Device platform security
Okta app sign-in policies determine the device platform from the User-Agent information included in the request header sent by the user's browser.
Because a User-Agent value can be spoofed, a malicious actor may craft requests that match the least restrictive rules in your policies.
For this reason, make sure that your app sign-in policies comply with your company's security needs. Consider the following best practices when you create your policies:
- Implement an allowlist that consists of one or more rules permitting access to the app. The rules should specify the allowed combinations of client type, device platform, and trust posture.
- Require device registration, device assurance policies, or MFA to access the app. See Devices and Multifactor authentication.
- Include a final rule to deny access to any device that doesn't match any of the preceding rules.
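The following is an added illustration of why the three practices above work together; it is a toy model written for this page, not Okta's policy engine, and its rule fields, client-type labels, User-Agent strings and sample policies are all constructed assumptions. It derives the platform from a User-Agent string (the spoofable input), then evaluates the same request against a platform-only policy and against an allowlist that also requires device registration and MFA and ends with a deny rule.

```python
"""Illustrative model of ordered sign-in rules; not Okta's policy engine."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALLOW, DENY = "ALLOW", "DENY"


def platform_from_user_agent(user_agent: str) -> str:
    """Derive a platform label from the User-Agent header.

    The header is set by the client, so any label derived from it can be
    chosen freely by whoever sends the request.
    """
    ua = user_agent.lower()
    if "iphone" in ua or "ipad" in ua:
        return "iOS"
    if "android" in ua:
        return "Android"
    if "windows" in ua:
        return "Windows"
    if "macintosh" in ua:
        return "macOS"
    return "Other"


@dataclass(frozen=True)
class SignInRequest:
    user_agent: str
    client_type: str        # "browser" or "native" (labels assumed for this model)
    registered: bool        # device registered with the identity provider
    mfa_satisfied: bool     # a second factor was completed in this session

    @property
    def platform(self) -> str:
        return platform_from_user_agent(self.user_agent)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    client_types: Optional[FrozenSet[str]] = None   # None means "any"
    platforms: Optional[FrozenSet[str]] = None      # None means "any"
    require_registered: bool = False
    require_mfa: bool = False

    def matches(self, req: SignInRequest) -> bool:
        if self.client_types is not None and req.client_type not in self.client_types:
            return False
        if self.platforms is not None and req.platform not in self.platforms:
            return False
        if self.require_registered and not req.registered:
            return False
        if self.require_mfa and not req.mfa_satisfied:
            return False
        return True


def evaluate(policy: List[Rule], req: SignInRequest) -> Tuple[str, str]:
    """Walk the rules in order; the first matching rule decides.

    A request that matches no rule is treated as DENY here (a modelling choice).
    """
    for rule in policy:
        if rule.matches(req):
            return rule.action, rule.name
    return DENY, "<no rule matched>"


# Policy 1 (constructed): a platform-only allow rule, then a permissive catch-all.
WEAK_POLICY = [
    Rule("iOS browsers, platform check only", ALLOW,
         client_types=frozenset({"browser"}), platforms=frozenset({"iOS"})),
    Rule("Catch-all: any client with MFA", ALLOW, require_mfa=True),
]

# Policy 2 (constructed): allowlist of client/platform/trust combinations, then a final deny.
RECOMMENDED_POLICY = [
    Rule("Registered iOS/Android browsers with MFA", ALLOW,
         client_types=frozenset({"browser"}), platforms=frozenset({"iOS", "Android"}),
         require_registered=True, require_mfa=True),
    Rule("Registered Windows/macOS browsers with MFA", ALLOW,
         client_types=frozenset({"browser"}), platforms=frozenset({"Windows", "macOS"}),
         require_registered=True, require_mfa=True),
    Rule("Deny everything else", DENY),
]

# Constructed User-Agent string claiming iOS; only the trust signals differ between the two requests.
CLAIMED_IOS_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15"
UNREGISTERED_CLAIMING_IOS = SignInRequest(CLAIMED_IOS_UA, "browser", registered=False, mfa_satisfied=False)
REGISTERED_IOS_WITH_MFA = SignInRequest(CLAIMED_IOS_UA, "browser", registered=True, mfa_satisfied=True)


def compare_policies(req: SignInRequest) -> dict:
    """Evaluate one request under both constructed policies."""
    return {"weak": evaluate(WEAK_POLICY, req), "recommended": evaluate(RECOMMENDED_POLICY, req)}


if __name__ == "__main__":
    for label, req in [("unregistered device, claims iOS", UNREGISTERED_CLAIMING_IOS),
                       ("registered iOS device with MFA", REGISTERED_IOS_WITH_MFA)]:
        print(label, compare_policies(req))
```

Under the weak policy the unregistered request is allowed purely because its header says iOS; under the recommended policy the same request falls through every allow rule, since registration and MFA are not client-controlled, and lands on the final deny, while a registered device that completed MFA is still admitted.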