← All terms
Device Trust

What is Device Trust?

Device trust verifies that the device requesting access is known, managed, and healthy before granting entry, adding a second identity beside the user's.

Last updated: 15 July 2026

How device trust works

Device trust gives every endpoint an identity of its own, usually a certificate or cryptographic key installed during enrollment through a mobile device management (MDM) tool or an enrollment flow. When the device requests access, it proves possession of that credential, which tells the identity provider this is a known, registered machine rather than an arbitrary browser on the internet.

Beyond recognition, mature implementations evaluate device posture: whether the operating system is up to date, disk encryption is on, screen lock is set, endpoint protection is running, and the device has not been jailbroken. These signals feed access policy at sign-in time, so a compliant laptop gets in smoothly while an unpatched or unknown device is blocked, quarantined, or allowed only limited access.

Why device trust matters

Strong user authentication answers who is signing in, but says nothing about where from. A phished or malware-ridden machine can present perfectly valid credentials, and stolen session cookies replayed from an attacker's computer look like the legitimate user. Requiring a trusted device closes this gap: credentials alone stop being enough, because the request must also originate from hardware the organization recognizes.

Device trust is also a pillar of zero trust architecture, where every access decision weighs user identity, device state, and context together. For remote and hybrid workforces that long ago left the office network perimeter, the managed, healthy device effectively becomes the new perimeter.

Device trust in practice

Rollouts usually begin with visibility: enrolling corporate devices, inventorying what connects today, and reporting on posture without enforcing yet. Enforcement then arrives gradually, first for the most sensitive applications and admin access, later for the broader portfolio, with clear self-service remediation so a user with an outdated OS knows exactly how to regain access.

The hardest questions are practical ones: how to handle personal devices under BYOD policies, contractors who cannot enroll in MDM, and break-glass access when enrollment infrastructure is down. Common answers include lighter-weight registration for BYOD and time-boxed exceptions with extra monitoring. Monosign can evaluate device, IP, and location signals in its conditional access policies, letting administrators gate sensitive applications by the trustworthiness of the requesting device.

Frequently asked questions

Is device trust the same as MDM?
No. MDM manages and configures devices; device trust consumes that information at sign-in time to decide access. MDM enrollment is a common way to establish a device identity and report posture, but the access decision itself belongs to the identity and access layer.
Can device trust work with personal (BYOD) devices?
Yes, with adjusted expectations. Lightweight registration or per-app management can establish a device identity and basic posture checks without full corporate control, and policy can grant such devices access to a narrower set of applications than fully managed hardware.
Does device trust replace MFA?
It complements rather than replaces it. The device credential proves the machine; MFA proves the person. Together they cover both stolen-credential and stolen-device scenarios, and many organizations treat a trusted device as one of the factors in an adaptive policy.