Verify that managed devices run iOS 16 / macOS 13 or later; Managed Device Attestation requires these OS versions (or newer) on Secure Enclave-capable hardware
In your MDM solution or custom profile tool, create a configuration profile containing an ACME payload (payload type com.apple.security.acme) pointing to your organization's ACME CA server URL
Set the Attest key to true within the ACME payload; this instructs the device to generate a hardware-bound key in the Secure Enclave and to include device attestation in the certificate request sent to the ACME server
Deploy the profile to managed devices via MDM push; the device contacts the ACME server, provides the hardware attestation, and receives a client certificate bound to the Secure Enclave
Configure your network access control, VPN, or Wi-Fi authentication to require the issued client certificate for EAP-TLS or mutual TLS authentication
Configure renewal for the ACME payload so that certificates are reissued automatically before expiry, without user interaction
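As an added example (not part of the original steps, and not Apple's or any MDM vendor's code): a Python script that builds the ACME payload from the steps above with plistlib and runs a small audit that flags the settings which would silently downgrade the result to a software-backed, non-attested key. The key names follow Apple's ACMECertificate payload; the server URL, identifiers, UUIDs and client identifier are placeholders.

```python
import plistlib

# Constructed sample of the ACME payload this page describes, with attestation
# and hardware binding enabled. URL, identifiers and UUIDs are placeholders.
HARDENED = {
    "PayloadType": "com.apple.security.acme",
    "PayloadIdentifier": "com.example.acme.attest",  # placeholder
    "PayloadUUID": "0E6B4C6A-0000-4000-8000-000000000001",  # placeholder
    "PayloadVersion": 1,
    "DirectoryURL": "https://acme.example.com/acme/directory",  # placeholder
    "ClientIdentifier": "DEVICE-ENROLL-TOKEN-PLACEHOLDER",
    "KeyType": "ECSECPrimeRandom",  # Secure Enclave keys are EC only
    "KeySize": 256,
    "HardwareBound": True,  # private key generated inside the Secure Enclave
    "Attest": True,         # device attestation included in the ACME request
    "KeyIsExtractable": False,
    "Subject": [[["CN", "Managed Device"]]],
    "UsageFlags": 1,        # digital signature, sufficient for EAP-TLS / mTLS
    "ExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],  # id-kp-clientAuth
}
# Same payload with settings that quietly yield a software-backed, non-attested key over http.
WEAK = dict(HARDENED, HardwareBound=False, KeyType="RSA", KeySize=2048,
            KeyIsExtractable=True, DirectoryURL="http://acme.example.com/acme/directory")

def audit_acme_payload(p):
    """Return findings; an empty list means attested, Secure Enclave-bound keys."""
    findings = []
    if p.get("PayloadType") != "com.apple.security.acme":
        findings.append("PayloadType is not com.apple.security.acme")
    if not str(p.get("DirectoryURL", "")).startswith("https://"):
        findings.append("DirectoryURL must use https")
    if p.get("Attest") and not p.get("HardwareBound"):
        findings.append("Attest requires HardwareBound=true")
    if not p.get("HardwareBound"):
        findings.append("HardwareBound=false: software key, no attestation")
    if p.get("HardwareBound") and p.get("KeyType") != "ECSECPrimeRandom":
        findings.append("hardware-bound keys must be ECSECPrimeRandom")
    if p.get("KeyIsExtractable", True):  # Apple's default is true
        findings.append("KeyIsExtractable should be false")
    return findings

def to_profile_xml(payload):
    """Wrap one ACME payload in a top-level profile and emit it as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile.acme",  # placeholder
        "PayloadUUID": "0E6B4C6A-0000-4000-8000-000000000002",  # placeholder
        "PayloadVersion": 1,
        "PayloadDisplayName": "ACME device attestation certificate",
        "PayloadContent": [payload],
    })
```

Run the audit against an exported profile before pushing it; the output of to_profile_xml is the .mobileconfig body an MDM would deliver in step 4.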
Known gotchas
Managed Device Attestation certificates are non-exportable because the private key is stored in the Secure Enclave; any infrastructure expecting to export or back up the key will fail
ACME Device Attestation is a newer standard than SCEP; not all CA vendors support it — verify ACME with device attestation challenge support before choosing a CA
The ACME server must be reachable from managed devices at enrollment time and at renewal time; placing the ACME server behind a VPN that requires the very certificate being issued creates a bootstrapping deadlock