Device Assurance Policies

The Device Assurance Policies API provides operations to manage device assurance policies in your organization.

List all device assurance policies
Identity Engine
OAuth 2.0:
  • okta.deviceAssurance.read

Lists all device assurance policies

Responses
200

OK

403

Forbidden

429

Too Many Requests

get/api/v1/device-assurances
Request samples 
Response samples 
application/json
[
  • {
    • "createdBy": "string",
    • "createdDate": "string",
    • "devicePostureChecks": {
      },
    • "displayRemediationMode": "SHOW",
    • "gracePeriod": {
      },
    • "id": "string",
    • "lastUpdate": "string",
    • "lastUpdatedBy": "string",
    • "name": "string",
    • "platform": "ANDROID",
    • "_links": {
      }
    }
]
Create a device assurance policy
Identity Engine
OAuth 2.0: 
  • okta.deviceAssurance.manage
Creates a new device assurance policy


Request 
Request Body schema: application/json
required
object (DevicePostureChecks) 
Represents the Device Posture Checks configuration for the device assurance policy


 
include
Array of arrays
An array of key value pairs including Device Posture Check variableNames


 
displayRemediationMode
string
Represents the remediation mode of this device assurance policy when users are denied access due to device noncompliance


 Enum: Description
HIDE
Hide remediation instructions in the Sign-In Widget


SHOW
Display remediation instructions in the Sign-In Widget


 
object (GracePeriod) 
Represents the Grace Period configuration for the device assurance policy


 
ByDateTimeExpiry (string) or ByDurationExpiry (string)
 
One of:
An ISO 8601 formatted date and time.


string <date-time>  (ByDateTimeExpiry) 
 
type
string
Represents the type of Grace Period configured for the device assurance policy


 Enum: Description
BY_DATE_TIME
The Grace Period configured for this device assurance policy expires at a specified date and time


BY_DURATION
The Grace Period configured for this device assurance policy expires after a specified duration


 
name
string
Display name of the device assurance policy


 
platform
string (Platform) 
 
object
 
include
Array of strings (DiskEncryptionTypeDesktop) 
Items Value: "ALL_INTERNAL_VOLUMES"  
object (OSVersionFourComponents) 
Current version of the operating system (maximum of four components in the versioning scheme)


 
minimum
string
 
Array of objects (OSVersionConstraint)   [ 1 .. 2 ] items 
Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition.


There are two types of OS requirements:


    

  • Static: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with majorVersionConstraint and minimum.
    • 

  • Dynamic: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with majorVersionConstraint and dynamicVersionRequirement.
    • 





Note: Dynamic OS requirements are available only if the Dynamic OS version compliance self-service EA feature is enabled. The osVersionConstraints property is only supported for the Windows platform. You can't specify both osVersion.minimum and osVersionConstraints properties at the same time.




 
 Array ([ 1 .. 2 ] items)
majorVersionConstraint
required
string
Indicates the Windows major version


 Enum: Description
WINDOWS_11
The device is on Windows 11


WINDOWS_10
The device is on Windows 10 or an older Windows version


 
object
Contains the necessary properties for a dynamic Windows version requirement


 
minimum
string
The Windows device version must be equal to or newer than the specified version


 
object
 
include
Array of strings (ScreenLockType) 
Items Enum: "BIOMETRIC" "NONE" "PASSCODE"  
secureHardwarePresent
boolean
 
object
Settings for third-party signal providers (based on the WINDOWS platform)


 
object (DTCWindows) 
Google Chrome Device Trust Connector provider


 
object (ChromeBrowserVersion) 
Current version of the Chrome Browser


 
builtInDnsClientEnabled
boolean
Indicates if a software stack is used to communicate with the DNS server


 
chromeRemoteDesktopAppBlocked
boolean
Indicates whether access to the Chrome Remote Desktop application is blocked through a policy


 
crowdStrikeAgentId
string
Agent ID of an installed CrowdStrike agent


 
crowdStrikeCustomerId
string
Customer ID of an installed CrowdStrike agent


 
deviceEnrollmentDomain
string
Enrollment domain of the customer that is currently managing the device


 
diskEncrypted
boolean
Indicates whether the main disk is encrypted


 
keyTrustLevel
string (KeyTrustLevelBrowserKey) 
Represents the attestation strength used by the Chrome Verified Access API


 Enum: Description
CHROME_BROWSER_HW_KEY
Identity of the device was attested using a key pair that is OS encapsulated by a hardware layer


CHROME_BROWSER_OS_KEY
Identity of the device was attested using a key pair that is simply stored on the device but not in any specific hardware layer


 
osFirewall
boolean
Indicates whether a firewall is enabled at the OS-level on the device


 
object (OSVersionFourComponents) 
Current version of the operating system (maximum of four components in the versioning scheme)


 
passwordProtectionWarningTrigger
string (PasswordProtectionWarningTrigger) 
Indicates whether the Password Protection Warning feature is enabled


