Prepare to replace your Device Trust setup
Understand your Device Trust replacement options and plan when to enable the new device security framework before and after the Identity Engine upgrade.
Classic Engine Device Trust isn't compatible with Identity Engine. Before upgrading, understand what replaces Device Trust for each platform and plan when to enable the replacement. For turn-off procedures, see Turn off Device Trust feature restrictions.
Device Trust replacements
| Platform | Classic Engine approach | Identity Engine replacement | Key difference |
|---|---|---|---|
| Desktop (Windows, macOS) | Device Trust with IWA agents | Okta Verify with managed certificate and Okta FastPass | Certificate-based. Users can enroll multiple devices. |
| Mobile (iOS, Android) | Client-based or SAML-based Device Trust | Okta Verify with management attestation | No automated migration. Must re-enable post-upgrade. |
| Workspace ONE (mobile) | Workspace ONE SAML-based Device Trust | Okta Verify with management attestation | Migration support feature is available. |
Replacement options by platform
- Desktop devices
-
The replacement for desktop Device Trust is Okta Verify with a managed certificate and Okta FastPass. Enable this after the Identity Engine upgrade.
What changes after migration:
- IWA agents are decommissioned.
- A new Certificate Authority is configured and distributed through your MDM.
- Okta Verify is rolled out to all managed desktop devices.
- Users see a Set up Okta FastPass button in their account settings.
- Users can enroll multiple devices, which was previously limited to one.
Post-upgrade migration steps:
- Configure Device Integration and establish a new Certificate Authority (CA).
- Import the new CA into your device management software.
- Deploy the CA across all devices.
- Roll out Okta Verify to all devices.
- Decommission legacy IWA agents and servers.
- Remove Classic Engine Device Trust platforms.
See Device Trust for desktop devices.
Note: If your app sign-in policy has the hardware protection constraint enabled, users can't authenticate or enroll with Okta Verify push notifications. Review your policies before enabling Okta FastPass. - Mobile devices
-
The replacement for mobile Device Trust is Okta Verify with management attestation. Mobile Device Trust has no automated migration path. Turn off Classic Engine mobile Device Trust before upgrading, then re-enable device security using the Identity Engine framework post-upgrade.
What changes after migration:
- Management attestation verifies that the device is enrolled in your MDM.
- Managed app configurations replace the Classic Engine Device Trust framework.
- Manually enable Okta FastPass within Okta Verify post-upgrade.
- Workspace ONE environments
-
If you use Workspace ONE SAML-based Device Trust for mobile, a migration support feature is available. Enable Migration Support for Workspace ONE Device Trust for Android and iOS before upgrading. This allows the upgrade to proceed without manually disabling Device Trust first.
Pre-upgrade blockers
Client-based and SAML-based mobile Device Trust blocks the Identity Engine upgrade. Resolve this before scheduling.
| Scenario | Action required |
|---|---|
| Workspace ONE users | Enable Migration Support for Workspace ONE Device Trust for Android and iOS. |
| All other mobile Device Trust configurations | Go to and turn off iOS and Android Device Trust. |
If you can't clear the iOS or Android Device Trust checkboxes, first enable the third-party Device Trust features (iOS, Mac, Windows), and then retry.
Replacement timeline
| Phase | Desktop | Mobile |
|---|---|---|
| Before upgrade | Delete IWA routing rules. | Turn off mobile Device Trust, or enable the Workspace ONE migration feature. |
| During upgrade | No action is needed. | No action is needed. |
| Immediately after upgrade | Verify that desktop devices still have managed status. | Verify that mobile devices can authenticate. |
| Within weeks after upgrade | Configure new CA, deploy Okta Verify, set up Okta FastPass. | Configure management attestation, deploy the Okta Verify managed configuration. |
| After migration complete | Decommission IWA agents, remove Classic Engine platforms. | Confirm all mobile users that are enrolled with Okta Verify. |
Device Trust replacement checklist
Before upgrade
- Identify which platforms use Device Trust (desktop, mobile, or both).
- Identify your mobile Device Trust type (client-based, SAML-based, or Workspace ONE).
- Plan the Identity Engine replacement approach for each platform.
- Delete IWA routing rules from all orgs being upgraded (desktop).
- Turn off mobile Device Trust or enable the Workspace ONE migration feature (mobile).
- Review how your SAML apps interact with Device Trust policies, as configurations may be affected after the upgrade.
- Communicate the transition plan to affected users.
- Ensure Okta Verify is available for deployment to all managed devices.
After upgrade
- Configure Device Integration and a new Certificate Authority (desktop).
- Configure management attestation (mobile).
- Deploy Okta Verify and the new CA to managed devices.
- Validate Okta FastPass enrollment for desktop users.
- Validate management attestation for mobile users.
- Decommission legacy IWA agents and servers.
- Remove Classic Engine Device Trust platforms.