Okta Mobile end of life: what changes for mobile SWA access?


(@nhi-mgmt-group)

TL;DR: Okta’s planned retirement of its Mobile app on May 31, 2026 raises a governance problem for organisations that still depend on secure web authentication for credential-based, non-federated mobile apps, where end-user-managed passwords, shared secrets, and incomplete auditability remain common, according to Cerby. The real issue is not migration convenience but whether identity teams can bring disconnected apps under centrally managed lifecycle and credential controls without preserving standing risk.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should teams govern mobile apps that still depend on shared credentials?

A: Treat them as a credential lifecycle problem, not just an access experience problem.

Q: Why do non-federated mobile apps create more governance risk than federated ones?

A: Because the password becomes the real control point.

Q: What breaks when lifecycle workflows do not reach disconnected applications?

A: Joiner, mover, and leaver processes stop at the identity provider and never change the app state.

Practitioner guidance

  • Inventory every mobile SWA dependency: Identify all apps that still rely on credential replay rather than SAML or OIDC, then classify them by owner, business criticality, and shared versus personal credential use.
  • Move secrets into a single managed vault: Remove passwords from spreadsheets, personal managers, and ad hoc sharing paths, and make the vault the only approved source for credential-based mobile access.
  • Extend lifecycle events to disconnected apps: Bind joiner, mover, and leaver changes to provisioning, deprovisioning, and rotation actions for every non-federated application, including shared and admin-managed accounts.

What's in the full announcement

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step migration options for organizations that need to move off Okta Mobile without breaking access for disconnected apps.
  • Specific ways Cerby handles credential replay, vaulting, and tile-based access across desktop and mobile environments.
  • Details on automated password rotation, MFA handling, and audit logging for shared or admin-managed credentials.
  • Lifecycle automation examples for provisioning and deprovisioning disconnected apps through Okta events.

👉 Read Cerby’s analysis of Okta Mobile end of life and SWA migration →
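
As an added illustration of the practitioner guidance above (not code from the post, Cerby, or Okta), this sketch classifies an app inventory into federated and SWA dependencies and derives the credential actions a leaver event should trigger. The sign-on mode and credential scheme strings follow Okta's Apps API naming and are treated here as assumptions; the `App` record, the action names, and the sample inventory are hypothetical and constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Sign-on modes that replay a stored password instead of federating (assumed naming).
SWA_MODES = {"BROWSER_PLUGIN", "AUTO_LOGIN", "SECURE_PASSWORD_STORE"}
SHARED_SCHEME = "SHARED_USERNAME_AND_PASSWORD"

@dataclass
class App:  # hypothetical inventory record
    name: str
    sign_on_mode: str
    scheme: Optional[str]      # credential scheme, None for federated apps
    owner: Optional[str]
    critical: bool
    assigned: set = field(default_factory=set)

def classify(app):
    """Return 'federated', 'swa-shared' or 'swa-personal'."""
    if app.sign_on_mode not in SWA_MODES:
        return "federated"
    return "swa-shared" if app.scheme == SHARED_SCHEME else "swa-personal"

def inventory(apps):
    """SWA dependencies only; critical apps first, ownerless before owned."""
    rows = [(a.name, classify(a), a.owner or "UNOWNED", a.critical)
            for a in apps if classify(a) != "federated"]
    return sorted(rows, key=lambda r: (not r[3], r[2] != "UNOWNED", r[0]))

def plan_leaver(apps, user):
    """Actions a leaver event must trigger beyond disabling the IdP account."""
    actions = []
    for a in apps:
        if user not in a.assigned:
            continue
        kind = classify(a)
        if kind == "swa-shared":
            # Every assignee knows this secret, so unassigning is not enough.
            actions.append((a.name, "rotate-shared-secret"))
        elif kind == "swa-personal":
            # Personal and admin-set accounts still exist inside the app.
            actions.append((a.name, "deprovision-app-account"))
    return sorted(actions)

# Constructed sample inventory (not real tenant data).
APPS = [
    App("crm", "SAML_2_0", None, "sales-ops", True, {"alice", "bob"}),
    App("social-media", "BROWSER_PLUGIN", SHARED_SCHEME, None, True, {"alice", "bob"}),
    App("courier-portal", "AUTO_LOGIN", "EDIT_USERNAME_AND_PASSWORD", "logistics", False, {"bob"}),
    App("bank-portal", "SECURE_PASSWORD_STORE", "ADMIN_SETS_CREDENTIALS", "finance", True, {"alice"}),
]
```

The federated app produces no extra action because disabling the identity provider account already cuts access; the SWA apps are the ones where the leaver workflow has to change state in the app or the vault.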
