3.1 DHA-Enabled Client Details

 The DHA protocol enables Mobile Device Management (MDM) solutions to get a Device Health Report (DHA-Report) from devices that meet the following requirements.

  • Support a Trusted Platform Module (TPM), version 1.xx or 2.xx, in one of the following formats.

    • Firmware (e.g., Windows Phone)

    • Discrete (e.g., PC devices that have a physical TPM chip)

The EK, EKCert, Windows Attestation Identity Key (AIK) and Windows Attestation Certificate (AIKCert), as specified in [TCG-Cred], MUST be provisioned prior to initiating the attestation protocol. The health attestation protocol can be initiated asynchronously after boot once the TPM has been provisioned (i.e. EK, EK Cert, AIK and AIK Cert have been created), or it can be initiated as part of a service request by a mobile device management server. For more information about the AIK enrollment process, see [X509].

The Device Health Report (DHA-Report) is device bound and is valid only for the current boot cycle. It also has a time-bounded lifetime, which forces a fresh attestation check for long-running devices.

Following is a brief overview of the Device Health Attestation, asynchronous processing flow:

  1. Upon boot, the device sends information about its boot state (DHA-Boot-Data) to the Device Health Attestation Service (DHA-Service)

  2. The DHA-Service replies with an encrypted data BLOB (DHA-Encrypted-Data)

  3. When a Device Management Server (MDM-Server) needs to get a Device Health Report (DHA-Report), it sends a request to the TPM-compatible device (which is enrolled with and managed by the MDM-Server), initiating the DHA data validation session

  4. The TPM-compatible device sends an alert to the Device Management Server, informing it that the Device Health Validation Data (DHA-Validation-Data) is ready for pickup

  5. The Device Management Server sends a request to the TPM-compatible device to get the DHA-Validation-Data

  6. The TPM-compatible device sends the DHA-Validation-Data to the Device Management Server (MDM-Server)

  7. The Device Management Server (MDM-Server) adds a "Nonce" to the payload and forwards the DHA-Validation-Data to the DHA-Service

  8. The DHA-Service reviews the data and sends a report (DHA-Report) to the Device Management Server (MDM-Server)


Figure 4: Device health attestation asynchronous processing flow

Following is a brief overview of the Device Health Attestation, synchronous processing flow:

  1. The Device Management Server (MDM-Server) sends a request to the TPM-compatible device to initiate the DHA data validation session

  2. The TPM-compatible device sends an alert to the Device Management Server (MDM-Server), informing it that the data is not yet ready for pickup

  3. The TPM-compatible device sends its boot data (DHA-Boot-Data) to the DHA-Service

  4. The DHA-Service sends an encrypted BLOB back to the TPM-compatible device

  5. The TPM-compatible device sends an alert to the Device Management Server (MDM-Server), informing it that the DHA data is ready for pickup

  6. The Device Management Server sends a request to the TPM-compatible device to get the DHA-Validation-Data

  7. The TPM-compatible device sends the DHA-Validation-Data to the Device Management Server (MDM-Server)

  8. The Device Management Server (MDM-Server) adds a "Nonce" to the payload and forwards the DHA-Validation-Data to the DHA-Service

  9. The DHA-Service reviews the data and sends a report (DHA-Report) to the Device Management Server (MDM-Server)


Figure 5: Device health attestation synchronous processing flow
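The following is an added model of the two flows above (not code from the MS-DHA specification). It implements the steps the flows share once the device holds the DHA-Service's blob: the MDM-Server adds a nonce, the DHA-Service issues the DHA-Report, and the MDM-Server accepts it only if it is fresh, device bound, for the current boot cycle and unexpired. The message shapes, the HMAC-tagged stand-in for the encrypted BLOB, `SERVICE_KEY`, `boot_counter` and the one-hour lifetime are all assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed model of the DHA exchange. Message shapes and the tag-based
# "encrypted BLOB" are assumptions, not the MS-DHA wire format.
SERVICE_KEY = os.urandom(32)  # assumed: known only to the DHA-Service


def _tag(boot_data):
    """Integrity tag over DHA-Boot-Data, standing in for the encrypted BLOB."""
    msg = repr(sorted(boot_data.items())).encode()
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()


def dha_service_encrypt(boot_data):
    """DHA-Service answers DHA-Boot-Data with an opaque, integrity-protected blob."""
    return {"boot_data": dict(boot_data), "tag": _tag(boot_data)}


def mdm_forward(validation_data):
    """MDM-Server adds a fresh nonce to the DHA-Validation-Data before forwarding it."""
    nonce = os.urandom(16).hex()
    return {**validation_data, "nonce": nonce}, nonce


def dha_service_report(payload, now, lifetime_s=3600):
    """DHA-Service verifies the blob and issues a device-bound, time-bounded DHA-Report."""
    bd = payload["boot_data"]
    if not hmac.compare_digest(_tag(bd), payload["tag"]):
        return {"status": "rejected", "reason": "blob tampered"}
    return {"status": "healthy", "device_id": bd["device_id"],
            "boot_counter": bd["boot_counter"], "nonce": payload["nonce"],
            "expires_at": now + lifetime_s}


def mdm_accept(report, nonce, device_id, current_boot_counter, now):
    """MDM-Server accepts only a fresh, device-bound, current-boot, unexpired report."""
    return (report.get("status") == "healthy"
            and hmac.compare_digest(report["nonce"], nonce)
            and report["device_id"] == device_id
            and report["boot_counter"] == current_boot_counter  # assumed known to MDM
            and now < report["expires_at"])


def run_flow(device_id, boot_counter, now, tamper=False):
    """One full round; returns True if the MDM-Server accepts the DHA-Report."""
    boot_data = {"device_id": device_id, "boot_counter": boot_counter, "secure_boot": True}
    blob = dha_service_encrypt(boot_data)          # device <-> DHA-Service
    if tamper:
        blob["boot_data"]["secure_boot"] = False   # blob altered in transit or on device
    payload, nonce = mdm_forward(blob)             # device -> MDM-Server -> DHA-Service
    report = dha_service_report(payload, now)      # DHA-Service -> MDM-Server
    return mdm_accept(report, nonce, device_id, boot_counter, now)
```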

The DHA-enabled client is a computing device that supports TPM in firmware or discrete format, and is enrolled/managed by a Device Management Server (MDM-Server). The following state diagram shows an exchange in a negotiation between the TPM-compatible device and the Device Health Attestation Service (DHA-Service).


Figure 6: Device Health Attestation

The Device Management Server (MDM-Server) can initiate a request for DHA data as needed. When the Device Management Server (MDM-Server) sends this request, the TPM-compatible device prepares the DHA-Validation-Data and forwards it to the Device Management Server (MDM-Server).


Figure 7: Device to MDM-Server communication