How device trust works
Device trust gives every endpoint an identity of its own, usually a certificate or cryptographic key installed during enrollment through a mobile device management (MDM) tool or an enrollment flow. When the device requests access, it proves possession of that credential, which tells the identity provider this is a known, registered machine rather than an arbitrary browser on the internet.
Beyond recognition, mature implementations evaluate device posture: whether the operating system is up to date, disk encryption is on, screen lock is set, endpoint protection is running, and the device has not been jailbroken. These signals feed access policy at sign-in time, so a compliant laptop gets in smoothly while an unpatched or unknown device is blocked, quarantined, or allowed only limited access.
Why device trust matters
Strong user authentication answers who is signing in, but says nothing about where from. A phished or malware-ridden machine can present perfectly valid credentials, and stolen session cookies replayed from an attacker's computer look like the legitimate user. Requiring a trusted device closes this gap: credentials alone stop being enough, because the request must also originate from hardware the organization recognizes.
Device trust is also a pillar of zero trust architecture, where every access decision weighs user identity, device state, and context together. For remote and hybrid workforces that long ago left the office network perimeter, the managed, healthy device effectively becomes the new perimeter.
Device trust in practice
Rollouts usually begin with visibility: enrolling corporate devices, inventorying what connects today, and reporting on posture without enforcing yet. Enforcement then arrives gradually, first for the most sensitive applications and admin access, later for the broader portfolio, with clear self-service remediation so a user with an outdated OS knows exactly how to regain access.
The hardest questions are practical ones: how to handle personal devices under BYOD policies, contractors who cannot enroll in MDM, and break-glass access when enrollment infrastructure is down. Common answers include lighter-weight registration for BYOD and time-boxed exceptions with extra monitoring. Monosign can evaluate device, IP, and location signals in its conditional access policies, letting administrators gate sensitive applications by the trustworthiness of the requesting device.