Overview

A film studio granted contractors long-lived accounts and broad entitlements, then chased cleanup at the end of each engagement. Approvals lived in email, device standards weren’t enforced for external laptops, and audits struggled to tie access back to a sponsor and an end date. Intelligex implemented ephemeral access using Okta workflows, enforced device checks at sign-in, and routed every contractor request through a sponsor approval with expirations. Accounts and group memberships now time-box by default, unmanaged devices are steered to safer paths, and the studio has a clean evidence trail—without changing core identity, collaboration, or production tools.

Client Profile

  • Industry: Film and television production
  • Company size (range): Studio with multiple productions, post/VFX partners, and distributed crews
  • Stage: Okta for Single Sign-On; mixed endpoints (studio-issued and BYOD); ServiceNow for requests; Jamf and Intune for device management; contractor onboarding handled via tickets and spreadsheets with manual deprovisioning at wrap
  • Department owner: IT & Infrastructure (Identity & Access Management and End-User Services)
  • Other stakeholders: Production IT, Post/VFX, Security, HR/Procurement, Legal, Vendor Management, Internal Audit

The Challenge

Contractors arrived fast and stayed unpredictable lengths of time. Identity created accounts in the directory, added users to application groups, and relied on wrap notices to trigger removals. When projects shifted or vendors re-staffed, accounts lingered. Shared inboxes approved access informally, and device requirements varied by team. BYOD laptops accessed creative and collaboration systems without consistent posture checks, and requests to extend access lived in email threads.

Lifecycle friction showed up everywhere. Offboarding at wrap meant searching for accounts across groups and apps. Exceptions for vendors with their own identity providers were inconsistent, and partner staff moved between shows while access to prior work remained. Audit requests for who approved access, when it expired, and what device standards applied required combing through tickets and change logs. The studio needed a way to keep identity the front door, make access ephemeral by default, and gate sign-in on device health—while keeping productions moving.

Why It Was Happening

Root causes were static accounts and approvals detached from enforcement. Group memberships used for application access had no end date; accounts were suspended manually, often after wrap; and exceptions were handled case by case. Device standards in Jamf and Intune existed, but identity did not enforce them at sign-in for external users. Without a sponsor model and a policy that tied approval, expiration, and device context together, contractor access accumulated drift.

Ownership and timing were split. Production needed people onboard quickly, Procurement managed contracts, Identity provisioned accounts, and Security documented standards. Each did its part, but the process relied on memory and tickets rather than on a governed lifecycle that expired access automatically and enforced device checks in real time.

The Solution

Intelligex implemented a contractor access lifecycle anchored on Okta. Requests flowed through sponsor approvals with justification and an end date; Okta Workflows created accounts and time-bound group memberships; device posture was checked at sign-in; and expirations triggered auto-suspend and deprovision. Extensions required sponsor confirmation, and exceptions were time-bound with rationale. The design used Okta Workflows for orchestration, Okta Device Assurance policies and sign-in context to enforce posture, and sponsor approvals via Okta Access Requests. Device signals came from Microsoft Intune and Jamf Pro, with request tracking and notifications in ServiceNow.

  • Integrations: Okta as the identity and policy hub; Okta Workflows for create/assign/expire; device assurance policies fed by Jamf and Intune; ServiceNow for request intake and notifications; application access via SAML/OIDC and SCIM; SIEM for audit log aggregation.
  • Contractor model: Sponsor, project, vendor, data sensitivity, apps/groups, start and end dates, and device requirement flags captured at request time; reusable packages per production or department.
  • Ephemeral access: Time-boxed accounts and group memberships with scheduled auto-suspend and deprovision; optional re-invite flow for returnees to preserve history without leaving accounts active.
  • Device checks: Device assurance at sign-in enforcing encryption, OS baseline, and management state; BYOD routed to virtual desktops or limited scopes where policy required.
  • Approvals and exceptions: Sponsor approvals with maker-checker for sensitive apps; time-bound exceptions with compensating controls; auto-reminders for upcoming expirations.
  • Observability and evidence: Dashboards for upcoming expirations, exception aging, and device posture denials; exportable records tying requests, approvals, assignments, and suspensions to users and sponsors.
  • Security and privacy: Least-privilege groups per application; minimal claims shared to partners; secrets and tokens handled by existing vaults; role-based access to logs and dashboards.
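The lifecycle rules above (sponsor plus end date on every request, maker-checker for sensitive packages, scheduled expiry, extension as an explicit sponsor action, and an evidence trail) can be made concrete in a small policy model. The following Python is an added illustration written for this page; it is not Intelligex or Okta code and does not call the Okta Workflows or Access Requests APIs. The policy ceilings (90 days standard, 30 days sensitive), the package and group names, and the sample users are all assumed.

```python
"""Toy model of an ephemeral contractor access lifecycle (added illustration, not Okta code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAX_ENGAGEMENT = timedelta(days=90)  # assumed ceiling for a standard package
SENSITIVE_MAX = timedelta(days=30)   # assumed shorter ceiling for sensitive apps


@dataclass
class AccessPackage:
    name: str
    groups: List[str]  # least-privilege groups, one per application role
    sensitive: bool = False


@dataclass
class AccessRequest:
    request_id: str
    contractor: str
    sponsor: str
    package: AccessPackage
    start: datetime
    end: datetime


@dataclass
class Assignment:
    request_id: str
    contractor: str
    sponsor: str
    group: str
    expires_at: datetime
    active: bool = True


@dataclass
class Lifecycle:
    assignments: List[Assignment] = field(default_factory=list)
    evidence: List[dict] = field(default_factory=list)  # exportable audit trail

    def _log(self, event: str, **fields) -> None:
        self.evidence.append({"event": event, **fields})

    def approve(self, req: AccessRequest, approver: str,
                checker: Optional[str] = None) -> List[Assignment]:
        """Sponsor approval, bounded end date, maker-checker for sensitive packages."""
        if approver != req.sponsor:
            raise PermissionError("only the named sponsor may approve")
        ceiling = SENSITIVE_MAX if req.package.sensitive else MAX_ENGAGEMENT
        if req.end <= req.start or req.end - req.start > ceiling:
            raise ValueError(f"end date must be within {ceiling.days} days of start")
        if req.package.sensitive and checker in (None, approver):
            raise PermissionError("sensitive package needs a second, distinct approver")
        created = [Assignment(req.request_id, req.contractor, req.sponsor, g, req.end)
                   for g in req.package.groups]
        self.assignments.extend(created)
        self._log("approved", request_id=req.request_id, sponsor=approver, checker=checker)
        return created

    def extend(self, request_id: str, actor: str, new_end: datetime, now: datetime) -> int:
        """Extension is an explicit sponsor action that stays inside the policy window."""
        targets = [a for a in self.assignments if a.request_id == request_id and a.active]
        if not targets or any(a.sponsor != actor for a in targets):
            raise PermissionError("only the sponsor of an active assignment may extend")
        if new_end <= now or new_end - now > MAX_ENGAGEMENT:
            raise ValueError("extension outside policy window")
        for a in targets:
            a.expires_at = new_end
        self._log("extended", request_id=request_id, sponsor=actor, expires_at=new_end.isoformat())
        return len(targets)

    def expiry_sweep(self, now: datetime) -> List[Assignment]:
        """Scheduled job: suspend every assignment whose end date has passed."""
        expired = [a for a in self.assignments if a.active and a.expires_at <= now]
        for a in expired:
            a.active = False
            self._log("suspended", request_id=a.request_id, contractor=a.contractor,
                      sponsor=a.sponsor, group=a.group)
        return expired

    def active_groups(self, contractor: str) -> List[str]:
        return sorted(a.group for a in self.assignments if a.active and a.contractor == contractor)


def demo() -> dict:
    """Constructed walk-through: approve, extend once, sweep past the new end date."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    pkg = AccessPackage("vfx-review", ["app-asset-review-viewers", "app-collab-editors"])
    req = AccessRequest("REQ-1", "grader@vendor.example", "producer@studio.example",
                        pkg, t0, t0 + timedelta(days=14))
    lc = Lifecycle()
    granted = [a.group for a in lc.approve(req, approver=req.sponsor)]
    lc.extend("REQ-1", actor=req.sponsor, new_end=t0 + timedelta(days=21), now=t0 + timedelta(days=13))
    expired_early = lc.expiry_sweep(t0 + timedelta(days=15))  # extension holds: nothing expires yet
    lc.expiry_sweep(t0 + timedelta(days=22))                   # past the extended end: cleanup fires
    return {"granted": granted, "expired_at_day_15": len(expired_early),
            "after_expiry": lc.active_groups(req.contractor),
            "events": [e["event"] for e in lc.evidence]}
```

Every state change goes through `evidence`, so the same record that drove enforcement is what an auditor would export: request id, sponsor, checker, and the timestamps that justified each suspension. In a production design the sweep would be the scheduled Okta Workflows flow and the assignments would be real group memberships; the rules themselves do not change.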

Implementation

  • Discovery: Mapped current onboarding paths and application groups; inventoried contractor-heavy apps and partner identity patterns; reviewed device standards in Jamf and Intune; sampled wrap-out timelines and audit asks; identified sensitive workflows in production and post.
  • Design: Defined the contractor schema (sponsor, project, vendor, end date); authored access packages by show and department; mapped device assurance policies by app class; designed Okta Workflows for create/assign/expire and extension prompts; specified exception categories and approver tiers; planned dashboards and SIEM feeds.
  • Build: Implemented access request forms and approval routes in Okta Access Requests and ServiceNow; built Okta Workflows for account creation, JIT group assignment, scheduled suspend, and deprovision; configured device assurance with signals from Jamf/Intune; wired SCIM to supported apps; enabled logging and evidence exports.
  • Testing/QA: Piloted with a single production and a post/VFX vendor; validated sponsor approvals, device checks, and time-boxed membership; exercised extension and re-invite flows; confirmed auto-suspend and cleanup behavior; tuned exception paths for vendor-hosted identities.
  • Rollout: Expanded by department and app risk, starting with collaboration and asset review tools; migrated existing contractors by adding expiration dates and notifying sponsors; kept manual offboarding as a controlled fallback during early cycles; tightened device assurance after stable results.
  • Training/hand-off: Delivered sessions for Production IT, Post/VFX, and Helpdesk on requests, sponsorship, device denials, and extensions; published sponsor guides; updated SOPs for onboarding, wrap, and vendor exceptions; transferred policy ownership and dashboards to Identity & Access Management under change control.
  • Human-in-the-loop review: Established recurring reviews of exception aging, device denials causing friction, and package scopes; recorded decisions with rationale and effective dates; updated policies and workflows accordingly.

Results

Contractor accounts no longer linger by default. Sponsorship and end dates are required, assignments expire on schedule, and extensions need a click from the sponsor. Device checks apply at sign-in, so unmanaged or out-of-policy laptops follow a safer path, and studio-managed devices meet standards without unusual steps. Identity remains the front door, and production teams see access arrive quickly with a predictable wrap-out.

Audits are straightforward. Each account and group assignment ties back to a request, a sponsor, and a timeline; device assurance decisions are logged; and deprovision events carry the same lineage. Cleanup work at wrap declined because expirations fire automatically, and returnees onboard with re-invites instead of rebuilding from scratch. The studio kept Okta, Jamf, Intune, ServiceNow, and its applications; the addition is a lifecycle and device gate that made contractor access predictable and accountable.

What Changed for the Team

  • Before: Long-lived contractor accounts and manual wrap-out. After: Time-boxed accounts and group memberships with auto-suspend and deprovision.
  • Before: Email threads approved access. After: Sponsor approvals through access requests tied to policy and audit logs.
  • Before: BYOD and studio devices mixed without checks. After: Device assurance gated access and routed BYOD to safer paths.
  • Before: Group membership managed by hand. After: Okta Workflows assigned and removed groups on a schedule with prompts for extensions.
  • Before: Exceptions lived in chat. After: Time-bound exceptions with approvers, compensating controls, and expirations.
  • Before: Audits stitched evidence from tickets and logs. After: Dashboards and exports tied requests, approvals, device checks, and suspensions in one trail.

Key Takeaways

  • Make access ephemeral by default; require end dates and sponsor approvals for all contractor requests.
  • Automate the lifecycle; use workflows to create, assign, expire, and clean up without manual steps.
  • Bind access to device posture; enforce assurance checks at sign-in and steer unmanaged devices to safer options.
  • Design packages, not one-offs; bundle apps and groups by project or department with clear scopes and expirations.
  • Govern exceptions; time?bound approvals with compensating controls prevent drift.
  • Integrate, don’t replace; keep your IdP, MDMs, and ITSM—add a lifecycle and approval layer across them.

FAQ

What tools did this integrate with? Okta acted as the identity and policy hub, with Okta Workflows for orchestration, Device Assurance enforcing posture at sign-in, and sponsor approvals via Okta Access Requests. Device signals flowed from Microsoft Intune and Jamf Pro. Request tracking and notifications used ServiceNow, and supported apps connected through SAML/OIDC and SCIM.

How did you handle quality control and governance? Access packages, device assurance rules, and workflow steps lived under change control with owners and rationale. Sensitive apps required maker-checker approvals and shorter expirations. Each assignment and suspension recorded the requester, sponsor, policy version, and timestamps. Exception requests carried reason codes, compensating controls, and expirations, and dashboards tracked aging and adherence.

How did you roll this out without disruption? The team piloted with one production and a post/VFX vendor. Legacy accounts continued while new requests used packages with expirations. Existing contractors were migrated by adding end dates and notifying sponsors. Device assurance started in report-only mode, then moved to enforcement with clear remediation guidance. Manual offboarding remained a controlled fallback during early cycles.

How did device checks work for BYOD and partner devices? Device assurance evaluated signals such as encryption, OS baseline, and management state. Studio-managed devices met policy directly. BYOD and partner laptops that didn’t meet standards were guided to virtual desktops or limited scopes, with instructions for enrollment where appropriate. Exceptions were time-bound and reviewed.

What about vendors with their own identity providers? Where partners used their own directories, apps federated through SAML/OIDC as before, but access still flowed through packages with sponsor approvals and expirations. Group-based authorization in the studio’s tenant controlled app roles, and expirations removed assignments even when authentication occurred cross-tenant.

How were short engagements and recurring contractors handled? Short runs used minimal packages with tight expirations. Returnees were re-invited through the same flow; prior profiles were reused, but access remained time-boxed and sponsor-approved. Extensions required an explicit sponsor action rather than silent renewal.
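The routing described in this answer (studio-managed devices pass, BYOD that meets baseline gets a limited scope, out-of-policy or unmanaged devices go to a virtual desktop, and the report-only rollout mode mentioned in the previous answer) is the kind of decision a device assurance policy produces. The Python below is an added illustration written for this page, not Okta's Device Assurance engine or any Jamf/Intune integration code; the signal names, OS baselines, route labels and remediation text are all assumed.

```python
"""Device assurance routing as an added illustration (not Okta's policy engine)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed OS baselines per platform, compared as version tuples.
OS_BASELINE: Dict[str, Tuple[int, ...]] = {"macos": (14, 0), "windows": (10, 0, 22631)}

ALLOW, LIMITED, VDI, DENY = "allow", "limited-scope", "virtual-desktop", "deny"

REMEDIATION = {  # constructed guidance shown to the user when a check fails
    "os-below-baseline": "Update the OS to the studio baseline and sign in again.",
    "disk-not-encrypted": "Enable full-disk encryption, then retry.",
    "not-managed": "Enroll in Jamf or Intune, or continue on the virtual desktop.",
    "unsupported-platform": "Use a supported device or the virtual desktop.",
}


@dataclass(frozen=True)
class DeviceSignals:
    platform: str
    os_version: Tuple[int, ...]
    disk_encrypted: bool
    managed: bool  # enrolled in Jamf or Intune (assumed signal name)


@dataclass(frozen=True)
class Decision:
    route: str         # what the sign-in actually did
    would_route: str   # what policy computed (differs from route only in report-only mode)
    reasons: List[str]
    remediation: List[str]


def failed_checks(d: DeviceSignals) -> List[str]:
    """Return the names of the posture checks this device fails."""
    failures = []
    baseline = OS_BASELINE.get(d.platform)
    if baseline is None:
        failures.append("unsupported-platform")
    elif d.os_version < baseline:
        failures.append("os-below-baseline")
    if not d.disk_encrypted:
        failures.append("disk-not-encrypted")
    if not d.managed:
        failures.append("not-managed")
    return failures


def evaluate(d: DeviceSignals, app_sensitive: bool, enforce: bool = True) -> Decision:
    """Map posture failures to a route.

    Compliant managed devices go straight through. An unmanaged device that is
    otherwise on baseline gets a limited scope for standard apps and the virtual
    desktop for sensitive ones. An unmanaged device with a further failure is
    always steered to the virtual desktop, while a managed device that has
    drifted out of policy is denied with remediation so it gets fixed. With
    enforce=False (report-only rollout) the decision is recorded but not applied.
    """
    failures = failed_checks(d)
    if not failures:
        computed = ALLOW
    elif failures == ["not-managed"]:
        computed = VDI if app_sensitive else LIMITED
    elif "not-managed" in failures:
        computed = VDI
    else:
        computed = DENY
    route = computed if enforce else ALLOW
    return Decision(route, computed, failures, [REMEDIATION[f] for f in failures])


def demo() -> Dict[str, str]:
    """Constructed devices run through the policy; returns the route per scenario."""
    studio = DeviceSignals("macos", (14, 4), disk_encrypted=True, managed=True)
    byod_ok = DeviceSignals("windows", (10, 0, 22631), disk_encrypted=True, managed=False)
    byod_old = DeviceSignals("macos", (12, 6), disk_encrypted=True, managed=False)
    drifted = DeviceSignals("windows", (10, 0, 22631), disk_encrypted=False, managed=True)
    return {
        "studio": evaluate(studio, app_sensitive=True).route,
        "byod_standard_app": evaluate(byod_ok, app_sensitive=False).route,
        "byod_sensitive_app": evaluate(byod_ok, app_sensitive=True).route,
        "byod_old_os": evaluate(byod_old, app_sensitive=False).route,
        "drifted_managed": evaluate(drifted, app_sensitive=False).route,
        "report_only": evaluate(byod_old, app_sensitive=False, enforce=False).route,
        "report_only_would": evaluate(byod_old, app_sensitive=False, enforce=False).would_route,
    }
```

Keeping `would_route` separate from `route` is what makes the report-only phase useful: the denial dashboards fill up with real data before anyone is blocked, and the remediation text can be tuned against actual failure reasons before enforcement is switched on.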

How did this affect helpdesk and production IT? Helpdesk and Production IT received clearer requests with sponsor context, standard packages, and device requirements encoded. Common issues like device denials came with remediation prompts. Cleanup at wrap shifted from manual list building to monitoring upcoming expirations and handling exceptions.
