> It's almost 2024, and MDM is still difficult. There are a large number of
> companies who are happy to charge recurring monthly fees, per user, for
> MDM solutions. That's bad for everyone but them.

This is true, but EAP-FIDO is still not a free lunch:

- EAP-FIDO implies the existence of a web-service to perform the initial registration
- That web-service needs to share state with the RADIUS server

Today's turnkey EAP provisioning solutions are not *conceptually* dissimilar to this (often using self-signed CAs with EAP-TLS for mutual authn; and LDAP to the Enterprise directory to authz the client cert's SAN). The onboarding would just be transparent for an end-user because of the browser/OS/TPM integration (so no "installer" to download and execute).

It would be very interesting if the initial registration could be performed in-band of EAP (using WebPKI).

> We've had ~20+ years of relying on end users to carry the burden of
> supplicant configuration. That practice is a failure, and should be replaced
> with something better,

+1

Josh

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
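The two points in the reply (a registration web-service, and state that service must share with the RADIUS server) can be made concrete with a small model. The Go program below is an added example written for this page, not code from the EAP-FIDO draft or from any IETF participant; it assumes a simplified FIDO-style credential (credential ID, P-256 public key, signature counter) and an in-memory store standing in for the database that the web-service and the RADIUS server would both read. The signed message format here (SHA-256 over challenge and counter) is a stand-in for WebAuthn's real authenticatorData/clientDataHash construction, so it illustrates the shared-state dependency and the replay check, not the wire format of EAP-FIDO.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Credential is the per-user state written by the registration web-service and
// read by the RADIUS server. In a deployment this lives in a database both can
// reach; here it is an in-memory map (an assumption made for the example).
type Credential struct {
	User      string
	PublicKey *ecdsa.PublicKey
	SignCount uint32 // last accepted authenticator counter, for replay/clone detection
}

// Store is the shared credential state, keyed by hex(credential ID).
type Store struct {
	mu    sync.Mutex
	creds map[string]*Credential
}

func NewStore() *Store { return &Store{creds: make(map[string]*Credential)} }

// Register models the web-service side of onboarding: once the browser/OS has
// completed the FIDO registration, the service persists the credential ID and
// public key under the already-authenticated user.
func (s *Store) Register(user string, credID []byte, pub *ecdsa.PublicKey) error {
	if user == "" || len(credID) == 0 || pub == nil {
		return errors.New("register: missing user, credential ID or public key")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(credID)
	if _, dup := s.creds[key]; dup {
		return errors.New("register: credential ID already registered")
	}
	s.creds[key] = &Credential{User: user, PublicKey: pub}
	return nil
}

// NewChallenge is the RADIUS side's fresh nonce for one authentication round.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedMessage is the simplified data the authenticator signs:
// SHA-256(challenge || big-endian counter). It binds freshness and the counter,
// the two facts the verifier needs, without WebAuthn's full structure.
func signedMessage(challenge []byte, counter uint32) []byte {
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	h := sha256.Sum256(append(append([]byte{}, challenge...), cnt[:]...))
	return h[:]
}

// VerifyAssertion models the RADIUS server's check. Everything it needs
// (credential ID -> user, public key, last counter) was written by the
// web-service, which is the shared-state dependency the reply points out.
// On success it returns the user name to authorize.
func (s *Store) VerifyAssertion(credID, challenge []byte, counter uint32, sig []byte) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	cred, ok := s.creds[hex.EncodeToString(credID)]
	if !ok {
		return "", errors.New("verify: unknown credential ID")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedMessage(challenge, counter), sig) {
		return "", errors.New("verify: bad signature")
	}
	// A non-increasing counter means a replayed assertion or a cloned authenticator.
	if counter <= cred.SignCount {
		return "", errors.New("verify: counter did not increase (replay or clone)")
	}
	cred.SignCount = counter
	return cred.User, nil
}

// Authenticator is a toy stand-in for the platform authenticator (TPM/secure element).
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	CredID  []byte
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, CredID: id}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge, bumping the counter as a real authenticator would.
func (a *Authenticator) Sign(challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(challenge, a.counter))
	return a.counter, sig, err
}

func main() {
	store := NewStore()
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	// Web-service side: registration of the user's credential.
	if err := store.Register("alice", auth.CredID, auth.PublicKey()); err != nil {
		panic(err)
	}
	// RADIUS side: challenge, assertion, verification against the shared state.
	ch, _ := NewChallenge()
	cnt, sig, _ := auth.Sign(ch)
	user, err := store.VerifyAssertion(auth.CredID, ch, cnt, sig)
	fmt.Println("first round:", user, err)
	// Replaying the same assertion is rejected by the counter check.
	_, err = store.VerifyAssertion(auth.CredID, ch, cnt, sig)
	fmt.Println("replay:", err)
}
```

The point to take from the model is that `Register` and `VerifyAssertion` run in different components (the web-service and the RADIUS server) yet operate on the same `Credential` record, including a counter that the verifier updates; whatever backs that record in a real deployment has to be reachable and consistent from both sides, which is the operational cost the reply contrasts with today's EAP-TLS plus LDAP setups.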