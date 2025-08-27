Version: 17.x

On this page

Getting Started with Device Trust Report an issue with this page

note Device Trust supports all platforms and clients, including tsh , Teleport Connect and the Web UI (requires Teleport Connect to be installed). The following resources are protected by Device Trust: Role-based enforcement only: Apps and Desktops

Cluster and role-based enforcement: SSH nodes, databases, and Kubernetes clusters

Device Trust requires two of the following steps to have been configured:

Device enforcement mode configured via either a role or a cluster-wide config.

Trusted device registered and enrolled with Teleport.

In this guide, you will update an existing user profile to assign the preset require-trusted-device role and then enroll a trusted device into Teleport to access a resource (a test linux server) protected with Teleport.

A running Teleport Enterprise cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install



User with editor role. tsh status > Profile URL: teleport.example.com:443 Logged in as: myuser Cluster: teleport.example.com Roles: access, auditor, editor Logins: root, ubuntu, ec2-user Kubernetes: disabled Valid until: 2023-08-22 03:30:24 -0400 EDT [valid for 11h52m0s] Extensions: login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

role. Access to a linux server (any Linux server you can access via tsh ssh will do). tsh ls Node Name Address Labels ---------------- -------------- -------------------------------------- ip-172-31-35-170 ⟵ Tunnel

tsh ssh root@ip-172-31-35-170 root@ip-172-31-35-170:~#

Once the above prerequisites are met, begin with the following step.

To enforce Device Trust, a user must be assigned with a role with Device Trust mode "required".

For this guide, we will use the preset require-trusted-device role to update current user profile.

Open the user resource in your editor so we can update it with the preset require-trusted-device role.

tctl edit users/myuser

Edit the profile:

kind: user metadata: id: 1692716146877042322 name: myuser spec: created_by: time: "2023-08-14T13:42:22.291972449Z" expires: "0001-01-01T00:00:00Z" roles: - access - auditor - editor + - require-trusted-device # add this line status: is_locked: false ...

Update the user by saving and closing the file in your editor.

Now that the user profile is updated to enforce Device Trust, try to access the test server again.

tsh logout; tsh login --proxy=teleport.example.com --user=myuser tsh ssh root@ip-172-31-35-170 ERROR: access denied to root connecting to ip-172-31-35-170:0

As you can verify from the above step, access to ip-172-31-35-170 ssh server, which was previously accessible, is now forbidden.

To access ip-172-31-35-170 server again, you will have to enroll your device.

Enrolling your device is easy, and can be done using tsh client:

tsh device enroll --current-device Device "C00AA0AAAA0A"/macOS registered and enrolled

self enrollment The --current-device flag tells tsh to enroll the current device. The user must have the preset editor or device-admin role to be able to self-enroll their device. For users without the editor or device-admin roles, a device admin must generate the an enrollment token, which can then be used to enroll the device. Learn more about manual device enrollment in the device management guide.

Relogin to fetch updated certificate with device extension:

tsh logout; tsh login --proxy=teleport.example.com --user=myuser

tsh status > Profile URL: teleport.example.com:443 Logged in as: myuser Cluster: teleport.example.com:443 Roles: access, auditor, editor Logins: root Kubernetes: enabled Valid until: 2023-08-22 04:06:53 -0400 EDT [valid for 12h0m0s] Extensions: login-ip, ... teleport-device-asset-tag, teleport-device-credential-id, teleport-device-id

The presence of the teleport-device-* extensions shows that the device was successfully authenticated.

Now, let's try to access server ( ip-172-31-35-170 ) again:

tsh ssh root@ip-172-31-35-170 root@ip-172-31-35-170:~#

Congratulations! You have successfully configured a Trusted Device and accessed a resource protected with Device Trust enforcement.

A signed and notarized tsh binary is necessary to enroll and use a a trusted device. Download the macOS tsh installer to fix the problem.

A trusted device needs to be registered and enrolled before it is recognized by Teleport as such. Follow the registration and enrollment steps and make sure to tsh logout and tsh login after enrollment is done.

Linux users need permissions to read and write from the TPM device, /dev/tpmrm0 . Without such permissions tsh would need sudo prompts for most operations.

The simplest way to solve this is to check if your distro ships with the tss group and assign it to your OS user. If that is not possible, or you are looking for a different solution, we recommend creating udev rules similar to the ones shipped by the TPM2 Software Stack.

Auto-enrollment ceremonies, due to their automated nature, are stricter than regular enrollment. Additional auto-enrollment checks include:

Verifying device profile data, such as data originated from Jamf, against the actual device Verifying that the device is not enrolled by another user (auto-enroll cannot take devices that are already enrolled)

Check you audit log for clues: look for failed "Device Enroll Token Created" events and see the "message" field in the details.

If you suspect (1) is the issue, compare the actual device against its inventory definition ( tsh device collect executed in the actual device vs tctl get device/<asset_tag> ). Tweaking the device profile, manual enrollment or waiting for the next MDM sync may solve the issue.

If you suspect (2), you can unenroll the device using tctl edit device/<asset_tag> and changing the "enroll_status" field to "not_enrolled".

Follow the instructions in the Web UI troubleshooting section below (Teleport v16 or later).

Alternatively, you may use one of the tsh commands described by App Access support. For example, for an app called myapp , run tsh proxy app myapp -p 8888 , then open http://localhost:8888 in your browser.

If you are already running tsh proxy app , or using the certificates acquired from tsh app login , then it's likely your device isn't registered or enrolled. In this case, follow the advice from the unauthorized device section above.

Follow the instructions in the Web UI troubleshooting section below.

The Web UI attempts to authenticate your device using Teleport Connect during login. If you are not asked to authenticate your device immediately after login, follow the steps below:

Make sure your device is registered and enrolled Install Teleport Connect. Use the DEB or RPM packages on Linux (the tarball doesn't register the custom URL handler). Make sure Teleport Connect can access the same resource you are trying to access on the Web Ask your cluster administrator if Device Trust is enabled (cluster mode "optional" or higher)

After the steps above are done try logging out from the Web UI and logging in again. If the error persists, check your audit log for failed "device authenticated" or "device web" events and look for failure details within the events.

"IP mismatch" errors in audit logs indicate that the IP checks performed by the device web authentication ceremony failed. In this case it's likely that end-user IPs are not propagated correctly to your Teleport deployment.

L7 load balancer: make sure it propagates the X-Forwarded-For header

L4 load balancer: enable PROXY protocol

When successfully authorized to use Device Trust in the web UI, the user will see a green shield icon next to the logged-in username at the top right of the screen. Additionally, clicking on the username to show the user menu will indicate that the session is authorized with Device Trust.

If the user is not authorized to use Device Trust in the web UI, but either the cluster-wide configuration or their assigned role(s) require the use of a trusted device, the user will see a yellow warning shield next to the logged-in username at the top right of the screen. Additionally, clicking on the username to show the user menu will indicate that the session is not authorized with Device Trust, so the user's access is restricted.

Theme Session authorized with Device Trust Session not authorized with Device Trust Light Dark