The app enrolls your device with Smallstep using a private key stored in your TPM or Secure Enclave. During enrollment, it uses Device Identity Attestation to get a certificate for the device from Smallstep. Device Identity Attestation ensures that:
- A device’s private key is hardware-bound and is not exportable
- A device’s identifier (serial number, TPM endorsement key, or MDM enrollment ID) has been proven to Smallstep with evidence rooted in the device’s manufacturer, rather than simply asserted by the device
Together, a hardware-bound private key and an attested identity give you strong protection against unauthorized devices gaining access to sensitive resources: the certificate cannot be copied to another machine, and it cannot be obtained by a device that merely claims someone else’s identifier. Note what attestation does not cover: a compromised device can still use its key locally, so attestation establishes which device is connecting, not that the device is healthy.
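The following is an added example of the attestation-gated enrollment described above, written in Go for this page; it is not Smallstep's code or protocol, nor the real TPM or Secure Enclave attestation formats. It models the manufacturer root as an X.509 CA that certifies each device's attestation key (AK), has the AK sign a CA-issued nonce together with the public half of the identity key being enrolled, and has the CA accept the identity key and serial number only after the AK certificate chains to a trusted manufacturer and the signature checks out. Names such as `NewManufacturerRoot`, `ProvisionAK`, `Attest` and `VerifyAttestation` are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Attestation is what a device sends to the CA at enrollment. It carries no
// self-asserted serial number: the CA reads the identifier from the
// manufacturer-signed attestation-key (AK) certificate. Both the AK and the
// identity key stay on the device; only public material and a signature leave it.
type Attestation struct {
	AKCertDER, IDPubDER, Sig []byte
}

// certify generates a P-256 key and issues tmpl for it; a nil parent means self-signed.
func certify(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewManufacturerRoot models the hardware vendor's root of trust (the TPM EK/AK
// hierarchy in real deployments). Assumed model for this example, not a real vendor CA.
func NewManufacturerRoot(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return certify(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// ProvisionAK models the factory step: the vendor certifies the device's AK and
// binds the device serial number into the certificate subject.
func ProvisionAK(rootKey *ecdsa.PrivateKey, root *x509.Certificate, serial string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return certify(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{SerialNumber: serial},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, root, rootKey)
}

// attestationMessage is what the AK signs: a 32-byte CA nonce then the identity
// public key. The fixed nonce length keeps the concatenation unambiguous.
func attestationMessage(nonce, idPubDER []byte) []byte {
	return append(append([]byte("device-attest-v1\x00"), nonce...), idPubDER...)
}

// Attest is the device side: the AK signs the CA's nonce together with the public
// half of idKey, proving that key was generated on this certified device.
func Attest(ak *ecdsa.PrivateKey, akCert *x509.Certificate, idKey *ecdsa.PrivateKey, nonce []byte) (*Attestation, error) {
	idPubDER, err := x509.MarshalPKIXPublicKey(&idKey.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(attestationMessage(nonce, idPubDER))
	sig, err := ecdsa.SignASN1(rand.Reader, ak, digest[:])
	if err != nil {
		return nil, err
	}
	return &Attestation{AKCertDER: akCert.Raw, IDPubDER: idPubDER, Sig: sig}, nil
}

// VerifyAttestation is the CA side. It rebuilds the signed message from the nonce
// it issued, so a replayed or key-substituted attestation fails the signature check.
// On success it returns the identity public key and the manufacturer-attested serial,
// the only inputs from which the CA should then build the device certificate.
func VerifyAttestation(roots *x509.CertPool, nonce []byte, att *Attestation) (crypto.PublicKey, string, error) {
	akCert, err := x509.ParseCertificate(att.AKCertDER)
	if err != nil {
		return nil, "", err
	}
	// The AK certificate must chain to a manufacturer root the CA trusts.
	if _, err := akCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, "", err
	}
	// The AK must have signed exactly this nonce and this identity key.
	if err := akCert.CheckSignature(x509.ECDSAWithSHA256, attestationMessage(nonce, att.IDPubDER), att.Sig); err != nil {
		return nil, "", err
	}
	idPub, err := x509.ParsePKIXPublicKey(att.IDPubDER)
	if err != nil {
		return nil, "", err
	}
	return idPub, akCert.Subject.SerialNumber, nil
}
```

Two design points carry over to real deployments: the CA never trusts a serial number the client types in, only the one inside the manufacturer-signed certificate; and the CA verifies against the nonce it issued rather than one echoed back by the device, which is what defeats replay of an old attestation.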