Device Assurance Policies

The Device Assurance Policies API provides operations to manage device assurance policies in your organization.

List all Device Assurance Policies
OAuth 2.0: okta.deviceAssurance.read

Lists all device assurance policies

Responses
200

OK

403

Forbidden

429

Too Many Requests

get/api/v1/device-assurances
Request samples
Response samples
application/json
[
  • {
    • "createdBy": "string",
    • "createdDate": "string",
    • "id": "string",
    • "lastUpdate": "string",
    • "lastUpdatedBy": "string",
    • "name": "string",
    • "platform": "ANDROID",
    • "_links": {
      }
    }
]

Create a Device Assurance Policy
OAuth 2.0: okta.deviceAssurance.manage

Creates a new Device Assurance Policy

Request
Request Body schema: application/json
required
name
string

Display name of the Device Assurance Policy

platform
string (Platform)
object
include
Array of strings (DiskEncryptionTypeDesktop)
Items Value: "ALL_INTERNAL_VOLUMES"
object (OSVersionFourComponents)

Current version of the operating system (maximum of four components in the versioning scheme)

minimum
string
Array of objects (OSVersionConstraint) [ 1 .. 2 ] items
Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition.

There are two types of OS requirements:

  • Static: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with majorVersionConstraint and minimum.
  • Dynamic: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with majorVersionConstraint and dynamicVersionRequirement.

Note: Dynamic OS requirements are available only if the Dynamic OS version compliance self-service EA feature is enabled. The osVersionConstraints property is only supported for the Windows platform. You can't specify both osVersion.minimum and osVersionConstraints properties at the same time.

Array ([ 1 .. 2 ] items)
object

Contains the necessary properties for a dynamic Windows version requirement

majorVersionConstraint
required
string

Indicates the Windows major version

Enum: Description
WINDOWS_11

The device is on Windows 11

WINDOWS_10

The device is on Windows 10 or an older Windows version

minimum
string

The Windows device version must be equal to or newer than the specified version

object
include
Array of strings (ScreenLockType)
Items Enum: "BIOMETRIC" "NONE" "PASSCODE"
secureHardwarePresent
boolean
object

Settings for third-party signal providers (based on the WINDOWS platform)

object (DTCWindows)

Google Chrome Device Trust Connector provider

object (ChromeBrowserVersion)

Current version of the Chrome Browser

builtInDnsClientEnabled
boolean

Indicates if a software stack is used to communicate with the DNS server

chromeRemoteDesktopAppBlocked
boolean

Indicates whether access to the Chrome Remote Desktop application is blocked through a policy

crowdStrikeAgentId
string

Agent ID of an installed CrowdStrike agent

crowdStrikeCustomerId
string

Customer ID of an installed CrowdStrike agent

deviceEnrollmentDomain
string

Enrollment domain of the customer that is currently managing the device

diskEncrypted
boolean

Indicates whether the main disk is encrypted

keyTrustLevel
string (KeyTrustLevelBrowserKey)

Represents the attestation strength used by the Chrome Verified Access API

Enum: Description
CHROME_BROWSER_HW_KEY

Identity of the device was attested using a key pair that is OS encapsulated by a hardware layer

CHROME_BROWSER_OS_KEY

Identity of the device was attested using a key pair that is simply stored on the device but not in any specific hardware layer

osFirewall
boolean

Indicates whether a firewall is enabled at the OS-level on the device

object (OSVersionFourComponents)

Current version of the operating system (maximum of four components in the versioning scheme)

passwordProtectionWarningTrigger
string (PasswordProtectionWarningTrigger)

Indicates whether the Password Protection Warning feature is enabled

Enum: Description
PASSWORD_PROTECTION_OFF

Password protection warning is off

PASSWORD_REUSE

Password protection warning is triggered by password reuse

PHISHING_REUSE

Password protection warning is triggered by password reuse on a phishing page

realtimeUrlCheckMode
boolean

Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled

safeBrowsingProtectionLevel
string (SafeBrowsingProtectionLevel)

