At the Apple Worldwide Developer Conference (WWDC) earlier this year, the company announced that it was building additional capabilities into iOS, iPadOS and tvOS 16 to establish device identity, otherwise known as Device Attestation. Managed Device Attestation is a new capability that helps ensure servers and services (on-premises or in the cloud) only respond to legitimate requests for access to resources. This approach allows Apple to use the ACME protocol in new ways, taking hours of manual labor off IT professionals in enterprises everywhere. No longer will they have to have physical devices shipped to them to prove device identity before a device is handed to the user; now enrollment is a simple, automated process once the user receives the device.

To fully understand the significance for enterprise IT, we caught up with Mike Malone, founder and CEO of Smallstep, to talk about MDA and what Smallstep is doing to support it.
VMblog: We last spoke in June. What should enterprises be thinking about in relation to certificates for securing distributed systems?

Mike Malone: The reality of the way companies work is changing. The shift to remote/hybrid offices has become more permanent, making the way that IT departments secure their systems complex. Mobile Device Management (MDM) solutions paired with the Simple Certificate Enrollment Protocol (SCEP) are often used as a solution, but they have a critical shortcoming: there isn't a way to cryptographically verify that the SCEP profile is on the correct machine.

There is a better way now. A new ACME challenge type proposed by an engineer at Google to the Internet Engineering Task Force (IETF), called device-attest-01 and branded Managed Device Attestation by Apple, binds an identifier to a specific device using cryptographic hardware.

VMblog: What is Managed Device Attestation and why should we be talking about it now?

Malone: Managed Device Attestation works to create a second boundary of trust around which the device management solutions can work to protect against security breaches. With companies like Apple announcing their support behind Device Attestation with Microsoft and Google not far behind, a better security posture for end user devices in every enterprise is a reality.

VMblog: How will this revolutionize the work of IT professionals in enterprises everywhere?

Malone: All the functionalities of the ACME protocol make its use on private networks more powerful - a way to securely get certificates for end user devices without a SCEP password. With teams of all types (hybrid, remote, in-office) using personal and company devices for their work, IT professionals are feeling the pressure for better authentication on every device with access to mission-critical resources. By allowing employees to securely self-enroll devices without help desk or IT support, IT teams will have more freedom to focus their time and money on managing and maintaining technology for a business' benefit.

VMblog: How does it work?

Malone: Organizations rely on MDM solutions for several reasons, including credential provisioning, configuration management, and compliance monitoring. MDM solutions typically use outdated protocols such as SCEP to provision credentials and may not confidently assure the identity of the device that's being enrolled. Managed Device Attestation, built on the new ACME Device Attestation challenge, combines a hardware-bound, cryptographic identity with a modern protocol for certificate automation. This combination offers a higher assurance of the device's identity than typical enrollment methods. This makes it a secure foundation for other functionalities that require a trusted identity.
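To make the answer above concrete, here is an added example, written for this page and not code from Smallstep, Apple or the IETF draft, of the check an ACME server performs for a device-attest-01 style challenge, in Go. It stands in for the hardware vendor's attestation root and the device's secure hardware with plain ECDSA keys, and uses a constructed extension OID (1.3.6.1.4.1.99999.1), constructed device serials and constructed token and thumbprint values; the real Apple attestation format, its extension OIDs and the WebAuthn-style attestation object the draft specifies are not reproduced. What it demonstrates is the three properties the interview relies on: the attested key chains to a root the server trusts rather than to a shared SCEP secret, the attestation is fresh for this particular challenge and ACME account, and it names the identifier the order asked for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical OID for the freshness-nonce extension, constructed for this example only.
var nonceOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewAttestationRoot stands in for a hardware vendor's attestation CA.
func NewAttestationRoot() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Attestation Root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// Attest models secure hardware vouching for a device-bound key: the leaf names the
// device serial and carries SHA-256 of the ACME key authorization as a freshness nonce.
func Attest(root *x509.Certificate, rootKey *ecdsa.PrivateKey, serial string, devicePub *ecdsa.PublicKey, keyAuth string) []byte {
	nonce := sha256.Sum256([]byte(keyAuth))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{SerialNumber: serial},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: nonceOID, Value: must(asn1.Marshal(nonce[:]))}},
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, root, devicePub, rootKey))
}

// VerifyDeviceAttestation is the ACME server's side as modelled here: chain to a trusted
// vendor root, nonce bound to this challenge and account, identifier equal to the order's.
func VerifyDeviceAttestation(leafDER []byte, roots *x509.CertPool, expectedSerial, keyAuth string) (*x509.Certificate, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("attestation chain: %w", err)
	}
	var got []byte // nonce from the leaf; stays empty if absent or malformed
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(nonceOID) {
			_, _ = asn1.Unmarshal(ext.Value, &got)
		}
	}
	want := sha256.Sum256([]byte(keyAuth))
	if subtle.ConstantTimeCompare(got, want[:]) != 1 {
		return nil, fmt.Errorf("nonce mismatch: stale, replayed, or issued for another challenge")
	}
	if leaf.Subject.SerialNumber != expectedSerial {
		return nil, fmt.Errorf("attested identifier %q does not match the order", leaf.Subject.SerialNumber)
	}
	return leaf, nil // leaf.PublicKey is the hardware-bound device key the order may now use
}

// RunScenario runs one good enrollment and three cases the server must refuse.
func RunScenario() map[string]bool {
	vendor, vendorKey := NewAttestationRoot()
	rogue, rogueKey := NewAttestationRoot() // looks like a vendor CA but is not in the trust store
	roots := x509.NewCertPool()
	roots.AddCert(vendor)
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// ACME key authorization is token "." base64url(account key thumbprint); both parts constructed here.
	keyAuth := "token-1.constructed-account-thumbprint"
	leaf := Attest(vendor, vendorKey, "C02CONSTRUCTED", &devKey.PublicKey, keyAuth)
	out := map[string]bool{}
	cert, err := VerifyDeviceAttestation(leaf, roots, "C02CONSTRUCTED", keyAuth)
	out["valid_accepted"] = err == nil && cert.PublicKey.(*ecdsa.PublicKey).Equal(&devKey.PublicKey)
	_, err = VerifyDeviceAttestation(leaf, roots, "C02CONSTRUCTED", "token-2.constructed-account-thumbprint")
	out["replay_rejected"] = err != nil
	_, err = VerifyDeviceAttestation(leaf, roots, "C02OTHER", keyAuth)
	out["wrong_identifier_rejected"] = err != nil
	_, err = VerifyDeviceAttestation(Attest(rogue, rogueKey, "C02CONSTRUCTED", &devKey.PublicKey, keyAuth), roots, "C02CONSTRUCTED", keyAuth)
	out["untrusted_root_rejected"] = err != nil
	return out
}
func main() { fmt.Println(RunScenario()) }
```

Running the block prints a map with all four scenario keys set to true. The contrast with the SCEP shortcoming Malone describes is in what the server can and cannot check: a SCEP challenge password proves only that the enrolling party knew the password, so the server cannot tell which machine the key lives on, whereas here the vendor signature ties the key to hardware, the nonce ties the attestation to this challenge, and the serial ties it to the identifier being issued.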
VMblog: As a thought leader in this area, what can we expect from Smallstep and what will Smallstep's role be as it moves forward?

Malone: Managed device attestation is the next step for Smallstep in securing distributed systems and another place for TLS certificates to shine in a cryptographically secured environment. Using the ACME protocol on all end user devices (including things like routers) in addition to using certificates to authenticate humans creates a hard stop for breaches based on shared credentials to exist. Short-lived/trusted TLS certificates for every device with ACME and managed device attestation are the future, and the future is now.