Why Mobile Device Security Matters

With an increasing number of employees working remotely or on the go, company devices have become gateways to sensitive corporate data. A compromised or outdated device can expose your network to threats such as malware, data leakage, or unauthorized access. By enforcing minimum security requirements, including OS updates, passcodes, and biometric protections, you can significantly reduce risk and protect both company and customer information.

OS Update Policy

Keeping operating systems up to date is one of the simplest yet most effective defenses against emerging vulnerabilities.

A typical OS‑update policy might include:

• Monthly Review Date: Assess and update minimum supported versions on a regular, predictable schedule. For example, on every first working day of the month,assess and set the minimum OS level for different platforms.

  • Android Devices: Require security patches to be no older than six months and ensure the OS is within two major versions of the latest release. This policy is less tight then for iOS devices, since Android devices is more fragmented and not getting updates in the same time as iOS devices.

  • macOS / Windows - Require updates to be installed at least one month after their public release.

  • iOS Devices: Require updates to be installed at least two weeks after their public release.

By aligning update requirements with vendor release schedules and official security bulletins, organizations can ensure that devices remain protected against known threats.

Example of Device Assurance Policies

Android

• Okta Verify installed and configured

• Android 14 or higher

• Security patch ≥ 2025‑03‑05 (Android Security Bulletin – March 2025)

• Screen lock | Biometrics - enabled

• Not rooted

iOS

• Okta Verify installed

• iOS 18.5 or higher

• Passcode | Touch ID or Face ID enabled

• Not jailbroken

macOS

• Okta Verify installed

• macOS version ≥ 15.5

• Disk encryption enabled

• Secure Enclave presented

Windows

• Okta Verify installed

• OS Windows 10 22H2 (10.0.19045.5854) or higher

• OS Windows 11 24H2 (10.0.22631.5335) or higher

• Windows Hello enabled

• Disk encryption enabled

• Trusted Platform Module presented

Streamlining Access with Okta Workforce Identity

1. Automated Device Enrollment
   Employees install the Okta Verify app during initial setup. Once they authenticate, Okta automatically checks device compliance against Okta policy and issues a device certificate, enabling passwordless and MFA-secured access.

2. Conditional Access Policies
   Okta’s policy engine evaluates device posture in real time. If a device falls out of compliance - say, it’s running an outdated OS - access is automatically restricted until the user updates and re-authenticates, eliminating manual IT intervention.

3. Seamless Multi-Factor Authentication (MFA)
   Okta Verify’s built‑in biometrics ensure strong authentication without adding burden.

4. Unified Visibility and Reporting
   Through Okta’s admin console, your security team gains a centralized view of all enrolled devices, compliance statuses, and access attempts. You can setup SIEM alerts notify your security team of non-compliant devices or anomalous activities, enabling swift remediation.

Communicating Policy Updates

Effective communication is key to driving adoption and compliance. You may implement:

• Monthly Newsletters: Summarize upcoming OS changes, highlight new security features, and remind users of the next review date.

• Knowledge Base Articles: Step-by-step guides on updating OS, setting passcodes, and enrolling devices.

By keeping your employees informed and engaged, you can minimize disruptions and foster a security-first culture.

Best Practices for Employees

• Regularly Check for Updates: Enable automatic OS and security patch installs when possible.

• Use Strong, Unique Passcodes: Avoid simple PINs; opt for alphanumeric passcodes if supported.

• Enable Biometrics: Face ID or Touch ID adds an extra layer of protection and accelerates login.

• Never Jailbreak or Root: Circumventing manufacturer restrictions voids warranty, disables critical security controls, and breaches corporate policy.

Conclusion

By combining clear OS update policies, stringent device requirements, and dynamic conditional access, you can empower employees to work securely from any device. Ongoing communication ensures everyone stays informed.- and keeps our corporate data safe.

Disclaimer: The views expressed in this article are my own and do not represent the official position or policies of any employer.

Why Use Universal Logout with Okta ITP and Salesforce?

As enterprises expand their application ecosystems, controlling user session termination across all platforms becomes increasingly complex. Universal Logout streamlines this process by allowing to sign out users of one application and end sessions across multiple apps, which is particularly useful in preventing unauthorized access.

When combined with Okta ITP, Universal Logout provides added security. By configuring policies that trigger based on specific user or device activities, admins gain granular control over user access. For organizations using Salesforce, setting up Universal Logout with Okta ITP ensures that Salesforce sessions are securely closed, mitigating risks related to unattended, stale sessions.

Prerequisites

To configure Universal Logout for Okta and Salesforce, ensure you have:

• Okta tenant with ITP configured.

• Salesforce with API access and permission to manage session settings.

• Okta and Salesforce integration in place (Single Sign-On (SSO) enabled).

• Admin rights on both Okta and Salesforce to make necessary configuration changes

Step 1: Enable API Access and Session Management in Salesforce

1. Log into Salesforce with Admin credentials.

2. Navigate to Setup → Platform Tools → Apps → App Manager.

3. Create a New Connected App → Create a Connected App

   

4. Setup Connected app. You need to provide a Callback URL as well as define OAuth scopes. Taking into consideration the least privileged access.

   • Callback URL - https://system-admin.okta.com/admin/app/generic/oauth20redirect

   • OAuth Scopes - id,profile,email,address,phone,openid,api

   • Remove checkbox - Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows

5. Once you will hit save you will be landed to Application Page in Salesforce, here you need to obtain Consumer Details such as Consumer Key and Consumer Secret by pressing button Manage Consumer Details.

   

6. Navigate to Okta → Applications → Salesforce and choose tab Authentication.
   On the bottom of the page, you will section Logout, you need to tick this checkbox provide the Consumer Client Key and Secret, and then authenticate in the app. Upon completing those steps you will see the message “Salesforce.com account is connected”

   

   7. You can test logout by Clearing sessions and revoking tokens from the user profile.
      Don’t forget to tick the checkbox

   8. 

Sources

• AuthSession Object Reference for the Salesforce Platform

• Universal Logout

• Configure Universal Logout for third-party apps

• Configure Universal Logout for generic SAML and OIDC apps

• Build a Universal Logout for your app

• Universal Logout revocations