Add device assurance policies for ChromeOS and Google Chrome

Okta’s device assurance policies determine access privileges within an org. These policies consider various factors such as device signals, compliance, and security posture to evaluate the trustworthiness of a device. When the Chrome Device Trust connector is configured, you can gather essential device posture signals from the Chrome browser or ChromeOS, ensuring a more comprehensive assessment of the device's security state.

Before you begin

Set up the Chrome Device Trust connector in the Okta Admin Console and in the Google Admin console before completing the tasks on this page. Signals from ChromeOS require devices to be enrolled in device management in the Google Admin console, and signals from macOS and Windows require Chrome browser to be enrolled in browser management in the Google Admin console.

Tasks

Create a device assurance policy for ChromeOS

  1. In the Okta Admin Console, go to Security Device Assurance Policies.

  2. Click Add a policy.

  3. Give the policy a unique name, and then select ChromeOS as the platform.

  4. Configure attributes for the ChromeOS device assurance policy:

    • Device management: The device must be enrolled in ChromeOS device management.
    • Minimum ChromeOS version: Enter the minimum version details for ChromeOS.

    • Disk encryption: Select the checkbox if the device disk must be encrypted.

    • Firewall: Select this checkbox if a firewall must be enabled.

    • Screen lock password: If you select this option, the device requires a password to unlock.

    • Screen lock: Select this checkbox to permit screen locking.

    • Minimum Chrome browser version: Enter version details for the minimum Chrome browser version allowed by the policy.

    • Device enrollment domain: Add the domain for device enrollment.

    • Chrome DNS client: Select this checkbox if Chrome DNS client must be enabled.

    • Chrome Remote Desktop app: Select this checkbox if the Chrome Remote Desktop app must be blocked.

    • Safe Browsing protection level: Use the dropdown menu to select a preset value.

    • Site Isolation: Select this checkbox if Site Isolation must be enabled.

    • Password protection warning: Use the dropdown menu to select a preset value.

    • Enterprise-grade URL scanning: Select this checkbox if enterprise-grade URL scanning must be enabled.

    • Key trust level for ChromeOS: Select Device in verified mode from the dropdown menu.

  5. Click Save.

Create a device assurance policy for managed Chrome browsers

  1. In the Okta Admin Console, go to Security Device Assurance Policies.

  2. Click Add a policy.

  3. Give the policy a unique name, and then select macOS or Windows as the platform.

  4. Select Chrome Device Trust as the Device attribute provider.

    If you select both Okta Verify and Chrome Device Trust as providers, there may be some overlap in signals. In this scenario, the signal from Okta is given priority.

  5. Configure the attributes for the Chrome Device Trust device assurance policy. Attribute options vary based on the platform selected. See Add a device assurance policy.

  6. Click Save.

  7. Optional. Repeat these steps to add a second device assurance policy for Chrome Device Trust on another platform.

When an end user signs in to their ChromeOS device from the sign-in screen, they're performing single sign-on (SSO) for all their Google Workspace applications. This means using a device assurance policy for Workspace on ChromeOS is only evaluated at the first sign-in attempt, which is the ChromeOS sign-in screen. To avoid device lockout, Okta recommends assigning a baseline device assurance policy to Workspace on ChromeOS, and then adding more security controls for non-Workspace applications.

Add a macOS device assurance policy for Chrome Device Trust signals

The Chrome Device Trust connector only sends signals from macOS devices that are equipped with Secure Enclave.

  1. In the Okta Admin Console, go to Security Device Assurance Policies.

  2. Click Add a policy.

  3. Enter a Policy name, and then choose macOS as the Platform.

  4. Okta Verify is selected as the Device attribute provider by default. Select Chrome Device Trust, and clear the Okta Verify checkbox if you want Google to solely provide the device posture. You can also select both Okta Verify and Chrome Device Trust as device attribute providers. This may cause some overlap in signals. In this scenario, the signal from Okta Verify is given priority.

  5. Select the policy attributes:

    • Minimum macOS version: Select a preset version from the list, or specify a custom version.

    • Screen lock password: If you select this option, the screen lock must require a password.

    • Disk encryption: If you select this option, the disk must be encrypted. Only internal and system volumes are evaluated for disk encryption. Volumes that are hidden, removable, automounted, or used for recovery aren’t evaluated for disk encryption.

    • Firewall: Select this checkbox if a firewall must be enabled.

    • Minimum Chrome browser version: Enter version details for the minimum Chrome browser version allowed by the policy.

    • Device enrollment domain: Add the domain for device enrollment.

    • Chrome DNS client: Select this checkbox if Chrome DNS client must be enabled.

    • Chrome Remote Desktop app: Select this checkbox if the Chrome Remote Desktop app must be blocked.

    • Safe Browsing protection level: Use the dropdown menu to select a preset value.

