Expression Language attributes for devices
When you use the Okta Expression Language (EL) to create a custom expression for devices, you reference attributes that exist in the Okta Device Profile.
Some attributes aren't available for all devices, such as device.profile.imei, device.profile.meid, device.profile.serialNumber, and device.profile.udid.
You can use ChromeOS only with the device.profile.platform attribute.
The following table lists the device profile attributes.
Attribute name and type | Description | Examples |
---|---|---|
device.assurance.screenLockType<br>Type: String | Obtains the value of the device's screen lock type. | NONE: No passcode is set on the device.<br>PASSCODE: The device only has a passcode or password configured. Biometrics isn't set up.<br>BIOMETRIC: Passcode and biometrics are set on the device. |
device.provider.oktaVerify.version<br>Type: String | Obtains the value of the device's version of Okta Verify. Use the versionGreaterThan and versionLessThan functions to compare against Okta Verify version levels. Use == to make a comparison against an exact Okta Verify version. | device.provider.oktaVerify.version.versionGreaterThan('9.43') == true<br>device.provider.oktaVerify.version.versionLessThan('9.42.0') == true<br>device.provider.oktaVerify.version == '9.46.1.2025.710.1826'<br>Don't use the < or > relational operators directly, because they perform a literal comparison of the strings. For example, device.provider.oktaVerify.version > '10.3.1' could result in an incorrect evaluation such as '9.23.0' > '10.3.1'. |
device.profile.diskEncryptionType<br>Type: String | Obtains the value of the device profile's disk encryption type. | NONE: No encryption has been set. (All platforms)<br>FULL: The disk is fully encrypted. (Android, iOS)<br>USER: The encryption key is tied to the user or profile. (Android)<br>ALL_INTERNAL_VOLUMES: All internal disks are encrypted. (macOS, Windows)<br>SYSTEM_VOLUME: Only the system volume is encrypted. (macOS, Windows) |
device.profile.displayName<br>Type: String | Obtains the value of the device profile's display name attribute. 4-byte UTF-8 characters aren't supported. | DESKTOP-BE6IL05, XYZ S21 |
device.profile.imei<br>Type: String | Obtains the value of the device profile's International Mobile Equipment Identity (IMEI) attribute. | 410154203237518 |
device.profile.integrityDebug<br>Type: Boolean | Indicates whether a debugger has been detected. | true or false |
device.profile.integrityEmulator<br>Type: Boolean | Indicates whether the device runs as an emulator. | true or false |
device.profile.integrityHook<br>Type: Boolean | Indicates whether internal functions or runtime hooks have been detected. | true or false |
device.profile.integrityJailbreak<br>Type: Boolean | Indicates if the mobile device has been jailbroken or rooted. | true or false |
device.profile.integrityRepackage<br>Type: Boolean | Indicates if an unknown third party repackaged the mobile device app. | true or false |
device.profile.managed<br>Type: Boolean | Obtains the value of the device profile's managed attribute. This can only be used when Device Trust is enabled or if the DEVICE_CONDITION_IDX_ADVANCED feature is enabled. | true or false |
device.profile.manufacturer<br>Type: String | Obtains the value of the device profile's manufacturer attribute. | VMware, Inc.<br>Samsung |
device.profile.meid<br>Type: String | Obtains the value of the device profile's Mobile Equipment Identifier (MEID) attribute. | 99001092003340 |
device.profile.model<br>Type: String | Obtains the value of the device profile's model attribute. | VMware7,1<br>SM-G991U1 |
device.profile.osVersion<br>Type: String | Obtains the value of the device profile's operating system version attribute. Use the versionGreaterThan or versionLessThan functions to compare OS versions. | 10.0.18362<br>30<br>device.profile.osVersion.versionGreaterThan('14.2.1') == true<br>Don't use the < or > relational operators directly, because they perform a literal comparison of the strings. For example, device.profile.osVersion > '14.2.1' could result in an incorrect evaluation such as '2.0.0' > '10.3.1'. |
device.profile.platform<br>Type: String | Obtains the value of the device profile's operating system. | IOS, ANDROID, WINDOWS, MACOS, MOBILE_OTHER, DESKTOP_OTHER, or CHROMEOS |
device.profile.registered<br>Type: Boolean | Obtains the value of the device profile's registered attribute. | true |
device.profile.secureHardwarePresent<br>Type: Boolean | Obtains the value of the device profile's secure hardware present attribute. This checks for chip presence, in the form of a Trusted Platform Module (TPM) or Secure Enclave. It doesn't check whether there are tokens on the secure hardware. | true or false |
device.profile.serialNumber<br>Type: String | Obtains the value of the device profile's serial number attribute. | VMware-56 5d e2 35 bd d8 66 75-5a bc 10 06 4c 6a fb 85 |
device.profile.sid<br>Type: String | Obtains the value of the device profile's security identifier (SID) attribute. This is only available with Windows devices. | S-1-5-21-1016203815-1917570059-4244971090-500 |
device.profile.tpmPublicKeyHash<br>Type: String | Obtains the value of the device profile's Trusted Platform Module (TPM) public key hash attribute. | 18e3b568aeb17b4e75f3838d6b01ffe63c52d976950943a10968761b5bfe3f4d |
device.profile.udid<br>Type: String | Obtains the value of the device profile's unique device ID (UDID) attribute. This is only available with certain managed scenarios. | 35E24D56-D8BD-7566-1ABC-10064C6AFB85 |
Operators
Use operators in your custom expression to handle decisions. Any Okta Expression Language operator can be used in a custom expression. The following table lists commonly used operators:
Operator | Description |
---|---|
&& | Signifies an AND function. |
\|\| | Signifies an OR function. |
! | Signifies a NOT function. |
<, >, <=, and >= | Signifies relational operators. |
== | Checks for equality. |
!= | Checks for inequality. |
See Okta Expression Language for a complete list of Okta Expression Language functions.
Important considerations
- Always include device.profile.registered == true if you want to include device conditions in your custom expression.
- In general, device attributes can only be used if Okta FastPass is enabled.
- Device attributes can only be evaluated if Okta Verify is installed.
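
The following added example (not Okta code or an Okta tool) reviews custom expressions for two mistakes this page warns about: using <, >, <= or >= directly on a version attribute, and writing device conditions without device.profile.registered == true. The names lint_expression, version_tuple and SAMPLES are hypothetical, the checks are regex heuristics rather than an Expression Language parser, and version_tuple only illustrates numeric comparison; it is not a description of how versionGreaterThan is implemented.

```python
import re

# Attributes the page says to compare with versionGreaterThan / versionLessThan.
VERSION_ATTRS = ("device.provider.oktaVerify.version", "device.profile.osVersion")
DEVICE_REF = re.compile(r"\bdevice\.(?:profile|provider|assurance)\.\w+")
REGISTERED = re.compile(r"\bdevice\.profile\.registered\s*==\s*true\b")


def lint_expression(expr: str) -> list[str]:
    """Return review findings for one custom expression (empty list = clean)."""
    findings = []
    for attr in VERSION_ATTRS:
        a = re.escape(attr)
        # Attribute directly on either side of <, >, <= or >= is a literal
        # string comparison; attr.versionGreaterThan(...) does not match.
        if re.search(rf"{a}\s*[<>]|[<>]=?\s*{a}(?![.\w])", expr):
            findings.append(f"literal string comparison on {attr}")
    # Heuristic: only checks that the clause appears somewhere in the expression.
    if DEVICE_REF.search(expr) and not REGISTERED.search(expr):
        findings.append("device condition without device.profile.registered == true")
    return findings


def version_tuple(version: str) -> tuple[int, ...]:
    """Numeric, component-wise view of a dotted version (illustration only)."""
    return tuple(int(part) for part in version.split("."))


# Constructed sample expressions, built from attributes listed in the table.
SAMPLES = {
    "ok": "device.profile.registered == true && "
          "device.provider.oktaVerify.version.versionGreaterThan('9.43') == true",
    "string-compare": "device.profile.registered == true && "
                      "device.profile.osVersion > '14.2.1'",
    "unregistered": "device.profile.managed == true && "
                    "device.profile.diskEncryptionType != 'NONE'",
}

if __name__ == "__main__":
    for name, expr in SAMPLES.items():
        print(name, lint_expression(expr) or "clean")
    # The string comparison ranks 9.23.0 above 10.3.1; numerically it is lower.
    print("9.23.0" > "10.3.1", version_tuple("9.23.0") > version_tuple("10.3.1"))
```
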
Related topics
Add a custom expression to an app sign-in policy