Add a device assurance policy

You can define one or more device attributes that you want to evaluate for each platform that you support. There’s no limit to the number of device assurance policies that you can add, but each set of device attributes must have a unique name.

Start this task

  1. In the Admin Console, go to SecurityDevice Assurance Policies.

  2. Click Add a policy.

  3. In the Add device assurance policy dialog, enter the following information:

    • Policy name: Specify a unique name for the set of device attributes that you want to define.

    • Platform: Select the device platform that you want to set device attributes for.

      • Device assurance is only matched if its platform is the same as the end user's device. For example, if device assurance for Windows is added to an authentication policy, the rule isn't matched if the end user is accessing an app from a macOS device. Create separate authentication policies for each platform.

    • Device attribute provider(s): Choose whether your policy uses Okta Verify, Chrome Device Trust, or both services as the posture provider. If you select both providers, there may be some overlap in signals. In this scenario, the signal from Okta is given priority.

  4. Select platform-specific options.

    Platform Platform-specific options
    Android
    • Minimum Android version: Select a preset version from the list, or specify a custom version.

    • Lock screen: If you select this option, the device must have a screen lock. Also, select this checkbox if biometrics is required.

    • Disk encryption: If you select this option, the device disk must be encrypted. Devices with Android 8 or 9 support full-disk encryption. Devices with Android 10, or later, support full-disk encryption only if upgraded from a previous version. Devices with Android 10 and later use file-based encryption.

    • Hardware keystore: If you select this option, the device must support hardware-backed keys.

    • Rooting: If you select this option, Okta denies access on rooted devices.

    ChromeOS

    • Device management: Selecting this option indicates that the device must be enrolled in ChromeOS device management.

    • Minimum ChromeOS version: Enter the minimum version details for ChromeOS.

    • Disk encryption: If you select this option, the device disk must be encrypted.

    • Firewall: If you select this option, then a firewall must be enabled.

    • Screen lock password: If you select this option, the device requires a password to unlock.

    • Screen lock: Select this checkbox to permit screen locking.

    • Minimum Chrome browser version: Enter minimum version details for Chrome browser.

    • Device enrollment domain: Add the domain for device enrollment.

    • Chrome DNS client: Select this checkbox if Chrome DNS client must be enabled.

    • Chrome Remote Desktop app: Select this checkbox if the Chrome Remote Desktop app must be blocked.

    • Safe Browsing protection level: Use the dropdown menu to select a preset value.

    • Site Isolation: Select this checkbox if Site Isolation must be enabled.

    • Password protection warning: Use the dropdown menu to select a preset value.

    • Enterprise-grade URL scanning: Select this checkbox if enterprise-grade URL scanning must be enabled.

    • Key trust level for ChromeOS: Select Device in verified mode from the dropdown menu.

    iOS
    • Minimum iOS version: Select a preset version from the list, or specify a custom version.

    • Lock screen: If you select this option, the device requires a passcode. Also, select the option if Touch ID or Face ID is required.

    • Jailbreak: If you select this option, Okta denies access on jailbroken devices.
    macOS

    • Minimum macOS version: Select a preset version from the list, or specify a custom version.

    • Lock screen: If you select this option, the device requires a password or Touch ID.

    • Disk encryption: If you select this option, the disk must be encrypted. Only internal and system volumes are evaluated for disk encryption. Volumes that are hidden, removable, automounted, or used for recovery aren’t evaluated for disk encryption.

    • Secure Enclave: If you select this option, the device must support Secure Enclave.

    If Chrome Device Trust is selected as the device posture provider, you can configure the following device attributes in addition to the platform attributes:

    • Firewall: Select this checkbox if firewall must be enabled.

    • Minimum Chrome browser version: Enter version details for Chrome browser.

    • Device enrollment domain: Add the domain for device enrollment.

    • Chrome DNS client: Select this checkbox if Chrome DNS client must be enabled.

    • Chrome Remote Desktop app: Select this checkbox if the Chrome Remote Desktop app must be blocked.

    • Safe Browsing protection level: Use the dropdown menu to select a preset value.

    • Site Isolation: Select this checkbox if Site Isolation must be enabled.

    • Password protection warning: Use the dropdown menu to select a preset value.

    • Enterprise-grade URL scanning: Select this checkbox if enterprise-grade URL scanning must be enabled.

    • Key trust level for Chrome: Select a preset value from the dropdown menu.

    Windows

    • Minimum Windows version: Select a preset version from the list, or specify a custom version.

    • Windows Hello must be enabled: If you select this option, users must have Windows Hello enabled on their devices. However, users don’t have to use Windows Hello or enter a password to sign in to apps.

    • Disk encryption: If you select this option, the disk must be encrypted.

    • Trusted Platform Module: If you select this option, the device must support a Trusted Platform Module.

    If Chrome Device Trust is selected as the device posture provider, you can configure the following device attributes in addition to the platform attributes:

    • Lock screen secured: Select this checkbox if the lock screen requires a password, Windows Hello, or a smart card.

    • Firewall: Select this checkbox if firewall must be enabled.

    • Minimum Chrome browser version: Enter version details for Chrome browser.

    • Device enrollment domain: Add the domain for device enrollment.

    • Chrome DNS client: Select this checkbox if Chrome DNS client must be enabled.

    • Chrome Remote Desktop app: Select this checkbox if the Chrome Remote Desktop app must be blocked.

    • Safe Browsing protection level: Use the dropdown menu to select a preset value.

    • Site Isolation: Select this checkbox if site isolation must be enabled.

    • Password protection warning: Use the dropdown menu to select a preset value.

    • Enterprise-grade URL scanning: Select this checkbox if enterprise-grade URL scanning must be enabled.

    • Secure Boot: Select this checkbox if Secure Boot must be enabled.

    • Windows machine domain: Enter a domain.

    • Windows user domain: Enter a domain.

    • Third party software injection: Select this checkbox if third party software injection must be blocked.

    • CrowdStrike - Agent ID: Enter your CrowdStrike Agent ID.

    • CrowdStrike - Customer ID: Enter your CrowdStrike Customer ID.

    • Key trust level for Chrome: Select a preset value from the dropdown menu.

  5. Click Save.

Three signals can be collected from either Okta Verify or Chrome Device Trust. When both Okta Verify and Chrome Device Trust are selected as device posture providers, the following signal attributes appear in the Okta Verify section of the device assurance policy:

  • Minimum OS version

  • Screen lock

  • Disk encryption

Ensure that the appropriate attribute is selected for the device assurance policy you're creating.

Related topics

Device assurance

Add user help for device assurance

Add device assurance to an authentication policy

Add a device assurance policy

Add device assurance policies for ChromeOS and Google Chrome

Delete a device assurance policy