| 1 | +--- |
| 2 | +title: Device Enrollment Guide |
| 3 | +html_title: How to add devices to Smallstep |
| 4 | +description: There are several ways to add your devices to Smallstep. In this guide, we talk through the options. |
| 5 | +--- |
| 6 | + |
| 7 | +In this guide, |
| 8 | +we'll talk about different approaches you can take |
| 9 | +as you build your device inventory in Smallstep. |
| 10 | + |
| 11 | +It's worth restating the overall goal of this process: |
| 12 | +To build a high-assurance device inventory, |
| 13 | +so that only your organization's devices |
| 14 | +can access protected resources. |
| 15 | + |
| 16 | +While a lot of organizations |
| 17 | +have device inventories in various locations |
| 18 | +(IT Asset Management systems, device management platforms, etc), |
| 19 | +these are not usually high-assurance inventories. |
| 20 | +Smallstep uses hardware identifiers |
| 21 | +and device attestation |
| 22 | +to help you develop a high-assurance inventory |
| 23 | +that can be the foundation for device authentication. |
| 24 | + |
| 25 | +There's a few ways to bring devices into your Smallstep inventory: |
| 26 | + |
| 27 | +### Self-enrollment |
| 28 | + |
| 29 | +You can [manually invite users |
| 30 | +to join your Smallstep team](https://smallstep.com/app/?next=/users/invite), |
| 31 | +and they will be able to self-enroll devices |
| 32 | +using the [Smallstep Desktop App](./smallstep-app.mdx) |
| 33 | +or the [Smallstep Agent for Linux](./smallstep-agent.mdx). |
| 34 | + |
| 35 | +By default, administrators |
| 36 | +must approve a new device |
| 37 | +before it can access any of your resources. |
| 38 | +You can change this in [Team Settings](https://smallstep.com/app/?next=/settings/team). |
| 39 | + |
| 40 | +### Connect Smallstep to your identity provider |
| 41 | + |
| 42 | +This option requires IdP self-enrollment in [Team Settings](https://smallstep.com/app/?next=/settings/team) to be enabled. |
| 43 | +It is disabled by default. |
| 44 | + |
| 45 | +When you connect Smallstep to your identity provider, |
| 46 | +your users will be able to self-enroll |
| 47 | +via single sign-on, |
| 48 | +using the [Smallstep Desktop App](./smallstep-app.mdx) |
| 49 | +or the [Smallstep Agent for Linux](./smallstep-agent.mdx). |
| 50 | + |
| 51 | +By default, administrators |
| 52 | +must approve a new device |
| 53 | +before it can access any of your resources. |
| 54 | +You can change this in [Team Settings](https://smallstep.com/app/?next=/settings/team). |
| 55 | + |
| 56 | +### Sync Smallstep to an MDM |
| 57 | + |
| 58 | +You can sync your existing MDM inventories into Smallstep. |
| 59 | +Once an MDM is synced, |
| 60 | +you can deploy the Smallstep Agent to your endpoints |
| 61 | +to enable high-assurance protections. |
| 62 | + |
| 63 | +Devices synced from an MDM inventory |
| 64 | +are automatically approved, |
| 65 | +but they will not be marked as high-assurance |
| 66 | +until Smallstep receives an attestation from the device. |
| 67 | + |
| 68 | +For a concrete example, |
| 69 | +see [Connect Jamf Pro to Smallstep](../tutorials/connect-jamf-pro-to-smallstep.mdx) |
| 70 | + |
| 71 | + |
| 72 | +### Add devices via API |
| 73 | + |
| 74 | +You can import devices from any source into Smallstep using our API. |
| 75 | + |
| 76 | +Devices added via API are automatically approved. |
| 77 | +but they will not be marked as high-assurance |
| 78 | +until Smallstep receives an attestation from the device. |
| 79 | + |
| 80 | +#### Example: I have a list of device identifiers |
| 81 | + |
| 82 | +For each device, use the [Save Collection Instance](https://gateway.smallstep.com/v2023-11-01/operations/PutCollectionInstance) endpoint to create a device. |
| 83 | +- For the `collectionSlug`, use `default` |
| 84 | +- For Apple devices, the `instanceID` must be the device's serial number. |
| 85 | +- For TPM 2.0 devices, the `instanceID` must be the TPM Endorsement Key URI, in the format `urn:ek:sha256:ul3sYf6uQ6jVEXAMPLEXoAuHI10U8gTvEJ6bMj95LXI=`. (You can retrieve the EK URI by running `step agent tpm --fingerprint` on the device.) |
| 86 | + |
| 87 | +For the body of the request, |
| 88 | +create a user using the following value |
| 89 | +(replacing `[email protected]` with the device owner's email address): |
| 90 | + |
| 91 | +``` |
| 92 | +{ "data": { "smallstep:identity": "[email protected]" } } |
| 93 | +``` |
| 94 | + |
| 95 | +Once added, |
| 96 | +you'll see the device in your Smallstep dashboard, |
| 97 | +under Recent Devices, |
| 98 | +and it will be automatically approved. |
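Review bot: The "Add devices via API" section (lines 76-78 of the new file) has a sentence split by a stray period, "Devices added via API are automatically approved." followed by "but they will not be marked as high-assurance", so the second half reads as a fragment; it should be a single sentence with a comma, matching the equivalent wording in the MDM section. In the same section, "create a user using the following value" is misleading, since the PutCollectionInstance call creates a device instance and the body only sets its owner's identity; suggest "set the device's owner with the following body" or similar. Two smaller points: the JSON body is in an untagged code fence (consider ```json so it renders with highlighting), and the Jamf Pro sentence at line 69 is missing its closing period. Finally, since the `instanceID` (serial number or EK URI) is what later ties the attestation back to the inventory record, it would help readers to state that the identifier supplied here must exactly match what the agent will attest, and what they will see in the dashboard if it does not, because an unattested device stays approved but never becomes high-assurance.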