Device Attestation
Apple
Device Attestation establishes the authenticity of a device using properties of it that Apple can vouch for. The device requests an attestation from Apple's attestation servers, which verify the device against Apple's criteria, and returns the resulting attestation to the MDM server; the MDM server then evaluates it. This ensures that only legitimate devices can reach the MDM server and the corporate resources behind it. Device Attestation is applicable only to iOS, iPadOS and tvOS 16.0 or later.
The MDM server requests a fresh Device Attestation certificate (which the device obtains from Apple's attestation server and returns to MDM) when:
- A new device is enrolled with MDM.
- The device is updated to a new OS version.
Apple's attestation servers refuse to issue an attestation in the following cases:
- The device experiences a network issue reaching Apple's attestation servers.
- Apple's attestation servers themselves have an issue.
- The device hardware or software may be compromised.
When device attestation fails, the admin can manually investigate the device and, if compromise is confirmed, revoke access to the organization's resources by wiping all corporate data on the device. Note that the first two causes are transient: a missing attestation should be re-requested before the device is treated as compromised.
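The exchange above, as an added example that is not part of the original page and not Apple's or the MDM product's code. A real Apple attestation is an X.509 certificate chain issued by Apple's attestation CA; here an HMAC over the attested claims stands in for that chain so the example runs offline with the standard library only. The claim names, the verdict names, the event names and the simulated key are assumptions chosen for this example. It shows the three things an MDM must get right: request attestation only when the text says to (enrollment, OS update, OS 16.0+), bind the result to a per-request nonce so an old attestation cannot be replayed, and separate a missing attestation (transient, retry) from an invalid or mismatched one (investigate, possibly wipe).

```python
"""Simulated MDM-side evaluation of an Apple Managed Device Attestation.

Added illustration only; not the MDM product's code and not Apple's
implementation. An HMAC replaces Apple's certificate chain so this runs
offline. All claim/verdict/event names and the key are assumptions.
"""
import hashlib
import hmac
import json
import secrets
from enum import Enum

# Constructed stand-in for Apple's attestation signing key (assumption).
_SIM_APPLE_KEY = b"simulated-apple-attestation-key"


def _sign(claims: dict) -> str:
    # Canonical JSON so device and server hash identical bytes.
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(_SIM_APPLE_KEY, body, hashlib.sha256).hexdigest()


def should_request_attestation(os_version: str, event: str) -> bool:
    """Attestation is requested on enrollment and after an OS update, and only
    for OS 16.0 or later (older devices cannot produce one)."""
    major = int(os_version.split(".")[0])
    return major >= 16 and event in ("enrolled", "os_updated")


def new_nonce() -> str:
    """MDM generates a fresh nonce per request so a result cannot be replayed."""
    return secrets.token_hex(16)


def device_obtain_attestation(serial, udid, os_version, nonce, tampered=False):
    """Simulate the device asking 'Apple' to attest its properties. With
    tampered=True the device alters the claims after signing, modelling
    compromised software that cannot present a valid attestation."""
    claims = {"serial": serial, "udid": udid, "os_version": os_version, "nonce": nonce}
    signature = _sign(claims)
    if tampered:
        claims = dict(claims, os_version="99.0")  # signature no longer covers this
    return {"claims": claims, "signature": signature}


class Verdict(Enum):
    OK = "ok"
    MISSING = "missing"      # nothing returned: network or Apple-side issue
    INVALID = "invalid"      # bad signature or replayed/stale nonce
    MISMATCH = "mismatch"    # attested identity differs from the enrollment record


def mdm_evaluate(record: dict, issued_nonce: str, attestation) -> Verdict:
    """Evaluate what the device returned against the MDM's enrollment record."""
    if attestation is None:
        return Verdict.MISSING
    claims = attestation["claims"]
    if not hmac.compare_digest(_sign(claims), attestation["signature"]):
        return Verdict.INVALID
    if not hmac.compare_digest(claims["nonce"], issued_nonce):
        return Verdict.INVALID
    if claims["serial"] != record["serial"] or claims["udid"] != record["udid"]:
        return Verdict.MISMATCH
    return Verdict.OK


def next_action(verdict: Verdict) -> str:
    """Map a verdict to the operational response described in the text."""
    if verdict is Verdict.OK:
        return "keep managed"
    if verdict is Verdict.MISSING:
        return "retry later"  # transient causes: do not wipe on a single miss
    return "investigate; wipe corporate data if compromise is confirmed"


if __name__ == "__main__":
    record = {"serial": "SIM-SERIAL-001", "udid": "SIM-UDID-001"}  # constructed
    nonce = new_nonce()
    att = device_obtain_attestation("SIM-SERIAL-001", "SIM-UDID-001", "17.2", nonce)
    verdict = mdm_evaluate(record, nonce, att)
    print(verdict.name, "->", next_action(verdict))
```

The nonce comparison is the part most often skipped in practice: without it a device that was clean at enrollment could keep presenting that old attestation after being compromised.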
Android
Remove devices when
Admins can use the following settings to ensure that corporate data is removed from a device that has been compromised. Devices are checked during enrollment and during every scan. If a device is found to be non-compliant with the option selected below, it is deprovisioned and its corporate data is wiped; if the check fails during enrollment, the enrollment itself fails.
Rooted
Rooted devices give users additional controls, such as removing profiles distributed by MDM or removing the device from MDM management altogether. Organizations should therefore not allow rooted devices to access corporate data, as this could lead to a data breach. MDM identifies rooted devices and, when this option is selected, removes them from management; removing a device from management also removes the corporate data from it.
Basic Integrity Check fails
Android's Basic Integrity Check verifies that the device is not rooted, is not a virtual device (emulator) and is not running a custom ROM. If any of these conditions is true, the device fails the Basic Integrity Check. During enrollment, a device that fails Basic Integrity is not enrolled. If an already enrolled device fails the Basic Integrity Check, it is removed from management and its corporate data is removed.
Google Certification fails
Google certifies devices based on its Compatibility Test Suite (CTS), which contains the basic requirements a device must meet for Google to certify it for enterprise use. If this option is selected, devices are enrolled only if they are Google certified. Google maintains a list of certified devices.
NOTE: Google Certification also checks the device's Basic Integrity, so a Google-certified device always passes the Basic Integrity Check. The reverse does not hold: a device can pass the Basic Integrity Check and still not be Google certified, which makes Basic Integrity Check the more permissive of the two options.
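The three "Remove devices when" options and the NOTE, as an added example that is not the MDM product's code. The report fields (rooted, basicIntegrity, ctsProfileMatch) follow the SafetyNet-style booleans Google has reported to MDMs; the policy, context and action names, and the sample reports, are assumptions constructed for this example. The implication chain it encodes is the one the text states: a rooted device fails Basic Integrity, and a device that fails Basic Integrity is not Google certified, so the options form a strict ordering from most to least permissive.

```python
"""Evaluate an Android integrity report against the admin's
"Remove devices when" selection.

Added illustration only; not the MDM product's code. Field names follow
SafetyNet-style booleans; policy/context/action names are assumptions.
"""
from enum import Enum


class Policy(Enum):
    ROOTED = "rooted"                      # remove only rooted devices
    BASIC_INTEGRITY = "basic_integrity"    # remove when Basic Integrity fails
    GOOGLE_CERTIFIED = "google_certified"  # remove when not Google certified


class Context(Enum):
    ENROLLMENT = "enrollment"
    SCAN = "scan"


class Action(Enum):
    ALLOW = "allow"
    REJECT_ENROLLMENT = "reject_enrollment"
    DEPROVISION_AND_WIPE = "deprovision_and_wipe"


def normalize(report: dict) -> dict:
    """Make an agent report self-consistent: rooted implies Basic Integrity
    fails, and failing Basic Integrity implies not Google certified. A report
    claiming "rooted but certified" is therefore treated as uncertified."""
    rooted = bool(report.get("rooted", False))
    basic = bool(report.get("basicIntegrity", False)) and not rooted
    certified = bool(report.get("ctsProfileMatch", False)) and basic
    return {"rooted": rooted, "basicIntegrity": basic, "ctsProfileMatch": certified}


def is_compliant(report: dict, policy: Policy) -> bool:
    r = normalize(report)
    if policy is Policy.ROOTED:
        return not r["rooted"]
    if policy is Policy.BASIC_INTEGRITY:
        return r["basicIntegrity"]
    return r["ctsProfileMatch"]


def decide(report: dict, policy: Policy, context: Context) -> Action:
    """Enrollment-time failures reject the enrollment; failures found during a
    later scan deprovision the device, which also wipes its corporate data."""
    if is_compliant(report, policy):
        return Action.ALLOW
    if context is Context.ENROLLMENT:
        return Action.REJECT_ENROLLMENT
    return Action.DEPROVISION_AND_WIPE


# Constructed sample reports (not real device data).
SAMPLE_REPORTS = {
    "stock":           {"rooted": False, "basicIntegrity": True,  "ctsProfileMatch": True},
    "uncertified_oem": {"rooted": False, "basicIntegrity": True,  "ctsProfileMatch": False},
    "emulator":        {"rooted": False, "basicIntegrity": False, "ctsProfileMatch": False},
    "rooted":          {"rooted": True,  "basicIntegrity": True,  "ctsProfileMatch": True},
}

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        for policy in Policy:
            action = decide(report, policy, Context.SCAN)
            print(f"{name:16} {policy.name:17} {action.name}")
```

Running the matrix shows the NOTE's case directly: the "uncertified_oem" report is allowed under Basic Integrity Check but deprovisioned under Google Certification, and an emulator survives the Rooted-only option entirely.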
MDM allows admins to generate reports showing the Device Attestation status of managed devices. To view them, navigate to Reports > Predefined Reports > Device Attestation.