diff --git a/platform/README.mdx b/platform/README.mdx index cbde9630..34386520 100644 --- a/platform/README.mdx +++ b/platform/README.mdx @@ -56,7 +56,8 @@ This process, known as cryptographic device attestation, forms the foundation fo # How can you use Smallstep? -The Smallstep Agent is the vehicle through which Smallstep delivers cryptographically attested device identity to your organisation. It is the recommended way to identify devices and get client certificates to devices (Windows, Linux, Mac OS) for Enterprise Wi-Fi, VPN, HTTP/3 proxies, or web applications. +The Smallstep Agent is the vehicle through which Smallstep delivers cryptographically attested device identity to your organisation. It is the recommended way to identify devices and get client certificates to devices (Windows, Linux, macOS, ChromeOS) for Enterprise Wi-Fi, VPN, HTTP/3 proxies, or web applications. + It is a lightweight program that runs in the background on devices and manages end-to-end certificate lifecycle for various resources. It works with all TPM 2.0 devices—virtual TPMs, firmware TPMs, or physical TPMs—and on some TEEs and Secure Enclaves (eg. Apple Managed Device Attestation). @@ -68,7 +69,7 @@ If for any reason, you cannot have the Smallstep Agent on your devices, Smallste Smallstep integrates with your MDM to deploy client certificates to company-managed devices to enable certificate-based network authentication for Wi-Fi (802.1x EAP-TLS WPA-Enterprise), VPN, ZTNA, etc. -We offer integrations for any MDMs for Apple and Windows devices that support Dynamic SCEP like Jamf, Intune, Workspace ONE, Mosyle, Ivanti, e.t.c. +We offer integrations for any MDMs for Apple, Windows, and ChromeOS devices that support Dynamic SCEP like Jamf, Intune, Workspace ONE, Mosyle, Ivanti, and Google Workspace. ![Jamf MDM Marketecture.png](/graphics/Jamf_MDM_Marketecture.png) diff --git a/platform/core-concepts.mdx b/platform/core-concepts.mdx index 1d22b7d1..a4dd6732 100644 
--- a/platform/core-concepts.mdx +++ b/platform/core-concepts.mdx @@ -1,5 +1,5 @@ --- -updated_at: September 17, 2025 +updated_at: September 30, 2025 title: Core Concepts html_title: Platform Core Security Concepts Explained description: Fundamental concepts of device identity platform. Understand trust models, attestation, and certificate lifecycle management. @@ -50,7 +50,7 @@ Now we have a great foundation for device identity. And, we've unlocked another Smallstep uses the following attestable device identifiers to build a high-assurance inventory: - On Apple platforms, the device’s serial number or hardware UDID. -- On Windows and Linux devices with TPMs, there is a TPM Endorsement Key and a Platform Certificate. +- On Windows, Linux, and ChromeOS devices with TPMs, there is a TPM Endorsement Key and a Platform Certificate. With Smallstep, you can build a device inventory by syncing devices from your MDM, via our API, or by having users self-register (with optional SSO). 
@@ -230,16 +230,16 @@ Because many client apps are unable to directly use hardware bound keys, Smallst These provisioned credentials are short-lived. Their key attestation level varies based on the application and operating system: -| | macOS (Smallstep agent) | macOS (agentless) | Windows | Linux | -| --- | --- | --- | --- | --- | -| Wi-Fi | Smallstep attested | device attested | device attested | device attested | -| SSH | Smallstep attested | not supported | device attested | device attested | -| Safari | Smallstep attested | device attested | not available | not available | -| Chrome | Smallstep attested | not supported | device attested | device attested | -| Firefox | Smallstep attested | not supported | device attested | device attested | -| Edge | talk to us | not supported | device attested | not available | -| IPSec VPN | Smallstep attested | device attested | talk to us | talk to us | -| Relay (MASQUE) | Smallstep attested | device attested | device attested | device attested | +| | macOS (Smallstep agent) | macOS (agentless) | Windows | Linux | ChromeOS | +| --- | --- | --- | --- | --- | --- | +| Wi-Fi | Smallstep attested | device attested | device attested | device attested | device attested | +| SSH | Smallstep attested | n/a | device attested | device attested | n/a | +| Safari | Smallstep attested | device attested | n/a | n/a | n/a | +| Chrome | Smallstep attested | n/a | device attested | device attested | device attested | +| Firefox | Smallstep attested | n/a | device attested | device attested | n/a | +| Edge | talk to us | n/a | device attested | talk to us | n/a | +| IPSec VPN | Smallstep attested | device attested | talk to us | talk to us | n/a | +| Relay (MASQUE) | Smallstep attested | device attested | device attested | device attested | n/a | ### A note about fallbacks diff --git a/platform/smallstep-agent.mdx b/platform/smallstep-agent.mdx index 21762fc1..9304ce1a 100644 --- a/platform/smallstep-agent.mdx 
+++ b/platform/smallstep-agent.mdx @@ -1,5 +1,5 @@ --- -updated_at: September 17, 2025 +updated_at: October 01, 2025 title: Smallstep Agent for Linux html_title: Smallstep Agent for Device Management Guide description: Deploy and configure Smallstep Agent on Linux. Automated device identity management and certificate renewal for enterprise Linux fleets. @@ -9,7 +9,7 @@ Choose one or the other depending on your deployment needs. # Introduction -While macOS and Windows can manage certificates and authentication settings via Mobile Device Management (MDM), Linux does not include automated remote management facilities. The Smallstep Agent brings vital certificate management features to your Linux users and endpoints. It can be installed independently on any Linux device running systemd. +While macOS, Windows, and ChromeOS can manage certificates and authentication settings via Mobile Device Management (MDM), Linux does not include automated remote management facilities. The Smallstep Agent brings vital certificate management features to your Linux users and endpoints. It can be installed independently on any Linux device running systemd. In this document, we will install, configure, and start the Smallstep Agent on a Linux device running systemd. We also show how to use the agent’s built-in PKCS#11 (smart card) service. With the PKCS#11 service, you can access Smallstep certificates and keys from applications that support PKCS#11.
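Review bot: In platform/README.mdx (hunk @@ -56,7 +56,8 @@), the agent sentence now lists ChromeOS, but the patch never says whether ChromeOS devices are reached through the Smallstep Agent or only through MDM. The next hunk adds ChromeOS to the Dynamic SCEP MDM integrations, platform/smallstep-agent.mdx groups ChromeOS with the platforms that "can manage certificates and authentication settings via Mobile Device Management (MDM)", and the core-concepts table rates ChromeOS as "device attested" at best, never "Smallstep attested". Please state which delivery path applies to ChromeOS, and if it is MDM only, drop ChromeOS from this parenthetical. The hunk also adds an empty line before "It is a lightweight program"; confirm that paragraph break is intended.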
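Review bot: In platform/README.mdx (hunk @@ -68,7 +69,7 @@), replacing "e.t.c." with "and Google Workspace" makes the vendor list read as complete, while the sentence still promises integrations for "any MDMs ... that support Dynamic SCEP". Suggest keeping it illustrative, for example "such as Jamf, Intune, Workspace ONE, Mosyle, Ivanti, or Google Workspace", and using the singular "any MDM".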
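Review bot: The updated_at values set in this patch disagree: platform/core-concepts.mdx (hunk @@ -1,5 +1,5 @@) becomes "September 30, 2025" while platform/smallstep-agent.mdx (hunk @@ -1,5 +1,5 @@) becomes "October 01, 2025". If the field records when the page was last edited, both files changed in this commit should carry the same date.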
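Review bot: In platform/core-concepts.mdx (hunk @@ -50,7 +50,7 @@), the edited bullet now states that ChromeOS devices provide "a TPM Endorsement Key and a Platform Certificate" as attestable identifiers, yet nothing else in the patch describes how that identifier is obtained on ChromeOS. This list defines what the high-assurance inventory trusts, so please confirm that the ChromeOS enrolment path really binds to the EK and Platform Certificate. If it attests through a different mechanism, give ChromeOS its own bullet instead of appending it to the Windows and Linux one.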
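Review bot: In the key attestation table of platform/core-concepts.mdx (hunk @@ -230,16 +230,16 @@), the rewrite does more than add a ChromeOS column: it folds the previous "not supported" and "not available" values into a single "n/a", and in the Edge row it changes Linux from "not available" to "talk to us". The two old values presumably meant different things (Smallstep does not provision the credential versus the application does not exist on that OS), and a reader assessing attestation coverage loses that distinction. Either keep both values or add a one-line legend under the table defining "n/a", and call out the Edge-on-Linux change in the commit description or move it to its own commit, since it is unrelated to ChromeOS.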