# Device Trust Architecture

Device Trust uses the macOS Secure Enclave, or a TPM 2.0 on Linux and Windows devices, to generate and protect a per-device private key, and uses that key to establish and validate device identity.

There are three main steps in a device's lifecycle: registration, enrollment and authentication.

**Registration** informs Teleport about a known device. At this stage the device is not yet trusted, but is part of the **device inventory**. For example, a device created using `tctl devices add` or synced via Jamf is registered.

**Enrollment** transforms a registered device into a trusted device: the device creates a private key in its Secure Enclave or TPM, and Teleport verifies that the device controls that key before binding it to the inventory entry.

![macOS enrollment](/docs/assets/images/device-trust-enrollment-macos-cea4c18a49c8a8c52a66775f2557687c.png)

The device data collected during enrollment (shown above) includes the serial number, model, OS information and similar attributes; you can inspect it by running `tsh device collect`.

A safe enrollment ceremony is paramount, as the identity established here (through the device's key) is the basis for future authentications. Options range from [auto-enrollment](https://goteleport.com/docs/zero-trust-access/device-trust/device-management.md#auto-enrollment) to manually distributed [device enrollment tokens](https://goteleport.com/docs/zero-trust-access/device-trust/device-management.md#create-a-device-enrollment-token).

**Authentication** follows a similar pattern. It challenges the device to prove itself using the previously established device key and, if successful, issues new user certificates augmented with device extensions. The presence of device extensions is what unlocks [device enforcement](https://goteleport.com/docs/zero-trust-access/device-trust/enforcing-device-trust.md).

Device authentication runs only after the user has authenticated: it does not replace user authentication, it augments the already established user identity with a device identity.

![device authentication](/docs/assets/images/device-trust-authentication-4a63dc69d485db9e6e11d730ed329d75.png)

These are the basics of Device Trust. TPM ceremonies are slightly different in implementation but equivalent in functionality and security properties: enrollment attests the Endorsement Key certificate (EKCert), the Endorsement Key (EK) and the Attestation Key (AK); authentication verifies possession of the AK.
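The registration, enrollment and authentication steps described above, reduced to a runnable model of both sides of the exchange. This is an added example, not Teleport's code: an in-memory ECDSA P-256 key stands in for the Secure Enclave/TPM-resident device key, a random hex string stands in for the device enrollment token, and the `Server`, `Client` and `DeviceExtensions` types are hypothetical. It shows a device entering the inventory untrusted, becoming trusted only once it proves control of a key under a valid token, and then authenticating against the stored key after the user has logged in. It also shows the two failures a practitioner should expect to see: a registered but unenrolled device, and a device presenting the right serial with a different key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Device is an inventory entry; PubKey != nil means enrolled, i.e. trusted.
type Device struct {
	Serial      string
	EnrollToken string // single-use token issued at registration (simplified stand-in)
	PubKey      *ecdsa.PublicKey
}

// DeviceExtensions stands in for the certificate fields that unlock enforcement.
type DeviceExtensions struct{ User, DeviceSerial string }

// Server is an in-memory stand-in for the Auth Server's device inventory.
type Server struct{ inventory map[string]*Device }
func NewServer() *Server { return &Server{inventory: map[string]*Device{}} }

// Register adds a known device (`tctl devices add`) and returns the enrollment token handed out of band.
func (s *Server) Register(serial string) string {
	tok := make([]byte, 16)
	must(rand.Read(tok))
	s.inventory[serial] = &Device{Serial: serial, EnrollToken: fmt.Sprintf("%x", tok)}
	return s.inventory[serial].EnrollToken
}

// Client models the device; a real client keeps the key in the Secure Enclave or TPM, an in-memory P-256 key stands in here.
type Client struct {
	Serial string
	key    *ecdsa.PrivateKey
}
func NewClient(serial string) *Client {
	return &Client{Serial: serial, key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

// Sign answers a server challenge with the device key.
func (c *Client) Sign(challenge []byte) []byte {
	d := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, c.key, d[:]))
}

// prove sends a fresh challenge and checks the device signs it with the private half of pub.
func prove(pub *ecdsa.PublicKey, c *Client) bool {
	ch := make([]byte, 32)
	must(rand.Read(ch))
	d := sha256.Sum256(ch)
	return ecdsa.VerifyASN1(pub, d[:], c.Sign(ch))
}

// Enroll checks the token, challenges the key the device presents, then binds that key and spends the token.
func (s *Server) Enroll(c *Client, token string) error {
	dev, ok := s.inventory[c.Serial]
	switch {
	case !ok:
		return fmt.Errorf("device %s not registered", c.Serial)
	case dev.EnrollToken == "" || token != dev.EnrollToken: // "" guards a spent token
		return fmt.Errorf("bad enrollment token for %s", c.Serial)
	case !prove(&c.key.PublicKey, c):
		return fmt.Errorf("enrollment challenge failed for %s", c.Serial)
	}
	dev.PubKey, dev.EnrollToken = &c.key.PublicKey, ""
	return nil
}

// Authenticate runs after user login: the challenge is checked against the key stored at enrollment.
func (s *Server) Authenticate(user string, c *Client) (*DeviceExtensions, error) {
	dev, ok := s.inventory[c.Serial]
	switch {
	case user == "":
		return nil, fmt.Errorf("user must authenticate before the device ceremony")
	case !ok || dev.PubKey == nil:
		return nil, fmt.Errorf("device %s not enrolled", c.Serial)
	case !prove(dev.PubKey, c): // right serial but a different key fails here
		return nil, fmt.Errorf("device challenge failed for %s", c.Serial)
	}
	return &DeviceExtensions{User: user, DeviceSerial: dev.Serial}, nil
}

func main() {
	srv, dev := NewServer(), NewClient("C02XXXXXXXXX") // constructed serial
	must(0, srv.Enroll(dev, srv.Register(dev.Serial)))
	ext := must(srv.Authenticate("alice", dev))
	_, err := srv.Authenticate("alice", NewClient(dev.Serial)) // impostor: same serial, new key
	fmt.Printf("%+v; impostor: %v\n", *ext, err)
}
```

Run it with `go run`; the last line prints the extensions issued to the enrolled device and the error the impostor receives. The empty-string guard in `Enroll` matters: the token field is cleared once spent, and without that guard a client presenting an empty token after enrollment would match the cleared field and be able to bind a second key to the same serial.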

Web UI support is underpinned by the same ceremonies described above, which are delegated to Teleport Connect for technical reasons. Our [Device Trust for the web](https://goteleport.com/blog/device-trust-for-web-challenges-and-solutions/) blog post describes the implementation challenges in detail.

For practical use see the [Device Trust section](https://goteleport.com/docs/zero-trust-access/device-trust.md).
