To provide SSO and device trust for desktop devices, additional access policy rules are required in VMware Identity Manager.

Create the access policy for MacOS and Windows 10 with Certificate (Cloud Deployment) and Device Compliance as the authentication methods.

Procedure

  1. In the VMware Identity Manager console, navigate to the Identity & Access Management Policies page.
  2. Click Add Policy.
  3. In the Definition page of the wizard, enter the following information.
    Option          Description
    Policy Name     A name for the policy
    Description     A description for the policy
    Applies to      Select Okta.

    This assigns the access policy set to the Okta Application Source. All requests for Okta apps are evaluated with this policy rule set.

  4. Click Next.
  5. In the Configuration page, click Add Policy Rule and configure the policy rule for Windows 10.
    1. Select Windows 10 as the device type in the "and user is accessing content from" list.
    2. Select Certificate (Cloud Deployment) as the first authentication method.
    3. Select Device Compliance (with AirWatch) as the second factor authentication method.
    4. Click Save.
  6. Click Add Policy Rule and configure the policy rule for MacOS.
    1. Select MacOS as the device type in the "and user is accessing content from" list.
    2. Select Certificate (Cloud Deployment) as the first authentication method.
    3. Select Device Compliance (with AirWatch) as the second factor authentication method.
    4. Click Save.
  7. Because this new policy overrides the default access policy for Okta applications, also add policy rules for iOS, Android, Workspace ONE App or Hub App, and Web browser to the new policy, similar to the ones you previously added to the default access policy.
    1. Create a policy rule for iOS devices with Mobile SSO (iOS) as the first authentication method and Okta authentication as the fallback authentication method.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: iOS
      Then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (iOS)
      If the preceding method fails or is not applicable, then: Okta Auth Method
    2. Create a policy rule for Android devices with Mobile SSO (Android) as the first authentication method and Okta authentication as the fallback authentication method.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: Android
      Then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (Android)
      If the preceding method fails or is not applicable, then: Okta Auth Method
    3. Create a policy rule for Workspace ONE app and Hub app.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: Workspace ONE App or Hub App
      Then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (for iOS)
      If the preceding method fails or is not applicable, then: Mobile SSO (for Android)
      If the preceding method fails or is not applicable, then: Okta Auth Method
      
    4. Create a policy rule for Web browsers with Okta as the authentication method.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: Web Browser
      Then perform this action: Authenticate using
      then the user may authenticate using: Okta Auth Method
      
  8. Arrange the policy rules in the following order, listed from top to bottom.
    1. Workspace ONE App or Hub App
    2. Windows 10 or MacOS (one of the two desktop rules)
    3. Windows 10 or MacOS (the other desktop rule)
    4. iOS or Android (one of the two mobile rules)
    5. iOS or Android (the other mobile rule)
    6. Web browser
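As an added illustration of how this rule set behaves once ordered as in step 8 (example code written for this page, not VMware's code or API): rules are checked top to bottom, the first rule whose device type matches is applied, its methods are tried in the order the page lists them, and the desktop rules additionally require the Device Compliance factor. The `Rule` class, the `evaluate` and `missing_rules` helpers, and the "first match wins" evaluation semantics are assumptions for illustration; the rule names and method names are the page's own.

```python
# Added example (not VMware's code or API): a small model of the Okta access
# policy set built in the procedure above. Evaluation semantics are assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Rule:
    device_type: str                  # "and the user is accessing content from"
    first: str                        # "then the user may authenticate using"
    fallbacks: List[str] = field(default_factory=list)  # "If the preceding method fails..."
    second_factor: Optional[str] = None  # must also succeed (desktop rules only)


# The policy rule set from steps 5 to 7, ordered as step 8 prescribes.
OKTA_POLICY = [
    Rule("Workspace ONE App or Hub App", "Mobile SSO (for iOS)",
         ["Mobile SSO (for Android)", "Okta Auth Method"]),
    Rule("Windows 10", "Certificate (Cloud Deployment)",
         second_factor="Device Compliance (with AirWatch)"),
    Rule("MacOS", "Certificate (Cloud Deployment)",
         second_factor="Device Compliance (with AirWatch)"),
    Rule("iOS", "Mobile SSO (iOS)", ["Okta Auth Method"]),
    Rule("Android", "Mobile SSO (Android)", ["Okta Auth Method"]),
    Rule("Web Browser", "Okta Auth Method"),
]

# Step 7: because this policy replaces the default for Okta apps, every
# device type below needs its own rule or those requests have nothing to match.
REQUIRED_DEVICE_TYPES = {"Workspace ONE App or Hub App", "Windows 10", "MacOS",
                         "iOS", "Android", "Web Browser"}


def missing_rules(policy: List[Rule]) -> Set[str]:
    """Device types from step 7 that the policy has no rule for."""
    return REQUIRED_DEVICE_TYPES - {r.device_type for r in policy}


def evaluate(policy: List[Rule], device_type: str, satisfiable: Set[str]) -> str:
    """Return the method that grants access, or 'DENIED'. `satisfiable` is the
    constructed set of methods a given client can complete (e.g. it holds a
    valid certificate and AirWatch reports it compliant)."""
    for rule in policy:
        if rule.device_type != device_type:
            continue                       # first matching rule wins
        for method in [rule.first] + rule.fallbacks:
            factor_ok = rule.second_factor is None or rule.second_factor in satisfiable
            if method in satisfiable and factor_ok:
                return method
        return "DENIED"                    # rule matched, but no method succeeded
    return "DENIED"                        # no rule for this device type


if __name__ == "__main__":
    print(evaluate(OKTA_POLICY, "Windows 10", {"Certificate (Cloud Deployment)"}))
```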