Summary
Add support for ingesting Okta Devices through the Okta Management API listDevices operation.
Okta’s Device API exposes enrolled, managed, or registered devices associated with users and organizations. This data is not currently modeled in Cartography’s Okta intel module. Adding it would allow us to track device identities, statuses, and security posture directly in the graph.
Motivation
Okta-managed devices represent a critical part of identity posture and are increasingly used for adaptive MFA, device assurance policies, and Zero Trust decisions.
By ingesting devices, Cartography can surface:
- All devices enrolled for each user.
- Device metadata (status, platform, identifiers).
- Device security posture information when provided by Okta.
- Correlations between high-privilege users and their registered devices.
- Visibility into unused, stale, or compromised devices.
This unlocks graph-based analysis such as:
- Identifying inactive/compromised devices tied to privileged accounts.
- Detecting accounts with many devices.
- Validating device-based access policies.
Proposed Solution
- Extend the Okta intel module to call: GET /api/v1/devices
- Model each returned device as a new node type (e.g., OktaDevice).
- Create relationships: (:OktaUser)-[:OWNS]->(:OktaDevice), using the device-user association from the API.
- Add sync logic mirroring the standard Okta pagination and delta-update approach used in the module.
- Document:
  - New data model (nodes/edges).
  - Required Okta scopes (okta.devices.read).
  - Deployment/config changes for integrators.
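To illustrate the proposed shape of the sync, here is an added example (not Cartography's or Okta's own code) that flattens listDevices responses into OktaDevice node rows and OktaUser-OWNS-OktaDevice edge rows, and pulls the `after` cursor out of Okta's paginated Link header. It assumes the devices were fetched with `expand=user` so each device carries its users under `_embedded.users`, and the sample objects below are constructed, not captured from a tenant.

```python
import re

# Constructed sample of two device objects as returned by
# GET /api/v1/devices?expand=user (assumed field names; IDs are made up).
SAMPLE_DEVICES = [
    {
        "id": "guoDEV0001",
        "status": "ACTIVE",
        "lastUpdated": "2024-05-01T10:00:00.000Z",
        "profile": {"displayName": "Alice MBP", "platform": "MACOS",
                    "serialNumber": "SN-CONSTRUCTED-1", "registered": True},
        "_embedded": {"users": [
            {"managementStatus": "MANAGED",
             "user": {"id": "00uUSER0001", "profile": {"login": "alice@example.com"}}},
        ]},
    },
    {
        "id": "guoDEV0002",
        "status": "DEACTIVATED",
        "profile": {"displayName": "Old phone", "platform": "ANDROID"},
        "_embedded": {"users": []},  # stale device with no current user link
    },
]


def transform_devices(devices):
    """Turn raw device objects into (node rows, OWNS edge rows) for loading."""
    nodes, owns = [], []
    for dev in devices:
        profile = dev.get("profile") or {}
        nodes.append({
            "id": dev["id"],
            "status": dev.get("status"),
            "platform": profile.get("platform"),
            "display_name": profile.get("displayName"),
            "serial_number": profile.get("serialNumber"),
            "lastupdated": dev.get("lastUpdated"),
        })
        # One edge per associated user; deactivated devices with no users yield none.
        for du in (dev.get("_embedded") or {}).get("users", []):
            owns.append({"user_id": du["user"]["id"], "device_id": dev["id"],
                         "management_status": du.get("managementStatus")})
    return nodes, owns


def next_cursor(link_header):
    """Return the `after` cursor from the rel="next" Link entry, or None on the last page."""
    for part in (link_header or "").split(","):
        m = re.search(r'<[^>]*[?&]after=([^&>]+)[^>]*>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None
```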
Additional Context
Okta Management API Device docs:
https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Device/#tag/Device/operation/listDevices