Device Trust
Verify device security posture before granting access. Ensure only trusted, compliant devices can connect to your infrastructure.
Estimated time: 20 minutes
What We Verify
- Operating system version
- Disk encryption status
- Firewall enabled
- Antivirus running
- Screen lock configured
- Jailbreak detection
- MDM enrollment
- Certificate validity
Configuration Steps
1. Enable Device Trust
Configure device trust verification in the auth service.
tacctl create -f - <<EOF
kind: cluster_auth_preference
metadata:
  name: default
spec:
  device_trust:
    mode: required # or 'optional', 'off'
    auto_enroll: true
EOF

2. Define Device Policies
Set security requirements for trusted devices.
tacctl create -f - <<EOF
kind: device_trust_policy
metadata:
  name: corporate-devices
spec:
  requirements:
    os_version:
      macos: ">=13.0"
      windows: ">=10.0.19041"
      linux: ">=5.4"
    security:
      disk_encryption: required
      firewall: required
      screen_lock: required
      antivirus: recommended
    certificate:
      enrolled: true
      max_age: 30d
EOF

3. Enroll Devices
Enroll devices with the TigerAccess agent.
# Install device agent
curl -sSL https://get.tigeraccess.io/agent | sh
# Enroll device
tac device enroll --token=${ENROLLMENT_TOKEN}
# Verify enrollment
tac device status
# List enrolled devices (admin)
tacctl devices ls

4. Configure Per-Resource Requirements
Set different device trust levels for different resources.
tacctl create -f - <<EOF
kind: role
metadata:
  name: production-access
spec:
  options:
    device_trust_mode: required
  allow:
    node_labels:
      env: production
    device_requirements:
      disk_encryption: true
      os_updates: current
---
# Dev access with relaxed requirements. A role spec holds a single allow
# block, so development gets its own role (second YAML document in the
# same create call) with device trust set to optional in its options.
kind: role
metadata:
  name: development-access
spec:
  options:
    device_trust_mode: optional
  allow:
    node_labels:
      env: development
EOF

Device Trust Enabled
With device trust configured, you have:
- Verified device security posture before access
- Continuous verification throughout sessions
- Hardware-bound certificates for trusted devices
- Flexible policies per resource sensitivity
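To make concrete how the posture checks listed under "What We Verify" map onto the corporate-devices policy from step 2, here is an added worked example. It is illustration code written for this guide, not the TigerAccess agent or auth service: CORPORATE_POLICY is the step 2 policy as a Python dict, the posture field names (os, os_version, disk_encryption, firewall, screen_lock, antivirus, cert_enrolled, cert_issued_at) are assumed names for what an agent would report, and the sample postures and the fixed NOW timestamp are constructed for the demo. It shows the distinction that matters in practice: required controls and certificate age deny access, while a recommended control only produces a warning.

```python
"""Evaluate a device posture report against the corporate-devices policy.

Added example, not TigerAccess code. Posture field names are assumed;
CORPORATE_POLICY mirrors the device_trust_policy from step 2.
"""
import re
from datetime import datetime, timedelta, timezone

# Requirements copied from the corporate-devices policy above.
CORPORATE_POLICY = {
    "os_version": {"macos": ">=13.0", "windows": ">=10.0.19041", "linux": ">=5.4"},
    "security": {
        "disk_encryption": "required",
        "firewall": "required",
        "screen_lock": "required",
        "antivirus": "recommended",  # warn, but do not deny
    },
    "certificate": {"enrolled": True, "max_age": "30d"},
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """'30d' -> timedelta(days=30); accepts s, m, h, d suffixes."""
    m = re.fullmatch(r"(\d+)([smhd])", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])

def parse_version(text):
    """'10.0.19041' -> (10, 0, 19041)."""
    return tuple(int(p) for p in text.split("."))

def version_satisfies(constraint, actual):
    """Check a '>=X.Y.Z' style constraint; shorter tuples are zero-padded
    so that '13' satisfies '>=13.0'."""
    op, want = re.fullmatch(r"(>=|>|==)\s*([\d.]+)", constraint).groups()
    a, w = parse_version(actual), parse_version(want)
    n = max(len(a), len(w))
    a, w = a + (0,) * (n - len(a)), w + (0,) * (n - len(w))
    return {">=": a >= w, ">": a > w, "==": a == w}[op]

def evaluate_device(policy, posture, now):
    """Return (allowed, denials, warnings) for one posture report.

    Required controls and the certificate checks deny access;
    a 'recommended' control only produces a warning.
    """
    denials, warnings = [], []
    os_name = posture.get("os")
    constraint = policy["os_version"].get(os_name)
    if constraint is None:
        denials.append(f"os {os_name!r} not covered by policy")
    elif not version_satisfies(constraint, posture["os_version"]):
        denials.append(f"os_version {posture['os_version']} does not satisfy {constraint}")
    for control, level in policy["security"].items():
        if posture.get(control, False):
            continue
        (denials if level == "required" else warnings).append(f"{control} is off ({level})")
    cert = policy["certificate"]
    if cert.get("enrolled") and not posture.get("cert_enrolled", False):
        denials.append("device certificate not enrolled")
    elif "max_age" in cert:
        issued = posture.get("cert_issued_at")
        if issued is None or now - issued > parse_duration(cert["max_age"]):
            denials.append(f"device certificate older than {cert['max_age']}")
    return (not denials, denials, warnings)

# Constructed sample postures; NOW is fixed so results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_POSTURES = {
    "compliant-mac": {"os": "macos", "os_version": "14.2", "disk_encryption": True,
                      "firewall": True, "screen_lock": True, "antivirus": False,
                      "cert_enrolled": True, "cert_issued_at": NOW - timedelta(days=10)},
    "old-windows": {"os": "windows", "os_version": "10.0.18363", "disk_encryption": True,
                    "firewall": True, "screen_lock": True, "antivirus": True,
                    "cert_enrolled": True, "cert_issued_at": NOW - timedelta(days=5)},
    "stale-cert-linux": {"os": "linux", "os_version": "6.1", "disk_encryption": True,
                         "firewall": False, "screen_lock": True, "antivirus": True,
                         "cert_enrolled": True, "cert_issued_at": NOW - timedelta(days=45)},
}

def run_samples():
    """Evaluate every sample posture; returns {name: (allowed, denials, warnings)}."""
    return {name: evaluate_device(CORPORATE_POLICY, p, NOW)
            for name, p in SAMPLE_POSTURES.items()}

if __name__ == "__main__":
    for name, (allowed, denials, warnings) in run_samples().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {denials} {warnings}")
```

Run it directly to see one allow with an antivirus warning, one denial for a Windows build below 10.0.19041, and one denial that combines a disabled firewall with a device certificate past the 30d max_age. The version comparison pads shorter tuples so a reported "13" satisfies ">=13.0"; a real agent would also need to normalise how each OS reports its version before comparing.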