Fine-grained, device-level authorisation was not really possible before devices became first-class citizens in the Okta Identity Engine (OIE).
User devices (with Okta FastPass installed) could always be suspended or deactivated in OIE (Directory → Devices), but that prevents the user from using the device to access any application in Okta.
This article shows how to control which user devices are authorised to access which applications, without suspending or deactivating the device in Okta.
It requires Okta FastPass to be installed on the user's device. Okta FastPass (iOS/Android/Windows/macOS) lets a user sign in to applications without a password.
Let’s get started!
This section covers the steps to set up Okta and the required application security policies to achieve user-device-level authorisation.
Create a String array attribute to hold device IDs
- Navigate to Directory → Profile Editor. Create a new String Array attribute on the ‘Okta’ user profile called ‘byodDevices’. This attribute holds the IDs of the devices that are authorised (allowed) to access applications.
- Populate the string array on the user's profile with the device UUID of each device that is allowed to access the application, as shown below. The device UUID can be found under Directory → Devices or via the Okta Devices API.
Create an Application Security rule to authorise devices
Navigate to Security → Authentication Policies. Open the authentication policy in which you want to restrict access to certain devices, and configure the rule as follows:
- Make sure ‘Device State’ is ‘Registered’
- ‘Device Management’ can be ‘Managed or Unmanaged’
- Add the following expression to the ‘Custom Expression’ textbox:
device.profile.registered==true && user.profile.byodDevices.contains(device.profile.udid)
- Make sure Access is ‘Allowed after successful authentication’
- The user must authenticate with a ‘Possession factor’
Testing the setup
Using a device whose UUID is populated in the user profile (Step 1), open the application you created the security rule for. You should be allowed access, because the custom expression evaluates to true.
Then remove the device UUID from the user profile.
Close and reopen the application the rule applies to. You should be prompted for Okta Verify, but then be denied access.
Thanks to my friend Yoshi for letting me know that ‘device.id’ can also be used instead of ‘device.profile.udid’. This is useful because Android devices do not have one.
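To make the behaviour of the rule (Step 2), the test procedure (remove the UUID and access is denied) and the Android caveat above concrete without an Okta tenant, here is an offline model of the policy evaluation. It is added example code, not Okta's own implementation or expression engine: the user profile, the device profiles and the `contains` semantics are constructed in Python, and every identifier value is a labelled placeholder rather than a real Okta ID. Note that when a device has no UDID the `udid` variant of the rule denies access even though the device is registered, which is exactly the case the `device.id` variant handles.

```python
"""Offline model of the OIE device-authorisation rule (added example, not Okta code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DeviceProfile:
    # Only the attributes the policy expression reads are modelled:
    # device.profile.registered and device.profile.udid.
    registered: bool
    udid: Optional[str] = None  # None models an Android device with no UDID


@dataclass
class Device:
    id: str  # device.id, which every registered device has regardless of platform
    profile: DeviceProfile


@dataclass
class UserProfile:
    # The custom String Array attribute created in Directory -> Profile Editor.
    byodDevices: List[str] = field(default_factory=list)


def contains(array: List[str], value: Optional[str]) -> bool:
    """Model of the expression-language `contains` on a string array (assumption):
    an exact-match membership test that is false for a missing (null) value."""
    return value is not None and value in array


def rule_udid(user: UserProfile, device: Device) -> bool:
    """device.profile.registered==true && user.profile.byodDevices.contains(device.profile.udid)"""
    return device.profile.registered and contains(user.byodDevices, device.profile.udid)


def rule_device_id(user: UserProfile, device: Device) -> bool:
    """device.profile.registered==true && user.profile.byodDevices.contains(device.id)"""
    return device.profile.registered and contains(user.byodDevices, device.id)


def authorise(user: UserProfile, identifier: str) -> None:
    """Step 1: add a device identifier to the user's byodDevices array."""
    if identifier not in user.byodDevices:
        user.byodDevices.append(identifier)


def revoke(user: UserProfile, identifier: str) -> None:
    """Testing step: remove the identifier again; the rule should now deny."""
    if identifier in user.byodDevices:
        user.byodDevices.remove(identifier)


# Constructed sample devices; the ID and UDID strings are placeholders, not real Okta values.
IOS_DEVICE = Device(id="DEVICE-ID-IOS-PLACEHOLDER",
                    profile=DeviceProfile(registered=True, udid="UDID-IOS-PLACEHOLDER"))
ANDROID_DEVICE = Device(id="DEVICE-ID-ANDROID-PLACEHOLDER",
                        profile=DeviceProfile(registered=True))  # no UDID on Android
UNREGISTERED_DEVICE = Device(id="DEVICE-ID-OTHER-PLACEHOLDER",
                             profile=DeviceProfile(registered=False, udid="UDID-OTHER-PLACEHOLDER"))


def walkthrough() -> dict:
    """Runs the article's procedure against the sample data and returns each outcome."""
    user = UserProfile()
    results = {}

    # Step 1 + Step 2: the iOS device is listed, so the udid rule allows it.
    authorise(user, "UDID-IOS-PLACEHOLDER")
    results["ios_allowed"] = rule_udid(user, IOS_DEVICE)
    # A registered device that is not listed is denied.
    results["unregistered_denied"] = not rule_udid(user, UNREGISTERED_DEVICE)

    # Testing step: removing the UUID from the profile flips the decision to deny.
    revoke(user, "UDID-IOS-PLACEHOLDER")
    results["ios_denied_after_revoke"] = not rule_udid(user, IOS_DEVICE)

    # Android caveat: the udid-based rule can never match, the device.id rule can.
    authorise(user, "DEVICE-ID-ANDROID-PLACEHOLDER")
    results["android_udid_rule"] = rule_udid(user, ANDROID_DEVICE)
    results["android_device_id_rule"] = rule_device_id(user, ANDROID_DEVICE)
    return results


if __name__ == "__main__":
    for check, outcome in walkthrough().items():
        print(f"{check}: {outcome}")
```

The `authorise`/`revoke` helpers stand in for editing the user's `byodDevices` attribute in the Okta admin console or via the Users API; in production the array should be maintained by an automated process tied to device enrolment, so that a lost or retired device is removed promptly rather than relying on a manual edit.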