Control what devices can be used to access resources
If you’re an MSP or IT service provider looking for a way to check device compliance before users hit MFA and SSO for their SaaS apps, you’ve come to the right place. When you use Okta, there are three main ways you can do this: (1) integrate Okta with an endpoint/device management platform, (2) use Okta device assurance to check posture on managed or unmanaged devices, or (3) layer both for a stronger Zero Trust strategy. For SMB clients that don’t warrant full device trust, Okta device assurance provides policy-driven checks—minimum OS version, patch/update status, disk encryption, screen lock, and management state—so you can block or remediate devices before access. And with ZeroTek, MSPs and IT service providers can configure and scale these Okta controls across many small and mid-sized business clients quickly.
What MSPs can verify at sign-in with Okta device assurance
Okta evaluates device posture in real time and enforces access accordingly. Typical controls include:
- Minimum OS versions (Windows build, macOS release, iOS/Android version)
- Patch/update recency within a defined time window
- Disk encryption and screen lock enabled
- Management state
- Other posture signals
You attach Okta device assurance policies to authentication policy rules, so you can configure the right baseline for each app or group. It’s useful to have this flexibility, since you’ll often have clients where device assurance is really only warranted for a subset of sensitive apps and highly privileged users.
Use device assurance policies on their own, or layer device assurance with device trust as part of your broader Zero Trust strategy.
Why MSPs deliver Okta through ZeroTek
ZeroTek makes Okta’s enterprise-grade identity and access management (IAM) technology ideal for MSPs—and their SMB clients.
- Built for how you operate. Get multi-tenant control of all your client Okta orgs, MSP-ready role-based access control (RBAC), and strong standardized baselines you can clone across clients.
- Faster time to value. Spin up Okta orgs in seconds, set up field-tested Okta configurations in minutes, and roll out changes safely in phases.
- Flexible licensing. Usage-based billing maps cleanly to your managed services pricing for your SMB clients and makes it easy to scale.
Guiding principles
Device assurance policies are platform specific. Conditions you set for Windows devices won’t apply to macOS; you’ll use different policies for different platforms. Define posture baselines per platform—Android, ChromeOS, iOS, macOS, and Windows—so Okta device assurance can verify device compliance accurately at sign-in.
Target and test first. Even with ZeroTek’s proven guidance, start with a pilot group and a single app. Attach your device assurance policy or policies to the relevant authentication policy rule, then monitor authentications and remediation prompts. Validate that everything is working as expected before expanding coverage.
Quick setup blueprint for admins
- Deploy Okta FastPass (if it isn’t already). Okta device assurance requires that Okta FastPass be in place first. (But with or without device assurance, ZeroTek recommends deploying FastPass anyway—because there’s no better way to deliver a low-friction, high-security, passwordless experience for your clients.)
- Create your device assurance policies and define compliance standards for each target group or app.
- Attach device assurance to an Okta authentication policy rule. As suggested above, test device assurance in a targeted way first.
- Expand across groups, apps, and clients as required.
- Optionally add device trust for managed-only device access for the most sensitive applications.
What this means for your service line
- Measurable risk reduction without agents or custom scripts.
- Lower support friction. Compliant users sail through with FastPass; non-compliant devices see remediation prompts.
- Clear market differentiation. Offer tiered packages—device assurance, device trust, or both—to match each client’s risk profile, compliance needs, and budget, with a straightforward upsell path as requirements mature.
FAQs
Can I check for patch status without full device trust?
Yes. Okta device assurance can stand alone to check patch recency and OS versions before access. Add device trust later if you want to restrict access to managed devices only.
Can I set different standards per app or group?
Yes. You can set different standards per app or group, and even different standards for different types of devices. Device assurance policies are platform specific.