MDMs do not prove device identity
Mobile Device Management tools (MDMs) can tell you a device is managed. They cannot cryptographically prove that an access request is coming from the exact hardware you issued, so portable credentials, phishing, and impersonation still work.
The problem is that "managed" doesn't mean "provable"
Portable credentials
MDM-era enrollment commonly relies on secrets or software-stored keys that can be copied to another machine.
Credential theft still wins
If the credential is all you check, attackers only need the credential. MDM can’t prove hardware residency.
Invisible spoofing
Without attestation, a relying service can’t distinguish “real device key” from a simulated or exported key.
Shadow access
Personal or unmanaged devices can reuse stolen tokens to access SaaS apps, internal tools, and admin consoles.
No provenance
Traditional flows don’t prove which device initiated a request—only that a credential was presented.
Revocation gap
Offboarding a device in MDM doesn’t necessarily revoke all usable credentials already copied elsewhere.
Hardware-bound trust
Devices prove identity using secure elements, like a TPM or Secure Enclave. Keys used for authentication are generated in hardware and cannot be exported. Attestation gives the relying party cryptographic proof that the key was generated in, and still resides in, that hardware.
- Keys never leave hardware
- Cryptographic proof of key residency
- Enrollment without reusable secrets
Identity control plane
Centralize device inventory, certificate issuance, configuration, and enforcement. This replaces fragmented device trust signals with a single source of truth.
- Canonical inventory of approved devices
- Automated issuance for renewal and revocation
- Policy-driven rollout across resources
Transparent authentication
Add device identity as a silent factor. Authentication happens continuously and contextually based on device identity and posture, reducing user friction.
- No codes, no prompts for trusted devices
- Stops credential replay from unmanaged hardware
- Works for Wi‑Fi, VPN, ZTNA, web apps
MDM vs. hardware-bound device identity
| Capability | MDM-only | MDM with Smallstep device identity |
|---|---|---|
| Attestation | No cryptographic proof of hardware | Hardware-backed device identity |
| Credential portability | Keys/secrets can be copied | Non-exportable hardware-bound keys |
| Phishing / replay resistance | Stolen credentials still authenticate | Credential tied to the device's secure element |
| Rotation & lifecycle | Often manual / inconsistent | Automated issuance, renewal, revocation |
| Enforcement across Wi‑Fi / VPN / ZTNA / SSO | Depends on app-specific signals | Certificates work almost everywhere |
| Offboarding assurance | Doesn’t invalidate copied creds | Revoke device certs + enforce inventory |
Integrates with your existing stack
The platform integrates with existing identity providers, infrastructure, and security tooling, including AI runtimes and MCP-based systems. It extends cryptographic identity and policy enforcement to agents, tools, and automated workflows without requiring architectural replacement. This allows trust controls to remain consistent as execution shifts from users and services to autonomous systems.
The foundation for secure device access
Replace “managed device” assumptions with cryptographic proof. Stop credential replay. Enforce high-assurance device identity across your most sensitive resources.