Sign users out of devices
Early Access release. See Enable self-service features.
Use the Device Logout feature to sign users out of their devices.
This feature is useful for scenarios where user credentials are compromised or if there's evidence of identity-based threats like session hijacking. You can also use this feature to handle employee lifecycle changes such as leaves of absence or offboarding. If a user is deactivated or suspended, Okta automatically signs the user out from all devices.
Devices perform a best-effort poll every 15 minutes to receive the sign-out command from Okta. This action requires an active connection between the device and your Okta org, so a device that is offline or can't reach your org isn't signed out until it next polls successfully.
Prerequisites
- Deploy Device Access SCEP certificates to end user devices.
- End user devices are protected with Desktop MFA. Device Logout is only supported for macOS devices.
- End user devices have Okta Verify for macOS version 9.46.1 or later installed.
- Activate Identity Threat Protection with Okta AI in your org to use Universal Logout with Identity Threat Protection.
- For standard admin roles, only super admins can sign users out of their devices.
- For custom admin roles, enable the Device Logout permissions for the admin role:
  - In the Admin Console, go to .
  - Activate these features:
    - Enable custom admin roles for Okta Device Access permissions
    - Enable custom admin roles for device permissions
  - When you Create a role, grant both of the following permissions:
    - Log a user out from devices under the User permission group
    - Log users out from devices under the Device permission group
Sign a user out of all devices
Use the following procedure to manually sign out a single user from all of their registered devices. This action is handled through the user's Universal Directory profile.
- In the Admin Console, go to .
- Search for the user by name or email address.
- Optional. Use the Status dropdown menu to filter the results by user status.
- Click the user's name to open their profile.
- On the profile page, select More Actions, and then select Device Logout.
- Click Log out all devices on the confirmation prompt.
Sign a user out of their devices with Universal Logout
Configure the sign-out action for devices within the Desktop MFA app.
- In the Admin Console, go to .
- Select the Desktop MFA app.
- Select the Authentication tab.
- In the Logout section, click Edit.
- Select Okta system or admin initiates logout.
- Click Save.
Universal Logout with Identity Threat Protection
The Universal Logout feature in Identity Threat Protection with Okta AI (ITP) can automatically sign a user out of all of their devices when an entity risk policy triggers a configured condition. See Detection settings for entity risk policy.
- Ensure that ITP is activated in your org. See Identity Threat Protection with Okta AI, or contact Okta Support.
- When you configure the conditions in the rule for your entity risk policy, select Logout and revoke tokens as the rule action.
- Click Save to confirm the policy rule.
Universal Logout with Clear User Sessions
You can also sign a user out of all their devices by clearing the user's session on their Profile page.
- In the Admin Console, go to .
- Search for the user, and then click the user's name to open their Universal Directory profile.
- Under the More Actions dropdown menu, select Clear User Sessions.
- In the Clear sessions and revoke tokens dialog, select Also include logout enabled apps and Okta API tokens.
- Click Clear and revoke to clear the user's session.
View Device Logout System Log events
To view System Log events in the Admin Console, go to and search for the event name.
The System Log records the following events for Device Logout operations:
- device.desktop_mfa.device_logout.started: Added when Okta or an admin invokes a Device Logout operation for a user.
- device.desktop_mfa.device_logout.completed: Added when the device completes the user sign-out operation and sends the result to Okta.
- device.desktop_mfa.configuration.update: Added when an admin changes the Universal Logout configuration for a Desktop MFA app instance. The entry includes the Client ID of the Desktop MFA app instance.
See Event Types in the Okta API documentation.
You can correlate a device.desktop_mfa.device_logout.started event with the device.desktop_mfa.device_logout.completed event using the TraceID value. The TraceID is found in the recorded for the event.
If Universal Logout triggered the device sign-out operation, you can correlate the event with a user.authentication.universal_logout event also using the TraceID.
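The correlation described above, carried out over exported System Log events, as an added example that is not Okta's code or part of this page. It pairs each device_logout.started event with the device_logout.completed events that share its TraceID, flags whether a user.authentication.universal_logout event shares the same TraceID (so the sign-out was triggered by Universal Logout rather than an admin), and, because devices only poll best-effort every 15 minutes, reports any started operation that no device has acknowledged within that window. Assumptions, also marked in the code: the TraceID is read from debugContext.debugData.traceId (the page doesn't name the field), the device is identified by a target entry of type "Device", and every event in the sample is constructed data in the general System Log JSON shape, not real log output.

```python
"""Correlate Okta Device Logout System Log events by TraceID.
Added example, not Okta's code. Assumptions: TraceID lives at
debugContext.debugData.traceId, device targets have type "Device",
and SAMPLE_LOG below is constructed data, not real Okta output."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

STARTED = "device.desktop_mfa.device_logout.started"
COMPLETED = "device.desktop_mfa.device_logout.completed"
UNIVERSAL_LOGOUT = "user.authentication.universal_logout"

# Devices poll Okta best-effort every 15 minutes; a started sign-out with no
# completion after that window may mean the device is offline or unreachable.
POLL_WINDOW = timedelta(minutes=15)

def parse_ts(value: str) -> datetime:
    """Parse the System Log 'published' timestamp (ISO 8601 with a 'Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def trace_id(event: dict) -> Optional[str]:
    # Assumption: where the TraceID is recorded. Adjust to match your org's events.
    return event.get("debugContext", {}).get("debugData", {}).get("traceId")

def target_of(event: dict, kind: str, attr: str) -> Optional[str]:
    for t in event.get("target", []):          # first target entry of the given type
        if t.get("type") == kind:
            return t.get(attr)
    return None

@dataclass
class LogoutTrace:
    trace: str
    user: Optional[str] = None
    started_at: Optional[datetime] = None
    initiated_by: Optional[str] = None         # actor of the started event
    universal_logout: bool = False             # a universal_logout event shares the TraceID
    completed: Dict[str, datetime] = field(default_factory=dict)  # device -> completion time

def load_events(log_text: str) -> List[dict]:
    """Parse newline-delimited System Log JSON."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def correlate(events: List[dict]) -> Dict[str, LogoutTrace]:
    traces: Dict[str, LogoutTrace] = {}
    for e in sorted(events, key=lambda ev: parse_ts(ev["published"])):
        kind, t = e.get("eventType"), trace_id(e)
        if kind not in (STARTED, COMPLETED, UNIVERSAL_LOGOUT) or t is None:
            continue                           # e.g. configuration.update, or no TraceID
        rec = traces.setdefault(t, LogoutTrace(trace=t))
        if kind == UNIVERSAL_LOGOUT:
            rec.universal_logout = True
        elif kind == STARTED:
            rec.started_at = parse_ts(e["published"])
            rec.initiated_by = e.get("actor", {}).get("displayName")
            rec.user = target_of(e, "User", "alternateId")
        else:                                  # COMPLETED: one per device that acknowledged
            device = target_of(e, "Device", "displayName") or "unknown-device"
            rec.completed[device] = parse_ts(e["published"])
    return traces

def completion_seconds(rec: LogoutTrace) -> Optional[float]:
    """Seconds from the started event to the last device completion, or None."""
    if rec.started_at is None or not rec.completed:
        return None
    return (max(rec.completed.values()) - rec.started_at).total_seconds()

def outstanding(traces: Dict[str, LogoutTrace], now: datetime) -> List[str]:
    """TraceIDs started more than one poll window ago with no device completion."""
    return sorted(t for t, r in traces.items()
                  if r.started_at is not None and not r.completed
                  and now - r.started_at > POLL_WINDOW)

# Constructed sample log (not real Okta output): one Universal Logout that a device
# acknowledged, one admin-initiated sign-out nobody acknowledged, one ignored event.
SAMPLE_LOG = r'''
{"published":"2024-05-01T10:00:00.000Z","eventType":"user.authentication.universal_logout","actor":{"displayName":"Okta System"},"target":[{"type":"User","alternateId":"alice@example.com"}],"debugContext":{"debugData":{"traceId":"trace-0001"}}}
{"published":"2024-05-01T10:00:02.000Z","eventType":"device.desktop_mfa.device_logout.started","actor":{"displayName":"Okta System"},"target":[{"type":"User","alternateId":"alice@example.com"}],"debugContext":{"debugData":{"traceId":"trace-0001"}}}
{"published":"2024-05-01T10:07:40.000Z","eventType":"device.desktop_mfa.device_logout.completed","actor":{"displayName":"Okta Verify"},"target":[{"type":"User","alternateId":"alice@example.com"},{"type":"Device","displayName":"alice-mbp"}],"debugContext":{"debugData":{"traceId":"trace-0001"}}}
{"published":"2024-05-01T10:15:00.000Z","eventType":"device.desktop_mfa.configuration.update","actor":{"displayName":"Jane Admin"},"target":[{"type":"AppInstance","displayName":"Desktop MFA"}],"debugContext":{"debugData":{"traceId":"trace-0003"}}}
{"published":"2024-05-01T10:30:00.000Z","eventType":"device.desktop_mfa.device_logout.started","actor":{"displayName":"Jane Admin"},"target":[{"type":"User","alternateId":"bob@example.com"}],"debugContext":{"debugData":{"traceId":"trace-0002"}}}
'''
NOW = parse_ts("2024-05-01T11:00:00.000Z")    # fixed "now" so the sample is reproducible

if __name__ == "__main__":
    traces = correlate(load_events(SAMPLE_LOG))
    for t, rec in sorted(traces.items()):
        how = "Universal Logout" if rec.universal_logout else f"admin/system ({rec.initiated_by})"
        secs = completion_seconds(rec)
        print(f"{t}: {rec.user} via {how}: " + (f"completed in {secs:.0f}s on {', '.join(rec.completed)}" if secs is not None else "no device has completed"))
    for t in outstanding(traces, NOW):
        print(f"ALERT {t}: no completion within {POLL_WINDOW}; check whether the device can reach Okta")
```

Run against a real export, replace SAMPLE_LOG with the newline-delimited events returned by the System Log API for the event types above, and keep `outstanding` on a schedule: a started event that never completes is the case the 15-minute best-effort poll leaves open, and it is the one an incident responder handling a compromised credential most needs to know about.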