In modern device management and information security, it’s important to ensure users are on compliant devices before they access company data. This is becoming more common as companies adopt SaaS apps protected by Single Sign-On (SSO) or SAML integration with an Identity Provider (IdP).
Many organizations use Okta as an IdP and Intune as a mobile device management (MDM) tool. There is a supported method to make Intune enrollment a requirement before a device can authenticate to an Okta app. I’ll walk through the steps to demonstrate the configuration for iOS and Android devices.
The official documentation from Okta is here:
However, the documentation is a bit lacking in real-world implementation detail, which is why I decided to write this walkthrough.
iOS: I’ve tested this on the current iOS version 14.0+. You must have Okta Mobile as an available/assigned app via Intune.
Android: According to Okta, Android 5.1 or higher is supported. However, in my testing, Android 10 and 11 are not currently supported. You must also be using Android Enterprise for enrollment and not Device Administrator. You must add Okta Mobile as an available/assigned app via the Managed Google Play store before going on.
Intune: You must have the proper licensing with Microsoft for Intune. Users must be assigned the license.
Okta: Device trust requires Adaptive MFA licensing with Okta.
In the Okta Admin console, navigate to Security -> Device Trust. Enable iOS and Android Device trust. Make sure you save the Secret Key! For the enrollment link, I just put the link to the app store to download the Company Portal app. If you have a custom enrollment page, feel free to put the URL in there when configuring.
Navigate to Microsoft Endpoint Manager. Go to Apps -> App configuration policies. You’ll be creating two “Managed devices” policies.
Click the “+Add” and select Managed Devices.
Create a name for your policy, add a description, and select your operating system. Let’s start with Android. For me, I only have personally-owned Android devices, so I select Personally-Owned Work Profiles Only. This setting may depend on your company. If you followed the prerequisites correctly, Okta Mobile will be an option when you click “Select App.”
For the Configuration Settings, select “Use configuration designer.” Enter your Android Secret Key. For username, I put in “@[companydomain].com”. You can put whatever you want here; this is the value that gets pre-filled in the Okta Mobile app for users once the configuration has synced. Under Domain, put your Okta domain (e.g. companyname.okta.com) or your custom domain if you have one.
Select the users/groups that will get this policy. You can scope this to a test group if you are testing the configuration first.
For iOS, the steps are repeated. The documentation from Okta on iOS is not very clear, so this is where I had to do some playing around with the settings. Use a Managed devices policy and the configuration designer. Manually enter the Configuration key and Value type like in my example. The values are the same as in the Android configuration. Assign it to the users and groups you want to have the app policy.
Once you’ve completed these steps, go back to the Okta Admin console. You’ll have to create a sign-on policy for the application you want to enforce Device Trust on.
Pick the app you want to test or deploy Device Trust to and go to “Sign On.” Select “Add Rule” under Sign On Policy. There are many ways to configure this. You can assign it to all users of the app; during testing, I assigned it to a local Okta testing group. For location, I use “Anywhere,” but you can choose to exclude trusted network zones if you wish. Under Client, select iOS and Android, since this Intune-based Device Trust only applies to those platforms.
Finally, for Device Trust, I configure mine as “Not trusted” with the action set to deny access. A device that is not enrolled in Intune never receives the managed Okta Mobile app configuration carrying the Secret Key we configured earlier, so Okta treats it as not trusted and the rule denies it.
Once you save the policy, make sure it has a higher priority than your default or other rules. Okta evaluates rules in priority order and stops at the first match, so a Device Trust rule sitting below a broad allow rule will never be reached.
That’s it! You should have Device Trust enabled now for a specific app in Okta to require Intune MDM as a compliance requirement prior to accessing it on iOS or Android.
Do not enable Device Trust for O365. This will leave you unable to enroll, because Device Trust would then be required to sign in to the Company Portal app, which you obviously need in order for this whole chain to work.
Also, you’ll still need to rely on Intune for ongoing device attestation. Okta evaluates Device Trust at sign-on time only; once access has been granted, it does not re-check whether the device should keep that access if the device’s compliance state changes. The only way to revoke access is to disable the Okta credentials.
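Because Okta will not revisit the decision after sign-on, the practical bridge is to watch Intune compliance and act on the Okta account when a mobile device falls out of compliance. The following is an added example, not code from the original post or from Okta or Microsoft. It parses a constructed Microsoft Graph `managedDevices` response (real field names, invented device data), picks out users who own a noncompliant iOS or Android device, and plans the Okta API calls that disable access: clear the user’s Okta sessions, then suspend the account. The Graph endpoint, the Okta `SSWS` token scheme and the `/sessions` and `/lifecycle/suspend` paths are Okta’s and Microsoft’s documented ones; the Okta domain, the token and the sample data are placeholders, and nothing is sent unless `dry_run=False`.

```python
"""Bridge Intune compliance state to Okta account actions (dry-run by default)."""
import json
import urllib.request
from typing import Dict, List

# Constructed sample of a response to
#   GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
# Field names are real; the devices and users are invented for this example.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"deviceName": "alice-iphone", "operatingSystem": "iOS",
         "complianceState": "compliant", "userPrincipalName": "alice@example.com"},
        {"deviceName": "bob-pixel", "operatingSystem": "Android",
         "complianceState": "noncompliant", "userPrincipalName": "bob@example.com"},
        {"deviceName": "carol-iphone", "operatingSystem": "iOS",
         "complianceState": "noncompliant", "userPrincipalName": "carol@example.com"},
        {"deviceName": "carol-laptop", "operatingSystem": "Windows",
         "complianceState": "noncompliant", "userPrincipalName": "carol@example.com"},
        {"deviceName": "dave-pixel", "operatingSystem": "Android",
         "complianceState": "inGracePeriod", "userPrincipalName": "dave@example.com"},
    ]
})

# The sign-on rule in the post is scoped to iOS and Android clients, so only
# those platforms feed the revocation list. Desktop devices are ignored here.
MOBILE_PLATFORMS = {"ios", "android"}


def noncompliant_mobile_users(graph_json: str) -> List[str]:
    """Return sorted, de-duplicated UPNs that own at least one noncompliant
    iOS or Android device. Devices still in their grace period are left alone."""
    users = set()
    for dev in json.loads(graph_json).get("value", []):
        if dev.get("complianceState") != "noncompliant":
            continue
        if dev.get("operatingSystem", "").lower() not in MOBILE_PLATFORMS:
            continue
        upn = dev.get("userPrincipalName")
        if upn:
            users.add(upn.lower())
    return sorted(users)


def plan_okta_actions(logins: List[str]) -> List[Dict[str, str]]:
    """Build the per-user Okta calls, in the order they must run: end every
    Okta session first, then suspend the account so no new session can start.
    Paths use the documented Okta endpoints with an {id} placeholder that is
    filled in from a user lookup at apply time. Nothing is sent here."""
    actions = []
    for login in logins:
        actions.append({"login": login, "method": "DELETE",
                        "path": "/api/v1/users/{id}/sessions"})
        actions.append({"login": login, "method": "POST",
                        "path": "/api/v1/users/{id}/lifecycle/suspend"})
    return actions


def apply_okta_actions(okta_domain: str, api_token: str,
                       actions: List[Dict[str, str]], dry_run: bool = True):
    """Execute planned actions against https://<okta_domain>. With the default
    dry_run=True the plan is returned unchanged for review and nothing is sent.
    api_token is an Okta API token, sent with Okta's SSWS authorization scheme."""
    if dry_run:
        return actions
    headers = {"Authorization": f"SSWS {api_token}",
               "Accept": "application/json",
               "Content-Type": "application/json"}
    base = f"https://{okta_domain}"
    resolved: Dict[str, str] = {}
    completed = []
    for act in actions:
        login = act["login"]
        if login not in resolved:
            # GET /api/v1/users/{login} returns the user object with its id.
            req = urllib.request.Request(f"{base}/api/v1/users/{login}", headers=headers)
            with urllib.request.urlopen(req, timeout=10) as resp:
                resolved[login] = json.load(resp)["id"]
        url = base + act["path"].format(id=resolved[login])
        req = urllib.request.Request(url, method=act["method"], headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            completed.append({**act, "status": resp.status})
    return completed


if __name__ == "__main__":
    targets = noncompliant_mobile_users(SAMPLE_GRAPH_RESPONSE)
    for action in apply_okta_actions("example.okta.com", "<api token>",
                                     plan_okta_actions(targets)):
        print(action["method"], action["login"], action["path"])
```

Suspending rather than deactivating keeps the account recoverable once the device is remediated, and clearing sessions first means the next redirect to Okta lands on a suspended user instead of an existing session. Note that this only cuts off Okta; a SaaS app’s own session, already issued from an earlier Okta assertion, lives on until that app expires it, which is exactly the gap the paragraph above describes.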
Thanks for reading and let me know if there are any questions!