 Enum: Description
PASSWORD_PROTECTION_OFF
Password protection warning is off


PASSWORD_REUSE
Password protection warning is triggered by password reuse


PHISHING_REUSE
Password protection warning is triggered by password reuse on a phishing page


 
realtimeUrlCheckMode
boolean
Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled


 
safeBrowsingProtectionLevel
string (SafeBrowsingProtectionLevel) 
Represents the current value of the Safe Browsing protection level


 Enum: Description
NO_SAFE_BROWSING
Safe Browsing is never active


STANDARD_PROTECTION
Safe Browsing is active in the standard mode


ENHANCED_PROTECTION
Safe Browsing is active in the enhanced mode


 
screenLockSecured
boolean
Indicates whether the device is password-protected


 
secureBootEnabled
boolean
Indicates whether the device's startup software has its Secure Boot feature enabled


 
siteIsolationEnabled
boolean
Indicates whether the Site Isolation (also known as Site Per Process) setting is enabled


 
thirdPartyBlockingEnabled
boolean
 Deprecated 
Indicates whether Chrome is blocking third-party software injection


 
windowsMachineDomain
string
Windows domain that the current machine has joined


 
windowsUserDomain
string
Windows domain for the current OS user


 
Responses 
200
OK


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/device-assurances
Request samples 
application/json
{
  • "name": "Device assurance Android",
  • "osVersion": {
    • "minimum": 12
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true
}
Response samples 
application/json
{
  • "id": "dae3m8o4rWhwReDeM1c5",
  • "name": "Device assurance Android",
  • "lastUpdate": "2022-01-01T00:00:00.000Z",
  • "createdUpdate": "2022-01-01T00:00:00.000Z",
  • "lastUpdatedBy": "00u217pyf72CdUrBt1c5",
  • "createdBy": "00u217pyf72CdUrBt1c5",
  • "osVersion": {
    • "minimum": "12.4.5"
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true,
  • "_links": {}
}
Retrieve a device assurance policy
Identity Engine
OAuth 2.0: 
  • okta.deviceAssurance.read
Retrieves a device assurance policy by deviceAssuranceId


Request 
path Parameters
deviceAssuranceId
required
string
Id of the device assurance policy


 
Responses 
200
OK


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/device-assurances/{deviceAssuranceId}
Request samples 
Response samples 
application/json
{
  • "id": "dae3m8o4rWhwReDeM1c5",
  • "name": "Device assurance Android",
  • "lastUpdate": "2022-01-01T00:00:00.000Z",
  • "createdUpdate": "2022-01-01T00:00:00.000Z",
  • "lastUpdatedBy": "00u217pyf72CdUrBt1c5",
  • "createdBy": "00u217pyf72CdUrBt1c5",
  • "osVersion": {
    • "minimum": "12.4.5"
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true,
  • "_links": {}
}
Replace a device assurance policy
Identity Engine
OAuth 2.0: 
  • okta.deviceAssurance.manage
Replaces a device assurance policy by deviceAssuranceId


Request 
path Parameters
deviceAssuranceId
required
string
Id of the device assurance policy


 
Request Body schema: application/json
required
object (DevicePostureChecks) 
Represents the Device Posture Checks configuration for the device assurance policy


 
include
Array of arrays
An array of key value pairs including Device Posture Check variableNames


 
displayRemediationMode
string
Represents the remediation mode of this device assurance policy when users are denied access due to device noncompliance


 Enum: Description
HIDE
Hide remediation instructions in the Sign-In Widget


SHOW
Display remediation instructions in the Sign-In Widget


 
object (GracePeriod) 
Represents the Grace Period configuration for the device assurance policy


 
ByDateTimeExpiry (string) or ByDurationExpiry (string)
 
One of:
An ISO 8601 formatted date and time.


string <date-time>  (ByDateTimeExpiry) 
 
type
string
Represents the type of Grace Period configured for the device assurance policy


 Enum: Description
BY_DATE_TIME
The Grace Period configured for this device assurance policy expires at a specified date and time


BY_DURATION
The Grace Period configured for this device assurance policy expires after a specified duration


 
name
string
Display name of the device assurance policy


 
platform
string (Platform) 
 
object
 
include
Array of strings (DiskEncryptionTypeDesktop) 
Items Value: "ALL_INTERNAL_VOLUMES"  
object (OSVersionFourComponents) 
Current version of the operating system (maximum of four components in the versioning scheme)


 
minimum
string
 
Array of objects (OSVersionConstraint)   [ 1 .. 2 ] items 
Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition.


There are two types of OS requirements:


    

  • Static: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with majorVersionConstraint and minimum.
    • 

  • Dynamic: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with majorVersionConstraint and dynamicVersionRequirement.
    • 





Note: Dynamic OS requirements are available only if the Dynamic OS version compliance self-service EA feature is enabled. The osVersionConstraints property is only supported for the Windows platform. You can't specify both osVersion.minimum and osVersionConstraints properties at the same time.




