Insights from our experience: Okta deploys Okta Device Access

Last year, Okta successfully deployed Okta Device Access in a phased rollout, bringing the best of Okta’s simple, secure authentication experience to the device login touchpoint. What better way is there to stand behind the value of our solution than by leveraging our technology internally at Okta?

Okta Device Access offers many critical Identity Security features for secure device login and beyond. For many people, the first login of any workday is into the device, so that touchpoint must be secured. Implementing additional security measures, though, can create anxiety for end users and admins, and that was the case for us. Careful planning prepared us to address issues as they came.

With most of the Okta workforce using macOS computers, we started our Okta Device Access adoption journey by rolling out Desktop MFA. By the end of the planned rollout timeline, 100% of impacted employees were compliant. As your organization considers and embarks on deploying Okta Device Access, consider the knowledge we gleaned to create a smoother experience.

Okta’s rollout plan for Desktop MFA

Our successful rollout of Desktop MFA for macOS resulted from a multi-pronged corporate communications strategy that included emails and newsletters from our internal technology team to impacted workforce members. We also created step-by-step instructions for end users to enroll in Desktop MFA successfully and shared detailed FAQ documentation for users to reference. This upfront effort provided a solid foundation before the start of product deployment.

At a high level, we structured the rollout as follows:

  1. We first identified an initial User Acceptance Testing (UAT) group of under 100 users to get their feedback on Desktop MFA.
  2. Then, we initiated broader product deployment by identifying impacted Okta employees and slotting them into four distinct rollout groups based on their functions.
  3. The Okta technology team announced their plans to deploy Desktop MFA internally and continued to spread the word and share end-user content throughout the timeline of the rollout.
  4. We phased the rollout over four weeks, where each rollout group subsequently received MDM-driven, Okta-customized enrollment prompts and reminders on their computers at the start of their designated week.
  5. We also provided a grace period to allow end users to finish their enrollment before enrollment was fully enforced, at which point unenrolled employees risked being locked out of their computers.
  6. The Okta technology team made themselves available for questions and troubleshooting over a dedicated Slack channel.
  7. To track user enrollment, the Okta technology team wrote MDM extension attributes to report whether a user had enrolled in Desktop MFA, how many users were enrolled, and whether the Desktop MFA deployment was healthy on the device. These reports helped the team find any edge cases that required additional attention and update leadership on deployment progress and compliance.

What’s that saying about “best-laid plans”?

No deployment journey is without a few hitches, and we were no exception. Although we tried our best to anticipate the end-user challenges, we missed a few. Here are some examples:

  • In several cases, employees first needed to address updates to their mobile device management (MDM) configurations before they could successfully enroll in Desktop MFA.
  • During the rollout, Apple released the new iPhone 16, so a group of users with new devices suddenly needed their enrollments transferred.
  • In other cases, employees needed to re-add their Okta accounts to the Okta Verify mobile application (on iOS and Android) to make it their primary authenticator.
  • Surprisingly, the most common question was how users could ensure they had successfully enrolled in Desktop MFA, which we quickly addressed through the established communications channels.

Most user questions were about the user experience, such as what to expect at login, how often they would be prompted for a second factor, and so on. As the rollout progressed and users raised questions, we refined our support documentation for end users and made announcements as needed to anticipate any issues that could impact a group of users. Beyond improving our security posture, this experience proved an excellent opportunity to gather helpful feedback on the overall product design and user experience, which has helped inform the Okta Device Access roadmap.

What’s next for Okta Device Access at Okta

The value of Okta Device Access goes beyond Desktop MFA for macOS, and we plan to roll out additional features, including Desktop MFA for Windows, to round out coverage for the rest of the Okta workforce. We’re also looking to enable the new Okta Device Access recovery flows, which will address accidental lockout and reduce the burden on the Okta support team.

We also have a robust roadmap to mature Okta Device Access as a solution and simplify the deployment experience. This roadmap includes providing greater visibility for admins to oversee end-user enrollment with more detailed device profiles in Universal Directory.

If you’re currently in the process of deploying Okta Device Access, please join the Okta Device Access Discussion Group to ask questions or sign up for a meeting with an Okta specialist for more one-on-one attention. The product documentation provides all the instructions for deploying Okta Device Access.

If you’re considering Okta Device Access and looking to learn more about how your organization can benefit, please visit the Okta Device Access page.