Troubleshoot Device Trust after upgrade

Consider the following troubleshooting and verification procedures when you migrate from Device Trust (Classic Engine) to Okta FastPass:

Device Trust deactivation error

In Identity Engine, you need authentication policies for devices that aren't trusted. If you didn't configure these correctly, you receive an error when you try to deactivate Device Trust (Classic Engine. The error message varies, depending on affected authentication policies.

For example, your Device Trust (Classic Engine) app sign-on policy might have the following configuration:

  • CLIENT: Windows and/or macOS
  • Device Trust: Not trusted
  • ACCESS: Denied

This policy migrated to Identity Engine as:

  • AND Device state is: Registered
  • AND Device management is: Not managed
  • THEN Access is: Denied

The following images illustrate these two configurations:

Classic Engine app sign-on policy

Identity Engine authentication policy

Before you delete the legacy Device Trust configuration, revise the Identity Engine authentication policy to deny access to devices that aren't enrolled in Okta FastPass.

  1. Create one or more Allow rules to define when to allow access to the app. Assign these rules the highest priority.
  2. Create a Denied catch-all rule that applies to users who don't match the permissive rules you created in step 1. Assign the Denied catch-all rule the lowest priority, just above the Okta default rule.

Your first rule should allow registered, managed devices:

  • AND Device state is: Registered
  • AND Device management is: Managed
  • THEN Access is: Allow

A later rule should deny all other devices.

  • AND Device state is: Any
  • THEN Access is: Deny

Example 1:

Rule Rule name User group IF THEN
1 Group A managed A Require registered, managed devices Allow with 1FA
2 Group A other A Any device state Allow with 2FA
3 Group B managed B Require registered, managed devices Allow with 1FA
4 Catch-all Rule Any Any Denied

Example 2:

Troubleshoot Windows devices

Verify that Integrated Windows Authentication (IWA) works as expected

On the client device, go to the following URLs (replace [IWA_DOMAIN_NAME] with your IWA domain name), and verify that it works as expected:

  • http://[IWA_DOMAIN_NAME]/IWA/iwa_test.aspx
  • Verify that it appears correctly in the browser.

  • http://[IWA_DOMAIN_NAME]/IWA/authenticatd.aspx
  • Verify that Userid, UserPrincipalname, UserprincipalName(Transformed), and Security Identifier appear.

  • http://[IWA_DOMAIN_NAME]/IWA/auth.aspx
  • Verify that you go to the Okta sign-in page.

Verify that a Device Trust client is deployed to the client device

  1. In Windows, click StartAdd or remove programs.
  2. Search for Okta Device Registration Task.

Verify that a Device Trust mutual TLS client certificate is installed

  1. In the Microsoft Management Console (MMC), open the Certificate Manager (click Startcertmgr.msc).

  2. Verify that an Okta MTLS - [userName] certificate is present.

    If the certificate wasn't present, open Task Scheduler (click StartTask Scheduler) and run okta-devicetrust-usertask.

Verify that Device Trust Enrollment works as expected

  1. In the Microsoft Management Console (MMC), open the Certificate Manager (click Startcertmgr.msc).
  2. Delete the Okta MTLS - [username] certificate.
  3. Open a Command Prompt.
  4. Change directories to “Program Files\Okta\DeviceTrust”.
  5. Run OktaDeviceReg.exe --user --verbose --force.
  6. A new command window appears.

  7. Verify that errors don't exist, and that a new certificate is enrolled on the client device.

Verify that a rule requires registered and managed devices

  1. In the Admin Console, go to SecurityAuthentication Policies.
  2. Select the policy that you want to update.
  3. Click the Rules tab.
  4. View the policy information, and then verify that one of the rules in the policy specifies:
    • Device: Registered, Managed
    • User must authenticate with: Any 1 factor type

Review the Admin System logs

Go to Enforce Okta Device Trust for managed Windows computers, and see the TroubleshootingBasic TroubleshootingSystemLog section.

If you're using a Trusted Platform Module (TPM), see Enhance Windows Device Trust security with Trusted Platform Module (TPM).

Troubleshoot macOS devices

Verify that a Device Trust client is deployed to the client device. See "To verify installation from a terminal" at Enforce Okta Device Trust for Jamf Pro-managed macOS device.

Related topics

Device Trust for mobile devices