Personal app migration: How it works

Personal app migration

App migration allows employees to migrate personal apps saved in their work accounts into Okta Personal accounts. This feature helps ensure that employees can take their personal (non-work provisioned) apps with them even after they leave their company, and it helps companies keep their Okta tenants clear of non-work-related data.

How does it work?

Admin

Admins must enable app migration to allow their end users to migrate personal apps from their work account to their personal account.

  1. Enable the Okta Personal for Workforce feature in Early Access

  2. Enable app migration (or ensure it is already enabled)

Note: Enabling this feature introduces an "Okta Personal App Migration" application to your Okta org that is managed and only visible to you as an admin.

By default this app should be configured correctly for your org, but if your end users complain that they are unable to authenticate into their work accounts to complete personal app migration, ensure that the app's authentication policy is set correctly by navigating to Applications > Active > Okta Personal App Migration > User authentication and setting the Authentication Policy to "Okta Dashboard".

  3. If you would like to block your end users from migrating apps with usernames that contain specific email domains (e.g., @gmail.com), use the interface below to specify those domains

Monitoring

In the Admin console, navigate to Reports > System Log to view logs relating to how app migration is being used in your organization. We make the following logs available:

  1. personal.admin.configuration.update: Logged when the app migration feature is enabled or disabled within your organization
  2. personal.user.app_migration.export: Logged when an end user migrates personal apps from their Workforce account into an Okta Personal account. Includes the number and list of imported app names and app URLs to allow you to verify that only personal apps are being exported

Employee

  1. Employee creates an Okta Personal account.
  2. Employee links their Okta Personal account to their Okta work account by following these steps.
  3. Once the accounts are linked, the employee can see which apps are eligible to migrate by navigating to Profile Settings Menu > Import Apps > Import from Okta from the Okta Personal web dashboard.
  4. Employee chooses which apps to migrate to Okta Personal. The migrated apps are removed from the employee's work account and added to the employee's Okta Personal account.


Which apps are eligible to be moved?

Personal apps stored in an Okta work account are eligible to be migrated to Okta Personal. Personal apps are apps that meet all of the following criteria:

  • App is not managed by the organization (user added it on their own, excluding apps added through Self-Service)
  • App username does not contain the email domain of the user's work email (the email they use to log into Okta)
  • App username does not match any in the list of custom email domains their admin has chosen to block

Here is an example:

  • Jane is an employee at Work Inc. attempting to move an app she added herself to her Okta work account that is not managed by her organization
  • Her work email is [email protected]
  • Her Okta admin at Work Inc. has blocked app migration for the "work-labs.com" email domain.

  App username          Eligible to be moved?
  --------------------  ---------------------
  [email protected]     No
  [email protected]     No
  [email protected]     No
  [email protected]     Yes
  jane.doe              Yes
  [email protected]     Yes

Which apps are not eligible to be moved?

  • Apps that are managed by the organization, including apps added by administrators or added by the end user through Self-Service
  • Apps marked as private 
  • App username contains the email domain that matches the email domain the user uses to log into Okta for work
  • App username contains an email domain restricted by the organization's Okta admin
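
The eligibility rules above, written as a check an admin could run over an inventory of saved apps to preview what users would be able to migrate. This is an added example, not Okta's code: the `SavedApp` record, its field names, the `.example` addresses and the exact-domain comparison are assumptions for illustration, and Okta's own matching may differ.

```python
from dataclasses import dataclass


@dataclass
class SavedApp:
    # Hypothetical record shape for this example; not an Okta API object.
    name: str
    username: str
    managed_by_org: bool = False  # assigned by an admin
    self_service: bool = False    # added by the user through Self-Service
    private: bool = False         # marked as private


def email_domain(value):
    """Lower-cased domain after the last '@', or None when there is none."""
    _, sep, domain = value.strip().rpartition("@")
    return domain.lower() if sep and domain else None


def migration_decision(app, work_email, blocked_domains):
    """Return (eligible, reason) following the criteria listed on this page."""
    if app.managed_by_org or app.self_service:
        return False, "managed by the organization"
    if app.private:
        return False, "marked as private"
    domain = email_domain(app.username)
    if domain is None:
        return True, "username has no email domain"
    if domain == email_domain(work_email):
        return False, "username uses the work email domain"
    if domain in {d.lower().lstrip("@") for d in blocked_domains}:
        return False, "username uses an admin-blocked domain"
    return True, "personal app"


# Constructed sample data (placeholder domains, not values from the page).
WORK_EMAIL = "jane.doe@work.example"
BLOCKED = ["@work-labs.example"]
APPS = [
    SavedApp("Payroll", "jane.doe@work.example"),
    SavedApp("Lab wiki", "Jane@Work-Labs.example"),
    SavedApp("Streaming", "jane.doe"),
    SavedApp("Webmail", "jane@mail.example"),
    SavedApp("CRM", "jane@mail.example", managed_by_org=True),
    SavedApp("Notes", "jane@mail.example", private=True),
]


def audit(apps=APPS):
    """Map each app name to its (eligible, reason) decision."""
    return {a.name: migration_decision(a, WORK_EMAIL, BLOCKED) for a in apps}
```

Calling `audit()` returns one decision per app with the rule that produced it, which makes it easy to see which blocked-domain entries are doing the work.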

FAQs

What guardrails does Okta put in place to ensure employees don't migrate work apps out of their Okta work accounts?

Okta blocks migration of apps that:

  • are assigned to the user (i.e. only self-added apps are exportable)
  • are private apps (having the private flag set in the Apps table)
  • are saved with a username that matches the email they use to log into Okta for work
  • are saved with a username that contains an email domain restricted by the organization's Okta admin

In the case that these safeguards are not sufficient for an organization, Okta provides admins the ability to disable app migration.


How does Okta determine what is a work vs a personal app?

See our guidelines for determining whether an app is eligible to be migrated as a personal app here.


As an Okta Admin, can I completely prevent my end users from sharing credentials for apps classified as "personal apps"?

The username and password of personal apps saved in an Okta work account are fully visible to the end user, as the user has to provide the username and password themselves in order to save them. Even if you have blocked app migration for your organization, your end users can view and copy the usernames and passwords of personal apps.


Where is Okta Personal's data stored?

Okta Personal data is stored in servers located in the EU. If your organization is located outside of the EU and your end user migrates their personal apps from their Okta work account to an Okta Personal account, the newly migrated data will be stored in the EU.
