Manage user devices authorised to access applications

Fine-grained, device-level authorisation was not really possible before devices became first-class citizens in the Okta Identity Engine.

User devices (with Okta FastPass installed) could always be suspended or deactivated in OIE (Directory → Devices), but doing so prevents the user from using that device to access any application in Okta.

[Screenshot: Suspend or Deactivate a device in Okta]

This article will show you how to control which user devices are authorised to access which applications, without having to suspend or deactivate the device in Okta.

It requires Okta FastPass to be installed on the user's device. Okta FastPass is an app (iOS/Android/Windows/Mac) that allows a user to sign in to applications without requiring a password.

Let’s get started!


Setup

This section covers the steps to set up Okta and the required application security policies to achieve user device-level authorisation.

Create a String array attribute to hold device IDs

  • Navigate to Directory → Profile Editor. Create a new String Array attribute for the ‘Okta’ user profile called ‘byodDevices’. This attribute will hold the device IDs that are authorised (or allowed) to access applications.
  • Populate the String array for the user with the Device UUID of the user's device that is allowed to access the application, as shown below. The user's Device UUID can be found under Directory → Devices or via the Okta Devices API.

[Screenshot: Add Device UUIDs to the ‘Allowed’ list]

Create an Application Security rule to authorise devices

Navigate to Security → Authentication Policies. Click the authentication policy that applies to the application for which you would like to restrict devices.

  • Make sure ‘Device State’ is ‘Registered’
  • Device Management can be ‘Managed or Unmanaged’
  • Add the following expression into the ‘Custom Expression’ textbox:

device.profile.registered==true && user.profile.byodDevices.contains(device.profile.udid)

  • Make sure Access is ‘Allowed after successful authentication’
  • And the User must Authenticate with a ‘Possession factor’

Testing the setup

Using a device whose Device UUID is populated against the user profile (in Step 1), access the application you have created a security rule for. You should be allowed access to the application, because the custom expression evaluates to true.

Negative testing:

Remove the device UUID registered against the user profile.

Close and reopen the application you have created the rule for. You should be prompted for Okta Verify, but should then be denied access.
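As an added example (not code from the article), the following Python script automates the two manual steps above, adding a device to the user's ‘byodDevices’ list and removing it again for the negative test, and also models the custom expression locally so the Android no-UDID case can be checked. The org URL, API token and user/device IDs are placeholders; the endpoints used are the standard Okta Users and Devices API paths.

```python
import json
import urllib.request

# Placeholders, not values from the article: fill in for your own org.
OKTA_ORG = "https://example.okta.com"
API_TOKEN = "<SSWS API token placeholder>"
ATTR = "byodDevices"  # the String Array attribute created in Profile Editor


def updated_allow_list(current, device_id, allow):
    """Return the new byodDevices value with one device added or removed (no duplicates)."""
    new_list = [d for d in (current or []) if d != device_id]
    if allow:
        new_list.append(device_id)
    return new_list


def policy_allows(device_registered, device_identifier, allow_list):
    """Local model of the rule:
    device.profile.registered==true && user.profile.byodDevices.contains(<identifier>)
    An Android device has no UDID, so the identifier may be None and the rule denies."""
    if not device_registered or device_identifier is None:
        return False
    return device_identifier in (allow_list or [])


def _okta(method, path, body=None):
    """Minimal Okta API call using an SSWS API token (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(OKTA_ORG + path, data=data, method=method, headers={
        "Authorization": f"SSWS {API_TOKEN}",
        "Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def set_device_allowed(user_id, device_id, allow=True):
    """Read the user's current list, then partially update the Okta user profile."""
    user = _okta("GET", f"/api/v1/users/{user_id}")
    new_list = updated_allow_list(user["profile"].get(ATTR), device_id, allow)
    return _okta("POST", f"/api/v1/users/{user_id}", {"profile": {ATTR: new_list}})


if __name__ == "__main__":
    # Look the device up, prefer its UDID and fall back to the Okta device id (no UDID on Android).
    device = _okta("GET", "/api/v1/devices/<device id placeholder>")
    identifier = device["profile"].get("udid") or device["id"]
    set_device_allowed("<user id placeholder>", identifier, allow=True)   # positive test
    set_device_allowed("<user id placeholder>", identifier, allow=False)  # negative test
```

If you fall back to the Okta device id, the custom expression must compare against device.id rather than device.profile.udid, otherwise the allow list and the rule will never match.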

[Screenshot: FastPass authorisation error]
[Screenshot: Application authorisation message]

Thanks to my friend Yoshi for letting me know that ‘device.id’ can also be used instead of ‘device.profile.uuid’. This is useful because Android devices will not have a UUID.
