Turn off Device Trust feature restrictions

Identify your Device Trust implementation and turn it off before upgrading from Classic Engine to Identity Engine.

About this task

Identity Engine doesn't support Classic Engine Device Trust. Before upgrading, you must turn off Device Trust in your org. The steps depend on which Device Trust implementation you use and which platforms (desktop, mobile, or both) are configured. For replacement planning after the upgrade, see Device Trust for mobile devices and Device Trust for desktop devices.

Before you begin

  • Document your current Device Trust configuration from the Admin Console.
  • Inventory all devices with Device Trust certificates using your MDM.

  1. Identify your Device Trust implementation.
    Table 1. Device Trust implementation identification
    | Implementation | Platforms | How to identify |
    |---|---|---|
    | Client-based Device Trust | iOS, Android | Security > Device Trust shows iOS or Android enabled |
    | SAML-based Device Trust | iOS, Android | SAML Device Trust feature flags are enabled |
    | Workspace ONE Device Trust | iOS, Android | Workspace ONE integration configured with Device Trust |
    | Desktop Device Trust with IWA | Windows, macOS | IWA routing rules exist in the org |
    | Jamf Pro managed Device Trust | macOS | Jamf Pro integration with Device Trust certificates |

    Go to Security > Device Trust in the Admin Console to check which platforms are enabled.

  2. Determine the required actions for your setup.
    Table 2. Device Trust turn-off paths by setup
    | Setup | Required actions before upgrade |
    |---|---|
    | Mobile only (client-based or SAML-based) | Turn off mobile Device Trust |
    | Desktop only (IWA) | Delete IWA routing rules |
    | Both mobile and desktop | Turn off mobile Device Trust and delete IWA routing rules |
    | Workspace ONE (mobile) | Enable migration support feature, or turn off mobile Device Trust |
    | Jamf Pro (macOS) | Uninstall Device Trust. Jamf Pro Device Trust reached end of life in October 2024. |
  3. Optional: Turn off mobile Device Trust.

    Confirm that users have the latest version of Okta Verify installed before continuing.

    See Turn off Device Trust on mobile devices for detailed steps.

  4. Optional: Turn off Workspace ONE Device Trust.

    If you use Workspace ONE SAML-based Device Trust, choose one of the following options.

    Table 3. Workspace ONE Device Trust options
    | Option | When to use |
    |---|---|
    | Enable migration support feature | Upgrade without manually disabling Device Trust first. Available since June 2024. |
    | Manually disable | Fully remove the configuration before upgrading. |

    To use the migration support feature, enable Migration Support for Workspace ONE Device Trust for Android and iOS in your org, then proceed with the upgrade.

    To manually disable, follow the steps in the previous "Turn off mobile Device Trust" section.

    See Migrate Workspace ONE SAML-based mobile device trust for more details.

  5. Optional: Delete IWA routing rules.
  6. Optional: Uninstall Jamf Pro Device Trust.

    Okta Device Trust for Jamf Pro managed macOS devices reached end of life in October 2024.

    1. Remove the Device Trust certificate profile from Jamf Pro.
    2. Uninstall Device Trust from managed macOS devices.
  7. Verify that Device Trust is disabled.
    • Confirm that no IWA routing rules remain in the org.
    • Confirm that Security > Device Trust shows no platforms enabled.
    • Confirm that the Identity Engine Upgrade Hub no longer shows Device Trust as a blocker.
    • Test that users can still sign in without Device Trust enforcement.

| Issue | Resolution |
|---|---|
| iOS or Android Device Trust checkboxes can't be cleared | Enable the third-party Device Trust features (iOS, Mac, Windows) first, then retry disabling. |
| Upgrade Hub still shows Device Trust as a blocker after disabling | Select Check eligibility to refresh the validator status. |