 
 Array ([ 1 .. 2 ] items)
majorVersionConstraint
required
string
Indicates the Windows major version


 Enum: Description
WINDOWS_11
The device is on Windows 11


WINDOWS_10
The device is on Windows 10 or an older Windows version


 
object
Contains the necessary properties for a dynamic Windows version requirement


 
minimum
string
The Windows device version must be equal to or newer than the specified version


 
object
 
include
Array of strings (ScreenLockType) 
Items Enum: "BIOMETRIC" "NONE" "PASSCODE"  
secureHardwarePresent
boolean
 
object
Settings for third-party signal providers (based on the WINDOWS platform)


 
object (DTCWindows) 
Google Chrome Device Trust Connector provider


 
object (ChromeBrowserVersion) 
Current version of the Chrome Browser


 
builtInDnsClientEnabled
boolean
Indicates if a software stack is used to communicate with the DNS server


 
chromeRemoteDesktopAppBlocked
boolean
Indicates whether access to the Chrome Remote Desktop application is blocked through a policy


 
crowdStrikeAgentId
string
Agent ID of an installed CrowdStrike agent


 
crowdStrikeCustomerId
string
Customer ID of an installed CrowdStrike agent


 
deviceEnrollmentDomain
string
Enrollment domain of the customer that is currently managing the device


 
diskEncrypted
boolean
Indicates whether the main disk is encrypted


 
keyTrustLevel
string (KeyTrustLevelBrowserKey) 
Represents the attestation strength used by the Chrome Verified Access API


 Enum: Description
CHROME_BROWSER_HW_KEY
Identity of the device was attested using a key pair that is OS encapsulated by a hardware layer


CHROME_BROWSER_OS_KEY
Identity of the device was attested using a key pair that is simply stored on the device but not in any specific hardware layer


 
osFirewall
boolean
Indicates whether a firewall is enabled at the OS-level on the device


 
object (OSVersionFourComponents) 
Current version of the operating system (maximum of four components in the versioning scheme)


 
passwordProtectionWarningTrigger
string (PasswordProtectionWarningTrigger) 
Indicates whether the Password Protection Warning feature is enabled


 Enum: Description
PASSWORD_PROTECTION_OFF
Password protection warning is off


PASSWORD_REUSE
Password protection warning is triggered by password reuse


PHISHING_REUSE
Password protection warning is triggered by password reuse on a phishing page


 
realtimeUrlCheckMode
boolean
Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled


 
safeBrowsingProtectionLevel
string (SafeBrowsingProtectionLevel) 
Represents the current value of the Safe Browsing protection level


 Enum: Description
NO_SAFE_BROWSING
Safe Browsing is never active


STANDARD_PROTECTION
Safe Browsing is active in the standard mode


ENHANCED_PROTECTION
Safe Browsing is active in the enhanced mode


 
screenLockSecured
boolean
Indicates whether the device is password-protected


 
secureBootEnabled
boolean
Indicates whether the device's startup software has its Secure Boot feature enabled


 
siteIsolationEnabled
boolean
Indicates whether the Site Isolation (also known as Site Per Process) setting is enabled


 
thirdPartyBlockingEnabled
boolean
 Deprecated 
Indicates whether Chrome is blocking third-party software injection


 
windowsMachineDomain
string
Windows domain that the current machine has joined


 
windowsUserDomain
string
Windows domain for the current OS user


 
Responses 
200
OK


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/device-assurances/{deviceAssuranceId}
Request samples 
application/json
{
  • "name": "Device assurance Android",
  • "osVersion": {
    • "minimum": 12
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true
}
Response samples 
application/json
{
  • "id": "dae3m8o4rWhwReDeM1c5",
  • "name": "Device assurance Android",
  • "lastUpdate": "2022-01-01T00:00:00.000Z",
  • "createdUpdate": "2022-01-01T00:00:00.000Z",
  • "lastUpdatedBy": "00u217pyf72CdUrBt1c5",
  • "createdBy": "00u217pyf72CdUrBt1c5",
  • "osVersion": {
    • "minimum": "12.4.5"
    },
  • "diskEncryptionType": {
    • "include": [
      ]
    },
  • "jailbreak": false,
  • "platform": "ANDROID",
  • "screenLockType": {
    • "include": [
      ]
    },
  • "secureHardwarePresent": true,
  • "_links": {}
}
Delete a device assurance policy
Identity Engine
OAuth 2.0: 
  • okta.deviceAssurance.manage
Deletes a device assurance policy by deviceAssuranceId. If the device assurance policy is currently being used in the org Authentication Policies, the delete will not be allowed.


Request 
path Parameters
deviceAssuranceId
required
string
Id of the device assurance policy


 
Responses 
204
No Content


403
Forbidden


404
Not Found


409
Conflict


429
Too Many Requests


delete/api/v1/device-assurances/{deviceAssuranceId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}