Skip to main content

Device Identity

Device identity is the unique ID associated with a device. In the context of zero trust, device identity can be used to authenticate and authorize users and to determine if a device can be trusted before granting a user access to a protected application or service.

Device identity with Pomerium

Pomerium versions 0.16.0 and up support the use of device identity as a criteria in authorization policies. Pomerium uses the Web Authentication (WebAuthn) API to bring authentication and authorization based on device identity into your security framework. With Pomerium’s device identity support, users can register devices and administrators can limit access to devices they trust.

Device identity features

Pomerium Enterprise and Core both support device identity, but Enterprise users can enroll and manage devices in the Enterprise Console.

Features (Enterprise)Device Identity
Pre-approved device enrollmentAdministrators can enroll a new device and generate a registration link for a specific user.
Device managementAdministrators can view and manage approved and pending devices in the Enterprise Console.
User-initiated device enrollmentUsers can register their device if a route requires device identity authentication, but can only access the route if their device is approved in the Enterprise Console.
Features (Core)Device Identity
User-initiated device enrollmentUsers can register their device if a route requires device identity authentication and access the route without device approval.

New enrollment (Enterprise)

Device identity with Pomerium relies on a trust on first use (TOFU) authentication scheme:

  • Administrators can enroll a device and generate a custom registration link for a specific user. (Registration links are only valid for the selected user.)
  • When a user registers their device with a registration link, the device will automatically be approved following the TOFU authentication scheme.

Manage devices (Enterprise)

When an administrator enrolls a device, the Enterprise Console displays the device's status as Pending Enrollment.

When a user visits the registration link and registers their device, the Enterprise Console updates the device’s status to Approved.

If an administrator deletes a device, the device will be revoked and the link becomes invalid.

Enroll devices as an administrator (Enterprise)

Enterprise users can build policies that only grant access to a route if a user’s device is approved in the Enterprise Console. (See Device Matcher for more information.)

The Enterprise Console’s Manage Devices GUI provides a dashboard where administrators can enroll devices and generate custom registration links for users in their directory.

To enroll a new device:

  1. In the Console sidebar, select Devices

  2. Select NEW ENROLLMENT

Enroll devices

  1. In the New Enrollment window:

Select Users: Select a user to send a registration link (the link is only valid for the selected user)
Route: Enter a pre-configured route from your Console; Pomerium will use this route to create the custom registration link
Redirect URL (optional): Enter a route that users will redirect to after registering their device
Enrollment Type:

  • Select Any to allow a user to register any device
  • Select Secure Enclave Only to restrict the user to secure enclaves

Select new enrollment

  1. Select SUBMIT to get the registration link

Enrollment created

Give the link to the user.

Enroll device as a user

If a Pomerium route requires device authentication, the user must register a trusted execution environment (TEE) device before accessing the route. Registration differs depending on the device.

The steps below cover enrollment of a device by a user. This is available for both Pomerium Core and Pomerium Enterprise installations. However, Enterprise users may also receive registration links generated by their administrators, which will mark the newly enrolled device as approved in the Enterprise Console.

  1. Users are prompted to register a new device when accessing a route that requires device authentication:

    The WebAuthn Registration page with no devices registered

    Users can also access the registration page from the special .pomerium endpoint available on any route at the bottom of the page:

    The Device Credentials section of the .pomerium endpoint with the WebAuthn link highlighted

  2. Select Register New Device. Your browser will prompt you to provide access to a device. This will look different depending on the browser, operating system, and device type:

    The device authentication prompt on Windows

Find the device ID

If a route's policy is configured to only allow specific device IDs, you will see a 450 error even after registering:

450 device not authorized error screen

From the .pomerium endpoint you can copy your device ID to provide to your Pomerium administrator.

Device ID list at /.pomerium

You can also delete the ID for devices that should no longer be associated with your account.