Alan DeKok <[email protected]> wrote:
> On Jun 28, 2021, at 8:50 PM, Michael Richardson <[email protected]> wrote:
>> To date, Enterprises with laptops and PCs have provisioned the IDevID into
>> the TPM, themselves, at the same time the device is wiped and the golden
>> image is installed. So, the TPM identity is actually known to them by construction.
> And... if I have my own phone? Or if a university wishes to tie
> devices to student accounts? So that they can limit (somewhat) abuses?
> For now, the answer is "too bad". Or maybe "buy a $$$$ MDM solution".
I think that today, the answer is probably "too bad", because it is too complex.
But, I think that most phones can do "Enterprise" WPA, and so a certificate
can be loaded in to do EAP-TLS.
> As someone who bought my own phone, I'm not going to install some MDM
> solution which lets my employer wipe my personal device. I would much
> prefer to be able to prove (a) it's my device, and (b) it has a unique
> device identifier. The simpler the method, the better.
If I were a student, I would also not allow a university (or employer) MDM
solution onto my phone, and I'm not actually sure that it directly helps; it
just makes loading that certificate easier.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
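As an added illustration of the "load a certificate and do EAP-TLS" option mentioned above (this is not part of the original message or thread), here is a wpa_supplicant network block for a device that has had a per-device certificate loaded onto it. The SSID, file paths and the RADIUS server name are placeholders; the settings themselves are standard wpa_supplicant.conf options.

```conf
# Added example, not from the original thread. Assumed values: the SSID
# "campus-eap", the certificate/key paths and "radius.example.edu" are
# placeholders that would be replaced with the real deployment's values.
network={
    ssid="campus-eap"
    key_mgmt=WPA-EAP
    eap=TLS

    # Require Protected Management Frames (802.11w).
    ieee80211w=2

    # The outer identity can be anonymous; the device is actually
    # identified by its client certificate inside the TLS handshake.
    identity="anonymous@example.edu"

    # Pin the trust anchor for the RADIUS server and require its name to
    # match. Without ca_cert and domain_match the phone would complete the
    # TLS handshake with any access point that presents some certificate,
    # and the per-device certificate would be offered to an impostor.
    ca_cert="/etc/wpa_supplicant/campus-radius-ca.pem"
    domain_match="radius.example.edu"

    # The per-device certificate and private key that were loaded onto the
    # phone. This is the "unique device identifier" the RADIUS server sees.
    client_cert="/etc/wpa_supplicant/device.pem"
    private_key="/etc/wpa_supplicant/device.key"

    # Refuse the legacy TLS versions for the EAP-TLS tunnel.
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
}
```

The two lines that matter for a personal device are ca_cert and domain_match: they are what keeps the phone from handing its certificate-based identity to a rogue "campus-eap" network, and they need no MDM agent, only the CA file and the server name alongside the client certificate.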
