1.3 Overview

Many enterprises check software state and policy compliance before allowing computers to access corporate network resources. The goal of these checks is to ensure that the operating system (OS) is properly updated, the OS configuration meets company policy, and that antivirus software is up-to-date.

The Device Health Attestation (DHA) protocol provides a way for a device to submit its policy compliance status and software status, in a tamper-resistant way, to a Device Health Attestation Service (DHA-Service), so that its state can later be evaluated by an entity such as a mobile device management (MDM) server to determine its compliance status.

The following diagram describes the three components that interact in a Device Health Attestation session.

  1. DHA-Enabled Device: a device equipped with a Trusted Platform Module (TPM), either a firmware TPM or a discrete TPM.

  2. Device Management Server (MDM): initiates the Device Health Attestation flow, reviews the Device Health Attestation Report (DHA-Report), and evaluates whether the reported state satisfies its compliance policy.

  3. DHA-Service: a service that processes the Device Health Attestation data submitted by the device and produces the DHA-Report.

This document discusses only the interaction between the client and the DHA-Service.

Figure 1: Device health attestation

The following sequence diagram describes how the components interact during a Device Health Attestation session.

Figure 2: Device, DHA-service communication