Unit 6: Device trust signals — conditional join rules from endpoint protection and MDM #51

@TeoSlayer

Description

Scope

Combine identity and device signals for conditional network access. A valid identity token alone is not sufficient for production access: the device presenting it must also be compliant, and a failed or missing device check downgrades the node rather than trusting the token on its own.

Deliverables

  • Device attestation framework: accept compliance signals from CrowdStrike, SentinelOne, Jamf, Intune, Workspace ONE
  • Conditional join rules: identity token + compliant device → production network; identity token only (device signals missing, stale or non-compliant) → staging
  • Device signal types: endpoint protection active, disk encryption enabled, OS patched, MDM enrolled
  • Signal validation: cross-check locally collected signals against the device management platforms' APIs rather than trusting the node's self-report
  • Policy integration: device signals as OPA input (combine with the Unit 1 policy layer)
  • Dashboard: device compliance status per node in the console
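The join rules above, as an added example in Go (the project's language) and not code from this repository: a registry-side decision function that takes an already-verified identity token plus a validated device compliance report and returns the network the node is admitted to, with the reasons for any downgrade so the console can display them. Type and field names, the 15-minute freshness window, and the device-ID binding between token and report are assumptions made for the example; the four signal types and the production/staging split come from the deliverables.

```go
package main

import (
	"fmt"
	"time"
)

// Network is the segment a node is admitted to after evaluating the join rules.
type Network string

const (
	NetworkDenied     Network = "denied"
	NetworkStaging    Network = "staging"
	NetworkProduction Network = "production"
)

// maxSignalAge bounds how old a compliance report may be before it is treated
// as missing. Assumed value for the example, not taken from the issue.
const maxSignalAge = 15 * time.Minute

// DeviceSignals is a normalized compliance report for one device, as the
// registry would hold it after validating it against the management platform's
// API (Intune, Jamf, CrowdStrike, ...). Field names are assumptions.
type DeviceSignals struct {
	DeviceID                 string
	Source                   string // platform that asserted the signals, e.g. "intune"
	EndpointProtectionActive bool
	DiskEncrypted            bool
	OSPatched                bool
	MDMEnrolled              bool
	CollectedAt              time.Time // when the platform observed this state
}

// IdentityClaims is the subset of an already signature-verified identity token
// the join rules need. DeviceID binds the token to one device (assumed claim).
type IdentityClaims struct {
	Subject   string
	DeviceID  string
	ExpiresAt time.Time
}

// JoinRequest carries both signal sources; either may be absent.
type JoinRequest struct {
	Identity *IdentityClaims
	Device   *DeviceSignals
}

// complianceFailures lists every device signal that blocks production access,
// so the dashboard can show why a node landed in staging.
func complianceFailures(d *DeviceSignals, now time.Time) []string {
	if d == nil {
		return []string{"no device signals"}
	}
	var failures []string
	if age := now.Sub(d.CollectedAt); age > maxSignalAge {
		failures = append(failures, fmt.Sprintf("device signals stale (%s old)", age.Truncate(time.Second)))
	}
	if !d.EndpointProtectionActive {
		failures = append(failures, "endpoint protection inactive")
	}
	if !d.DiskEncrypted {
		failures = append(failures, "disk encryption disabled")
	}
	if !d.OSPatched {
		failures = append(failures, "OS not patched")
	}
	if !d.MDMEnrolled {
		failures = append(failures, "not MDM enrolled")
	}
	return failures
}

// Decide applies the conditional join rules:
//   no valid identity token                          -> denied
//   identity only (device missing/stale/non-compliant) -> staging
//   identity + fresh, compliant, matching device     -> production
func Decide(req JoinRequest, now time.Time) (Network, []string) {
	if req.Identity == nil || !now.Before(req.Identity.ExpiresAt) {
		return NetworkDenied, []string{"no valid identity token"}
	}
	// A compliance report for some other device must not upgrade this node;
	// without this check a compliant machine's report could be replayed.
	if req.Device != nil && req.Device.DeviceID != req.Identity.DeviceID {
		return NetworkStaging, []string{"device signals are for a different device"}
	}
	if failures := complianceFailures(req.Device, now); len(failures) > 0 {
		return NetworkStaging, failures
	}
	return NetworkProduction, nil
}

func main() {
	now := time.Now()
	// Constructed sample: valid token plus a fresh, fully compliant Intune report.
	req := JoinRequest{
		Identity: &IdentityClaims{Subject: "alice@example.com", DeviceID: "LAPTOP-01", ExpiresAt: now.Add(time.Hour)},
		Device: &DeviceSignals{DeviceID: "LAPTOP-01", Source: "intune", EndpointProtectionActive: true,
			DiskEncrypted: true, OSPatched: true, MDMEnrolled: true, CollectedAt: now.Add(-2 * time.Minute)},
	}
	net, reasons := Decide(req, now)
	fmt.Println(net, reasons) // production []
	req.Device.DiskEncrypted = false
	net, reasons = Decide(req, now)
	fmt.Println(net, reasons) // staging [disk encryption disabled]
}
```

The same decision can be expressed as a Rego policy with the `JoinRequest` fields as the OPA input document; the Go version is shown here because the freshness and device-binding checks are the parts easiest to get wrong, and keeping them in one function makes them testable in `tests/`.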

Files

  • pkg/registry/device.go — device attestation framework
  • pkg/daemon/device.go — local device signal collection
  • tests/ — conditional join tests

Priority: LOW
