Modern enterprise ZTNA backed by cryptographic device trust

Smallstep Enterprise Relay is a transparent VPN built on standards-based private MASQUE relays [RFC9298]. Using mutual TLS and hardware-bound device certificates, it secures access to SaaS apps and internal networks. Whether employees are remote, hybrid, or on-site, only trusted, managed devices can connect—without passwords or user prompts. Just seamless, reliable, device-based authentication.

Transparent to users
Device-wide enforcement
Stronger trust model with mutual TLS
Covers both SaaS and internal apps
Exclusive egress IPs
Cross-platform coverage

Protect SaaS apps and internal resources

Smallstep Enterprise Relay secures access to internal networks and public cloud apps like GitHub, Google Workspace, and Stripe. Easily specify which domains to route through the relay using match/exclude rules, then enforce access via IP allow lists and mutual TLS. From dashboards and APIs to SaaS accounts, Relay provides a unified layer of secure control.

Replace browser plugins and identity-only ZTNA

Many ZTNA tools rely on browser plugins or DNS workarounds. Smallstep Enterprise Relay provides network-level protection across the entire device. It authenticates hardware-attested devices—not just user sessions—and routes only approved traffic through a dedicated outbound IP range. Policies are enforced based on trusted, hardware-bound certificates, not just login credentials. No browser extensions, no redirect pages—only seamless, device-based security.

Enable transparent authentication for every user

With Smallstep Enterprise Relay, authentication happens silently in the background. There are no popups, login screens, or user prompts. If a device has a valid attested certificate, it gets access. If not, it’s blocked, and your users never need to think about it.

Extend ZTNA to all devices. Yes, Linux too

Smallstep Enterprise Relay is natively supported on Apple devices via the Managed Relay MDM payload (iOS 17+, iPadOS 17+, macOS 14+, tvOS 17+). For Windows and Linux, the Smallstep agent extends the same hardware-bound mutual TLS authentication. No browser extensions or third-party clients—just unified, system-level access control across your entire device fleet.

Learn more about the platform

The Smallstep platform helps mitigate numerous cybersecurity threats – from phishing to advanced hardware attacks – without impacting end-user workflows.

Device identity based ZTNA that just works

Deploy in the cloud or on-prem. Apply Zero Trust policies across every device without breaking workflows.
