Expression Language attributes for devices
When you use the Okta Expression Language (EL) to create a custom expression for devices, you reference attributes that exist in the Okta Device Profile.
Some attributes, such as device.profile.imei, device.profile.meid, device.profile.serialNumber, and device.profile.udid, are not available for all devices.
You can use ChromeOS only with the device.profile.platform attribute.
The following table lists the device profile attributes:
Attribute | Description | Type | Example |
---|---|---|---|
device.assurance.screenLockType | Obtains the value of the device screen lock type. | String | NONE: No passcode is set on the device. PASSCODE: Only a passcode or password is set on the device; biometrics are not set up. BIOMETRIC: Passcode and biometrics are set on the device. |
device.profile.diskEncryptionType | Obtains the value of the device profile's disk encryption type. | String | NONE: No encryption has been set (all platforms). FULL: The disk is fully encrypted (Android, iOS). USER: The encryption key is tied to the user or profile (Android). ALL_INTERNAL_VOLUMES: All internal disks are encrypted (macOS, Windows). SYSTEM_VOLUME: Only the system volume is encrypted (macOS, Windows). |
device.profile.displayName | Obtains the value of the device profile's display name attribute. Note that 4-byte UTF-8 characters are not currently supported. | String | DESKTOP-BE6IL05, XYZ S21 |
device.profile.imei | Obtains the value of the device profile's International Mobile Equipment Identity (IMEI) attribute. | String | 410154203237518 |
device.profile.integrityDebug | Indicates whether a debugger has been detected. | Boolean | true or false |
device.profile.integrityEmulator | Indicates whether the device runs as an emulator. | Boolean | true or false |
device.profile.integrityHook | Indicates whether internal functions or runtime hooks have been detected. | Boolean | true or false |
device.profile.integrityJailbreak | Indicates if the mobile device has been jailbroken or rooted. | Boolean | true or false |
device.profile.integrityRepackage | Indicates if the mobile device app was repackaged by an unknown third party. | Boolean | true or false |
device.profile.managed | Obtains the value of the device profile's managed attribute. This can only be used when Device Trust is enabled or if the DEVICE_CONDITION_IDX_ADVANCED feature is enabled. | Boolean | true or false |
device.profile.manufacturer | Obtains the value of the device profile's manufacturer attribute. | String | VMware, Inc., samsung |
device.profile.meid | Obtains the value of the device profile's Mobile Equipment Identifier (MEID) attribute. | String | 99001092003340 |
device.profile.model | Obtains the value of the device profile's model attribute. | String | VMware7,1, SM-G991U1 |
device.profile.osVersion | Obtains the value of the device profile's operating system version attribute. Use versionGreaterThan or versionLessThan functions to compare the OS versions. | String | 10.0.18362, 30. Comparison: device.profile.osVersion.versionGreaterThan('14.2.1') == true. Don't use device.profile.osVersion.versionGreaterThan > '14.2.1' to compare versions directly. The strings are compared literally, resulting in '2.0.0' > '14.2.1'. |
device.profile.registered | Obtains the value of the device profile's registered attribute. | Boolean | true |
device.profile.secureHardwarePresent | Obtains the value of the device profile's secure hardware present attribute. It checks for chip presence: trusted platform module (TPM) or secure enclave. It does not check whether there are tokens on the secure hardware. | Boolean | true or false |
device.profile.serialNumber | Obtains the value of the device profile's serial number attribute. | String | VMware-56 5d e2 35 bd d8 66 75-5a bc 10 06 4c 6a fb 85 |
device.profile.sid | Obtains the value of the device profile's security identifier (SID) attribute. This is only available with Windows devices. | String | S-1-5-21-1016203815-1917570059-4244971090-500 |
device.profile.tpmPublicKeyHash | Obtains the value of the device profile's Trusted Platform Module (TPM) public key hash attribute. | String | 18e3b568aeb17b4e75f3838d6b01ffe63c52d976950943a10968761b5bfe3f4d |
device.profile.platform | Obtains the value of the device profile's operating system. | String | IOS, ANDROID, WINDOWS, MACOS, MOBILE_OTHER, DESKTOP_OTHER, or CHROMEOS |
device.profile.udid | Obtains the value of the device profile's unique device ID (UDID) attribute. This is only available with certain managed scenarios. | String | 35E24D56-D8BD-7566-1ABC-10064C6AFB85 |
Operators
Use operators in your custom expression to handle decisions. Any Okta Expression Language operator can be used in a custom expression. The following table lists commonly used operators:
Operator | Description |
---|---|
&& | Signifies an AND function. |
|| | Signifies an OR function. |
! | Signifies a NOT function. |
<, >, <=, and >= | Signify relational operators. |
== | Checks for equality. |
!= | Checks for inequality. |
See Okta Expression Language for a complete list of Okta Expression Language functions.
Important considerations
- Always include device.profile.registered == true if you want to include device conditions in your custom expression.
- In general, device attributes can only be used if Okta FastPass is enabled.
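A pre-deployment check for two pitfalls this page names: a device condition written without device.profile.registered == true, and a relational operator applied to osVersion instead of versionGreaterThan or versionLessThan. This is an added example, not Okta code; lint_expression, numeric_version_greater and lint_all are hypothetical helpers, the sample expressions are constructed, and the check is textual rather than a real EL parser.

```python
import re

# Textual checks only (this does not parse EL): the two pitfalls the page names.
DEVICE_ATTR = re.compile(r"device\.(?:profile|assurance)\.\w+")
REGISTERED = re.compile(r"device\.profile\.registered\s*==\s*true")
# A relational operator applied to osVersion (or to the bare function name)
# followed by a quoted literal, e.g. device.profile.osVersion > '14.2.1'.
LITERAL_VERSION_CMP = re.compile(
    r"device\.profile\.osVersion(?:\.version(?:GreaterThan|LessThan))?"
    r"\s*(?:<=|>=|<|>)\s*['\"]"
)

def lint_expression(expr):
    """Return finding codes for one custom expression (hypothetical helper)."""
    findings = []
    if DEVICE_ATTR.search(expr) and not REGISTERED.search(expr):
        findings.append("missing-registered")
    if LITERAL_VERSION_CMP.search(expr):
        findings.append("literal-version-compare")
    return findings

def numeric_version_greater(a, b):
    """Component-wise numeric comparison, shown only to contrast with string
    comparison. Zero-padding shorter versions is an assumption, not Okta's rule."""
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return pa > pb

# Constructed sample expressions, built from attributes listed in the table.
SAMPLES = {
    "compliant": "device.profile.registered == true && device.profile.managed == true"
                 " && device.profile.osVersion.versionGreaterThan('14.2.1') == true",
    "no_registered": "device.profile.platform == 'IOS'"
                     " && device.profile.integrityJailbreak == false",
    "literal_compare": "device.profile.registered == true"
                       " && device.profile.osVersion > '14.2.1'",
}

def lint_all(samples=SAMPLES):
    """Lint every named expression and return {name: [finding codes]}."""
    return {name: lint_expression(expr) for name, expr in samples.items()}

if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(f"{name}: {findings or 'ok'}")
    # Literal string comparison ranks '2.0.0' above '14.2.1'; numeric does not.
    print("2.0.0" > "14.2.1", numeric_version_greater("2.0.0", "14.2.1"))
```

Because the check is a regular-expression match, it confirms that the registered condition appears somewhere in the expression, not that it guards every branch of an || clause.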
Related topics
Add a custom expression to an authentication policy