Integrate Okta with Android Device Trust
By setting up an integration with the Android Device Trust endpoint, you can strengthen the security on Android devices. You can configure authentication policies to ensure that only Google-certified Android devices can access Okta-protected apps. Android Device Trust expands the range of standard security posture signals.
Prerequisites
- Sign-In Widget 7.29 or later
- End-user devices are enrolled in Okta Verify 8.3.1.
- Enable the Android Device Trust feature from the Admin Console. This is an Early Access release. See Enable self-service features.
Add Android Device Trust as an endpoint
- In the Admin Console, go to .
- On the Endpoint security tab, click Add endpoint integration.
- Select Android Device Trust.
- Select Android.
- Click Save.
The new Android Device Trust integration appears on the Device Integrations page.
Add a device assurance policy to use Android Device Trust signals
To add the device assurance policy, see Add a device assurance policy.
Through the integration with Android Device Trust, Okta receives extra signals from registered Android devices. Therefore, you can configure extra assurance conditions in your policy rules:
- Enforce latest major OS updates available to device: This condition is available if you enabled the Dynamic OS version compliance Early Access feature and set the OS requirement to a dynamic version such as OS version must be at least the latest supported major version.
- Lock screen: Configure the screen lock complexity: None, Low, Medium, or High.
- Google Play Protect: Select the checkbox to make Google Play Protect scans mandatory. Users who disabled scan services on their devices are prompted to enable them again. Configure the maximum risk threshold of the scan:
  - Low: No issues were found. This is the most secure option.
  - Medium: The scan detected potentially harmful apps.
  - High: The scan detected harmful apps or the scan wasn't evaluated. This is the least secure option.
- Device integrity level: Select any of the following options:
  - None: Default. The device integrity isn't evaluated during authentication. Change this value if you want the policy to check the device integrity.
  - Basic: The device passes basic system integrity checks. Devices on Android 13 or later require Android Platform Key Attestation. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. For example, the device may be running an unrecognized version of Android.
  - Standard: The app is running on an Android-powered device with Google Play services. The device passes system integrity checks and meets Android compatibility requirements.
  - Strong: The device has Google Play services and a strong guarantee of system integrity according to Android compatibility requirements. Devices on Android 13 or later must have had a security update in the last year.
- USB debugging: Select the checkbox to ensure that USB debugging is disabled. If the user's device doesn't comply with this requirement, they're prompted to turn off debugging from Developer Options.
- Network proxies: Select the checkbox to ensure that the user's device doesn't use a network proxy.
- WiFi network security: Select the checkbox to ensure that users access their apps on a secure wireless network. If the network isn't secure, users are prompted to use mobile data to access the Okta-protected resource.
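The conditions above combine into one allow-or-deny decision, with a remediation hint for each failed check. The Python model below is an added example, not Okta's code: the policy and posture field names are assumed and the sample values are constructed, but the level orderings (Low < Medium < High for Play Protect risk, None < Basic < Standard < Strong for integrity, and an unevaluated scan counting as High) follow the definitions in the list above.

```python
from dataclasses import dataclass
from typing import Optional

# Ordered levels from the condition list; each runs from least to most secure.
LOCK_SCREEN = ["None", "Low", "Medium", "High"]
PLAY_PROTECT_RISK = ["Low", "Medium", "High"]        # High = harmful apps or scan not evaluated
INTEGRITY = ["None", "Basic", "Standard", "Strong"]  # None = integrity not evaluated by the policy
@dataclass
class Policy:
    # Assumed field names modelling the assurance conditions; defaults impose no requirement.
    min_lock_screen: str = "None"
    require_play_protect: bool = False
    max_play_protect_risk: str = "High"
    min_integrity: str = "None"
    require_usb_debugging_off: bool = False
    forbid_network_proxy: bool = False
    require_secure_wifi: bool = False
@dataclass
class DevicePosture:
    # Constructed signal set, modelled on the signals the page lists.
    lock_screen: str
    play_protect_enabled: bool
    play_protect_risk: Optional[str]   # None when the scan wasn't evaluated
    integrity: str
    usb_debugging: bool
    network_proxy: bool
    wifi_secure: bool
def evaluate(policy: Policy, device: DevicePosture) -> list[str]:
    """Return remediation messages; an empty list means the device is compliant."""
    problems = []
    if LOCK_SCREEN.index(device.lock_screen) < LOCK_SCREEN.index(policy.min_lock_screen):
        problems.append(f"Set a {policy.min_lock_screen}-complexity screen lock.")
    if policy.require_play_protect:
        if not device.play_protect_enabled:
            problems.append("Enable Google Play Protect scanning.")
        else:
            # An unevaluated scan is treated as High risk, the least secure outcome.
            risk = device.play_protect_risk or "High"
            if PLAY_PROTECT_RISK.index(risk) > PLAY_PROTECT_RISK.index(policy.max_play_protect_risk):
                problems.append("Remove apps flagged by Google Play Protect and rescan.")
    if policy.min_integrity != "None" and INTEGRITY.index(device.integrity) < INTEGRITY.index(policy.min_integrity):
        problems.append(f"Device integrity must be at least {policy.min_integrity}.")
    if policy.require_usb_debugging_off and device.usb_debugging:
        problems.append("Turn off USB debugging in Developer Options.")
    if policy.forbid_network_proxy and device.network_proxy:
        problems.append("Disable the network proxy.")
    if policy.require_secure_wifi and not device.wifi_secure:
        problems.append("Switch to mobile data or a secure wireless network.")
    return problems
```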
User experience
When a user accesses apps protected by a policy that uses Android Device Trust signals, Okta evaluates the conditions during authentication. If the device doesn't meet the policy requirements, the user can't access the app and receives the message Your device doesn't meet the security requirements.
- Okta Verify users must install the Android Device Policy app before Okta can collect and enforce Android Device Trust signals. Users who don't have the app are prompted to install it as part of the authentication flow. After they install Android Device Policy, users can access their apps. If the installation fails, users are prompted to contact their IT department for troubleshooting. You can advise users to proactively install Android Device Policy from Google Play for a smoother onboarding experience.
- Messages include remediation instructions that help users bring their device into compliance and then access the app.
- If users are denied access due to the Google Play Protect condition not being satisfied, ask them to force stop Okta Verify, reopen it, and then sign in again.