*Jul 26, 2025*
Device Trust is like a smart gatekeeper—it only lets you into company apps if your device is **managed, enrolled, and healthy**. That means employees are required to use devices enrolled in an MDM such as **Jamf** or **Intune**, with an up-to-date OS, EDR running, disk encryption enabled, and other key compliance checks in place before they can access company resources. This works through **Managed Device Attestation**, which gives the Identity Provider (IdP) real-time, verifiable proof of the device's identity and management status, so the IdP can decide whether the device you're using is trusted.
Unlike traditional VPNs, where once you’re in, you’re in, Device Trust enforces **app-level, least-privilege access** based on real-time device posture. Unmanaged or compromised devices are blocked by default. So you get stronger security, fewer sketchy access attempts, and users only get access to the apps they actually need.
In this post, I’ll walk you through how to set up Device Trust using **Jamf Pro** for macOS, **Intune** for Windows, and **Okta** as the Identity Provider.
# Okta Setup
![[okta-color.png|256]]
> [!important] **Save yourself some troubleshooting time**
> Make sure devices have the correct date and time. If the clock is not accurate, Okta Verify won’t be able to authenticate—and users may get blocked from logging into scoped Okta apps on managed laptops.
### 1. Authentication Policies
> [!info] Okta Admin > Security > Authentication Policies
[^1]Authentication policies define and enforce access requirements for apps. Every app in your org already has a default authentication policy. You can customize the policy by creating rules that regulate, among other things, who can access an app, from what locations, on what types of devices, and using what authentication methods.
### 2. Device Assurance Policies
> [!info] Okta Admin > Security > Device Assurance Policies
[^2]With device assurance policies you can check sets of security-related device attributes as part of your authentication policies. For example, you can configure a device assurance policy to check whether a specific operating system version or security patch is installed on a device before that device can be used to access Okta-protected resources. By adding device checks to authentication policy rules, you can establish minimum requirements for the devices that have access to systems and applications in your organization.
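To make the two concepts above concrete (an app authentication policy rule that requires a managed device, and a device assurance policy that sets minimum OS and encryption requirements), here is a small simulation of the decision an IdP makes. This is an added example written for this post, not Okta's code or its API: the posture attributes, policy fields and sample devices are assumptions chosen to mirror the concepts, and the device records are constructed data.

```python
"""Simplified model of how an IdP combines a device-assurance check with an
app-level authentication-policy rule.

Added example for this post, not Okta's code or API: attribute names, policy
fields and the sample devices below are assumptions; device records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Posture claims the IdP receives from device attestation (assumed shape)."""
    platform: str          # e.g. "macos" or "windows"
    os_version: str        # dotted version string, e.g. "14.5"
    managed: bool          # enrolled in the MDM (Jamf / Intune)
    disk_encrypted: bool   # FileVault / BitLocker on
    edr_running: bool      # endpoint detection agent healthy
    screen_lock: bool      # screen lock / passcode configured


@dataclass(frozen=True)
class AssurancePolicy:
    """Minimum device requirements, analogous to a device assurance policy."""
    platform: str
    min_os_version: str
    require_disk_encryption: bool = True
    require_edr: bool = True
    require_screen_lock: bool = True


@dataclass(frozen=True)
class AppRule:
    """One rule of an app's authentication policy (assumed structure)."""
    app: str
    allowed_groups: frozenset[str]
    require_managed: bool
    assurance_policies: tuple[AssurancePolicy, ...]


@dataclass
class AccessDecision:
    allowed: bool
    reasons: list[str]   # empty when allowed; otherwise why access was denied


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '13.6.7' into (13, 6, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assurance_failures(device: DevicePosture, policy: AssurancePolicy) -> list[str]:
    """Return every requirement of `policy` that `device` does not meet."""
    failures = []
    if parse_version(device.os_version) < parse_version(policy.min_os_version):
        failures.append(f"OS {device.os_version} is below minimum {policy.min_os_version}")
    if policy.require_disk_encryption and not device.disk_encrypted:
        failures.append("disk encryption is off")
    if policy.require_edr and not device.edr_running:
        failures.append("EDR agent is not running")
    if policy.require_screen_lock and not device.screen_lock:
        failures.append("no screen lock configured")
    return failures


def evaluate_access(user_groups: set[str], device: DevicePosture, rule: AppRule) -> AccessDecision:
    """Decide app access from user group, device management state and device assurance.

    Deny-by-default: any unmet condition produces a reason and blocks access.
    """
    reasons = []
    if not (user_groups & rule.allowed_groups):
        reasons.append("user is not in a group allowed for this app")
    if rule.require_managed and not device.managed:
        reasons.append("device is not managed")
    # A device passes assurance if it satisfies at least one policy for its platform.
    matching = [p for p in rule.assurance_policies if p.platform == device.platform]
    if not matching:
        reasons.append(f"no device assurance policy covers platform {device.platform}")
    else:
        results = [assurance_failures(device, p) for p in matching]
        if all(results):               # every matching policy reported failures
            reasons.extend(results[0])
    return AccessDecision(allowed=not reasons, reasons=reasons)


# Constructed sample policy and devices (not taken from the post).
MACOS_BASELINE = AssurancePolicy(platform="macos", min_os_version="14.0")
WINDOWS_BASELINE = AssurancePolicy(platform="windows", min_os_version="10.0.19045")
HR_APP_RULE = AppRule(
    app="hr-portal",
    allowed_groups=frozenset({"employees"}),
    require_managed=True,
    assurance_policies=(MACOS_BASELINE, WINDOWS_BASELINE),
)
CORP_MAC = DevicePosture("macos", "14.5", True, True, True, True)
PERSONAL_MAC = DevicePosture("macos", "14.5", False, True, False, True)
STALE_WINDOWS = DevicePosture("windows", "10.0.19041", True, True, True, True)

if __name__ == "__main__":
    for device in (CORP_MAC, PERSONAL_MAC, STALE_WINDOWS):
        decision = evaluate_access({"employees"}, device, HR_APP_RULE)
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(device.platform, device.os_version, "->", verdict, decision.reasons)
```

Two design points carry over to the real configuration: the decision is deny-by-default (an unmanaged or unknown-platform device never gets a pass by omission), and versions are compared numerically so that a minimum like `10.0.19045` is not defeated by string ordering.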
### 3. Authenticators
> [!info] Okta Admin > Security > Authenticators
[^3]Multifactor authentication (MFA) means that users must verify their identity in two or more ways to gain access to their account. This makes it harder for unauthorized parties to sign in to a user's account. It's unlikely that they have access to all authentication methods.
# Jamf Pro Setup
![[jamf-color.png|256]]
# Intune Setup
![[intune-color.png|256]]
---
#device-trust #okta #jamf #intune #macos #windows
[^1]: https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/add-app-signon-policy-desktop.htm
[^2]: https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/device-assurance.htm
[^3]: https://developer.okta.com/docs/guides/authenticators-overview/main/