while probing for weak rules falls through to this rule, it closes the gap that a policy with no catch-all would leave open.
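The evaluation order that the procedure above sets up (platform and network-zone conditions checked in rule order, signal collection only for the first matching rule, and a catch-all deny at the end), modeled as an added example. This is a constructed simulation written for this page, not Okta's code or API; the zone names, rule names and source identifiers are hypothetical.

```python
"""Constructed model of ordered device signal collection rules.

Illustrative simulation, not Okta's code or API. Zone names, rule
names and source identifiers are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet

ANY = "ANY"

# Hypothetical network zones: a zone name maps to the CIDRs it covers.
ZONES = {
    "corp": [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    platforms: FrozenSet[str]       # "Device platform is"; {ANY} matches all
    zone: str                       # "User's IP is" zone name, or ANY
    sources: FrozenSet[str]         # "Perform device signal collection with"
    collect_identity: bool = False  # "Allow Okta Verify to collect user identity"
    deny: bool = False              # "THEN Access is" Denied


def zones_for(ip: str) -> FrozenSet[str]:
    """Return every zone name whose CIDRs contain the client IP."""
    addr = ipaddress.ip_address(ip)
    return frozenset(name for name, nets in ZONES.items()
                     if any(addr in net for net in nets))


def rule_matches(rule: Rule, platform: str, ip: str) -> bool:
    """A rule applies when both its platform and zone conditions hold."""
    platform_ok = ANY in rule.platforms or platform in rule.platforms
    zone_ok = rule.zone == ANY or rule.zone in zones_for(ip)
    return platform_ok and zone_ok


def evaluate(rules, platform: str, ip: str) -> dict:
    """First matching rule wins. A request that matches no rule is denied,
    the same outcome the explicit catch-all deny rule produces."""
    for rule in rules:
        if not rule_matches(rule, platform, ip):
            continue
        if rule.deny:
            return {"rule": rule.name, "access": "denied"}
        return {
            "rule": rule.name,
            "access": "collect",
            "sources": sorted(rule.sources),
            # Username prefill only makes sense when Okta Verify is a source.
            "prefill_username": rule.collect_identity and "okta_verify" in rule.sources,
        }
    return {"rule": None, "access": "denied"}


# Hypothetical ruleset in the order an admin would add the rules.
RULES = [
    Rule("corp-macos", frozenset({"macOS"}), "corp",
         frozenset({"okta_verify"}), collect_identity=True),
    Rule("chromeos-anywhere", frozenset({"ChromeOS"}), ANY,
         frozenset({"chrome_device_trust"})),
    Rule("catch-all", frozenset({ANY}), ANY, frozenset(), deny=True),
]

if __name__ == "__main__":
    print(evaluate(RULES, "macOS", "10.1.2.3"))
    print(evaluate(RULES, "ChromeOS", "198.51.100.7"))
    # A spoofed "macOS" User-Agent from outside the zone falls through to deny.
    print(evaluate(RULES, "macOS", "198.51.100.7"))
```

The last call shows why the deny rule matters: a client that forges its platform but cannot place itself inside the corporate zone never reaches the Okta Verify collection rule, and without the catch-all it would simply match nothing. Real Okta evaluation derives the platform and zone from the request itself; the model only reproduces the ordering.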
Activate or deactivate a device signal collection rule
You can deactivate a rule while you're creating it, and then activate it when you're ready to deploy it.
- In the Admin Console, go to .
- Select the policy that contains the rule that you want to activate or deactivate.
- Click the Device signal collection rules tab.
- Click Actions beside the rule that you want to activate or deactivate, and then select Activate or Deactivate.
Delete a device signal collection rule
Deleting a rule can't be undone. If you delete a rule by mistake, you need to create another one to replace it.
- In the Admin Console, go to .
- Select the policy that you want to remove a rule from.
- Click the Device signal collection rules tab.
- Deactivate the rule. See Activate or deactivate a device signal collection rule.
- Click Actions beside the rule that you want to remove, and then click Delete.
Remove all device signal collection rules from an authentication policy
You can delete all device signal collection rules and disable this feature if you don't want to use it in your authentication policies.
- In the Admin Console, go to .
- Select the policy that you want to remove device signal collection rules from.
- Click Actions, and then select Remove device signal collection rules.
- Click Remove device signal collection rules in the confirmation prompt. The Device signal collection rules tab is removed.
If you see an error message, delete the rules individually (see Delete a device signal collection rule), and then return to this section and repeat these steps.
Find the authentication policies that use device signal collection rules, and then remove these rules from the policies. See