Configure app sign-on policy rules in the Okta Admin console.

To configure granular access to the app, selectively apply conditions as you create one or more prioritized rules based on:

  • Who users are and the groups to which they belong
  • Whether they are on or off network or within a defined network zone
  • The type of client running on their device (Office 365 apps only)
  • The platform of their mobile or desktop device
  • Whether or not their devices are trusted

To follow an allowlist approach to creating Sign On policy rules:

  1. Create one or more permissive rules to support the scenarios that will allow access to the app, then assign those rules the highest priority.
  2. Create a Deny catch-all rule that will apply to users who do not match the permissive scenarios you created in Step 1. Assign the Deny catchall rule the lowest priority, just above Okta's Default Rule. In the allowlist approach described here, the Default rule is never reached because it is effectively negated by the Deny catchall rule.

If you deactivate Device Trust, follow these guidelines:

  • Do not deselect the Device Trust setting on the Security > Device Trust page if you have also configured an app sign-on policy on the Applications > app > Sign On Policy page that allows trusted devices. Otherwise, your Device Trust configuration will be in an inconsistent state.

    To deactivate Device Trust for your org, first remove any app sign-on policies that contain a Device Trust setting, then deselect Device Trust on the Security > Device Trust page.

  • If you ask Okta to deactivate the Device Trust solution for your org (which is separate from the Enable Device Trust setting that you enabled on the Security > Device Trust page), make sure to first change the Device Trust setting in the app sign-on policy rules to Any. If you do not make this change and then later have Okta re-enable the Device Trust solution for your org, the Device Trust setting in app sign-on policy rules will take effect immediately, which you may not have expected.

For additional information about creating sign-on policy rules, see


Log in to the Okta Admin console as an App, Org, or Super admin, as only these roles can configure app sign-on policies.


  1. In the Okta Admin console, click the Applications tab, then click the SAML or WS-Fed-enabled app that you want to protect with Device Trust.
  2. Click the Sign On tab, scroll down to the Sign On Policy section, and click Add Rule.
  3. Configure one or more rules using the example allowlist as a guide.
    Note: By default, all Client options in the App Sign On Rule dialog box are preselected. You cannot select the Trusted and Not trusted options in the Device Trust section unless you deselect the following options in the Client section:
    • Exchange ActiveSync or Legacy Auth client
    • Other mobile (e.g. BlackBerry)
    • Other desktop (e.g. Linux)

Example: Sample Allowlist

Users with untrusted devices are guided through Workspace ONE enrollment or redirected to the destination of the Enrollment link configured in Enable Device Trust Settings in Okta.

Example Rule 1: Web browser; Modern Auth; iOS and/or Android; Trusted; Allow access + MFA

Example Rule 2: Web browser; Modern Auth; All platforms except iOS and/or Android; Any Trust; Allow access + MFA

Example Rule 3: Web browser; Modern Auth; iOS and/or Android; Not Trusted; Deny access

Rule 4: Default sign on rule – Any client, All platforms; Any Trust; Allow access

Note: This allowlist example shows Device Trust rules for managing access to Office 365. For other apps, note that the section If the user's client is any of these is not present.