Configure a device signal collection policy
Early Access
This guide describes how to use the Policies API to manage device signal collection policies in your org.
Note: This document is only for Okta Identity Engine. See Identify your Okta solution to determine your Okta version.
What you need
- Okta Integrator Free Plan org
- The Device Signal Collection Policy feature enabled for your org
- A test user account
- A test group in your org that the test user is added to
About device signal collection policies
Use device signal collection policies to collect contextual information about your user's registered devices and control how those registered devices are used during authentication. The device signal collection policies can collect information about registered devices and the platforms that devices use. Device signal collection policies are part of your authentication policies and they're closely related to your device assurance policies.
For example, you can use a device signal collection policy in the following use case.
One of your users has a registered device with Okta Verify and another authenticator, and you have an authentication policy that requires users to have registered devices when they sign in to Okta. You can use the device signal collection policy to check for devices that are registered with Okta Verify when users sign in. You can then configure the device signal collection policy to let users sign in to Okta with their other authenticator instead of using Okta Verify to automatically sign them in.
About platforms
You can use any of the following platforms as policy settings in your device signal collection policies:
ANDROID
CHROMEOS
IOS
MACOS
WINDOWS
See Platform.
About registered devices
You can use any of the following types of registered devices in your device signal collection policies:
- Okta Verify
- Chrome Device Trust connector
- Device posture IdP
How to configure device signal collection policies
To configure a device signal collection policy in your org, follow these steps:
Note: To configure a device signal collection policy in the Admin Console, see Create device signal collection rules.
- Create an authentication policy that checks for registered devices.
- Create a disabled device signal collection policy.
- Map the device signal collection policy to the authentication policy.
- Create a rule for the device signal collection policy.
- Review and then activate the device signal collection policy.
Configure an authentication policy for registered devices
Use the Create a policy endpoint to create an authentication policy.
Create your own POST request body or copy the example request and input your values.
- Ensure that the following request body parameters are set correctly:
  - Enter a value for name.
  - Set the type as ACCESS_POLICY.
  - Set the status of the policy as ACTIVE.
- Send the POST /api/v1/policies request.
- In the response, copy and paste the id of the policy into a text editor.
Create an authentication policy request example
{
  "name": "Device signal collection policy",
  "priority": 1,
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "conditions": null,
  "_embedded": {
    "resourceType": "string",
    "property1": {},
    "property2": {}
  }
}
Create a rule for registered devices
Use the Create a policy rule endpoint to create a rule for the authentication policy that requires devices to be registered.
Before you create the rule for registered devices, use the List all groups endpoint to retrieve the group id of your test group.
Create your own POST request body or copy the example request and input your values.
- Ensure that the following request body parameters are set correctly:
  - Enter a value for name.
  - Set the type as ACCESS_POLICY.
  - Set groupId as the id of your test group.
  - Set device.registered as true.
  - Include the device.managed property, and set it as false. In this example, the authentication policy rule doesn't apply to managed devices.
  - Set the status of the policy as ACTIVE.
- Send the POST /api/v1/policies/{policyId}/rules request.
Authentication policy rule for registered devices request example
{
  "name": "Registered devices rule",
  "type": "ACCESS_POLICY",
  "conditions": {
    "people": {
      "groups": {
        "include": [
          "{groupId}"
        ]
      }
    },
    "device": {
      "registered": true,
      "managed": false
    }
  },
  "actions": {
    "appSignOn": {
      "access": "ALLOW",
      "verificationMethod": {
        "factorMode": "2FA",
        "type": "ASSURANCE",
        "reauthenticateIn": "PT0S",
        "constraints": [
          {
            "possession": {
              "required": true,
              "userPresence": "OPTIONAL"
            }
          }
        ]
      }
    }
  }
}
Create a disabled device signal collection policy
After you've created the authentication policy for registered devices, use the Create a policy endpoint to create a disabled device signal collection policy. By setting the policy as disabled, you can review its rules and ensure that the policy is configured correctly before activating it.
Create your own POST request body or copy the example request and input your values.
- Set the following request body parameters:
  - Enter a value for name.
  - Set the type as DEVICE_SIGNAL_COLLECTION.
  - Set the status of the policy as INACTIVE.
- Send the POST /api/v1/policies request.
- In the response, copy and paste the id of the policy into a text editor.
Create a device signal collection policy request example
{
  "name": "Device signal collection policy",
  "type": "DEVICE_SIGNAL_COLLECTION",
  "status": "INACTIVE"
}
Create a device signal collection policy response example
{
  "id": "rst8jpde42q54pj090g7",
  "status": "INACTIVE",
  "name": "Device signal collection policy",
  "priority": 1,
  "system": false,
  "conditions": null,
  "created": "2025-06-05T18:52:21.000Z",
  "lastUpdated": "2025-06-05T18:52:21.000Z",
  "_links": {
    "mappings": {
      "href": "https://{yourOktaDomain}/api/v1/policies/rst8jpde42q54pj090g7/mappings",
      "hints": {
        "allow": [
          "GET",
          "POST"
        ]
      }
    },
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/policies/rst8jpde42q54pj090g7",
      "hints": {
        "allow": [
          "GET",
          "PUT",
          "DELETE"
        ]
      }
    },
    "rules": {
      "href": "https://{yourOktaDomain}/api/v1/policies/rst8jpde42q54pj090g7/rules",
      "hints": {
        "allow": [
          "GET",
          "POST"
        ]
      }
    },
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/policies/rst8jpde42q54pj090g7/lifecycle/deactivate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  },
  "type": "DEVICE_SIGNAL_COLLECTION"
}
Map the device signal collection policy to the authentication policy
You must associate device signal collection policies with authentication policies. You can do this by mapping the device signal collection policy id to the authentication policy id.
Use the Map a resource to a policy endpoint to map your device signal collection policy to your authentication policy.
Create your own POST request body or copy the example request and input your values.
- In the path parameters, use the device signal collection policy id as the policyId.
- In the request body, set the following parameters:
  - Use the id of the authentication policy as the resourceId.
  - Set the resourceType as APP.
- Send the POST /api/v1/policies/{policyId}/mappings request.
Map the device signal collection policy request example
{
  "resourceId": "{AuthenticationPolicyId}",
  "resourceType": "APP"
}
Create a device signal collection policy rule
In this example, create a rule that checks for Okta Verify registered devices when those devices are on IOS and ANDROID platforms, and allows users to choose which authenticator they want to use to authenticate.
Use the Create a policy rule endpoint to create a device signal collection policy rule.
Create your own POST request body or copy the example request and input your values.
- In the path parameters, set the device signal collection policy id as the policyId.
- Set the following request body parameters:
  - Enter a value for name.
  - Set the type as DEVICE_SIGNAL_COLLECTION.
  - Set the deviceContextProviders.key as OKTA_VERIFY.
  - Set the deviceContextProviders.userIdentification as IGNORE so that users can choose which authenticator to use when they sign in.
  - Include IOS and ANDROID as platform conditions.
- Send the POST /api/v1/policies/{policyId}/rules request.
Create a device signal collection policy rule request example
{
  "name": "Device signal collection rule",
  "actions": {
    "deviceSignalCollection": {
      "deviceContextProviders": [
        {
          "key": "OKTA_VERIFY",
          "userIdentification": "IGNORE"
        }
      ]
    }
  },
  "conditions": {
    "platform": {
      "include": [
        {
          "type": "MOBILE",
          "os": {
            "type": "IOS"
          }
        },
        {
          "type": "MOBILE",
          "os": {
            "type": "ANDROID"
          }
        }
      ]
    }
  },
  "type": "DEVICE_SIGNAL_COLLECTION"
}
Activate the device signal collection policy
Review the device signal collection policy and the rule that you created. Ensure that they're configured with the correct settings.
After you've reviewed the policy and rule, use the Activate a policy endpoint to activate the policy.
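The steps from the disabled policy through activation, with the review turned into a gate, as an added example that is not Okta's code. The function names and the `send(method, path, body)` transport are hypothetical; the request bodies and paths follow this page, and `/lifecycle/activate` is the activate counterpart of the `deactivate` link shown in the response example.

```python
PLATFORMS = {"ANDROID", "CHROMEOS", "IOS", "MACOS", "WINDOWS"}  # listed on the page
def dsc_rule(key, user_identification, os_types):
    """Rule body in the page's shape; the page shows "MOBILE" for IOS/ANDROID."""
    return {
        "name": "Device signal collection rule",
        "type": "DEVICE_SIGNAL_COLLECTION",
        "actions": {"deviceSignalCollection": {"deviceContextProviders": [
            {"key": key, "userIdentification": user_identification}]}},
        "conditions": {"platform": {"include": [
            {"type": "MOBILE", "os": {"type": t}} for t in os_types]}},
    }

def review(policy, rules, want_key, want_os):
    """Return the problems that should block activation (empty list = pass)."""
    problems = []
    if policy.get("type") != "DEVICE_SIGNAL_COLLECTION":
        problems.append("policy type is not DEVICE_SIGNAL_COLLECTION")
    if policy.get("status") != "INACTIVE":
        problems.append("policy is not INACTIVE while under review")
    if not rules:
        problems.append("policy has no rules")
    for rule in rules:
        name = rule.get("name")
        acts = rule.get("actions", {}).get("deviceSignalCollection", {})
        keys = {p.get("key") for p in acts.get("deviceContextProviders", [])}
        if want_key not in keys:
            problems.append(f"{name}: provider {want_key} not configured")
        incl = rule.get("conditions", {}).get("platform", {}).get("include", [])
        seen = {str(p.get("os", {}).get("type")) for p in incl}
        if seen - PLATFORMS:
            problems.append(f"{name}: unknown platform {sorted(seen - PLATFORMS)}")
        if seen != set(want_os):
            problems.append(f"{name}: platforms {sorted(seen)}, want {sorted(want_os)}")
    return problems

def configure(send, auth_policy_id, want_key="OKTA_VERIFY", want_os=("IOS", "ANDROID")):
    """Create disabled, map, add rule, review, then activate only on a clean review."""
    # send(method, path, body) is an assumed transport returning parsed JSON.
    policy = send("POST", "/api/v1/policies", {
        "name": "Device signal collection policy",
        "type": "DEVICE_SIGNAL_COLLECTION", "status": "INACTIVE"})
    base = f"/api/v1/policies/{policy['id']}"
    send("POST", base + "/mappings", {"resourceId": auth_policy_id, "resourceType": "APP"})
    send("POST", base + "/rules", dsc_rule(want_key, "IGNORE", want_os))
    problems = review(send("GET", base, None), send("GET", base + "/rules", None),
                      want_key, want_os)
    if not problems:
        send("POST", base + "/lifecycle/activate", None)
    return policy["id"], problems
```

The review reads the policy and its rules back from the org rather than trusting the bodies that were sent, so a rule edited in the Admin Console in the meantime is also checked before activation.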
Review the System Log
Review your System Log events to see if your device signal collection policy is triggered correctly. The device signal collection policy is included as a target of the policy.evaluate_sign_on event type. See System Log query and Event Types.