Device Trust for desktop devices

Learn about the changes to Device Trust for desktop devices.

Change summary In Identity Engine, use Okta Verify and a managed certificate to secure your desktop devices.
Admin experience During the upgrade, only desktop (Windows or macOS) devices are transferred to Identity Engine. These desktop devices continue to be managed. However, they don't show up in the Okta Universal Directory as managed devices.

Before you upgrade: Delete Integrated Windows Authentication routing rules.

After you upgrade: The following high-level steps are required to transition from Classic Engine Device Trust to managed devices with Okta Verify. See Replace Desktop Device Trust with Okta FastPass.

  1. Configure Device Integration and generate a new Certificate Authority (CA).

  2. In your Device Management software, import the new CA.

  3. Deploy the new CA to all devices.

  4. Deploy Okta Verify to all devices.

  5. Decommission IWA agents and servers.

  6. Remove the Classic Engine Device Trust platforms.
User experience
  • Users can enroll multiple devices in Okta Verify (in Classic Engine, users can enroll only one device).
  • If the authentication policy has the Hardware protected constraint enabled, users can't authenticate or enroll with Okta Verify push notifications.
  • If users already have an Okta Verify account, it continues to work. A Set up Okta FastPass button appears in the app's Account Details page.

  • In Identity Engine, users can't add more than one Okta Verify account per org. If a user has two accounts in a Classic Engine org, both continue to work after upgrading. A Set up Okta FastPass button appears in both accounts. If the user clicks the button in the second account, an error appears.
Related topics Migrate from Device Trust to Okta FastPass FAQ

Device Trust for mobile devices