Device Trust is a concept in cybersecurity with a relatively simple premise; if a device can prove its identity, it can be trusted to have greater access to resources. If you know the source of a device and it’s postured with antivirus software, you can let it access more resources because it’s more secure than unmanaged devices.
Okta Device Trust is a management solution used to enable organizations to further protect their classified corporate information by limiting access of Okta-integrated applications to managed devices. One of the most effective methods organizations have found for establishing device trust through authentication is by replacing credentials with certificates.
As workers around the world transition further away from traditional office spaces, they are less reliant on on-premise directories for security management. Employees are now just as likely to be working from home, at a coffee shop, or at an airport than in an actual office building. Organizations are looking for creative new ways to onboard and authenticate their users, such as a finance tech company exploring new options for BYOD Wi-Fi onboarding.
40% of respondents in a Verizon survey say that mobile devices are the company’s biggest security risk. Device Trust ensures that your end users are accessing applications from a device that you know is trusted, even when they are on the go.
In this article, we’re going to explain exactly what device trust is and how to properly deploy it on Windows devices.
What Is Okta Device Trust?
Okta’s device trust refers to the ability to enforce device management to devices trying to access an organization’s application. If a device is managed by an endpoint management tool, end users can access Okta-based apps. For example, a Windows device would typically mean a device is managed by a management tool or a mobile device management profile like Jamf or Workspace One.
The process of device trust for Windows is:
- A Windows device is confirmed in Active Directory through an Okta client. If the check passes, they are given an access token.
- The token is used to confirm the device+user pair with the Okta CA.
- The Okta CA distributes a certificate to the Windows device.
- Access to applications is granted by leveraging the certificate.
Okta Device Trust for Windows ensures that only end-users with properly managed Windows devices can use SSO for applications in the cloud, and it protects organizational data even when accessing company resources remotely.
How To Set Up Okta Device Trust On Windows
Before you begin setting up Okta Device Trust on Windows, there are a few things you need to make sure are configured properly. You must make sure that certificates are installed on targeted computers and that you are connected to your company’s network.
STEP 1 — Enable the global Device Trust setting for your org
- In the Admin Console, go to Security > Device Trust.
- In the Windows Device Trust section, click Edit.
- Select Enable Windows Device Trust.
- Optional – In the Learn more link field, you can enter an externally accessible redirect URL where end-users with untrusted devices can find more information. The security message shown to these end-users will include a Learn more link that redirects to your specified URL.
- If you choose not to specify a URL in this optional field, end-users are shown the same message but without the Learn more link.
- Click Save.
- Proceed to STEP 2.
STEP 2 — Enroll the Device Trust certificate on domain-joined Windows computers
- Install a Device Trust-supported version of the Okta IWA web app in your AD domain.
- Obtain and install the Device Registration Task.
- Verify certificate enrollment before you configure the Trusted option in App Sign-On Policy rules.
- Optional – Use GPO to configure browsers to select the certificate automatically.
STEP 3 — Configure app Sign-On policy rules in Okta
By default, all Client options in the App Sign-On Rule dialog box are pre-selected. To configure more granular access to the app, create rules that reflect:
- Who users are and/or the groups to which they belong
- Whether they are on or off-network or within a defined network zone
- The type of client running on their device (Office 365 apps only)
- The platform of their mobile or desktop device
- Whether or not their devices are Trusted
How Do I Apply Device Trust Without Okta?
If your organization wants to implement a device trust solution without Okta, you can still do so using a certificate-based solution. Digital X.509 certificates are perfect for device trust because they are inextricably tied to the identity of a user or device, allowing you to verify a client is who they say they are, regardless of their proximity to your on-premise server.
Once certificates have been pushed to managed devices, you can use GPO or Intune as your MDM to implement policies that secure, monitor, and manage end-user mobile devices and use a RADIUS server to ensure proper authentication.
Device Trust With SecureW2
When it comes to simplifying certificate configuration, SecureW2 is second to none. SecureW2 allows you to easily manage the entire certificate lifecycle, from issuance to revocation. And our SCEP solutions allow MDM providers like Intune to be equipped with certificates with no end-user interaction.
Our Cloud RADIUS provides everything you need for authentication and has a host of industry-exclusive features. Our Cloud RADIUS not only references the certificate revocation list but can also perform a dynamic lookup to the directory at the moment of authentication to enforce real-time policy updates.
If an organization wants to implement Device Trust, certificates are the perfect authentication option to enable it. Certificates identify both the user and device so you know who is connecting. As a result, admins can create highly specific use policies that are always accurately applied to users when they authenticate.
A state-of-the-art Cloud RADIUS solution combined with digital certificate-based authentication and MDM posturing is the most effective way to protect your network. Check out our pricing page to see if our solutions can help secure your network.