Prepare to replace your Device Trust setup

Understand your Device Trust replacement options and plan when to enable the new device security framework before and after the Identity Engine upgrade.

Classic Engine Device Trust isn't compatible with Identity Engine. Before upgrading, understand what replaces Device Trust for each platform and plan when to enable the replacement. For turn-off procedures, see Turn off Device Trust feature restrictions.

Device Trust replacements

Table 1. Classic Engine Device Trust replaced by Identity Engine
Platform Classic Engine approach Identity Engine replacement Key difference
Desktop (Windows, macOS) Device Trust with IWA agents Okta Verify with managed certificate and Okta FastPass Certificate-based. Users can enroll multiple devices.
Mobile (iOS, Android) Client-based or SAML-based Device Trust Okta Verify with management attestation No automated migration. Must re-enable post-upgrade.
Workspace ONE (mobile) Workspace ONE SAML-based Device Trust Okta Verify with management attestation Migration support feature is available.

Replacement options by platform

Desktop devices

The replacement for desktop Device Trust is Okta Verify with a managed certificate and Okta FastPass. Enable this after the Identity Engine upgrade.

What changes after migration:

  • IWA agents are decommissioned.
  • A new Certificate Authority is configured and distributed through your MDM.
  • Okta Verify is rolled out to all managed desktop devices.
  • Users see a Set up Okta FastPass button in their account settings.
  • Users can enroll multiple devices, which was previously limited to one.

Post-upgrade migration steps:

  1. Configure Device Integration and establish a new Certificate Authority (CA).
  2. Import the new CA into your device management software.
  3. Deploy the CA across all devices.
  4. Roll out Okta Verify to all devices.
  5. Decommission legacy IWA agents and servers.
  6. Remove Classic Engine Device Trust platforms.

See Device Trust for desktop devices.

Mobile devices

The replacement for mobile Device Trust is Okta Verify with management attestation. Mobile Device Trust has no automated migration path. Turn off Classic Engine mobile Device Trust before upgrading, then re-enable device security using the Identity Engine framework post-upgrade.

What changes after migration:

  • Management attestation verifies that the device is enrolled in your MDM.
  • Managed app configurations replace the Classic Engine Device Trust framework.
  • Manually enable Okta FastPass within Okta Verify post-upgrade.

See Device Trust for mobile devices.

Workspace ONE environments

If you use Workspace ONE SAML-based Device Trust for mobile, a migration support feature is available. Enable Migration Support for Workspace ONE Device Trust for Android and iOS before upgrading. This allows the upgrade to proceed without manually disabling Device Trust first.

See Migrate Workspace ONE SAML-based mobile device trust.

Pre-upgrade blockers

Client-based and SAML-based mobile Device Trust blocks the Identity Engine upgrade. Resolve this before scheduling.

Table 2. Actions to unblock the upgrade
Scenario Action required
Workspace ONE users Enable Migration Support for Workspace ONE Device Trust for Android and iOS.
All other mobile Device Trust configurations Go to Security > Device Trust and turn off iOS and Android Device Trust.

If you can't clear the iOS or Android Device Trust checkboxes, first enable the third-party Device Trust features (iOS, Mac, Windows), and then retry.

Replacement timeline

Table 3. Device Trust replacement phases
Phase Desktop Mobile
Before upgrade Delete IWA routing rules. Turn off mobile Device Trust, or enable the Workspace ONE migration feature.
During upgrade No action is needed. No action is needed.
Immediately after upgrade Verify that desktop devices still have managed status. Verify that mobile devices can authenticate.
Within weeks after upgrade Configure new CA, deploy Okta Verify, set up Okta FastPass. Configure management attestation, deploy the Okta Verify managed configuration.
After migration complete Decommission IWA agents, remove Classic Engine platforms. Confirm all mobile users that are enrolled with Okta Verify.

Device Trust replacement checklist

Before upgrade

  • Identify which platforms use Device Trust (desktop, mobile, or both).
  • Identify your mobile Device Trust type (client-based, SAML-based, or Workspace ONE).
  • Plan the Identity Engine replacement approach for each platform.
  • Delete IWA routing rules from all orgs being upgraded (desktop).
  • Turn off mobile Device Trust or enable the Workspace ONE migration feature (mobile).
  • Review how your SAML apps interact with Device Trust policies, as configurations may be affected after the upgrade.
  • Communicate the transition plan to affected users.
  • Ensure Okta Verify is available for deployment to all managed devices.

After upgrade

  • Configure Device Integration and a new Certificate Authority (desktop).
  • Configure management attestation (mobile).
  • Deploy Okta Verify and the new CA to managed devices.
  • Validate Okta FastPass enrollment for desktop users.
  • Validate management attestation for mobile users.
  • Decommission legacy IWA agents and servers.
  • Remove Classic Engine Device Trust platforms.