Phase 5: Client Device Registration¶
This phase enables end-user devices (Windows, macOS, Linux, iOS, and Android) to connect securely to your internal services using SSO, X.509 client certificates, and Zero Trust overlay networking (Tailscale).
Phase 5: Client Registration and Access¶
Supported Platforms¶
| OS | Access Method | Services Used |
|---|---|---|
| Windows | Tailscale + Browser | Nextcloud, Webmail, SSO |
| macOS | Tailscale + Mail.app | S/MIME, Webmail, Files |
| Linux | Tailscale + Thunderbird | SSH, S/MIME, Web |
| Android | Tailscale + K-9 Mail | S/MIME + Nextcloud App |
| iOS | Tailscale + Safari | Apple Mail + Web Access |
General Steps¶
1. Import Identity Certificate¶
- Issue a `.p12` (PKCS#12: certificate plus private key) or `.pem` identity certificate via Step-CA or a secure enrollment portal; protect the `.p12` with a passphrase and deliver the passphrase out of band
- Windows: Import into the Personal certificate store of the current user
- macOS/iOS: Deliver as a configuration profile built with Apple Configurator
- Linux: Import into Thunderbird (S/MIME) or into gpgsm, the X.509/S/MIME component of GnuPG
- Android: Import via Settings (install a user certificate) or directly in K-9 Mail
2. Join Tailscale¶
- Install Tailscale client
- Log in with SSO from Keycloak (OIDC); Tailscale accepts a custom OIDC provider only if the tailnet's domain publishes a WebFinger record that points at Keycloak
- Verify tailnet ACLs enforce proper segmentation; the policy is default-deny, so every permitted client-to-service path must appear as an explicit rule and nothing else is reachable
- Label devices and assign tags in the admin panel; a tagged device is no longer tied to the user who enrolled it, so write ACLs against tags rather than user names
3. Configure Email¶
- Set up Mailcow with SOGo (webmail) or with external mail clients
- Use SMTPS (implicit TLS) on 465 or submission with STARTTLS on 587, and sign outgoing mail with S/MIME using the identity certificate from step 1
4. Access Nextcloud or Internal Services¶
- Use browser login (SSO-enabled)
- Or native apps configured with device cert auth
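The ACL verification in step 2, as an added example that is not part of the original page or of Tailscale's own documentation: a tailnet policy file (HuJSON, so `//` comments are allowed) that segments the services in the platform table by tag. The tag names, the `alice@example.com` admin identity, and the service ports (465/587/993 for mail, 443 for webmail and Nextcloud, 22 for SSH, 1514/1515 for Wazuh agents) are assumptions chosen for the example. The `tests` stanza is evaluated by Tailscale whenever the policy is saved, so a rule that accidentally opens or closes a path fails the save.

```json
{
  // Who may apply each tag. Tagged devices drop their user identity,
  // so the ACL rules below are written against tags, not people.
  "tagOwners": {
    "tag:client": ["group:admins"],
    "tag:mail":   ["group:admins"],
    "tag:files":  ["group:admins"],
    "tag:siem":   ["group:admins"]
  },
  "groups": {
    // Hypothetical Keycloak user; group membership is what grants SSH below.
    "group:admins": ["alice@example.com"]
  },
  "acls": [
    // End-user devices reach mail only on the TLS-protected ports.
    { "action": "accept", "src": ["tag:client"],
      "dst": ["tag:mail:465", "tag:mail:587", "tag:mail:993"] },
    // Webmail (SOGo) and Nextcloud over HTTPS.
    { "action": "accept", "src": ["tag:client"],
      "dst": ["tag:mail:443", "tag:files:443"] },
    // Wazuh agent enrollment and event forwarding to the SIEM host (assumed ports).
    { "action": "accept", "src": ["tag:client"],
      "dst": ["tag:siem:1514", "tag:siem:1515"] },
    // Only admins (Keycloak users in group:admins) get SSH to tagged hosts.
    { "action": "accept", "src": ["group:admins"],
      "dst": ["tag:mail:22", "tag:files:22", "tag:siem:22"] }
  ],
  // Assertions checked on every policy save: a failing test rejects the change.
  "tests": [
    { "src": "tag:client",
      "accept": ["tag:mail:993", "tag:mail:465", "tag:files:443"],
      "deny":   ["tag:siem:9200", "tag:mail:22", "tag:files:22", "tag:client:22"] },
    { "src": "alice@example.com",
      "accept": ["tag:mail:22", "tag:siem:22"] },
    { "src": "tag:client",
      "deny":   ["tag:mail:25", "tag:mail:143"] }
  ]
}
```

The tests encode the segmentation this step asks you to verify: clients reach mail and files only on the TLS ports, cannot reach the SIEM indexer or any SSH port, and cannot reach each other, while only `group:admins` members get SSH. Because default-deny is only proven where a test names the path, add a `deny` entry for every service a client must never see, including the plaintext mail ports 25 and 143.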
Device Policy Best Practices¶
- Use full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux)
- Require password + hardware MFA (YubiKey/WebAuthn) for the Keycloak login
- Disable root/administrator access where not needed; day-to-day accounts should be unprivileged
- Expire device certificates automatically by issuing them with short lifetimes, and revoke them on offboarding rather than waiting for expiry
- Monitor device behavior via Wazuh with an agent installed on each client
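Short-lived device certificates, as an added example that is not the page's or Smallstep's own configuration: the `authority.provisioners` entry in step-ca's `ca.json` that lets users enroll with the Keycloak OIDC login from step 2 and caps certificate lifetime so the expiry practice above is enforced at issuance rather than by a cleanup job. The realm URL, client ID, domain, and admin address are assumptions; the secret is a placeholder to be copied from the Keycloak client configuration.

```json
{
  "authority": {
    "provisioners": [
      {
        "type": "OIDC",
        "name": "keycloak",
        "clientID": "step-ca",
        "clientSecret": "<client secret from the Keycloak client>",
        "configurationEndpoint": "https://sso.example.internal/realms/corp/.well-known/openid-configuration",
        "domains": ["example.internal"],
        "admins": ["alice@example.internal"],
        "claims": {
          "minTLSCertDuration": "5m",
          "defaultTLSCertDuration": "24h",
          "maxTLSCertDuration": "168h",
          "disableRenewal": false
        }
      }
    ]
  }
}
```

step-ca's default claims already cap TLS certificates at 24h; the values here allow a client to request up to one week (`168h`, Go duration syntax, so `7d` is not accepted) while defaulting to a day, and leave renewal enabled so a device that keeps renewing stays enrolled and one that stops simply drops out at expiry. `domains` restricts enrollment to identities from the Keycloak realm's mail domain, and `admins` lists the users allowed to request certificates for names other than their own.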
Output of This Phase¶
- Client devices trusted via cert, auth, and overlay
- Secure mail, file sync, and SSO login validated
- End-to-end encrypted access for remote and on-site users
Proceed to Phase 6: Logging, SIEM, and Alerting