The Production Line: Device Trust
In this edition of The Production Line, we’re stepping through an ambitious feature that works to solve a problem almost every modern enterprise organization will have to face: the future of work. In 2017, Device Trust started life as a beta with a complex mandate: be a desktop and mobile solution that allows organizations to access sensitive applications from a device they know is managed by an Enterprise Mobility Management (EMM) solution. So, if you're using solutions like VMware Workspace ONE, System Center Configuration Manager, Jamf Pro and others, you can utilize Okta Device Trust to ensure that mobile devices and desktops are managed by these solutions before end users access Okta managed apps.
What is Device Trust?
If you’re an IT professional of any sort, you’ve at least heard the concept of Zero Trust. You’ll also know that this concept was not born in a vacuum—end users expect seamless, consumer-like access experiences even on corporate apps, from wherever they happen to be. This expectation has forced all but the most archaic of companies to move away from a perimeter-based approach, and towards a software-defined, user-centric one. Setting Zero Trust aspirations aside, this new normal raises questions for both old and new organizations.
Okta Device Trust is part of our contextual access management solution. It allows organizations to protect sensitive corporate resources across a broad set of clients, platforms and browsers. It does this by allowing only managed devices (devices enrolled in an EMM solution) to access Okta-integrated apps. The technical approaches to Device Trust include client- and SAML-based options over desktop and mobile, allowing you to choose the deployment method that best suits your organization.
Why did we build it?
When we spoke to customers about their key issues in allowing for a workforce outside the perimeter, three key concerns emerged. Customers wanted to:
- Prevent unmanaged devices from accessing Okta integrated apps.
- Protect their enterprise data when there's no defined network boundary.
- Deliver a better end user experience by providing fewer MFA prompts for IT-managed devices on their networks.
Device Trust was built to target the broadest range of platforms through which end users are accessing their apps. If this sounds easy, it’s not, as there's really no one solution that fits every organization.
The crux of the solution was to give IT and security teams better control over managing device-based access to Okta-integrated applications. So while it’s likely that employees, partners or contractors may have more than one device—and regardless of what that device may be—connecting to any apps sitting behind Okta requires enrollment into an EMM solution. In essence, when a user goes to log in to an app, the app delegates the access decision to Okta. Okta then considers the risk by assessing the managed vs. unmanaged state of the device. If the device is managed, the user is able to log in seamlessly. If unmanaged, admins can choose to either prompt for enrollment in the EMM solution, or simply prompt the user for an MFA option.
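The decision flow just described, as an added Python sketch that is not Okta's code: it assumes a hypothetical HMAC-signed posture assertion issued by the EMM (the `sign_posture`/`verify_posture` functions, the key and the token format are all constructed for illustration; the real integration's wire format is not covered by this post) and shows the three outcomes an admin can configure for the unmanaged case.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret between the hypothetical EMM posture service and the IdP.
EMM_KEY = b"constructed-demo-key-not-for-production"


def sign_posture(posture: dict, key: bytes = EMM_KEY) -> str:
    """EMM side: emit a signed posture assertion (hypothetical format base64(json).hexmac)."""
    body = base64.urlsafe_b64encode(json.dumps(posture, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_posture(token: Optional[str], key: bytes = EMM_KEY) -> Optional[dict]:
    """IdP side: return the posture only if the signature verifies, otherwise None."""
    if not token or "." not in token:
        return None  # no assertion presented: the device is unknown to us
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered assertion: treat as unmanaged, never as trusted
    return json.loads(base64.urlsafe_b64decode(body))


def decide_access(token: Optional[str], unmanaged_action: str = "prompt_enroll",
                  mfa_satisfied: bool = False) -> str:
    """Access decision: 'allow', 'prompt_mfa' or 'prompt_enroll'.

    unmanaged_action is the admin's choice for unmanaged devices: 'prompt_enroll'
    (send the user to EMM enrollment) or 'prompt_mfa' (fall back to an MFA factor).
    """
    posture = verify_posture(token)
    if posture is not None and posture.get("managed") is True:
        return "allow"  # managed device: seamless login, no extra MFA prompt
    if unmanaged_action == "prompt_mfa":
        return "allow" if mfa_satisfied else "prompt_mfa"
    return "prompt_enroll"
```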
With Device Trust, we built on a technical approach that allows for broad application coverage, so we're not just targeting major applications that your end users might use—it supports all of Okta’s best-of-breed applications.
What has been the customer reaction to the feature?
We have Okta customers who’ve been using Device Trust from a few weeks to over 17 months. Here are a few of their comments we’ve captured:
– Device Trust helps us manage the specific devices allowing our applications to run. We don't need to worry about them getting hacked or needing to enforce extra security policies, or whether the devices are hidden with malware, etc.
– Device Trust allows us to work with our MobileIron team to manage corporate and BYODs. It also allows us to restrict access to sensitive corporate resources [in a way] that would be harder otherwise.
– It makes it easier. I can be more relaxed and not worry about intrusions.
– Loving it for Windows. Rolling out mobile soon.
– We use it to limit the MFA of users who are on managed machines.
Also, when asked “Are you interested in moving towards a Zero Trust environment?”, every respondent expressed interest in moving towards one:
– We are very interested. Most of our current projects are targeted towards building a zero trust environment.
– Yes, it is on our roadmap for 2020.
But we’re not done…
As mentioned above, Device Trust has been around for a while. Stay tuned for a new framework that we’ll be rolling out as a beta in 2020. And if that prospect sounds exciting to you, you won’t want to miss Oktane20, where we’ll be announcing the update and all its details—so consider registering!