Okta Device Access
Okta Device Access extends the identity and access management capabilities of Okta to your device's sign-in experience. Using the same authenticators that secure your Okta-protected apps and workforce devices, your users can verify their identity and sign in to their devices with a secure, seamless experience.
For more information about Okta Device Access products and availability, visit the Okta Device Access product page.
Get started
| Feature | Description |
|---|---|
| | Establish a trusted, cryptographic identity for each device in your org. This enables you to build granular access policies that differentiate between managed and unmanaged endpoints. |
| | Unify the sign-in experience on your macOS devices by syncing a user's Okta password with their local account. Or, use a fully passwordless and phishing-resistant sign-in flow with a Secure Enclave-backed Key. |
| | Use strong Okta Multifactor Authentication at the macOS login window to secure every sign-in attempt. |
| | Use strong Okta Multifactor Authentication at the Windows sign-in screen to secure every sign-in attempt. |
| | Achieve the highest level of assurance by binding user sessions to a hardware-protected key on the device. This helps to prevent session hijacking and enables a truly passwordless experience. |
Additional features
- Desktop Password Autofill
  When Desktop Password Autofill is enabled, users can sign in to their Windows computer with a passwordless experience using a FIDO2 security key or Okta Verify Push. The user still has a valid password that they can use when authenticators are unavailable, the computer is offline, or if the passwordless sign-in experience fails. See Configure Desktop Password Autofill for Windows.
- Self-service password reset
  Desktop MFA for Windows allows users to initiate a password reset if they're locked out of their computer. When changing a password with the self-service password reset, the user changes their Okta password, which is then synced with Active Directory or Azure Active Directory. See Enable self-service password reset for Windows.
- Desktop MFA recovery
  If a user doesn't have access to their MFA authenticators and can't sign in to their computer, they need assistance to regain access. Desktop MFA recovery enables users to contact an IT admin for a time-limited device recovery PIN that grants temporary access to their computer. See Enable Desktop MFA recovery for Windows and Enable Desktop MFA recovery for macOS.
- Desktop Password Sync
  Users can synchronize their macOS password with their Okta password, eliminating the need to remember another password.
- Just-In-Time Local Account Creation
  Just-In-Time Local Account Creation allows you to create a local macOS account for a given Okta username and password directly from the macOS login window. This is especially beneficial for shared devices, or workstations that support multiple users. See Just-In-Time Local Account Creation for macOS.
- Device Logout for macOS
  Device Logout allows you to sign users out of Desktop MFA-protected devices. Device Logout for macOS is useful for scenarios where user credentials are compromised or if there's evidence of identity-based threats like session hijacking. If your org has Identity Threat Protection, you can configure an entity risk policy to automatically trigger the sign-out action.