Hardware-backed device attestation powers mobile workers
Published Jul 27 2023 06:00 AM

Today Microsoft and Samsung announced a new groundbreaking solution that adds another layer of mobile device protection for people using Samsung Galaxy devices in the workplace. This new solution represents the first step of a broader strategic partnership to jointly develop deeply integrated, trusted experiences on Samsung Galaxy devices with Microsoft Intune to deliver the best possible at-work mobile device solutions. With this solution we are bringing together Samsung's software and hardware innovations, and Microsoft endpoint management leadership to introduce an on-device, mobile hardware-backed device attestation solution for both company-owned and personal mobile devices.

The need for advanced device attestation

As cyber threats become increasingly sophisticated, endpoints are often a prime target for bad actors. These attackers are creating new ways to penetrate the deepest components of a device, making their attacks difficult to defend against. One of the fundamental principles of a Zero Trust security architecture is to explicitly verify the identity and health of every user and device requiring access to organization resources. Device attestation is a crucial mechanism to verify device trust and health to help detect if a device has been compromised, even at its deepest components.

As attacks grow increasingly sophisticated, organizations require an additional layer of protection against the risk of compromised devices gaining access to sensitive organization data. Through this integration, we're increasing the security of mobile device attestation to help organizations ensure the trust and health of their mobile devices for work.

The new solution will be made available to customers in the August release of Microsoft Intune and is applicable to select Samsung Galaxy smartphones and tablets, including “Secured by Knox” devices, with Android 10 OS or later. The solution is available for Intune mobile application management (MAM) protected applications for use on company-owned as well as personal devices.

This is a breakthrough development for highly regulated organizations that want to enable employees to bring their own devices (BYOD) for work. It opens up opportunities for Galaxy smartphone users to use their preferred device securely and privately for both work and play – while still empowering them with the flexibility and versatility to optimize their productivity. When organizations allow Samsung devices to access their corporate resources, they now can have the confidence that personally owned Galaxy devices will have the same strong level of extra protection as company-owned Galaxy devices.

Added protection for Galaxy devices

Today, device attestation requires a network connection and access to cloud services to authenticate a device's trust and integrity. The device may fail validation if, for example, there's no internet or there's a service outage. Remote validation may result in high latency between detecting a threat and communicating that threat to the user's device. Complete protection from threats, however, requires that devices be attested immediately and reliably regardless of network connectivity or device ownership model.

Galaxy devices are protected by Samsung Knox, Samsung's defense-grade mobile security platform. The integration of the Samsung Knox device attestation API with Intune app protection policies enables organizations to validate device trust and health regardless of network connectivity and device ownership. This reduces the opportunity for malicious parties to compromise a device.

This device attestation enables a trusted, hardware-based health check for the device. Intune and Samsung's on-device hardware-backed attestation solution is “always on” and can verify the integrity of the device regardless of network connectivity. Intune can utilize the health check performed securely on the device itself to attest to a device's health and block access to company resources if needed, even if a device is off the network. This makes the attestation responsive and reliable in situations where there isn't any network connectivity. It has none of the latency issues that users could face when using a remote service-based approach. This on-device attestation enables Intune to make real-time access control decisions.

Device attestation validates that it's a device that the company has already approved, while an integrity check ensures the device has not been compromised. Samsung's hardware-backed cryptography and Intune app protection policies verify the client endpoint (application + device) and secure the communication between the Intune client and service. Altogether, this helps to prevent malicious endpoints from accessing organization resources using valid client information taken from another device, and limits tampering with client requests.

Simplification and security improve user and IT experiences

This solution helps organizations strengthen their Zero Trust security posture by allowing only verified Samsung devices and applications to access organization resources. Using hardware-backed device attestation bolsters security by providing additional verifiable health checks. It adds a layer of protection against tampering and replay attacks by enabling signing and encryption of Intune MAM client responses. This hardware-backed approach provides another method for Intune MAM to verify device trust, reducing the opportunity for compromised devices that falsely claim to be known and healthy to gain access to sensitive corporate data.
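As an added illustration (not code from Intune, Knox or this post), the following Go model shows the three checks the two paragraphs above rely on: a signature that only the approved device's hardware-held key can produce, a single-use challenge so a captured response cannot be replayed, and an integrity verdict that cannot be edited without breaking the signature. The statement layout, the `Verifier` type and the device name used in testing are assumptions; the real Knox attestation format is not described on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Statement is a simplified attestation result; a constructed model, not the Knox or Intune format.
type Statement struct {
	DeviceID string `json:"device_id"`
	Nonce    string `json:"nonce"`   // challenge issued by the service
	Healthy  bool   `json:"healthy"` // on-device integrity verdict
}
// Verifier models the service side: the public key of each approved device and unconsumed challenges.
type Verifier struct {
	Approved map[string]ed25519.PublicKey // registered when the device was approved
	Nonces   map[string]bool              // issued and not yet consumed
}

// Issue hands out a fresh single-use challenge the device must echo in its signed statement.
func (v *Verifier) Issue() string {
	b := make([]byte, 16)
	rand.Read(b)
	v.Nonces[hex.EncodeToString(b)] = true
	return hex.EncodeToString(b)
}
// Sign is the device side: serialise the statement and sign it with the device-bound private key.
func Sign(priv ed25519.PrivateKey, s Statement) (msg, sig []byte) {
	msg, _ = json.Marshal(s)
	return msg, ed25519.Sign(priv, msg)
}
// Verify checks key binding, signature, challenge freshness and the verdict, consuming the nonce.
func (v *Verifier) Verify(msg, sig []byte) error {
	var s Statement
	_ = json.Unmarshal(msg, &s) // malformed input leaves DeviceID empty and fails the lookup
	if pub, ok := v.Approved[s.DeviceID]; !ok || !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not match the key of an approved device")
	}
	if !v.Nonces[s.Nonce] {
		return errors.New("nonce unknown or already used (replay)")
	}
	delete(v.Nonces, s.Nonce)
	if !s.Healthy {
		return errors.New("device reports a failed integrity check")
	}
	return nil
}
```

Because the nonce is consumed on first use and the signature covers the whole statement, a replayed, re-signed or edited response is rejected before the health verdict is even consulted.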

Intune MAM is the industry's leading BYOD solution, trusted by organizations everywhere to protect their Microsoft 365 applications and thousands of additional mission-critical apps across millions of users.

Intune and Samsung Knox device attestation can be used alongside Intune's innovative MAM capabilities to empower organizations with stronger enterprise-level protection on Samsung devices. Samsung devices are ready for work out of the box and don't require additional IT administrative work to set up device attestation, as the functionality is built in during manufacturing. Intune device attestation capabilities are made available through Intune MAM and compliance capabilities and can be enabled with no additional Intune licensing.

Hardware-backed device attestation can also improve the end-user experience and doesn't compromise security health checks required by organizations' security policies. Employees get seamless access to organizational data protected by Intune without extra authentication steps, regardless of their device connectivity. IT can reduce incidents of blocked access based on false positive attestation failures, which are otherwise frustrating and can reduce productivity. At the same time, when users don't have to enroll their devices but are protected by Intune app protection policies, they can use their own devices for work, knowing that their personal data remains private, increasing satisfaction and productivity.

A transformative shift for enterprise mobile device security

This hardware-backed device attestation solution for strengthening Zero Trust security is available only with Samsung devices and Intune. It can allow even the most security-minded organizations to adopt a BYOD policy to increase productivity and privacy for mobile workers on their preferred Galaxy devices.

By combining Samsung's hardware and software expertise and the power of Microsoft Intune cloud endpoint management, this partnership sets a new standard for protecting business assets. As the cybersecurity landscape evolves, more ground-breaking solutions are on the horizon, reinforcing our commitment to safeguarding data and ensuring a secure digital future for all.

Last update: Jul 26 2023 08:24 PM