Device identity is the unique ID associated with a device. In the context of zero trust, device identity can be used to authenticate and authorize users and to determine if a device can be trusted before granting a user access to a protected application or service.
Device identity with Pomerium
Pomerium versions 0.16.0 and up support the use of device identity as a criteria in authorization policies. Pomerium uses the Web Authentication (WebAuthn) API to bring authentication and authorization based on device identity into your security framework. With Pomerium’s device identity support, users can register devices and administrators can limit access to devices they trust.
Device identity features
Pomerium Enterprise and Core both support device identity, but Enterprise users can enroll and manage devices in the Enterprise Console.
|Pre-approved device enrollment
|Administrators can enroll a new device and generate a registration link for a specific user.
|Administrators can view and manage approved and pending devices in the Enterprise Console.
|User-initiated device enrollment
|Users can register their device if a route requires device identity authentication, but can only access the route if their device is approved in the Enterprise Console.
|User-initiated device enrollment
|Users can register their device if a route requires device identity authentication and access the route without device approval.
New enrollment (Enterprise)
Device identity with Pomerium relies on a trust on first use (TOFU) authentication scheme:
- Administrators can enroll a device and generate a custom registration link for a specific user. (Registration links are only valid for the selected user.)
- When a user registers their device with a registration link, the device will automatically be approved following the TOFU authentication scheme.
Manage devices (Enterprise)
When an administrator enrolls a device, the Enterprise Console displays the device's status as Pending Enrollment.
When a user visits the registration link and registers their device, the Enterprise Console updates the device’s status to Approved.
If an administrator deletes a device, the device will be revoked and the link becomes invalid.
Enroll devices as an administrator (Enterprise)
Enterprise users can build policies that only grant access to a route if a user’s device is approved in the Enterprise Console. (See Device Matcher for more information.)
The Enterprise Console’s Manage Devices GUI provides a dashboard where administrators can enroll devices and generate custom registration links for users in their directory.
Before you can generate device registration links for users within your directory, you must sync your directory data first.
See Directory Sync for more information.
To enroll a new device:
In the Console sidebar, select Devices
Select NEW ENROLLMENT
- In the New Enrollment window:
Select Users: Select a user to send a registration link (the link is only valid for the selected user)
Route: Enter a pre-configured route from your Console; Pomerium will use this route to create the custom registration link
Redirect URL (optional): Enter a route that users will redirect to after registering their device
- Select Any to allow a user to register any device
- Select Secure Enclave Only to restrict the user to secure enclaves
- Select SUBMIT to get the registration link
Give the link to the user.
Enroll device as a user
The steps below cover enrollment of a device by a user. This is available for both Pomerium Core and Pomerium Enterprise installations. However, Enterprise users may also receive registration links generated by their administrators, which will mark the newly enrolled device as approved in the Enterprise Console.
Users are prompted to register a new device when accessing a route that requires device authentication:
Users can also access the registration page from the special
.pomeriumendpoint available on any route at the bottom of the page:
Select Register New Device. Your browser will prompt you to provide access to a device. This will look different depending on the browser, operating system, and device type:
Find the device ID
If a route's policy is configured to only allow specific device IDs, you will see a
450 error even after registering:
.pomerium endpoint you can copy your device ID to provide to your Pomerium administrator.
You can also delete the ID for devices that should no longer be associated with your account.