
August 2025: This is an Early Access release
Introduction
In today’s fast-paced enterprise environment, ensuring the security of user sessions across devices is more critical than ever.
With employees accessing corporate resources from multiple macOS devices—laptops, desktops, and shared workstations—organizations face increasing risks from unauthorized access, session hijacking, and compromised credentials.
The Okta Device Logout for macOS feature provides a powerful solution by allowing IT administrators to remotely sign users out of all their macOS devices with a single action. This functionality is made possible through the integration of Okta Device Access (ODA) and Identity Threat Protection (ITP), delivering a comprehensive approach to device and identity security.
Devices perform a best-effort poll every 15 minutes to receive the sign-out command from Okta. This action requires an active connection between the device and your Okta org.
Requirements
Before you get started, make sure your environment is ready to take full advantage of these security capabilities:
- Desktop MFA is activated and properly configured in your Okta tenant.
- All end-user devices are secured with Desktop MFA protection.
- Device Access SCEP certificates have been deployed across all end-user devices.
- Okta Verify for macOS version 9.46.1 (or later) is installed on all applicable devices to ensure compatibility.
- Identity Threat Protection with Okta AI is enabled in your Okta tenant, unlocking Universal Logout for stronger account protection and threat response.
Enable Early Access Feature
The first step is to activate the Device Logout Early Access feature. To do this, navigate to Settings > Features and enable the feature.

Desktop MFA – Device Logout
To initiate a device logout, go to Directory > People, choose the desired user, and select Device Logout from the More Actions menu.

Click the Log Out All Devices button to initiate the device logout process.

System Logs
To keep track of what’s happening, check the Okta System Log for details on the device logout.
The System Log confirms that the device logout has started successfully.

A successful device logout generates the following entry in the System Log.
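Because devices pick up the sign-out command on a best-effort 15-minute poll, a logout that has started is not yet a logout that has completed. The following is an added example, not code from Okta or from this article: it pairs "started" and "success" entries from exported System Log events and reports users with no confirmation after two poll cycles. The event type names are placeholders, and the target layout, the per-user (rather than per-device) correlation, and the two-cycle grace period are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: placeholder event type names. Replace them with the eventType
# values shown in your own System Log entries for device logout.
EVT_STARTED = "PLACEHOLDER_DEVICE_LOGOUT_STARTED"
EVT_SUCCESS = "PLACEHOLDER_DEVICE_LOGOUT_SUCCESS"
POLL_INTERVAL = timedelta(minutes=15)  # best-effort poll interval from the article

def _ts(event):
    # System Log "published" values are ISO 8601 timestamps ending in "Z".
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def _user(event):
    # Assumption: the affected user is listed as a target of type "User".
    for target in event.get("target") or []:
        if target.get("type") == "User":
            return target.get("alternateId")
    return None

def unconfirmed_logouts(events, now, grace_polls=2):
    """Return (user, started_at) for logouts lacking a success entry; now is tz-aware."""
    grace = POLL_INTERVAL * grace_polls  # assumption: allow two poll cycles
    overdue = []
    for ev in events:
        if ev["eventType"] != EVT_STARTED:
            continue
        user, started = _user(ev), _ts(ev)
        confirmed = any(
            other["eventType"] == EVT_SUCCESS
            and _user(other) == user
            and started <= _ts(other) <= started + grace
            for other in events
        )
        # Only report once the grace window has fully elapsed.
        if not confirmed and now - started > grace:
            overdue.append((user, started))
    return overdue

def _event(event_type, published, user):
    return {"eventType": event_type, "published": published,
            "target": [{"type": "User", "alternateId": user}]}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    _event(EVT_STARTED, "2025-08-01T10:00:00.000Z", "alice@example.com"),
    _event(EVT_STARTED, "2025-08-01T10:05:00.000Z", "bob@example.com"),
    _event(EVT_SUCCESS, "2025-08-01T10:12:30.000Z", "alice@example.com"),
]
```

A user reported here may simply have a device that is offline, since the command is only delivered while the device has an active connection to the Okta org.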

Demo – Device Logout
In this demo, we showcase the full capabilities of Okta Device Logout, guiding you through the process of signing a user out of a device.
Universal Logout with Identity Threat Protection
The Device Logout for macOS feature combines Okta Device Access and Identity Threat Protection. This integration gives you the ability to remotely sign users out of all their macOS devices.
Enabling the Logout Feature
To enable the Logout feature, open your Desktop MFA application.

Navigate to the Authentication tab, scroll down to the Logout section, enable the Logout feature, and save your settings.

Entity Risk Policy configuration
The next step is to create an Entity Risk Policy and include Device Logout as part of it.
To do this, navigate to Security > Entity Risk Policy.

Select Add Rule to create a new rule within the Entity Risk Policy.
This action allows you to define custom configurations tailored to your organization’s risk management requirements.

To configure a rule, follow these steps:
- Enter a Rule Name that reflects the purpose of the policy.
- Specify User Groups: Choose an option to define which user groups should be included or excluded from the rule. For instance, in my example, I selected Any Group to apply the rule universally.
- Set Detection Criteria: Choose Include at least one of the following detections and select your desired detection type.
- Select Any for the Entity Risk Level to capture all risk levels.
- Select Logout and Revoke Tokens.
- In my configuration, Partial Universal Logout applies to the Desktop MFA application.
- Save the rule.

Once the Entity Risk Policy Rule is successfully configured, it will appear in the Entity Risk Policy section of the admin console.
By default, the rule’s status is set to Enabled, meaning it is active and ready to enforce the specified actions in response to detected identity risks.

Demo
In this demo, you will see the combined power of Okta Device Access and Identity Threat Protection. When a threat is detected, the user is signed out not only of supported applications but also of the device itself.
