# Enforce Device Trust

---

SUPPORTED RESOURCES

Device Trust fully supports SSH, database and Kubernetes resources using cluster-wide or role-based enforcement.

Apps and Desktops may enforce trusted devices using role-based enforcement. See the [web application support](#web-application-support) and [desktop support](#desktop-support) sections for further details.

---

Resources protected by the device mode "required" will enforce the use of a trusted device, in addition to establishing the user's identity and enforcing the necessary roles. Furthermore, users using a trusted device leave audit trails that include the device's information.

Device Trust enforcement can be configured with the following three modes of operation, represented by the `device_trust_mode` authentication setting:

- `off` - disables Device Trust. Device authentication is not performed and device-aware audit logs are absent.
- `optional` - enables device authentication and device-aware audit, but does not require a trusted device to access resources.
- `required` - enables device authentication and device-aware audit. Additionally, it requires a trusted device for all SSH, Database and Kubernetes connections.
- `required-for-humans` - enables device authentication and device-aware audit. Additionally, it requires a trusted device for all SSH, Database and Kubernetes connections, for human users only (bots are exempt).

### Prerequisites

- A running Teleport Enterprise cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md).

- The `tctl` and `tsh` clients.

  Installing `tctl` and `tsh` clients

  1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace `teleport.example.com:443` with the web address of your Teleport Proxy Service:

     ```
     $ TELEPORT_DOMAIN=teleport.example.com:443
     $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
     ```

  2. Follow the instructions for your platform to install `tctl` and `tsh` clients:

     **Mac**

     Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients:

     ```
     $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
     ```

     In Finder double-click the `pkg` file to begin installation.

     ---

     DANGER

     Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

     ---

     **Windows - PowerShell**

     ```
     $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
     # Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
     # NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
     # Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
     ```

     **Linux**

     All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md).

     ```
     $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ cd teleport
     $ sudo ./install
     Teleport binaries have been copied to /usr/local/bin
     ```

* To enroll a macOS device, you need:

  - A signed and notarized `tsh` binary. [Download the macOS tsh installer](https://goteleport.com/docs/installation/macos.md).

* To enroll a Windows device, you need:

  - A device with TPM 2.0.
  - A user with administrator privileges. This is only required during enrollment.
  - The `tsh` client. [Download the Windows tsh installer](https://goteleport.com/docs/installation/windows.md).

* To enroll a Linux device, you need:

  - A device with TPM 2.0.

  - A user with permissions to use the /dev/tpmrm0 device (typically done by assigning the `tss` group to the user).

  - The `tsh` client. [Install tsh for Linux](https://goteleport.com/docs/installation/linux.md).

    WSL users should use the Windows binary instead. [Download the Windows tsh installer](https://goteleport.com/docs/installation/windows.md).

* To authenticate a Web UI session, you need [Teleport Connect](https://goteleport.com/docs/connect-your-client/teleport-clients/teleport-connect.md#installation--upgrade).

* Correct end-user IP propagation to your Teleport deployment: [X-Forwarded-For header](https://goteleport.com/docs/reference/deployment/config.md#proxy-service) (L7 load balancer) or [PROXY protocol](https://goteleport.com/docs/zero-trust-access/management/security/proxy-protocol.md) (L4 load balancer)

This guide makes use of the preset `require-trusted-device` role, which does not enforce the use of a trusted device for [apps](#web-application-support) or [desktops](#desktop-support). Refer to their corresponding sections for instructions.

## Role-based trusted device enforcement

Role-based configuration enforces trusted device access at the role level. It can be configured with the `spec.options.device_trust_mode` option and applies to the resources in its `allow` rules. It works similarly to [`require_session_mfa`](https://goteleport.com/docs/zero-trust-access/authentication/per-session-mfa.md).

To enforce authenticated device checks for a specific role when a user accesses databases, Kubernetes clusters, and servers with Teleport, update the role with the `device_trust_mode` field assigned to `"required"` or `"required-for-humans"`. The following example updates the preset `require-trusted-device` role:

```
kind: role
version: v7
metadata:
  name: require-trusted-device
spec:
  options:
    device_trust_mode: "required"
  allow:
    db_labels:
      '*': '*'
    db_names:
    - '*'
    db_users:
    - '*'
    kubernetes_groups:
    - '{{internal.kubernetes_groups}}'
    - system:masters
    - developers
    - viewers
    kubernetes_labels:
      '*': '*'
    logins:
    - '{{internal.logins}}'
    node_labels:
      '*': '*'

```

Save the role as `device-enforcement.yaml` and update it:

```
$ tctl create -f device-enforcement.yaml
```

---

TIP

You can also create and edit roles using the Web UI. Go to **Access -> Roles** and click **Create New Role** or pick an existing role to edit.

---

## Cluster-wide trusted device enforcement

Cluster-wide configuration enforces trusted device access at the cluster level. Enterprise clusters run in `optional` mode by default. Changing the mode to `required` will enforce a trusted device for all SSH, Database and Kubernetes accesses.

To enable device mode `required`, edit your cluster authentication preference using the following command:

```
$ tctl edit cluster_auth_preference
```

Make the following change:

```
kind: cluster_auth_preference
version: v2
metadata:
  name: cluster-auth-preference
spec:
  type: local
  second_factors: ["webauthn"]
  webauthn:
    rp_id: teleport.example.com
  device_trust:
+   mode: "required" # add this line

```

Save and close your editor to apply your changes.

Once the config is updated, SSH, Database and Kubernetes access without a trusted device will be forbidden. For example, SSH access without a trusted device fails with the following error:

```
$ tsh ssh ip-172-31-35-170
ERROR: ssh: rejected: administratively prohibited (unauthorized device)
```

---

TRUSTED CLUSTERS

It is possible to use [trusted clusters](https://goteleport.com/docs/zero-trust-access/deploy-a-cluster/trustedclusters.md) to limit the impact of device mode `required`. A leaf cluster in mode `required` will enforce access to all of its resources, without imposing the same restrictions to the root cluster. Likewise, a root cluster will not enforce Device Trust on resources in leaf clusters.

---

## Web application support

The Teleport App Service may enforce Device Trust via [role-based enforcement](#role-based-trusted-device-enforcement).

To access apps protected by Device Trust using the Web UI (Teleport v16 or later), make sure your device is [registered and enrolled](https://goteleport.com/docs/zero-trust-access/device-trust/device-management.md#register-a-trusted-device), install [Teleport Connect](https://goteleport.com/docs/connect-your-client/teleport-clients/teleport-connect.md), and follow the instructions during login.

Alternatively, you may use [tsh proxy app](https://goteleport.com/docs/reference/cli/tsh.md) or the certificates issued by `tsh app login`.

As an example, to enforce Device Trust for all `env:production` apps, save the role below as `require-trusted-device-apps.yaml`:

```
kind: role
version: v7
metadata:
  name: require-trusted-device-apps
spec:
  options:
    device_trust_mode: "required"
  allow:
    app_labels:
      env: production

```

Create the role and assign it to a user:

```
$ tctl create require-trusted-device-apps.yaml
$ tctl edit users/alice
```

```
kind: user
metadata:
  name: alice
  # (...)
spec:
  roles:
  - access
  - editor
+ - require-trusted-device-apps
  # (...)
version: v2

```

Now the alice user can only access `env:production` apps using a trusted device.

## Desktop support

The Teleport Desktop Service may enforce Device Trust via [role-based enforcement](#role-based-trusted-device-enforcement).

To access desktops protected by Device Trust make sure your device is [registered and enrolled](https://goteleport.com/docs/zero-trust-access/device-trust/device-management.md#register-a-trusted-device), install [Teleport Connect](https://goteleport.com/docs/connect-your-client/teleport-clients/teleport-connect.md), and follow the instructions during login.

As an example, to enforce Device Trust for all `env:production` desktops, save the role below as `require-trusted-device-desktops.yaml`:

```
kind: role
version: v7
metadata:
  name: require-trusted-device-desktops
spec:
  options:
    device_trust_mode: "required"
  allow:
    windows_desktop_labels:
      env: "production"
    windows_desktop_logins: ["Administrator", "alice"]

```

Create the role and assign it to a user:

```
$ tctl create require-trusted-device-desktops.yaml
$ tctl edit users/alice
```

```
kind: user
metadata:
  name: alice
  # (...)
spec:
  roles:
  - access
  - editor
+ - require-trusted-device-desktops
  # (...)
version: v2

```

Now the alice user can only access `env:production` desktops using a trusted device.
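An added example, not part of the Teleport documentation and not Teleport's own evaluation logic: a Python audit that applies the rules stated on this page (cluster-wide mode covers SSH, database and Kubernetes; apps and desktops need role-based enforcement) to a list of roles and reports what each role grants without trusted-device enforcement. The roles `legacy-access` and `db-operators`, the sample data and the per-role coverage model are assumptions made for illustration.

```python
import json

# Resource kind -> role `allow` field that grants it (fields from this page's role examples).
GRANT_FIELDS = {
    "ssh": "node_labels",
    "database": "db_labels",
    "kubernetes": "kubernetes_labels",
    "app": "app_labels",
    "desktop": "windows_desktop_labels",
}
# Per this page, the cluster-wide mode covers SSH, database and Kubernetes only;
# apps and desktops are enforced through role-based configuration.
CLUSTER_ENFORCED = {"ssh", "database", "kubernetes"}

# Constructed sample data; `legacy-access` and `db-operators` are hypothetical roles.
SAMPLE_ROLES_JSON = """
[
 {"kind": "role", "metadata": {"name": "require-trusted-device"},
  "spec": {"options": {"device_trust_mode": "required"},
           "allow": {"node_labels": {"*": "*"}, "db_labels": {"*": "*"},
                     "kubernetes_labels": {"*": "*"}}}},
 {"kind": "role", "metadata": {"name": "legacy-access"},
  "spec": {"options": {},
           "allow": {"node_labels": {"*": "*"},
                     "app_labels": {"env": "production"},
                     "windows_desktop_labels": {"env": "production"}}}},
 {"kind": "role", "metadata": {"name": "db-operators"},
  "spec": {"options": {"device_trust_mode": "required-for-humans"},
           "allow": {"db_labels": {"env": "staging"}}}}
]
"""


def coverage(role, cluster_mode):
    """Map each resource kind the role grants to "all", "humans-only" or "none"."""
    spec = role.get("spec") or {}
    role_mode = (spec.get("options") or {}).get("device_trust_mode", "")
    allow = spec.get("allow") or {}
    result = {}
    for kind, field in GRANT_FIELDS.items():
        if not allow.get(field):
            continue  # the role does not grant this kind of resource
        # The role's own mode always applies to its allow rules; the cluster
        # mode applies only to the kinds the page lists for cluster-wide enforcement.
        modes = {role_mode}
        if kind in CLUSTER_ENFORCED:
            modes.add(cluster_mode)
        if "required" in modes:
            result[kind] = "all"
        elif "required-for-humans" in modes:
            result[kind] = "humans-only"  # bots are exempt
        else:
            result[kind] = "none"
    return result


def find_gaps(roles, cluster_mode):
    """Return sorted (role, kind, status) tuples where enforcement is not "all"."""
    gaps = []
    for role in roles:
        name = role["metadata"]["name"]
        for kind, status in coverage(role, cluster_mode).items():
            if status != "all":
                gaps.append((name, kind, status))
    return sorted(gaps)


if __name__ == "__main__":
    roles = json.loads(SAMPLE_ROLES_JSON)
    for mode in ("optional", "required"):
        print(f"cluster mode {mode!r}:")
        for name, kind, status in find_gaps(roles, mode):
            print(f"  {name}: {kind} -> {status}")
```

To run it against a real cluster, replace the sample with the output of `tctl get roles --format=json` and pass the `device_trust.mode` value from `cluster_auth_preference` as `cluster_mode`.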

## Locking a device

Similar to [session and identity locking](https://goteleport.com/docs/identity-governance/locking.md), a device can be locked using `tctl lock`.

Locking blocks certificate issuance and ongoing or future accesses originating from a locked device. Locking a device only works if Device Trust is enabled and if the device is enrolled to Teleport.

Find a device ID to lock:

```
$ tctl devices ls
Asset Tag    OS    Source Enroll Status Owner Device ID
------------ ----- ------ ------------- ----- ------------------------------------
C00AA0AAAA0A macOS        enrolled      alice 9cdfc0ad-64b7-4d9c-this-is-an-example
```

Lock a device:

```
$ tctl lock --device=9cdfc0ad-64b7-4d9c-this-is-an-example --ttl=12h
Created a lock with name "5444970a-39a0-4814-968d-e58b4a8fa686".
```

Now, if a user on that device tries to access an SSH server for example, Teleport will deny access:

```
$ tsh ssh ip-172-31-35-170
ERROR: ssh: rejected: administratively prohibited (lock targeting Device:"9cdfc0ad-64b7-4d9c-this-is-an-example" is in force)
```

## Troubleshooting

### "binary missing signature or entitlements" on `tsh device enroll`

A signed and notarized `tsh` binary is necessary to enroll and use a trusted device. [Download the macOS tsh installer](https://goteleport.com/docs/installation/macos.md) to fix the problem.

### "unauthorized device" errors using a trusted device

A trusted device needs to be registered and enrolled before it is recognized by Teleport as such. Follow the [registration](https://goteleport.com/docs/zero-trust-access/device-trust/device-management.md#register-a-trusted-device) and [enrollment](https://goteleport.com/docs/zero-trust-access/device-trust/device-management.md#enroll-a-trusted-device) steps and make sure to `tsh logout` and `tsh login` after enrollment is done.

### "Failed to open the TPM device" on Linux

Linux users need permissions to read and write from the TPM device, `/dev/tpmrm0`. Without such permissions `tsh` would need `sudo` prompts for most operations.

The simplest way to solve this is to check if your distro ships with the `tss` group and assign it to your OS user. If that is not possible, or you are looking for a different solution, we recommend creating udev rules similar to the ones shipped by the [TPM2 Software Stack](https://github.com/tpm2-software/tpm2-tss/blob/ede63dd1ac1f0a46029d457304edcac2162bfab8/dist/tpm-udev.rules#l4).

### Auto enrollment not working

Auto-enrollment ceremonies, due to their automated nature, are stricter than regular enrollment. Additional auto-enrollment checks include:

1. Verifying device profile data, such as data originated from an MDM service, against the actual device
2. Verifying that the device is not enrolled by another user (auto-enroll cannot take devices that are already enrolled)

Check your audit log for clues: look for failed "Device Enroll Token Created" events and see the "message" field in the details.

If you suspect (1) is the issue, compare the actual device against its inventory definition (`tsh device collect` executed in the actual device vs `tctl get device/<asset_tag>`). Tweaking the device profile, manual enrollment or waiting for the next MDM sync may solve the issue.

If you suspect (2), you can unenroll the device using `tctl edit device/<asset_tag>` and changing the `enroll_status` field to `not_enrolled`.

### App access and "access to this app requires a trusted device"

Follow the instructions in the [Web UI troubleshooting section](#web-ui-fails-to-authenticate-trusted-device) below (Teleport v16 or later).

Alternatively, you may use one of the tsh commands described by [App Access support](https://goteleport.com/docs/zero-trust-access/device-trust/enforcing-device-trust.md). For example, for an app called `myapp`, run `tsh proxy app myapp -p 8888`, then open <http://localhost:8888> in your browser.

If you are already running `tsh proxy app`, or using the certificates acquired from `tsh app login`, then it's likely your device isn't registered or enrolled. In this case, follow the advice from the [unauthorized device section](#unauthorized-device-errors-using-a-trusted-device) above.

### Desktop access and "access to this app requires a trusted device"

Follow the instructions in the [Web UI troubleshooting section](#web-ui-fails-to-authenticate-trusted-device) below.

### Web UI fails to authenticate trusted device

The Web UI attempts to authenticate your device using Teleport Connect during login. If you are not asked to authenticate your device immediately after login, follow the steps below:

1. Make sure your device is [registered and enrolled](https://goteleport.com/docs/zero-trust-access/device-trust/device-management.md#register-a-trusted-device)
2. Install [Teleport Connect](https://goteleport.com/docs/connect-your-client/teleport-clients/teleport-connect.md#installation--upgrade). Use the DEB or RPM packages on Linux (the tarball doesn't register the custom URL handler).
3. Make sure Teleport Connect can access the same resource you are trying to access on the Web
4. Ask your cluster administrator if Device Trust is enabled (cluster mode "optional" or higher)

After the steps above are done try logging out from the Web UI and logging in again. If the error persists, check your audit log for failed "device authenticated" or "device web" events and look for failure details within the events.

### "device web authentication IP mismatch" errors

"IP mismatch" errors in audit logs indicate that the IP checks performed by the device web authentication ceremony failed. In this case it's likely that end-user IPs are not propagated correctly to your Teleport deployment.

- L7 load balancer: make sure it propagates the [X-Forwarded-For header](https://goteleport.com/docs/reference/deployment/config.md#proxy-service)
- L4 load balancer: enable [PROXY protocol](https://goteleport.com/docs/zero-trust-access/management/security/proxy-protocol.md)

### Checking Device Trust authorization status in the web UI

When successfully authorized to use Device Trust in the web UI, the user will see a green shield icon next to the logged-in username at the top right of the screen. Additionally, clicking on the username to show the user menu will indicate that the session is authorized with Device Trust.

If the user is not authorized to use Device Trust in the web UI, but either the cluster-wide configuration or their assigned role(s) require the use of a trusted device, the user will see a yellow warning shield next to the logged-in username at the top right of the screen. Additionally, clicking on the username to show the user menu will indicate that the session is not authorized with Device Trust, so the user's access is restricted.

| Theme | Session authorized with Device Trust | Session not authorized with Device Trust |
| ----- | ------------------------------------ | ---------------------------------------- |
| Light | Image: device-trust-trusted-shield-light-success.png | Image: device-trust-trusted-shield-light-failure.png |
| Dark  | Image: device-trust-trusted-shield-dark-success.png | Image: device-trust-trusted-shield-dark-failure.png |

## Next steps

- [Device Management](https://goteleport.com/docs/zero-trust-access/device-trust/device-management.md)
- [Jamf Pro Integration](https://goteleport.com/docs/zero-trust-access/device-trust/jamf-integration.md)
- [Microsoft Intune Integration](https://goteleport.com/docs/zero-trust-access/device-trust/intune-integration.md)
