Device Attestation for macOS
  • 11 Aug 2025

Device attestation is a security feature that lets an MDM server verify the authenticity and integrity of a device that is enrolling or communicating with the management system.

It provides a cryptographically signed proof from Apple’s device attestation service that:

  • The device is a genuine Apple device (not a counterfeit or emulator)

  • The device’s operating system and security features (like Secure Boot, Secure Enclave) are intact and unmodified

MDM servers request this attestation from the device, which obtains it from Apple’s secure infrastructure. The MDM server then verifies this attestation to decide if the device should be allowed to enroll or continue to be managed.
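
The freshness half of the verification step described above, as an added example (not Scalefusion's or Apple's code): the server sends a random nonce with the attestation request and accepts the reply only if it is bound to that nonce. The class name, the TTL and the assumption that the attestation's freshness code is the SHA-256 digest of the nonce are illustrative; validating the certificate chain against Apple's attestation root is assumed to have been done already by an X.509 library.

```python
import hashlib
import hmac
import plistlib
import secrets
import time
import uuid

NONCE_TTL = 300  # seconds a challenge stays answerable (assumed value)


class AttestationChallenges:
    """Hypothetical in-memory store: one outstanding nonce per device."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # udid -> (nonce, issued_at)
        self._answered = {}  # udid -> freshness codes already accepted

    def build_command(self, udid):
        """Return a DeviceInformation command plist carrying a new nonce."""
        nonce = secrets.token_bytes(32)
        self._pending[udid] = (nonce, self._clock())
        return plistlib.dumps({
            "CommandUUID": str(uuid.uuid4()),
            "Command": {
                "RequestType": "DeviceInformation",
                "Queries": ["DevicePropertiesAttestation"],
                "DeviceAttestationNonce": nonce,
            },
        })

    def check(self, udid, freshness_code):
        """Classify the freshness code from a chain-validated attestation."""
        nonce, issued = self._pending.pop(udid, (None, 0.0))  # single use
        answered = self._answered.setdefault(udid, set())
        if nonce is not None:
            # Assumption: the code is the SHA-256 digest of the nonce we sent.
            expected = hashlib.sha256(nonce).digest()
            if hmac.compare_digest(expected, freshness_code):
                answered.add(expected)
                late = self._clock() - issued > NONCE_TTL
                return "expired" if late else "fresh"
        # A code that matches an earlier challenge is a replayed or cached
        # attestation: genuine once, but it proves nothing about the present.
        return "cached" if freshness_code in answered else "mismatch"
```

Keeping `cached` separate from `mismatch` lets a policy log a reused attestation without treating it as a failed one, which matters when the violation action is destructive.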

Using this feature, IT admins can configure and apply device attestation and take appropriate action if any deviations in the device’s state are detected.

Using Scalefusion's Device Profile for Personal (BYOD) and Company Owned devices, you can enable the attestation feature and choose the action to take in the event of a violation. Follow the steps below to set up Device Attestation.

Pre-Requisites

  1. macOS Device Profile should be created

  2. Supported OS: macOS 14 or above on a Mac with an Apple silicon chip

  3. Devices can be Company Owned or BYOD

Steps

  1. On Scalefusion Dashboard, navigate to Device Profiles & Policies > Device Profiles

  2. Create or Edit the profile where you want to set the Compliance levels.

  3. Navigate to Device Integrity Protection.

  4. Configure the following settings:

    1. Validate using Apple's Managed Device Attestation: When enabled, this feature uses Apple’s attestation service to verify device integrity.

    2. Monitor Frequency: Use this setting to define how frequently device attestation should run. Options:

      1. Every 24 hours

      2. Every 48 hours

      3. Weekly Once

    3. Violation Action: Choose how Scalefusion should respond if a device fails the attestation. Options:

      1. No Action: Detects the attestation failure but will not take any automatic enforcement action on the device.

      2. Unenroll Device: Automatically unenrolls the device from management upon detection of a failed attestation.

      3. Factory Reset: Scalefusion will attempt to initiate a factory reset on the device when it fails attestation.

        These checks or APIs can sometimes return a false positive, so choose the violation action accordingly.

    4. Email Alert Settings: Configure email alerts for attestation or jailbreak violations. Options:

      1. Global Email Settings: The email alert will go to the account owner

      2. Custom Email Settings: If Custom Email Settings is selected, a text field will appear to enter recipient email addresses. You are required to enter at least one email.


FAQ

Where can we view the Device Attestation Status on the Scalefusion Dashboard?

You can view this information in:

  1. The Full Device Info dialog (under the Device Info tab)


  2. The Device Listing Page

  3. The Device Inventory Report

  4. Through Developer APIs

