To provide SSO and device trust for desktop devices, additional access policy rules are required in Workspace ONE Access.

Create the access policy for macOS and Windows 10 with Certificate (Cloud Deployment) and Device Compliance as the authentication methods.

Important: Do not use the Device Compliance (with AirWatch) authentication method for apps that are configured with Device Trust in Okta. The Device Compliance authentication method is not compatible with apps using Okta Device Trust.

Procedure

  1. In the Workspace ONE Access console, select Resources > Policies.
  2. Click Add Policy.
  3. In the Definition page of the wizard, enter the following information.
    Policy Name: A name for the policy.
    Description: A description for the policy.
    Applies to: Select Okta.

    This assigns the access policy set to the Okta Application Source. All requests for Okta apps are evaluated with this policy rule set.

  4. Click Next.
  5. In the Configuration page, click Add Policy Rule and configure the policy rule for Windows 10.
    1. Select Windows 10 as the device type in the "and user is accessing content from" list.
    2. Set the authentication method as follows:
      then perform this action: Authenticate using
      then the user may authenticate using: Certificate (Cloud Deployment)
      and: Device Compliance (with AirWatch)
      Note: If Okta Device Trust is configured, do not use the Device Compliance (with AirWatch) authentication method. Instead, use Okta authentication as the fallback authentication method:
      then perform this action: Authenticate using
      then the user may authenticate using: Certificate (Cloud Deployment)
      If the preceding method fails or is not applicable, then: Okta Auth Method
    3. Click Save.
  6. Click Add Policy Rule and configure the policy rule for macOS.
    1. Select macOS as the device type in the "and user is accessing content from" list.
    2. Set the authentication method as follows:
      then perform this action: Authenticate using
      then the user may authenticate using: Certificate (Cloud Deployment)
      and: Device Compliance (with AirWatch)
      Note: If Okta Device Trust is configured, do not use the Device Compliance (with AirWatch) authentication method. Instead, use Okta authentication as the fallback authentication method:
      then perform this action: Authenticate using
      then the user may authenticate using: Certificate (Cloud Deployment)
      If the preceding method fails or is not applicable, then: Okta Auth Method
    3. Click Save.
  7. Because this new policy overrides the default access policy for Okta applications, also add policy rules for iOS, Android, Apps on Workspace ONE Intelligent Hub, and Web Browser to the new policy, similar to the ones you previously added to the default access policy.
    1. Create a policy rule for iOS devices with Mobile SSO (iOS) as the first authentication method and Okta authentication as the fallback authentication method.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: iOS
      then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (iOS)
      If the preceding method fails or is not applicable, then: Okta Auth Method
    2. Create a policy rule for Android devices with Mobile SSO (Android) as the first authentication method and Okta authentication as the fallback authentication method.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: Android
      then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (Android)
      If the preceding method fails or is not applicable, then: Okta Auth Method
    3. Create a policy rule for Apps on Workspace ONE Intelligent Hub.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: Apps on Workspace ONE Intelligent Hub
      then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (for iOS)
      If the preceding method fails or is not applicable, then: Mobile SSO (for Android)
      If the preceding method fails or is not applicable, then: Okta Auth Method
      
    4. Create a policy rule for Web browsers with Okta as the authentication method.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: Web Browser
      then perform this action: Authenticate using
      then the user may authenticate using: Okta Auth Method
      
  8. Arrange the policy rules in the following order, listed from top to bottom. The two desktop rules occupy positions 2 and 3 in either order, and the two mobile rules occupy positions 4 and 5 in either order.
    1. Apps on Workspace ONE Intelligent Hub
    2. Windows 10 or macOS
    3. Windows 10 or macOS
    4. iOS or Android
    5. iOS or Android
    6. Web browser
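The following Python model is an added illustration of the rule set this procedure builds; it is not VMware's code and does not talk to Workspace ONE Access. It assumes first-match evaluation (rules checked top to bottom, the first rule whose device type matches is applied), that a rule's authentication steps are tried in order with the next step used when the previous one fails or is not applicable, and that methods joined with "and" must all succeed. The method and device-type strings are taken from the procedure; the `satisfied` sets passed to `evaluate` are constructed inputs standing in for what a given request can actually pass. It shows two points the steps alone do not make explicit: a managed desktop that drops out of compliance is denied outright because the Certificate and Device Compliance rule has no fallback, and `device_trust_conflicts` flags the combination the Important note warns against when Okta Device Trust is in use.

```python
"""Model of the Workspace ONE Access policy rule set built in this procedure.

Added illustration, not VMware's own code. Assumptions: rules are evaluated
top to bottom and the first rule whose device type matches is applied; within
a rule, each authentication step is tried in order and the next step is used
when the previous one fails or is not applicable; methods joined with "and"
must all succeed for that step to succeed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Authentication method names as written in the procedure.
CERT = "Certificate (Cloud Deployment)"
COMPLIANCE = "Device Compliance (with AirWatch)"
OKTA = "Okta Auth Method"
MSSO_IOS = "Mobile SSO (iOS)"
MSSO_ANDROID = "Mobile SSO (Android)"


@dataclass
class Rule:
    device_type: str
    # Each inner list is one "then the user may authenticate using" step;
    # several methods in one step are the "and" combination.
    steps: list[list[str]]


def build_policy(okta_device_trust: bool) -> list[Rule]:
    """Return the rule set from the procedure, in the order step 8 requires.

    okta_device_trust=True selects the alternative desktop rules from the
    Note in steps 5 and 6 (Certificate, then fall back to Okta) instead of
    Certificate and Device Compliance.
    """
    if okta_device_trust:
        desktop_steps = [[CERT], [OKTA]]
    else:
        desktop_steps = [[CERT, COMPLIANCE]]
    return [
        Rule("Apps on Workspace ONE Intelligent Hub",
             [[MSSO_IOS], [MSSO_ANDROID], [OKTA]]),
        Rule("Windows 10", [list(s) for s in desktop_steps]),
        Rule("macOS", [list(s) for s in desktop_steps]),
        Rule("iOS", [[MSSO_IOS], [OKTA]]),
        Rule("Android", [[MSSO_ANDROID], [OKTA]]),
        Rule("Web Browser", [[OKTA]]),
    ]


def evaluate(policy: list[Rule], device_type: str,
             satisfied: set[str]) -> list[str] | None:
    """Return the methods that granted access, or None if access is denied.

    `satisfied` is the constructed set of methods the request can pass
    (for example a valid device certificate plus a compliant status).
    """
    for rule in policy:
        if rule.device_type != device_type:
            continue
        for step in rule.steps:
            if all(method in satisfied for method in step):
                return list(step)
        return None          # every step failed: no later rule is consulted
    return None              # no rule for this device type


def device_trust_conflicts(policy: list[Rule]) -> list[str]:
    """Device types whose rule uses Device Compliance (with AirWatch).

    Per the Important note, this method must not be used for apps that have
    Okta Device Trust configured, so a non-empty result is a misconfiguration
    in such a deployment.
    """
    return [r.device_type for r in policy
            if any(COMPLIANCE in step for step in r.steps)]


def rule_order(policy: list[Rule]) -> list[str]:
    """Device types in evaluation order, for comparison with step 8."""
    return [r.device_type for r in policy]


if __name__ == "__main__":
    policy = build_policy(okta_device_trust=False)
    # Managed, compliant Windows 10 device: certificate and compliance pass.
    print(evaluate(policy, "Windows 10", {CERT, COMPLIANCE}))
    # Same device after it drops out of compliance: no fallback, so denied.
    print(evaluate(policy, "Windows 10", {CERT}))
    # Hub on Android: Mobile SSO (iOS) is not applicable, the next step is used.
    print(evaluate(policy, "Apps on Workspace ONE Intelligent Hub", {MSSO_ANDROID}))
    print(device_trust_conflicts(policy))
    print(device_trust_conflicts(build_policy(okta_device_trust=True)))
```

Running the module prints the granted methods for each constructed request, `None` for the non-compliant desktop, and the device types that still carry Device Compliance when the Okta Device Trust variant is not selected. The `evaluate` function deliberately returns `None` once a matching rule's steps are exhausted rather than continuing to later rules, since a later platform rule never acts as a fallback for an earlier one under the assumed first-match semantics.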