Device Enrollment

Defend uses certificate-based device enrollment to establish a cryptographically secure identity for every endpoint. This prevents enrollment token theft, device spoofing, and replay attacks.

Why Certificate-Based Enrollment

Traditional enrollment tokens (shared secrets, API keys) can be stolen and reused. Defend's approach:

  • Each device generates a hardware fingerprint from immutable hardware identifiers
  • The server derives a deterministic device_id from the fingerprint — the client never controls its own identity
  • A device certificate is issued by the Azure Key Vault Certificate Authority, binding the identity to that specific hardware
  • All subsequent API calls use mTLS (mutual TLS) with the device certificate

This means a stolen enrollment token cannot be used to impersonate a different device.

Enrollment Flow

  1. Agent installed — RMM agent runs on the endpoint
  2. Hardware fingerprint collected — Agent gathers hardware identifiers (CPU, motherboard, disk serial numbers)
  3. Enrollment request — Agent sends fingerprint to Defend API with a one-time enrollment token
  4. Token burned — The enrollment token is invalidated immediately (ETag-based single use)
  5. Device ID derived — Server computes deterministic device_id from the hardware fingerprint
  6. Certificate issued — Key Vault CA signs a device certificate (1-year validity)
  7. SAS token provisioned — Device receives a device-scoped, send-only Event Hub SAS token (24-hour validity, auto-refreshed)
  8. Device active — Telemetry collection begins
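The security-relevant part of this flow is that the server, not the client, decides the identity, and that the enrollment token is consumed atomically before anything else happens. The following is an added illustration of those two steps and is not Defend's code: the field names (cpu_id, board_serial, disk_serials), the HMAC-SHA256 derivation, the server key and the in-memory ETag store are all assumptions made to show the shape of the logic, not the product's actual implementation.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed demo key. The page does not say how device_id is derived; keyed
# HMAC-SHA256 over a canonical fingerprint is an assumption for this example.
# A real server would keep such a key in an HSM/KMS, never in source.
SERVER_FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"


def canonical_fingerprint(hw: dict) -> bytes:
    """Serialise the hardware identifiers in a fixed order so identical hardware
    always yields identical bytes, regardless of field or disk enumeration order."""
    required = ("cpu_id", "board_serial", "disk_serials")   # assumed field names
    missing = [k for k in required if k not in hw]
    if missing:
        raise ValueError(f"fingerprint missing fields: {missing}")
    normalised = {
        "cpu_id": hw["cpu_id"].strip().upper(),
        "board_serial": hw["board_serial"].strip().upper(),
        "disk_serials": sorted(s.strip().upper() for s in hw["disk_serials"]),
    }
    return json.dumps(normalised, sort_keys=True, separators=(",", ":")).encode()


def derive_device_id(hw: dict) -> str:
    """Server-side, deterministic device_id. The agent only submits the raw
    fingerprint; it never proposes or transmits an identity of its own."""
    digest = hmac.new(SERVER_FINGERPRINT_KEY, canonical_fingerprint(hw),
                      hashlib.sha256).digest()
    return digest[:16].hex()


@dataclass
class EnrollmentToken:
    value: str
    etag: str           # version stamp used for the conditional (single-use) update
    used: bool = False


class TokenStore:
    """In-memory stand-in for a store that supports ETag-conditional writes."""

    def __init__(self) -> None:
        self._rows: dict[str, EnrollmentToken] = {}

    def issue(self) -> str:
        tok = secrets.token_urlsafe(32)
        self._rows[tok] = EnrollmentToken(value=tok, etag=secrets.token_hex(8))
        return tok

    def read(self, tok: str):
        return self._rows.get(tok)

    def burn_if_match(self, tok: str, etag: str) -> bool:
        """Mark the token used only if its ETag still matches what the caller read.
        A second request that read the same ETag loses the race and is rejected."""
        row = self._rows.get(tok)
        if row is None or row.used or row.etag != etag:
            return False
        row.used = True
        row.etag = secrets.token_hex(8)   # old ETag can never match again
        return True


def enroll(store: TokenStore, token: str, hw: dict) -> dict:
    """Steps 3-5 of the flow: validate token, burn it, derive device_id."""
    row = store.read(token)
    if row is None or row.used:
        return {"ok": False, "error": "invalid or already-used enrollment token"}
    # Burn before issuing anything: a replayed request can never succeed even
    # if certificate issuance were to fail after this point.
    if not store.burn_if_match(token, row.etag):
        return {"ok": False, "error": "token already consumed (replay or concurrent use)"}
    return {"ok": True, "device_id": derive_device_id(hw)}


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue()
    # Constructed sample hardware identifiers.
    hw = {"cpu_id": "bfebfbff000906ea", "board_serial": "PF2X3Y4Z",
          "disk_serials": ["S4EVNF0N123456", "WD-WX11A8888888"]}
    print(enroll(store, tok, hw))   # ok, with server-derived device_id
    print(enroll(store, tok, hw))   # rejected: token already burned
```

Two properties are worth noting: reordering the disk list or changing letter case in the fingerprint yields the same device_id, so the identity survives enumeration quirks, while any change to an identifier yields a different one; and the token is invalidated before the identity is derived, so an attacker who captures the enrollment request in transit gains nothing by replaying it.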

Certificate Lifecycle

Event          Details
Issuance       On enrollment, signed by Key Vault CA
Validity       1 year from issuance
Auto-renewal   Background timer checks every 6 hours; renews certificates expiring within 24 hours
Revocation     Admins can revoke via Defend console; revoked certs appear on the CRL endpoint

Platform-Specific Details

Windows

Certificate issued during MSI installation. Stored in the Windows Certificate Store under the machine's personal certificates.

macOS

Certificate delivered via MDM profile or generated during PKG installation. Stored in the system keychain.

Linux

Certificate generated during enrollment and stored in /etc/theone/ with restricted file permissions (root-only readable).

Viewing Enrolled Devices

In the Defend console under Devices, each enrolled device shows:

  • Device name, OS type, and agent version
  • Certificate thumbprint and expiration date
  • Enrollment timestamp
  • Current status (Active, Offline, Isolated, Revoked)

Certificate Revocation

To revoke a device (retired hardware, compromised endpoint):

  1. Navigate to the device in the Defend console
  2. Click Revoke Certificate
  3. The device is added to the Certificate Revocation List (CRL)
  4. The agent can no longer authenticate — telemetry delivery and API calls are rejected

ℹ️ Certificate revocation takes effect immediately. The CRL endpoint is checked on every API call. A revoked device must go through full re-enrollment to reconnect.
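The lifecycle table above (1-year validity, 6-hour renewal timer, 24-hour renewal window) and the revocation behaviour just described (CRL consulted on every call, revoked devices rejected) can be modelled together. The code below is an added example and not Defend's agent or API code; it assumes a CRL keyed by certificate thumbprint and a simple in-process timer, both chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CERT_VALIDITY = timedelta(days=365)    # 1-year validity from issuance
CHECK_INTERVAL = timedelta(hours=6)    # background renewal timer period
RENEW_WINDOW = timedelta(hours=24)     # renew when expiry is within 24 hours


@dataclass(frozen=True)
class DeviceCert:
    thumbprint: str     # constructed identifier; the CRL here is keyed by it (assumption)
    device_id: str
    not_before: datetime
    not_after: datetime


def issue_cert(device_id: str, thumbprint: str, issued_at: datetime) -> DeviceCert:
    """Mirror the issuance row: validity starts at issuance and lasts one year."""
    return DeviceCert(thumbprint, device_id, issued_at, issued_at + CERT_VALIDITY)


def renewal_due(cert: DeviceCert, now: datetime) -> bool:
    """True once the certificate expires within the 24-hour renewal window
    (or has already expired, which also needs a new certificate)."""
    return cert.not_after - now <= RENEW_WINDOW


def next_renewal_tick(cert: DeviceCert, start: datetime) -> datetime:
    """Advance the 6-hour timer from `start` and return the first tick at which
    the agent would trigger renewal."""
    tick = start
    while not renewal_due(cert, tick):
        tick += CHECK_INTERVAL
    return tick


def authorize(cert: DeviceCert, crl: set, now: datetime) -> str:
    """Per-request decision on the mTLS side. Revocation is checked first so a
    revoked device is refused even while its certificate is otherwise valid."""
    if cert.thumbprint in crl:
        return "revoked"
    if now < cert.not_before:
        return "not_yet_valid"
    if now >= cert.not_after:
        return "expired"
    return "ok"


if __name__ == "__main__":
    issued = datetime(2025, 1, 1, tzinfo=timezone.utc)       # constructed
    cert = issue_cert("device-constructed", "AB12CD34", issued)
    print("renews at", next_renewal_tick(cert, issued))    # 364 days after issuance
    print(authorize(cert, set(), issued + timedelta(days=30)))   # ok
    print(authorize(cert, {"AB12CD34"}, issued + timedelta(days=30)))   # revoked
```

Because the 24-hour window is a whole multiple of the 6-hour period, the renewal fires at exactly 364 days after issuance, leaving four timer cycles of margin before expiry. The authorization order matters operationally: the CRL lookup runs before validity checks, so adding a thumbprint to the CRL cuts off a device on its very next call, which is the "takes effect immediately" behaviour the note describes.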

Re-Enrollment

If a device needs to re-enroll (after revocation, hardware changes, or OS reinstall):

  1. Generate a new enrollment token from the Defend console
  2. Run the agent enrollment command on the endpoint
  3. The device goes through the full enrollment flow with a new certificate
  4. Historical telemetry for the device is preserved and linked to the new identity

Next Steps