    • Site Isolation: Select this checkbox if site isolation must be enabled.

    • Password protection warning: Use the dropdown menu to select a preset value.

    • Enterprise-grade URL scanning: Select this checkbox if enterprise-grade URL scanning must be enabled.

    • Key trust level for Chrome: Use the dropdown menu to select a preset value.

  6. Click Save.

Add a Windows device assurance policy for Chrome Device Trust signals

  1. In the Okta Admin Console, go to Security Device Assurance Policies.

  2. Click Add a policy.

  3. Enter a Policy name, and then choose Windows as the Platform.

  4. Okta Verify is selected as the Device attribute provider by default. Select Chrome Device Trust, and clear the Okta Verify checkbox if you want only Chrome Device Trust to provide the device posture. You can also select both Okta Verify and Chrome Device Trust as device attribute providers. This may cause some overlap in signals. In this scenario, the signal from Okta Verify is given priority.

  5. Select the policy attributes:

    • Minimum Windows version: Select a preset version from the list, or specify a custom version.

    • Lock screen secured: Select this option if the lock screen must be secured by a password, Windows Hello, or a smart card.

    • Disk encryption: If you select this option, the disk must be encrypted. Only internal and system volumes are evaluated for disk encryption. Volumes that are hidden, removable, automounted, or used for recovery aren’t evaluated for disk encryption.

    • Firewall: Select this checkbox if the firewall must be enabled.

    • Minimum Chrome browser version: Enter version details for the minimum Chrome browser version allowed by the policy.

    • Device enrollment domain: Add the domain for device enrollment.

    • Chrome DNS client: Select this checkbox if Chrome DNS client must be enabled.

    • Chrome Remote Desktop app: Select this checkbox if the Chrome Remote Desktop app must be blocked.

    • Safe Browsing protection level: Use the dropdown menu to select a preset value.

    • Site Isolation: Select this checkbox if Site Isolation must be enabled.

    • Password protection warning: Use the dropdown menu to select a preset value.

    • Enterprise-grade URL scanning: Select this checkbox if enterprise-grade URL scanning must be enabled.

    • Secure Boot: Select this checkbox if Secure Boot must be enabled.

    • Windows machine domain: Enter the domain of the Windows machine.

    • Windows user domain: Enter the domain for user accounts.

    • Third party software injection: Select this checkbox if third party software injection must be blocked.

    • CrowdStrike - Agent ID: Enter your CrowdStrike Agent ID. This value must be in lowercase, and without hyphens.

    • CrowdStrike - Customer ID: Enter your CrowdStrike Customer ID. This value must be in lowercase, and without hyphens.

    • Key trust level for Chrome: Use the dropdown menu to select a preset value.

  6. Click Save.

Add device assurance to an authentication policy

Adding device assurance to an authentication policy rules allow you to establish minimum requirements for unmanaged devices that have access to systems and applications in your organization. If you configure the policy rule to include multiple conditions, any of those conditions can trigger the rule.

  1. In the Okta Admin Console, go to Security Authentication Policies.

  2. Select a policy, and then click Add Rule.

  3. To add device assurance to an existing policy rule, select the policy rule you want to modify, and then click Edit.

  4. For AND Device assurance policy is, select Any of the following Device Assurance conditions, and then enter the name of a device assurance you created previously.
    • You can add multiple platform-specific device assurance policies.
    • If you add multiple device assurance attributes to the same rule, they’re considered OR conditions.
    • If the rule has other conditions, all conditions defined for the rule must be met for the rule to be applied.
  5. Specify any additional conditions and your desired outcome when the conditions are met.
  6. Click Create Rule or Save to save your changes.

Troubleshooting

Ensure that the following is true:

  • The Chrome Device Trust integration is configured correctly in the Okta Admin Console.

  • A device assurance policy with Chrome Device Trust as the attribute provider exists.

  • The device assurance policy is added to an app sign-on policy.

  • The ChromeOS device and user are in the same organizational unit as the Okta provider configuration.

  • The user isn't using a private or incognito browser.

Run an authorization scenario for the account, and then view the System Log for the Chrome Device Trust events.

System Logs

You can view the System Log to ensure Chrome Device Trust signals are collected. Chrome Device Trust signals are available in the System Log when you expand the device option under the Device Integrator key. Look for the following events:

  • factors user.session.start

  • user.authentication.verify

  • policy.evaluate_sign_on

  • user.authentication.auth_via_mfa

Note that user.authentication.auth_via_mfa only appears if your app sign-on policy requires multifactor authentication. See Device Assurance Policies API documentation.

Related topics

Integrate Okta with ChromeOS and Chrome browser

Set up the Chrome Device Trust connector

Add device assurance to an authentication policy

Remediation messages for device assurance

Device assurance