Configure an SSO extension on iOS devices

On managed iOS devices, you must create an SSO extension profile to enable Okta FastPass authentication that doesn't show sign-in prompts. The SSO extension forwards requests from a browser or app to Okta Verify. Therefore, the browser or app doesn't prompt users to open Okta Verify.

Before you begin

Ensure that your environment meets these conditions:

Start this task

  1. Integrate Okta with your MDM software. See Integrate Okta with your MDM software.

  2. In Workspace ONE, click RESOURCESProfiles & BaselinesProfiles.
  3. Click ADD, and then select Add Profile.
  4. Click Apple iOS.
  5. In VMware Workspace ONE UEM, go to DevicesProfiles.
  6. Click Device Profile.
  7. Configure the following settings:




    SSO ExtensionExtension TypeGeneric

    Team Identifier


    RealmOkta Device

    Enter your Okta org domain without the protocol scheme.

    For example, enter, not

    Additional Settings
    GeneralNameEnter a name
    Assignment TypeAuto
    Allow RemovalAlways
    Smart Groups

    Create or select an existing Smart Group applicable to the users you've targeted for passwordless authentication:

    • User Group: Create or select one or more User Groups.
    • Platform and Operating System: Apple iOS 13.0.0 or later
  8. Save and publish your changes.


If the SSO extension fails, users click a deep link to open Okta Verify. The SSO extension might fail in these situations:

  • Users try to access an Okta-protected resource from a browser or a native app that uses WebView.
  • The SSO extension MDM profile isn't installed.

User experience

If Okta Verify is installed but not managed by your MDM software, users receive this message: Additional setup required. A wizard guides the users through the device management setup. After they complete the steps, users must sign out of their organization, and then sign in again, before they can access apps protected by Okta.

Next steps

Add an authentication policy rule for mobile