Create an Okta Device Trust authentication policy

ROLE REQUIRED

Okta Super Administrator

Authentication policies define and enforce access requirements for apps. Following ZeroTek best practices, most apps are well secured using the Any Two Factors default policy.

For applications requiring a higher level of access control, this procedure creates a dedicated authentication policy that enforces Device Trust: it requires authentication from a managed device and denies access to anyone who doesn't meet the criteria.

This procedure has two phases:

  • Phase 1 (Test configuration): You will create the policy and its rules, then assign a test application and a test group to validate that Device Trust is working correctly.

  • Phase 2 (Production configuration): Once testing is complete, you will remove the test group from the policy rules and add the production applications that should be governed by Device Trust.

BEFORE YOU BEGIN

This procedure is part of ZeroTek's Okta Device Trust Setup guide and assumes you have completed all prior procedures in the guide.

Before starting, identify or create a group in ZeroTek to use for testing Device Trust and add the members you want to use for testing. Following ZeroTek's naming conventions, the group might be called "Policy - Device Trust".

IMPORTANT

Modifying Okta authentication policies is a Protected Action in Okta. Before starting this procedure you must be logged into the Okta Admin Console using either the MSP-Okta Integration account or another secure break-glass account that has Okta Super Administrator privileges.

Okta will prompt you to re-authenticate every time you create or modify an authentication policy rule. This is expected behavior.

Phase 1: Test configuration

Create the authentication policy

  1. In the Okta Admin Console, click Security > Authentication Policies.

  2. Click Add a policy.

  3. In the Name field, type a name for the policy. This article will refer to this policy as "Critical Apps". Optionally add a description, then click Save.

Create a Device Trust requirements rule

  1. Click Add rule.

  2. In the Rule name field, type a name. This article will refer to this rule as "Device Trust - Requirements Rule".

  3. In the User's group membership dropdown, select At least one of the following groups, then select the group you created for Device Trust testing (for example, "Policy - Device Trust").

  4. For Device management is, select Registered and Managed.

  5. For Possession factor constraints, select Require user interaction only.

  6. For the authentication prompt, select When an Okta global session doesn't exist, then click Save.

Create an Any Two Factors rule

During testing, this rule ensures users not in the Device Trust test group can still access applications assigned to this policy.

  1. Click Add rule.

  2. In the Rule name field, type a name. This article will refer to this rule as "Any Two Factor - Non Test Users".

  3. For Possession factor constraints, select Require user interaction.

  4. For the authentication prompt, select When an Okta global session doesn't exist, then click Save.

Create a deny rule and confirm rule order

  1. Beside the existing Catch-all Rule, click Actions > Edit.

  2. In the Access is area, click Denied, then click Save.

  3. Confirm the rules are in the following order:

    • Device Trust - Requirements Rule

    • Any Two Factor - Non Test Users

    • Catch-all Rule

Assign a test application and test

  1. Click the Applications tab, then click Add app.

  2. Click Add beside the application you want to test with, and then click Done.

  3. Confirm the application is assigned to the Critical Apps policy.

  4. Sign in to the test application using an account from the Device Trust test group and verify access is granted.

  5. Sign in from an untrusted or unmanaged device and verify access is blocked.

Phase 2: Production configuration

Once testing is complete and you are satisfied Device Trust is working correctly:

  1. In the Device Trust - Requirements Rule, remove the test group from the User's group membership field. With no group restriction in place, the rule will apply to all users accessing applications assigned to this policy.

  2. Add any additional applications that should be governed by Device Trust to the Critical Apps policy via the Applications tab.
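After either phase, it is worth confirming from the API, rather than only by eye in the console, that the rules in the Critical Apps policy are ordered and configured as described above. The following script is an added example; it is not part of the ZeroTek article or of Okta's own tooling. It audits the JSON that the Okta Policies API returns for a policy's rules (`GET /api/v1/policies/{policyId}/rules`). The field names it reads (`priority`, `system`, `conditions.device.managed`/`registered`, `conditions.people.groups.include`, `actions.appSignOn.access`) are taken from the Okta Policies API as the author understands it and should be checked against the current API reference; the group id, rule priorities and the `fetch_rules` parameters are placeholders, and the sample rule sets are constructed to mirror the Phase 1 and Phase 2 layouts in this article.

```python
"""Audit an Okta ACCESS_POLICY rule set against the Device Trust layout in this article.

Added example, not from the ZeroTek article or Okta. Field names follow the Okta
Policies API as understood by the author; verify against the current API reference.
"""
import json
import urllib.request

REQUIREMENTS_RULE = "Device Trust - Requirements Rule"
CATCH_ALL = "Catch-all Rule"


def fetch_rules(org_url, api_token, policy_id):
    """Live call: fetch one policy's rules. The offline demo below uses constructed data instead."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/policies/{policy_id}/rules",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _access(rule):
    return rule.get("actions", {}).get("appSignOn", {}).get("access")


def _device(rule):
    return rule.get("conditions", {}).get("device") or {}


def _groups(rule):
    return rule.get("conditions", {}).get("people", {}).get("groups", {}).get("include") or []


def audit_rules(rules, test_group_id=None):
    """Return a list of findings; an empty list means the rules match the expected layout.

    test_group_id: in Phase 1 the Requirements rule must be limited to this group.
    Pass None for Phase 2, where the rule must apply to every user.
    """
    findings = []
    ordered = sorted(rules, key=lambda r: r["priority"])  # Okta evaluates lowest priority first
    by_name = {r["name"]: r for r in ordered}

    req = by_name.get(REQUIREMENTS_RULE)
    if req is None:
        findings.append(f"missing rule: {REQUIREMENTS_RULE}")
    else:
        if ordered[0] is not req:
            findings.append(f"{REQUIREMENTS_RULE} is not evaluated first (priority {req['priority']})")
        dev = _device(req)
        if not (dev.get("managed") is True and dev.get("registered") is True):
            findings.append(f"{REQUIREMENTS_RULE} does not require a registered and managed device")
        if _access(req) != "ALLOW":
            findings.append(f"{REQUIREMENTS_RULE} does not allow access")
        groups = _groups(req)
        if test_group_id and groups != [test_group_id]:
            findings.append(f"{REQUIREMENTS_RULE} should be limited to test group {test_group_id}, got {groups}")
        if test_group_id is None and groups:
            findings.append(f"{REQUIREMENTS_RULE} is still restricted to groups {groups}; production rule must apply to all users")

    last = ordered[-1] if ordered else None
    if last is None or not last.get("system"):  # Okta marks its built-in catch-all with system=true
        findings.append("catch-all rule is not last")
    elif _access(last) != "DENY":
        findings.append("catch-all rule does not deny access")

    if test_group_id is None:
        # Production: a rule with a device condition is skipped when the device is unmanaged, so any
        # other ALLOW rule without that condition is still reachable from an unmanaged device.
        for r in ordered:
            if r is req or r.get("system"):
                continue
            if _access(r) == "ALLOW" and _device(r).get("managed") is not True:
                findings.append(f"rule '{r['name']}' allows access without a managed device")
    return findings


def _rule(name, priority, access, groups=None, managed=False, system=False):
    """Build a minimal rule object in the shape the Policies API returns (constructed test data)."""
    conditions = {}
    if groups:
        conditions["people"] = {"groups": {"include": groups}}
    if managed:
        conditions["device"] = {"managed": True, "registered": True}
    return {"name": name, "priority": priority, "system": system,
            "conditions": conditions, "actions": {"appSignOn": {"access": access}}}


TEST_GROUP_ID = "00gPLACEHOLDERGROUPID"  # placeholder, not a real Okta group id

# Constructed Phase 1 layout: Requirements rule limited to the test group, then the
# Non Test Users rule, then the catch-all set to deny.
PHASE1_RULES = [
    _rule(REQUIREMENTS_RULE, 0, "ALLOW", groups=[TEST_GROUP_ID], managed=True),
    _rule("Any Two Factor - Non Test Users", 1, "ALLOW"),
    _rule(CATCH_ALL, 99, "DENY", system=True),
]

# Constructed Phase 2 layout: test group removed, Non Test Users rule left in place.
PHASE2_RULES = [
    _rule(REQUIREMENTS_RULE, 0, "ALLOW", managed=True),
    _rule("Any Two Factor - Non Test Users", 1, "ALLOW"),
    _rule(CATCH_ALL, 99, "DENY", system=True),
]

if __name__ == "__main__":
    for label, rules, group in (("phase 1", PHASE1_RULES, TEST_GROUP_ID), ("phase 2", PHASE2_RULES, None)):
        result = audit_rules(rules, group)
        print(label, "OK" if not result else result)
```

Run against live data by replacing the constructed lists with `fetch_rules("https://<your-org>.okta.com", "<api-token>", "<policyId>")`. In Phase 2 mode the audit reports the "Any Two Factor - Non Test Users" rule as an ALLOW rule reachable without a managed device; whether to remove that rule once the test group is gone is a decision to make deliberately, since it decides whether unmanaged devices are denied by the catch-all or admitted by the second rule.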


Need help? Contact ZeroTek Support at support@zerotek.com.