
Faking managed: how a rogue endpoint passes Okta device trust

Device trust is only as strong as the enrollment behind it. A rogue endpoint that merely claims managed posture can satisfy a device-based sign-on policy without any real corporate machine behind it.

A sign-on policy that requires a managed device is a strong control, right up until an attacker enrolls a device that only claims to be managed.

How the attack works

An attacker enrolls a rogue endpoint into Okta, or abuses an enrollment gap, and binds a FastPass authenticator so device assurance evaluates the machine as managed and trusted. That satisfies a device-based sign-on policy with no real corporate device, and the session reaches applications that were supposed to be restricted to managed machines. The Okta System Log records the device-enrollment and FastPass-activation events and the policy evaluations the rogue device passed. In ATT&CK terms this is T1556, Modify Authentication Process, used for defense evasion alongside T1550, Use Alternate Authentication Material.

Why it works

FastPass and device assurance are meant to recognize managed corporate devices, but device trust is only as strong as the enrollment and assurance checks behind it. If the assurance path accepts an unverified managed claim, an unmanaged endpoint can pose as a corporate machine. The root cause is an enrollment and assurance gap that does not require verifiable proof of management.

How to fix it

The non-obvious point is that the password was never the gate; the device enrollment is. Revoke the rogue device and its FastPass enrollment, terminate its active sessions, and tighten device-assurance and enrollment controls so a rogue endpoint cannot re-claim managed posture. Scope what it reached from the System Log filtered to the device and window: the enrollment, the policy evaluations, and every app sign-on. Then require verifiable MDM attestation for managed posture, restrict and approve who can enroll devices, bind FastPass to managed-device proof, and alert on enrollment and FastPass-activation events.
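As an added example (not Okta's or GraphLattice's code), the scoping step above and the System Log events named under "How the attack works" worked through as a small triage script: it flags enrollments for devices the MDM inventory does not know, then pulls everything one device did in a time window. The event records are constructed and flattened (real System Log entries nest device and app details under `target` and `client`), and the event-type strings are assumptions to check against your tenant's actual schema.

```python
"""Triage helper for the rogue-device scenario (added example, not Okta's or
GraphLattice's code). EVENTS are constructed, simplified System Log records."""
from datetime import datetime, timezone

# Assumed event-type names; verify them against your org's System Log schema.
ENROLL_EVENTS = {"device.enrollment.create", "user.mfa.factor.activate"}
POLICY_EVENT = "policy.evaluate_sign_on"
SSO_EVENT = "user.authentication.sso"

# Constructed sample: one device the MDM manages, one it has never seen.
EVENTS = [
    {"published": "2024-05-01T09:00:00Z", "eventType": "device.enrollment.create",
     "actor": "a.user@example.com", "deviceId": "guo_rogue01", "app": None},
    {"published": "2024-05-01T09:01:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "a.user@example.com", "deviceId": "guo_rogue01", "app": None},
    {"published": "2024-05-01T09:05:00Z", "eventType": "policy.evaluate_sign_on",
     "actor": "a.user@example.com", "deviceId": "guo_rogue01", "app": None},
    {"published": "2024-05-01T09:06:00Z", "eventType": "user.authentication.sso",
     "actor": "a.user@example.com", "deviceId": "guo_rogue01", "app": "Payroll"},
    {"published": "2024-05-01T10:00:00Z", "eventType": "user.authentication.sso",
     "actor": "b.user@example.com", "deviceId": "guo_corp07", "app": "Wiki"},
    {"published": "2024-05-02T08:00:00Z", "eventType": "user.authentication.sso",
     "actor": "a.user@example.com", "deviceId": "guo_rogue01", "app": "HR"},
]
MDM_INVENTORY = {"guo_corp07"}  # constructed: device IDs the MDM actually manages


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unaccounted_enrollments(events, mdm_inventory):
    """Devices that enrolled or activated a factor without a backing MDM record.
    A managed claim is only trusted when the MDM inventory confirms it."""
    return sorted({e["deviceId"] for e in events
                   if e["eventType"] in ENROLL_EVENTS
                   and e["deviceId"] not in mdm_inventory})


def scope_device(events, device_id, start, end):
    """Everything one device did in [start, end]: enrollment, policy passes, app SSO."""
    lo, hi = _ts(start), _ts(end)
    hits = [e for e in events
            if e["deviceId"] == device_id and lo <= _ts(e["published"]) <= hi]
    return {
        "enrollment": [e for e in hits if e["eventType"] in ENROLL_EVENTS],
        "policy_evaluations": [e for e in hits if e["eventType"] == POLICY_EVENT],
        "apps_reached": sorted({e["app"] for e in hits if e["eventType"] == SSO_EVENT}),
    }
```

Widening the window for the same device is how you catch sign-ons that continued after the enrollment day, which is what decides which app owners need to be notified.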

Practice it

We built this as a GraphLattice Range scenario so security teams can spot the unaccounted-for enrollment, revoke the device and its FastPass binding, and harden device assurance.