Represents the current value of the Safe Browsing protection level

Enum: Description
NO_SAFE_BROWSING

Safe Browsing is never active

STANDARD_PROTECTION

Safe Browsing is active in the standard mode

ENHANCED_PROTECTION

Safe Browsing is active in the enhanced mode

screenLockSecured
boolean

Indicates whether the device is password-protected

secureBootEnabled
boolean

Indicates whether the device's startup software has its Secure Boot feature enabled

siteIsolationEnabled
boolean

Indicates whether the Site Isolation (also known as Site Per Process) setting is enabled

thirdPartyBlockingEnabled
boolean

Indicates whether Chrome is blocking third-party software injection

windowsMachineDomain
string

Windows domain that the current machine has joined

windowsUserDomain
string

Windows domain for the current OS user

Responses
200

OK

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/device-assurances
Request samples
application/json
{
  • "name": "Device Assurance Android",
  • "osVersion": {
    • "minimum": 12
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true
}
Response samples
application/json
{
  • "id": "dae3m8o4rWhwReDeM1c5",
  • "name": "Device Assurance Android",
  • "lastUpdate": "2022-01-01T00:00:00.000Z",
  • "createdUpdate": "2022-01-01T00:00:00.000Z",
  • "lastUpdatedBy": "00u217pyf72CdUrBt1c5",
  • "createdBy": "00u217pyf72CdUrBt1c5",
  • "osVersion": {
    • "minimum": "12.4.5"
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true,
  • "_links": {}
}

Retrieve a Device Assurance Policy
OAuth 2.0: okta.deviceAssurance.read

Retrieves a Device Assurance Policy by deviceAssuranceId

Request
path Parameters
deviceAssuranceId
required
string

Id of the Device Assurance Policy

Responses
200

OK

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/device-assurances/{deviceAssuranceId}
Request samples
Response samples
application/json
{
  • "id": "dae3m8o4rWhwReDeM1c5",
  • "name": "Device Assurance Android",
  • "lastUpdate": "2022-01-01T00:00:00.000Z",
  • "createdUpdate": "2022-01-01T00:00:00.000Z",
  • "lastUpdatedBy": "00u217pyf72CdUrBt1c5",
  • "createdBy": "00u217pyf72CdUrBt1c5",
  • "osVersion": {
    • "minimum": "12.4.5"
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true,
  • "_links": {}
}

Replace a Device Assurance Policy
OAuth 2.0: okta.deviceAssurance.manage

Replaces a Device Assurance Policy by deviceAssuranceId

Request
path Parameters
deviceAssuranceId
required
string

Id of the Device Assurance Policy

Request Body schema: application/json
required
name
string

Display name of the Device Assurance Policy

platform
string (Platform)
object
include
Array of strings (DiskEncryptionTypeDesktop)
Items Value: "ALL_INTERNAL_VOLUMES"
object (OSVersionFourComponents)

Current version of the operating system (maximum of four components in the versioning scheme)

minimum
string
Array of objects (OSVersionConstraint) [ 1 .. 2 ] items
Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition.

There are two types of OS requirements:

  • Static: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with majorVersionConstraint and minimum.
  • Dynamic: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with majorVersionConstraint and dynamicVersionRequirement.

Note: Dynamic OS requirements are available only if the Dynamic OS version compliance self-service EA feature is enabled. The osVersionConstraints property is only supported for the Windows platform. You can't specify both osVersion.minimum and osVersionConstraints properties at the same time.

