
ACME Device Attestation

This page provides a conceptual overview of ACME Device Attestation and its workflows.

For a practical integration example with a Mobile Device Management (MDM) solution, see Configure EJBCA ACME Device Attestation with Jamf for Apple devices.

Introduction

The ACME protocol, as specified in RFC 8555: Automatic Certificate Management Environment (ACME), was originally designed for issuing TLS certificates. The protocol offers significant advantages in terms of security and automation compared to other enrollment protocols.

Based on version 08 of the Automated Certificate Management Environment (ACME) Device Attestation Extension draft specification, the ACME protocol can also be used in Enterprise Device Management use cases. In this context, it enables the enrollment of client authentication certificates for devices within enterprise IT environments.

Using ACME Device Attestation in Enterprise Device Management enables a high level of automation and strong security. This is achieved by verifying permanent identities through cryptographic attestation based on hardware-generated keys on the devices.

ACME Device Attestation for Enterprise Management of Apple Devices Overview

This overview illustrates the integration between a Mobile Device Management (MDM) server and an Enterprise Managed Device using the ACME Device Attestation protocol for Apple devices. Apple refers to this capability as Managed Device Attestation.

EJBCA ACME Device Attestation Integration for Apple Devices

This overview of EJBCA ACME Device Attestation integration for Enterprise Management of Apple Devices shows the interaction between the managed device, the MDM server, and EJBCA during the certificate enrollment process using ACME with device attestation. The workflow ensures that only devices with verified hardware-backed identities can obtain client authentication certificates, strengthening both device trust and overall security posture.
