VN-01 · Endpoint Enrollment & Asset Visibility
Status: Delivered (token-based identity; enforced mTLS deferred to a later phase)
Roles needed: Tenant admin, plus a second tenant's admin for the isolation check
What the client asked for
"Endpoint enrollment must be tenant-owned: the tenant admin generates an enrollment token, the agent is installed in the tenant environment, the agent calls an enrollment endpoint over HTTPS, and future device identity is based on a token-for-certificate exchange."
"Rogue device detection is tenant-scoped and comes from authorized tenant environment sources" — i.e., enrolled machines must become visible as managed assets to that tenant.
What this proves
A tenant can securely onboard one of its own machines, and that machine then appears as a managed asset in the console — visible only to that tenant.
How it works (at a glance)
- The tenant admin creates an enrollment token in the console. The secret is displayed once; afterwards the token list shows only metadata (expiry, usage limit).
- The agent is installed in the tenant environment with that token and calls the enrollment endpoint over HTTPS.
- The service exchanges the token for a tenant-scoped agent identity. In Phase 1 this identity is token-based; the certificate-based, enforced-mTLS form of the exchange is deferred (see "Intentionally not in Phase 1").
- The enrolled machine is recorded as a managed asset of that tenant, an agent.enrolled audit entry is written, and later heartbeats update its "last seen" time.
- Asset and audit views are filtered by tenant server-side, so another tenant's admin cannot see the machine.
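The flow above, as an added example written for this page rather than the product's own code. It models a single enrollment service in Python: the admin mints a token whose secret is returned once and stored only as a hash, the agent exchanges that token for a tenant-bound agent identity and per-agent credential, heartbeats must present that credential, and asset and audit listings are filtered on the tenant recorded at enrollment. `EnrollmentService`, `create_token`, `enroll`, `heartbeat`, `list_assets`, `audit_for` and the token format `id.secret` are assumptions for illustration; the injectable clock exists so expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    token_id: str
    tenant_id: str
    secret_hash: str        # SHA-256 of the secret; the clear secret is never stored
    expires_at: float
    max_uses: int
    uses: int = 0


@dataclass
class Asset:
    agent_id: str
    tenant_id: str          # the asset inherits the tenant of the token that enrolled it
    hostname: str
    os_name: str
    site: str
    credential_hash: str    # hash of the per-agent credential issued at enrollment
    last_seen: float
    timeline: list = field(default_factory=list)


class EnrollmentService:
    """Assumed service (not the product's): token issue, enrollment, heartbeat, tenant views."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested offline
        self.tokens = {}        # token_id -> TokenRecord
        self.assets = {}        # agent_id -> Asset
        self.audit = []         # audit entries as dicts

    @staticmethod
    def _digest(value: str) -> str:
        # Secrets here are 256-bit random strings, so plain SHA-256 is adequate;
        # a low-entropy secret would need a salted, slow hash instead.
        return hashlib.sha256(value.encode()).hexdigest()

    def create_token(self, tenant_id: str, ttl_seconds: int, max_uses: int) -> str:
        token_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.tokens[token_id] = TokenRecord(
            token_id, tenant_id, self._digest(secret), self.now() + ttl_seconds, max_uses)
        return f"{token_id}.{secret}"   # shown once; only the hash survives server-side

    def list_tokens(self, tenant_id: str) -> list:
        # Walkthrough step 3: metadata only, never the secret value.
        return [{"id": t.token_id, "expires_at": t.expires_at,
                 "uses": t.uses, "max_uses": t.max_uses}
                for t in self.tokens.values() if t.tenant_id == tenant_id]

    def enroll(self, enrollment_token: str, hostname: str, os_name: str, site: str) -> tuple:
        """Token-for-credential exchange: a valid enrollment token yields an agent
        identity bound to the token's tenant plus a per-agent credential."""
        token_id, _, secret = enrollment_token.partition(".")
        rec = self.tokens.get(token_id)
        if rec is None or not hmac.compare_digest(rec.secret_hash, self._digest(secret)):
            raise PermissionError("unknown token or bad secret")
        if self.now() > rec.expires_at:
            raise PermissionError("token expired")
        if rec.uses >= rec.max_uses:
            raise PermissionError("token usage limit reached")
        rec.uses += 1
        agent_id = secrets.token_hex(8)
        agent_credential = secrets.token_urlsafe(32)
        self.assets[agent_id] = Asset(agent_id, rec.tenant_id, hostname, os_name, site,
                                      self._digest(agent_credential), self.now())
        self.audit.append({"event": "agent.enrolled", "tenant_id": rec.tenant_id,
                           "agent_id": agent_id, "token_id": token_id, "at": self.now()})
        return agent_id, agent_credential

    def heartbeat(self, agent_id: str, agent_credential: str) -> None:
        # Walkthrough step 6: only an agent holding its issued credential can post telemetry.
        asset = self.assets.get(agent_id)
        if asset is None or not hmac.compare_digest(asset.credential_hash,
                                                    self._digest(agent_credential)):
            raise PermissionError("agent not recognised")
        asset.last_seen = self.now()
        asset.timeline.append("telemetry heartbeat accepted")

    def list_assets(self, tenant_id: str) -> list:
        # Walkthrough step 9: the filter is applied server-side on the asset's own
        # tenant_id, so a second tenant's admin gets an empty list.
        return [a for a in self.assets.values() if a.tenant_id == tenant_id]

    def audit_for(self, tenant_id: str) -> list:
        return [e for e in self.audit if e["tenant_id"] == tenant_id]
```

The two checks a reviewer should look for in the real service are the same as in this model: the token list must be built from stored metadata that never contained the secret (not from a redacted copy of it), and the tenant on the asset must come from the token record at enrollment time, not from anything the agent sends.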
Where to look in the portal
- Settings then Enrollment Tokens
- Assets
- Audit
Validation walkthrough
| # | Action | What you should see |
|---|---|---|
| 1 | Log in as tenant admin | The console loads scoped to your tenant; you see your tenant name |
| 2 | Go to Settings then Enrollment Tokens, click Create | A new token is shown once, with an expiry and usage limit. Copy it now |
| 3 | Reload the token list | The token row is present as metadata, but the secret value is not shown again |
| 4 | (The demo machine's agent has already been installed with that token) | — |
| 5 | Go to Assets | The enrolled machine appears with hostname, operating system, site, and a recent "last seen" time |
| 6 | Click the asset row | The detail panel shows hostname, platform, site, agent ID, and a timeline entry such as "telemetry heartbeat accepted" |
| 7 | Navigate away to another page, then return to Assets | The asset is still listed (it did not disappear) |
| 8 | Open Audit | An agent.enrolled entry exists for this enrollment, attributed to your tenant |
| 9 | Log in as a different tenant's admin and open Assets | The machine from step 5 is not visible |
Pass / fail checklist
- Enrollment token is shown only once and never re-displayed in the list
- Enrolled machine appears in Assets with correct hostname, OS, and site
- Asset detail shows the agent identity and a heartbeat timeline entry
- The asset persists across navigation (does not vanish on return)
- Audit shows an agent.enrolled record for the action
- A different tenant cannot see this asset
Intentionally not in Phase 1
- Enforced mutual-TLS (mTLS) with a certificate authority. Phase 1 uses a token-based, tenant-scoped identity that is the accepted runtime-lite path.
- Automated agent packaging/installers (MSI/PKG/DEB/RPM). The demo machine is enrolled manually.
Evidence to capture
- Screenshot of the asset in the Assets list and its detail panel.
- Screenshot of the agent.enrolled audit entry.
- Screenshot of the second tenant's empty/different Assets list (isolation).