Alan DeKok <al...@deployingradius.com> wrote:
> On Jun 28, 2021, at 8:50 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>> To date, Enterprises with laptops and PCs have provisioned the IDevID into
>> the TPM, themselves, at the same time the device is wiped and the golden
>> image is installed. So, the TPM identity is actually known to them by
>> construction.
> And... if I have my own phone? Or if a university wishes to tie
> devices to student accounts? So that they can limit (somewhat) abuses?
> For now, the answer is "too bad". Or maybe "buy a $$$$ MDM solution".

I think that today, the answer is probably too bad because too complex.
But, I think that most phones can do "Enterprise" WPA, and so a certificate
can be loaded in to do EAP-TLS.

> As someone who bought my own phone, I'm not going to install some MDM
> solution which lets my employer wipe my personal device. I would much
> prefer to be able to prove (a) it's my device, and (b) it has a unique
> device identifier. The simpler the method, the better.

If I were a student, I would also not allow a university (or employer) MDM
solution onto my phone, and I'm not actually sure that it directly helps; it
just makes loading that certificate easier.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu