Device management using OIE's new feature ``Okta Device API'' was extremely convenient.

Security business menu

Security business
HOME

To be elected
cause

Service

Handling Manufacturer

Examples/reports/
Blog/Glossary

Seminar/
video on demand

TOP

Products/Services

product
- Okta Workforce Identity Cloud
- Okta Customer Identity Cloud

Specifications/Technical Information

Specifications/Technical Information
- Workforce Identity Cloud Basic Setup Behavior Guide
- Customer Identity Cloud (Auth0) basic setup behavior guide

solution

solution
- Okta Solutions - Zero Trust with Okta

User stories

support

- Macnica Support

Seminar content

Document request

inquiry

Event/Seminar

video on demand

Device management using the new function "Okta Device API" in OIE was too convenient.

Introduction

Okta's latest platform, Okta Identity Engine (OIE), has made it possible to visualize devices that access Okta and control and manage access availability for each device.

Specifically, by installing "Okta Verify" on the end user's own PC/mobile device, it is now possible to control and manage the user and the device. In addition, you can allow access only to registered devices, and remotely suspend specific devices that have been set and registered.

Displaying a list of devices registered to a specific user (Okta administrator screen)

In addition to the Okta administrator screen (GUI), control management of registered devices can also be performed using APIs. Okta calls this device control management API the "Device API", and this blog will introduce the "Device API" in detail.

Please note that the contents of the Device API described here are based on information as of April 2022 and may be updated in the future.

List of Okta Device APIs

The Device API list is as shown in the table below. Details of each item are described below.

1. Acquire device list/Acquire information of specific device

Get device list
You can filter the device list by using the “search” query parameter.
Specifically, by specifying "search=profile.platform eq "WINDOWS"", you can list only Windows device information.

Details: https://developer.okta.com/docs/reference/api/devices/#list-devices

API for acquiring information on a specific device
The device information that can be obtained is the same as the device list acquisition API.

Details: https://developer.okta.com/docs/reference/api/devices/#get-device-by-id

[Supplement] Device information acquisition items
The profile items in the device information are as shown in the table below. We have verified that the items that can be acquired differ depending on the device. Therefore, please note that some information cannot be obtained for each device. Devices that can be registered (devices on which Okta Verify can be installed) are "Windows", "macOS", "Android", and "iOS".

Details: https://developer.okta.com/docs/reference/api/devices/#device-profile-properties

2. Device disable/enable, suspend/unsuspend

The state of the device changes as shown in the figure below.

What are the characteristics of "suspended" and "disabled" devices?

[Common point]

Kill all active sessions established on the device
Unable to establish new session

[Difference]

"Suspended" is not affected by the link between the device and the user
If "disabled", the link between the device and the user will be broken and the user will need to register again when enabled.

"Suspend" is useful for suspending access to a user's device on leave and needs to be resumed later, while "Disabled" is for final review before deletion or unusable (blacklisted). This is useful when

Also, to remove a device, it must be done from "disabled" and cannot be done from "enabled" or "suspended".

From now on, we will look at the situation during API calls to disable/enable, suspend/suspend, and delete devices.

Disable device
The link between device and user is broken.

Details: https://developer.okta.com/docs/reference/api/devices/#deactivate-device

Device activation
The link between the device and the user will remain broken and the user will need to re-enroll.

Details: https://developer.okta.com/docs/reference/api/devices/#activate-device

Pause device
The link between device and user is maintained.

Details: https://developer.okta.com/docs/reference/api/devices/#suspend-device

Unpause device
No re-registration is required on the part of the user as the link between the device and the user is maintained.

Details: https://developer.okta.com/docs/reference/api/devices/#unsuspend-device

Delete device
The device can be deleted only when the device status is disabled (Deactivate), and an error will occur if the deletion API call is performed in a status other than disabled.
Please note that deleting a device will permanently delete all profile data on the device.

Details: https://developer.okta.com/docs/reference/api/devices/#delete-device

Summary

We introduced the new function "Okta Device API" in OIE.

What was previously possible only on a user-by-user basis is now possible on a device-by-device basis. In addition, batch management is possible using the Device API. In addition, by combining the Device API and the Okta Workflows function, applications such as "obtaining a list of registered devices and saving to a CSV file" and "prohibiting registration of unmanaged devices to Okta" are possible, making Okta usage more flexible than ever before. I feel that I have increased.

In addition, we will introduce application examples of Device API and Okta Workflows in the future, so please look forward to it!

Okta Device API並びにその他Oktaに関しての疑問点、ご興味がございましたら是非弊社までお問い合わせください。

Inquiry/Document request

In charge of Macnica Okta Co., Ltd.

inquiry Document request

TEL：045-476-2010
E-mail：okta@macnica.co.jp

Mon-Fri 8:45-17:30