One of the biggest challenges for organisations is being able to increase the security posture of their employee’s BYOD devices while respecting their privacy and improving their user experience.
Okta announced recently the new feature called Okta Device Assurance which allow organisations to increase the posture of their BYOD’s users leveraging Okta Verify Application.
Until now organisations had to rely on nothing or on a Mobile Device Management which requires an enrolement in order to have visibility and control over the posture of the device which is heavily pushed back by end users due to the privacy concerns.
In this Article I will take you through how to setup Okta Device Assurance Policy in your Okta Tenant.
To facilitate your policies deployement I have gathered below the Policies available per Platform type.
| Policies/Platforms | IOS | Android | MacOS | Windows |
| Minimum OS version | Use a pre-set version E.g. 15. Customize minimum version. | Use a pre-set version E.g. 12. Customize minimum version. | Use a pre-set version E.g. Monterey (12). Customize minimum version. | Use a pre-set version E.g. Windows 11 (22H2). Customize minimum version. |
| Lock Screen/Biometrics | Passcode must be set. Touch ID or Face ID must be enabled. | Screen lock must be enabled. Biometrics must be enabled. | Password must be set. | Password must be set. Windows Hello must be enabled. |
| Disk Encryption | N/A | Device disk must be encrypted. | Device disk must be encrypted. | Device disk must be encrypted. |
| Hardware Keystore | N/A | Device supports hardware-backed keys. | N/A | N/A |
| Rooting/jailbreak | Device must not be jailbroken. | Device must not be rooted. | N/A | N/A |
| Secure Enclave / Trust Platform Module | N/A | N/A | Device supports Secure Enclave. | Device uses a Trusted Platform Module. |
Prerequisite
1 x Okta Workforce tenant with 1 type of device (As per above table) enrolled with Okta Verify.
I will be using an Android device for testing in this article.
Adding a device assurance policy
In your Okta Admin console tenant go to Security –> Device Assurance Policies and then click on “Add a policy”
You can configure multiple level of assurance depending on your security criteria. In this exemple we will create a BYOD Android high assurance policy that requires a higher level or security posture requirements.
It is time now to configure an Application Policy to apply the BYOD Android High Assurance rule which means that in order to be able to access the Application the device will need to meet the above criteria configured or it will be denied or fall back depending on how you want to secure your access.
This Rule has now been assigned to the Okta Dashboard and will require the Device Assurance to meet the requirement as per previous set.
In order to test we will be using an Android Device that has Biometric and screenlock turned off.
I will now from this device go to okta Verify app and access the Dashboard. When trying to sign in I know get the message below:
To be able to see the device posture from a user end to see what you have to do to comply, you can do so by clicking the icon below in Okta verify app:
For more details on this capability check out the online help here:
https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/device-assurance.htm
