Device management with the "Okta Device API", a new feature in OIE, turned out to be very convenient

Introduction

Okta's latest platform, Okta Identity Engine (OIE), makes it possible to see which devices access Okta and to control and manage access on a per-device basis.

Specifically, once "Okta Verify" is installed on the end user's own PC or mobile device, both the user and the device can be controlled and managed. In addition, you can allow access only from registered devices and remotely suspend specific registered devices.

<Device list display (Okta administrator screen)>

<Display a list of devices registered to a specific user (Okta administrator screen)>

In addition to the Okta administrator screen (GUI), registered devices can also be controlled and managed through APIs. Okta calls this device management API the "Device API", and this blog introduces the "Device API" in detail.

Please note that the contents of the Device API described here are based on information as of April 2022 and may be updated in the future.

List of Okta Device APIs

The Device API list is as shown in the table below. Details of each item are described below.

1. Get the device list / get information on a specific device

Get device list
You can filter the device list by using the "search" query parameter.
Specifically, by specifying search=profile.platform eq "WINDOWS", you can list only Windows device information.

Get information on a specific device
The device information that can be obtained is the same as with the device list API.

[Supplement] Device information items
The profile items in the device information are as shown in the table below. We have verified that the items that can be obtained differ depending on the device, so please note that some information cannot be obtained for some devices. Devices that can be registered (devices on which Okta Verify can be installed) are "Windows", "macOS", "Android", and "iOS".

2. Device disable/enable, suspend/unsuspend

The state of the device changes as shown in the figure below.

Device disable/enable, suspend/unsuspend

What are the characteristics of "suspended" and "disabled" devices?

[In common]

  • All active sessions established on the device are terminated
  • New sessions cannot be established

[Difference]

  • With "suspended", the link between the device and the user is not affected
  • With "disabled", the link between the device and the user is broken, and the user needs to register again when the device is enabled

"Suspend" is useful when access from the device of a user on leave needs to be paused and resumed later, while "disable" is useful for a final review before deletion or for making a device unusable (blacklisted).

Also, a device can be deleted only from the "disabled" state; it cannot be deleted from "enabled" or "suspended".

Next, we will look at what happens on the API calls that disable/enable, suspend/unsuspend, and delete devices.

Disable device
The link between device and user is broken.

Enable device
The link between the device and the user remains broken, and the user needs to re-enroll.

Suspend device
The link between the device and the user is maintained.

Unsuspend device
No re-registration is required on the user's side because the link between the device and the user is maintained.

Delete device
A device can be deleted only when its status is disabled (Deactivate); calling the delete API in any other status results in an error.
Please note that deleting a device will permanently delete all profile data on the device.
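
As an added example (not from the original post or from Okta), the Python sketch below models the lifecycle rules described above and builds the corresponding requests without sending them. The endpoint paths, status names and platform values other than WINDOWS are assumptions taken from Okta's public Devices API reference rather than from this page, and the device ID is a constructed placeholder.

```python
from urllib.parse import quote

BASE = "/api/v1/devices"  # assumption: path from Okta's public API reference
# Platform values: only WINDOWS is shown on the page, the rest are assumed.
PLATFORMS = {"WINDOWS", "MACOS", "ANDROID", "IOS"}

# (current status, action) -> new status, following the state changes above.
# Status names and the SUSPENDED -> deactivate edge are assumptions.
TRANSITIONS = {
    ("ACTIVE", "suspend"): "SUSPENDED",
    ("SUSPENDED", "unsuspend"): "ACTIVE",
    ("ACTIVE", "deactivate"): "DEACTIVATED",
    ("SUSPENDED", "deactivate"): "DEACTIVATED",
    ("DEACTIVATED", "activate"): "ACTIVE",
}


def search_path(platform):
    """Path for the device list filtered with the search query parameter."""
    if platform not in PLATFORMS:  # never splice unchecked input into a filter
        raise ValueError(f"unknown platform: {platform!r}")
    expr = f'profile.platform eq "{platform}"'
    return f"{BASE}?search={quote(expr)}"


def simulate(device_id, status, actions, linked=True):
    """Apply actions in order; return (status, user_link_intact, calls)."""
    calls = []
    for action in actions:
        if action == "delete":
            if status != "DEACTIVATED":  # the API rejects this with an error
                raise ValueError(f"cannot delete a device in status {status}")
            calls.append(("DELETE", f"{BASE}/{device_id}"))
            return "DELETED", False, calls  # "DELETED" is a label used here only
        new_status = TRANSITIONS.get((status, action))
        if new_status is None:
            raise ValueError(f"{action} is not allowed from {status}")
        if action == "deactivate":
            linked = False  # link is broken; activate does not restore it
        calls.append(("POST", f"{BASE}/{device_id}/lifecycle/{action}"))
        status = new_status
    return status, linked, calls


if __name__ == "__main__":
    print(search_path("WINDOWS"))
    # "dev-example" is a constructed device ID.
    print(simulate("dev-example", "ACTIVE", ["suspend", "unsuspend"]))
    print(simulate("dev-example", "ACTIVE", ["deactivate", "delete"]))
```

Running a planned sequence through simulate before sending it catches an out-of-order delete locally and shows whether the user will have to re-enroll afterwards.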

Summary

We introduced the new function "Okta Device API" in OIE.

What was previously possible only on a user-by-user basis is now possible on a device-by-device basis, and batch management is possible using the Device API. In addition, combining the Device API with Okta Workflows enables applications such as "obtaining a list of registered devices and saving it to a CSV file" and "prohibiting registration of unmanaged devices to Okta". I feel that Okta can now be used more flexibly than ever before.

In addition, we will introduce application examples of Device API and Okta Workflows in the future, so please look forward to it!

If you have any questions about, or interest in, the Okta Device API or anything else related to Okta, please contact us.

In charge of Macnica Okta Co., Ltd.