Array ([ 1 .. 2 ] items)
object

Contains the necessary properties for a dynamic Windows version requirement

majorVersionConstraint
required
string

Indicates the Windows major version

Enum: Description
WINDOWS_11

The device is on Windows 11

WINDOWS_10

The device is on Windows 10 or an older Windows version

minimum
string

The Windows device version must be equal to or newer than the specified version

object
include
Array of strings (ScreenLockType)
Items Enum: "BIOMETRIC" "NONE" "PASSCODE"
secureHardwarePresent
boolean
object

Settings for third-party signal providers (based on the WINDOWS platform)

object (DTCWindows)

Google Chrome Device Trust Connector provider

object (ChromeBrowserVersion)

Current version of the Chrome Browser

builtInDnsClientEnabled
boolean

Indicates if a software stack is used to communicate with the DNS server

chromeRemoteDesktopAppBlocked
boolean

Indicates whether access to the Chrome Remote Desktop application is blocked through a policy

crowdStrikeAgentId
string

Agent ID of an installed CrowdStrike agent

crowdStrikeCustomerId
string

Customer ID of an installed CrowdStrike agent

deviceEnrollmentDomain
string

Enrollment domain of the customer that is currently managing the device

diskEncrypted
boolean

Indicates whether the main disk is encrypted

keyTrustLevel
string (KeyTrustLevelBrowserKey)

Represents the attestation strength used by the Chrome Verified Access API

Enum: Description
CHROME_BROWSER_HW_KEY

Identity of the device was attested using a key pair that is OS encapsulated by a hardware layer

CHROME_BROWSER_OS_KEY

Identity of the device was attested using a key pair that is simply stored on the device but not in any specific hardware layer

osFirewall
boolean

Indicates whether a firewall is enabled at the OS-level on the device

object (OSVersionFourComponents)

Current version of the operating system (maximum of four components in the versioning scheme)

passwordProtectionWarningTrigger
string (PasswordProtectionWarningTrigger)

Indicates whether the Password Protection Warning feature is enabled

Enum: Description
PASSWORD_PROTECTION_OFF

Password protection warning is off

PASSWORD_REUSE

Password protection warning is triggered by password reuse

PHISHING_REUSE

Password protection warning is triggered by password reuse on a phishing page

realtimeUrlCheckMode
boolean

Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled

safeBrowsingProtectionLevel
string (SafeBrowsingProtectionLevel)

Represents the current value of the Safe Browsing protection level

Enum: Description
NO_SAFE_BROWSING

Safe Browsing is never active

STANDARD_PROTECTION

Safe Browsing is active in the standard mode

ENHANCED_PROTECTION

Safe Browsing is active in the enhanced mode

screenLockSecured
boolean

Indicates whether the device is password-protected

secureBootEnabled
boolean

Indicates whether the device's startup software has its Secure Boot feature enabled

siteIsolationEnabled
boolean

Indicates whether the Site Isolation (also known as Site Per Process) setting is enabled

thirdPartyBlockingEnabled
boolean

Indicates whether Chrome is blocking third-party software injection

windowsMachineDomain
string

Windows domain that the current machine has joined

windowsUserDomain
string

Windows domain for the current OS user

Responses
200

OK

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/device-assurances/{deviceAssuranceId}
Request samples
application/json
{
  • "name": "Device Assurance Android",
  • "osVersion": {
    • "minimum": 12
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true
}
Response samples
application/json
{
  • "id": "dae3m8o4rWhwReDeM1c5",
  • "name": "Device Assurance Android",
  • "lastUpdate": "2022-01-01T00:00:00.000Z",
  • "createdUpdate": "2022-01-01T00:00:00.000Z",
  • "lastUpdatedBy": "00u217pyf72CdUrBt1c5",
  • "createdBy": "00u217pyf72CdUrBt1c5",
  • "osVersion": {
    • "minimum": "12.4.5"
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true,
  • "_links": {}
}

Delete a Device Assurance Policy
OAuth 2.0: okta.deviceAssurance.manage

Deletes a Device Assurance Policy by deviceAssuranceId. If the Device Assurance Policy is currently being used in the org Authentication Policies, the delete will not be allowed.

Request
path Parameters
deviceAssuranceId
required
string

Id of the Device Assurance Policy

Responses
204

No Content

403

Forbidden

404

Not Found

409

Conflict

429

Too Many Requests

delete/api/v1/device-assurances/{deviceAssuranceId}
Request samples
Response samples
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}