Identity tells you who. Device tells you what they are using. A finance VP signing in from a corporate-issued, encrypted, EDR-protected laptop is a different risk profile from the same VP signing in from a personal Windows 7 desktop. Zero Trust uses both signals.
The Components
Device trust is not a single product. It is the composition of four:
| Component | Role | Examples |
|---|---|---|
| Device inventory | Single source of truth for every device the organisation knows | Intune, Jamf, ServiceNow CMDB, Kandji |
| MDM / UEM | Mobile/unified endpoint management — push config, enforce settings, wipe | Intune, Jamf, Workspace ONE, Kandji, Mosyle |
| EDR / XDR | Endpoint detection and response — telemetry and active threat hunting | CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne |
| Compliance / posture engine | Scores devices against rules and feeds the result to the policy engine | Intune compliance policies, Jamf compliance, Kandji blueprints |
Together they answer: "Do I know this device? Is it ours? Is it healthy right now?"
Device Identity
A device proves itself with one or more of:
- Certificates issued via the MDM during enrolment, stored in the TPM
- Azure AD Join / Hybrid Join for Windows — a strong cryptographic device identity tied to the directory
- Platform Single Sign-On (macOS) tying the device to the IdP
- Hardware attestation — TPM, Apple Secure Enclave, Android StrongBox proving the device is genuine and the boot chain intact
The IdP can require, in a Conditional Access policy, that the request comes from a device with a valid device certificate. Unmanaged devices simply cannot meet the condition.
Compliance Policies
A compliance policy is a rule set the device must satisfy to be considered "compliant." Typical checks:
- OS version at or above a minimum (e.g., Windows 11 23H2, macOS 14, iOS 17)
- Disk encryption enabled (BitLocker, FileVault)
- Firewall enabled, screen lock under 5 minutes
- Real-time antivirus / EDR running and reporting
- No jailbreak / root detected on mobile
- Required apps installed; banned apps absent
- Recent check-in with the management server
- EDR risk score below threshold
The compliance engine evaluates continuously. A device that drops out of compliance — disk encryption disabled, EDR uninstalled — is marked non-compliant within minutes. The next sign-in (or even an active session, with continuous evaluation) is denied.
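As an added example (not the page's own or any vendor's code), a minimal compliance engine that encodes the checks above and re-evaluates one device after its posture degrades; the tuple encoding of OS versions, the 24-hour check-in window and the risk threshold of 50 are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimums from the list above as comparable tuples; encoding "Windows 11 23H2" as (11, 23, 2) is our own ordering
MIN_OS_VERSION = {"windows": (11, 23, 2), "macos": (14,), "ios": (17,)}
MAX_CHECKIN_AGE = timedelta(hours=24)   # assumed "recent check-in" window
MAX_SCREEN_LOCK_SECONDS = 300           # "screen lock under 5 minutes"
RISK_THRESHOLD = 50                     # assumed: EDR risk score at or above this fails the device

@dataclass
class DevicePosture:
    device_id: str           # latest posture the MDM and EDR reported (constructed shape)
    os: str
    os_version: tuple
    disk_encrypted: bool
    firewall_enabled: bool
    screen_lock_seconds: int
    edr_reporting: bool
    jailbroken: bool
    last_checkin: datetime
    edr_risk_score: int

def evaluate_compliance(p: DevicePosture, now: datetime) -> list[str]:
    """Return every failed check; an empty list means the device is compliant right now."""
    failures = []
    if p.os not in MIN_OS_VERSION or p.os_version < MIN_OS_VERSION[p.os]:
        failures.append("os_version_below_minimum")
    if not p.disk_encrypted:
        failures.append("disk_encryption_disabled")
    if not p.firewall_enabled:
        failures.append("firewall_disabled")
    if p.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS:
        failures.append("screen_lock_too_long")
    if not p.edr_reporting:
        failures.append("edr_not_reporting")
    if p.jailbroken:
        failures.append("jailbreak_or_root_detected")
    if now - p.last_checkin > MAX_CHECKIN_AGE:
        failures.append("stale_checkin")
    if p.edr_risk_score >= RISK_THRESHOLD:
        failures.append("edr_risk_above_threshold")
    return failures

# Constructed: a healthy corporate laptop, then the same laptop after BitLocker is turned off
# and the EDR agent stops reporting. Re-running the evaluation is what flips it to non-compliant.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
HEALTHY = DevicePosture("LAPTOP-01", "windows", (11, 23, 2), True, True, 120, True, False, NOW - timedelta(minutes=10), 5)
DEGRADED = DevicePosture("LAPTOP-01", "windows", (11, 23, 2), False, True, 120, False, False, NOW - timedelta(minutes=10), 5)
```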
Device Risk Signals from EDR
Modern EDRs feed a risk score back to the policy engine. If CrowdStrike sees a malware execution or a credential-dumping attempt, the affected device is flagged high-risk. Conditional Access can:
- Revoke active sessions on that device
- Block new sign-ins until the device is remediated
- Limit access to read-only
- Require approval for sensitive resources
This is the "continuous evaluation" promise of Zero Trust. Static "you logged in with MFA two hours ago, so you are fine" gives way to "the device you are on now has malware; you are not fine."
Conditional Access Patterns Using Device Signal
| Resource | Policy |
|---|---|
| Marketing wiki | Any device, MFA |
| Source code | Compliant device, phishing-resistant MFA |
| Production cloud console | Compliant device, PAW (privileged access workstation), PIM activation |
| HR / payroll | Hybrid-joined device, US/UK locations only, phishing-resistant MFA |
| Personal-device webmail access | App protection policy required; no download, no print |
The same user has different access depending on the device they happen to be on.
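An added example, not the page's own or any IdP's code, of a policy decision function that transcribes the table above and applies the EDR risk actions from the previous section; the SignInContext fields, the "medium risk means read-only" mapping and the two sample contexts are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SignInContext:
    mfa: str                 # "none", "mfa" or "phishing_resistant" (constructed shape, not a vendor schema)
    device_compliant: bool   # result of the compliance engine
    hybrid_joined: bool
    paw: bool                # privileged access workstation
    pim_activated: bool
    country: str
    mam_protected: bool      # app protection policy applied to the client app
    edr_risk: str            # "low", "medium" or "high", as fed back by the EDR

MFA_RANK = {"none": 0, "mfa": 1, "phishing_resistant": 2}

# Requirements per resource, transcribed from the patterns table above.
POLICY = {
    "marketing_wiki": {"mfa": "mfa"},
    "source_code": {"mfa": "phishing_resistant", "compliant": True},
    "prod_console": {"compliant": True, "paw": True, "pim": True},
    "hr_payroll": {"mfa": "phishing_resistant", "hybrid": True, "countries": {"US", "UK"}},
    "webmail_byod": {"mam": True, "session": "no download, no print"},
}

def decide(ctx: SignInContext, resource: str) -> tuple[str, str]:
    """Return (decision, reason); EDR device risk is checked before anything else so an existing session is cut off."""
    if ctx.edr_risk == "high":
        return "block", "device flagged high-risk by EDR; revoke sessions until remediated"
    req = POLICY[resource]
    checks = [
        (MFA_RANK[ctx.mfa] >= MFA_RANK[req.get("mfa", "none")], f"requires {req.get('mfa')} MFA"),
        (not req.get("compliant") or ctx.device_compliant, "requires compliant device"),
        (not req.get("paw") or ctx.paw, "requires privileged access workstation"),
        (not req.get("pim") or ctx.pim_activated, "requires PIM activation"),
        (not req.get("hybrid") or ctx.hybrid_joined, "requires hybrid-joined device"),
        ("countries" not in req or ctx.country in req["countries"], "location not permitted"),
        (not req.get("mam") or ctx.mam_protected, "app protection policy required"),
    ]
    for ok, reason in checks:
        if not ok:
            return "block", reason
    if ctx.edr_risk == "medium":
        return "allow_read_only", "medium device risk: limited to read-only"
    return "allow", req.get("session", "all conditions met")

# Constructed: the same user on a compliant corporate laptop and on a personal phone with MAM.
CORP_LAPTOP = SignInContext("phishing_resistant", True, True, False, False, "US", False, "low")
PERSONAL_PHONE = SignInContext("mfa", False, False, False, False, "US", True, "low")
```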
BYOD and the Personal-Device Problem
You cannot demand full MDM on someone's personal phone. Zero Trust does not require that — it requires verified trust, which can come in lighter forms:
- MAM (Mobile Application Management) / App Protection Policies. Manage the app, not the device. Outlook, Teams, OneDrive on iOS/Android are sandboxed, with controls on copy-paste, save, screenshot. No corporate data leaks to the user's photo library.
- Browser-based access via ZTNA. Cloudflare, Zscaler, Citrix offer "clientless" ZTNA that delivers the app in an isolated browser session. No corporate data lands on disk.
- Virtual desktops. Windows 365 or Azure Virtual Desktop (AVD). The "device" is a managed VM the user accesses via RDP.
- Contractor / partner enrolment. Lightweight management via Apple User Enrollment or Android Work Profile keeps work data separate from personal data.
The rule of thumb: don't try to manage the personal device; manage the data on it.
Posture for Servers and Containers
Device trust extends beyond endpoints. Servers and containers have posture too:
- Patch level (CVE scanning)
- CIS Benchmark compliance
- Image provenance (signed images only)
- SBOM and vulnerability scanning at build
- Runtime drift detection (Falco, Aqua, Sysdig)
The control loop is the same: continuous posture evaluation, feeding into the policy engine that decides whether the workload can talk to other workloads or pull secrets. Tools: Wiz, Lacework, Prisma Cloud for cloud posture; Falco / Tetragon for runtime; OPA / Kyverno for admission control.
Pitfalls
- Slow compliance evaluation. If compliance status takes 4 hours to refresh, an attacker has 4 hours after dropping malware. Tune for minute-level evaluation.
- Bypassing via legacy clients. Some legacy IMAP / POP / older Outlook versions cannot honour device-bound tokens. Block legacy auth (per the Identity lesson) or device controls will be sidestepped.
- Misclassifying "personal" devices. If executives use unmanaged iPads to read sensitive email, MAM is not optional.
- EDR coverage gaps. Servers without EDR, contractor laptops without enrolment, IoT — the device pillar is only as strong as its weakest unmanaged endpoint.
The Minimum Bar
If you have nothing today, a credible starting point:
- MDM/UEM for all corporate-owned laptops and phones.
- EDR on every endpoint and every server.
- A compliance policy enforced in Conditional Access — start with "Allow only compliant devices for Microsoft 365 / Google Workspace."
- App protection policies for BYOD email.
- Inventory feed from MDM into your SIEM and ITSM.
Add device-bound certificates, phishing-resistant MFA tied to the device's TPM, and continuous evaluation as you mature toward "Advanced" on the CISA model.
With identity and device pillars in place, the next question becomes: even if I authenticate you and your device, what should you be allowed to reach over the network? That is microsegmentation — the next lesson.