Risk-based policy-driven security with Device Logout

[Figure: Secure Identity Blog Series banner]

Automating actions through policies is one of the most effective ways to build robust and comprehensive security. For instance, when an employee leaves the company, all permissions can be promptly revoked via policies so that no lingering access remains. This is especially pertinent to organizations with high employee turnover or temporary staff, such as contractors. With automated policies in place, the moment a worker's time at the company has come to an end, their access to resources and devices is also terminated.

Defining clear security policies helps organizations automate granting and revoking user permissions based on user status, context clues, risk level, and minimum requirements. This helps ensure that users only have access to the resources they require and under the right circumstances, reducing the risk of privilege creep and insider threats.

With Okta Device Access, organizations can extend identity security to corporate devices. Okta Device Access supports a range of features to help secure device login, including Desktop MFA, Desktop Password Sync, Just-in-Time Local Account Creation, and more. With a new feature called Device Logout, managing user and device identities is even easier.

Introducing Device Logout with Okta Device Access

Device Logout is a new security feature that empowers organizations to log out risky or inactive users. By leveraging Desktop MFA, it forces users to reauthenticate, helping to ensure that only legitimate individuals have access.

[Figure: Device Logout end user screen]

Device Logout can work alongside Identity Threat Protection for Okta AI, highlighting the power of the Okta Platform as an identity security fabric in practice. With device access management driven by integrated and orchestrated identity security, Device Logout can be leveraged in the following flows:

  • An admin can manually trigger Device Logout for a specific user
  • An admin can automatically trigger Device Logout when a user is deactivated or suspended in Okta
  • An admin can automatically trigger Device Logout for a risky user by configuring an Identity Threat Protection entity risk policy (Identity Threat Protection is required)
  • An admin can use Identity Threat Protection to manually log a user out from their device(s) when clearing user sessions from the user’s profile page

[Figure: Device Logout user interface]

With Okta Device Access and Device Logout enabled, a Universal Logout command will automatically log a user out of all applications, active sessions, and, now, their devices. This illustrates the value of Okta’s comprehensive approach to identity security and the power of secure identity orchestration, which unifies risk signals, policies, and automation to respond to threats in real time.
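The four trigger flows listed above and the Universal Logout behaviour described in this paragraph can be modelled as a small policy engine: events (a manual admin action, a lifecycle status change, a risk-level change) are applied to the user's state, each logout policy is evaluated, and a match clears both application sessions and device logins in one action, with every decision audited. The code below is an added illustration written for this post; it is not Okta's API or product code, and every class, function and risk scale in it (User, Event, LogoutPolicy, IdentityOrchestrator, RISK_RANK) is constructed for the example.

```python
"""Toy model of policy-driven universal logout (app sessions + devices).

Added illustration; not Okta's API or code. All names here are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Status(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DEACTIVATED = "deactivated"


# Constructed risk scale; a real deployment would take this from the IdP's risk engine.
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class User:
    user_id: str
    status: Status = Status.ACTIVE
    risk_level: str = "low"
    app_sessions: List[str] = field(default_factory=list)  # live application session ids
    devices: List[str] = field(default_factory=list)       # devices with an active desktop login


@dataclass
class Event:
    kind: str          # "status_change" | "risk_change" | "admin_manual"
    user_id: str
    value: str = ""    # new status or risk level for the change events


@dataclass
class LogoutPolicy:
    name: str
    matches: Callable[[User, Event], bool]


# Three policies mirroring the flows in the post: manual admin trigger,
# deactivation/suspension, and entity risk reaching the "high" threshold.
POLICIES = [
    LogoutPolicy("admin-manual", lambda u, e: e.kind == "admin_manual"),
    LogoutPolicy(
        "lifecycle",
        lambda u, e: e.kind == "status_change"
        and u.status in (Status.SUSPENDED, Status.DEACTIVATED),
    ),
    LogoutPolicy(
        "entity-risk-high",
        lambda u, e: e.kind == "risk_change"
        and RISK_RANK[u.risk_level] >= RISK_RANK["high"],
    ),
]


class IdentityOrchestrator:
    """Applies events to user state, evaluates policies, and runs universal logout."""

    def __init__(self, policies: List[LogoutPolicy]):
        self.policies = policies
        self.users: Dict[str, User] = {}
        self.audit: List[dict] = []   # every decision is recorded, match or not

    def add_user(self, user: User) -> None:
        self.users[user.user_id] = user

    def universal_logout(self, user: User, policies: List[str]) -> dict:
        """Clear app sessions and device logins in one action; the user must
        reauthenticate (with Desktop MFA on the device) to regain access."""
        result = {
            "policies": policies,
            "sessions": list(user.app_sessions),
            "devices": list(user.devices),
        }
        user.app_sessions.clear()
        user.devices.clear()
        self.audit.append({"action": "universal_logout", "user": user.user_id, **result})
        return result

    def handle(self, event: Event) -> Optional[dict]:
        """Apply the event to the user, then log the user out if any policy matches."""
        user = self.users[event.user_id]
        if event.kind == "status_change":
            user.status = Status(event.value)
        elif event.kind == "risk_change":
            if event.value not in RISK_RANK:
                raise ValueError(f"unknown risk level: {event.value}")
            user.risk_level = event.value
        matched = [p.name for p in self.policies if p.matches(user, event)]
        if not matched:
            self.audit.append({"action": "no_op", "user": user.user_id, "event": event.kind})
            return None
        # Idempotent: a second trigger on an already logged-out user clears
        # nothing new, but the decision is still audited.
        return self.universal_logout(user, matched)


if __name__ == "__main__":
    orch = IdentityOrchestrator(POLICIES)
    orch.add_user(User("alice", app_sessions=["web-1", "vpn-2"], devices=["mac-laptop-1"]))
    print(orch.handle(Event("risk_change", "alice", "medium")))  # None: below threshold
    print(orch.handle(Event("risk_change", "alice", "high")))    # sessions and device cleared
```

The design point is that the device is treated as one more session to terminate, so the same policy evaluation that clears application sessions also clears the desktop login, and the audit trail records both matches and non-matches so a risk signal that did not cross the threshold is still visible to the SOC.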

How to start using Device Logout today

Device Logout support for macOS is available today as a self-service Early Access feature with Okta Device Access. You must have access to Identity Threat Protection within your Okta tenant to enable the Device Logout flows that depend on it.

Please refer to the product documentation to learn more about Device Logout. You can also visit the product web pages to learn about Okta Device Access and Identity Threat Protection.