Expression Language attributes for devices

When you use the Okta Expression Language (EL) to create a custom expression for devices, you reference attributes that exist in the Okta Device Profile.

Note:

Some attributes aren't available for all devices, such as device.profile.imei, device.profile.meid, device.profile.serialNumber, and device.profile.udid.

You can use ChromeOS only with the device.profile.platform attribute.

The following table lists the device profile attributes.

Attribute name and type	Description	Examples
`device.assurance.screenLockType` Type: String	Obtains the value of the device's screen lock type.	`NONE`: No passcode is set on the device. `PASSCODE`: The device only has a passcode or password configured. Biometrics isn't set up. `BIOMETRIC`: Passcode and biometrics are set on the device.
`device.caller.binaryIdentifier` Type: String	Identifies the app that you allowed to invoke Okta FastPass.	Examples: `Google Chrome` or `3AQ936H96.org.mozilla.firefox` The exact binary identifiers for apps can be found in your System Log. (macOS, Windows)
`device.caller.bindingType` Type: String	Obtains the binding method that's used for authentication.	`LOOPBACK`: Uses loopback binding. (macOS, Windows) `APPLE_SSO_EXTENSION`: Uses the Apple SSO extension for binding. (macOS)
`device.caller.validationStatus` Type: String	Indicates whether the binary is signed.	Returns `SUCCESS` if the binary is signed. (macOS, Windows)
`device.provider.oktaVerify.version` Type: String	Obtains the value of the device's version of Okta Verify. Use the `versionGreaterThan` and `versionLessThan` functions to compare against Okta Verify version levels. Use `==` to make a comparison against an exact Okta Verify version.	`device.provider.oktaVerify.version.versionGreaterThan('9.43') == true` `device.provider.oktaVerify.version.versionLessThan('9.42.0') == true` `device.provider.oktaVerify.version == '9.46.1.2025.710.1826'` CAUTION: Don't use the `<` or `>` relational operators directly as these perform a literal comparison of the strings. For example, `device.provider.oktaVerify.version > '10.3.1'` could result in an incorrect evaluation such as `'9.23.0' > '10.3.1'`
`device.profile.diskEncryptionType` Type: String	Obtains the value of the device profile's disk encryption type.	`NONE`: No encryption has been set. (All platforms) `FULL`: The disk is fully encrypted. (Android, iOS) `USER`: The encryption key is tied to the user or profile. (Android) `ALL_INTERNAL_VOLUMES`: All internal disks are encrypted. (macOS, Windows) `SYSTEM_VOLUME`: Only the system volume is encrypted. (macOS, Windows)
`device.profile.displayName` Type: String	Obtains the value of the device profile's display name attribute. 4-byte UTF-8 characters aren't supported.	`DESKTOP-BE6IL05`, `XYZ S21`
`device.profile.imei` Type: String	Obtains the value of the device profile's International Mobile Equipment Identity (IMEI) attribute.	`410154203237518`
`device.profile.integrityDebug` Type: Boolean	Indicates whether a debugger has been detected.	`true` or `false`
`device.profile.integrityEmulator` Type: Boolean	Indicates whether the device runs as an emulator.	`true` or `false`
`device.profile.integrityHook` Type: Boolean	Indicates whether internal functions or runtime hooks have been detected.	`true` or `false`
`device.profile.integrityJailbreak` Type: Boolean	Indicates if the mobile device has been jailbroken or rooted.	`true` or `false`
`device.profile.integrityRepackage` Type: Boolean	Indicates if an unknown third party repackaged the mobile device app.	`true` or `false`
`device.profile.managed` Type: Boolean	Obtains the value of the device profile's managed attribute. This can only be used when Device Trust is enabled or if the DEVICE_CONDITION_IDX_ADVANCED feature is enabled.	`true` or `false`
`device.profile.manufacturer` Type: String	Obtains the value of the device profile's manufacturer attribute.	`VMware, Inc.` `Samsung`
`device.profile.meid` Type: String	Obtains the value of the device profile's Mobile Equipment Identifier (MEID) attribute.	`99001092003340`
`device.profile.model` Type: String	Obtains the value of the device profile's model attribute.	`VMware7,1` `SM-G991U1`
`device.profile.osVersion` Type: String	Obtains the value of the device profile's operating system version attribute. Use `versionGreaterThan` or `versionLessThan` functions to compare the OS versions.	`10.0.18362` `30` `device.profile.osVersion.versionGreaterThan('14.2.1') == true` CAUTION: Don't use the `<` or `>` relational operators directly as these perform a literal comparison of the strings. For example, `device.provider.osVersion.versionGreaterThan > '14.2.1'` could result in an incorrect evaluation such as `'2.0.0' > '10.3.1'`
`device.profile.platform` Type: String	Obtains the value of the device profile's operating system.	`IOS`, `ANDROID`, `WINDOWS`, `MACOS`, `MOBILE_OTHER`, `DESKTOP_OTHER`, or `CHROMEOS`
`device.profile.registered` Type: Boolean	Obtains the value of the device profile's registered attribute.	`true`
`device.profile.secureHardwarePresent` Type: Boolean	Obtains the value of the device profile's secure hardware present attribute. This checks for chip presence, in the form of a Trusted Platform Module (TPM) or Secure Enclave. It doesn't check whether there are tokens on the secure hardware.	`true` or `false`
`device.profile.serialNumber` Type: String	Obtains the value of the device profile's serial number attribute.	`VMware-56 5d e2 35 bd d8 66 75-5a bc 10 06 4c 6a fb 85`
`device.profile.sid` Type: String	Obtains the value of the device profile's security identifier (SID) attribute. This is only available with Windows devices.	`S-1-5-21-1016203815-1917570059-4244971090-500`
`device.profile.tpmPublicKeyHash` Type: String	Obtains the value of the device profile's Trusted Platform Module (TPM) public key hash attribute.	`18e3b568aeb17b4e75f3838d6b01ffe63c52d976950943a10968761b5bfe3f4d`
`device.profile.udid` Type: String	Obtains the value of the device profile's unique device ID (UDID) attribute. This is only available with certain managed scenarios.	`35E24D56-D8BD-7566-1ABC-10064C6AFB85`

Operators

Use operators in your custom expression to handle decisions. Any Okta Expression Language operator can be used in a custom expression. The following table lists commonly used operators:

Operator	Description
`&&`	Signifies an `AND` function.
`\|\|`	Signifies an `OR` function.
`!`	Signifies a `NOT` function.
`<`, `>`, `<=`, and `>=`	Signifies relational operators.
`==`	Checks for equality.
`!=`	Checks for inequality.

See Okta Expression Language for a complete list of Okta Expression Language functions.

Important considerations

Always include device.profile.registered == true if you want to include device conditions in your custom expression.
In general, device attributes can only be used if Okta FastPass is enabled.
Device attributes can only be evaluated if Okta Verify is installed.