Device attestation is a crucial process in any IT management strategy. As its name suggests, it “attests” or verifies the authenticity and integrity of a device or endpoint’s hardware and software.
This is usually captured in a certificate signed with a Certificate Authority (CA) key and validated using Public Key Infrastructure (PKA). Alternatively, the certificate can be self-signed and verified against the Creator Identity or a public device registry.
Deliver endpoint security through the familiar NinjaOne platform.
How does device attestation work?
Typically, device attestation is rooted within two asymmetric keys: Creator Identity and Owner Identity. Both keys provide details on an endpoint’s cryptographic properties.
- The Creator Identity is generated at manufacture and endorsed by the Creator PKI.
- The Owner Identity is generated at ownership transfer time or whenever the BL0 (bootloader) configuration changes.
The Owner Identity key is endorsed by the Creator Identity, usually through the provider’s specific processes. For example, Microsoft follows its own Intune device attestation, while Apple has its own device attestation for Mac, iPhone, iPad, and Apple TV and devices.
Device attestation is crucial in determining that any device enrolled in your system is authentic. This reduces potential security vulnerabilities and contributes to their secure management if, for example, you are using an endpoint management or mobile device management (MDM) solution.
What is device trust?
Device trust determines whether a device present in a network can be considered secure and reliable for accessing resources or performing specific tasks. It also ensures that every endpoint being used or managed can be granted certain privileges based on specific needs and goals.
It is a seldomly discussed feature in any proactive IT management and security strategy. We often read guides on what software to use or how to plan our IT budget, but we forget the first step in any effective security strategy: Ensuring that what we’re managing can be trusted in the first place.
What is the ACME protocol?
The Automated Certificate Management Environment (ACME) protocol automates the entire lifecycle of digital certificates, from their issuance to renewal. This hastens the process and minimizes the risk of human error.
The Internet Security Research Group (ISRG) created the ACME protocol for Lets Encrypt, its own public certificate service. Since it was recently published as an Internet Standard RFC 8555, many operating systems now use ACME to streamline the device attestation process. Previously, this task was handled by Simple Certificate Enrollment Protocol (SCEP).
Device attestation and zero-trust security
ACME plays a pivotal role in advancing robust zero-trust security frameworks. Device attestation provides cryptographic proof of a device’s attributes, leveraging asymmetric key technology. These unique identifiers are commonly utilized during the initial stages of MDM enrollment or other device onboarding processes.
ACME ensures the device’s characteristics are cryptographically validated and cross-referenced against a comprehensive device catalog. Once the device’s authenticity and attributes are confirmed, it is eligible for enrollment into the infrastructure, allowing secure and trusted usage within the system.
What happens with failed attestations?
Device attestation may occasionally fail. In such cases, the device can still respond to an ACME challenge, but certain critical information, such as the expected object identifier, might be missing. The reasons for failed attestation can be caused by various reasons, from temporary network issues to more severe scenarios like compromised hardware or software.
Although there is no foolproof way to determine the exact cause of the failure, organizations can mitigate risks by employing strategies within their zero-trust architecture, particularly under managed device attestation protocols. Using this framework, organizations can calculate a device trust score depending on the results of their attestation. A lower score should trigger different actions, such as denying access to services or alerting the IT team, depending on the numeric value calculated.
It’s worth noting that the results of device attestation play a direct role in device enrollment, especially in MDM. For example, in Android enrollment, the user or device must provide the relevant credentials to be configured.
→ Start your 14-day free trial of the #1 endpoint management software on G2.
Strengthen device security with NinjaOne
NinjaOne delivers endpoint security through its multi-awarded RMM software solution. Its robust platform not only automates patch and software management to quickly identify vulnerabilities at scale, but it also protects critical business data through endpoint backup.
If you’re ready, request a free quote, sign up for a 14-day free trial, or watch a demo.
