Device Identity Systems
By CtrlOne Team ·
Before you can govern a device you have to be able to name it reliably. Device identity is the quiet foundation under every other endpoint capability: apply a policy, correct drift, produce evidence, and each of those actions needs to be tied to a specific, stable machine. This article is a CtrlOne framework for thinking about device identity systems: what makes an identity durable, how enrollment establishes it, and how CtrlOne uses device identity to target toggles, version changes, and prove posture per machine without straying into being an identity provider for users.

Why identity comes first
Every governance action is really a statement about a specific device: this machine should have these controls. If you cannot reliably identify the machine, the statement has nowhere to land.
Device identity is therefore the join point for policy targeting, drift correction, and audit. A weak or unstable identity undermines all three, because actions and evidence cannot be attributed correctly.
What makes an identity durable
A good device identity survives reboots, user changes, and network moves. It should not silently change when a laptop switches subnets or a user signs out.
Durability lets history accumulate against a stable reference, so the change record and drift events for a machine stay coherent over its whole life rather than fragmenting into disconnected pieces.
- Survives reboots and network changes.
- Stays stable across user sign-ins and sign-outs.
- Anchors a coherent history for the machine.
- Lets policy target the right device reliably.
Enrollment establishes trust
Identity begins at enrollment, when a device is brought under management and associated with a tenant and group. Enrollment is where the platform first learns the machine exists and where it belongs.
CtrlOne enrolls Windows devices and ties each to its tenant and groups, which is what lets subsequent toggles reach the correct population. Clean enrollment is the difference between confident targeting and guesswork.
Identity in action across the platform
Once a device has a stable identity, everything else hangs off it. Policy is targeted to it, drift is detected and corrected against it, and its change history is versioned under it.
The console can show, per device, which toggles are enforced, whether it has drifted, and how its configuration changed over time. Evidence packs then reference the same identity so audit findings map cleanly to real machines.
- Target toggles to the correct device.
- Attribute drift and corrections to the machine.
- Version the device's configuration history.
- Map evidence-pack findings back to real endpoints.
Device identity is not user identity
It is important to keep the boundary crisp. CtrlOne handles device identity for governance; it is not an identity provider and does not authenticate users or issue credentials.
User identity, single sign-on, and multi-factor authentication belong to your identity stack. CtrlOne complements that stack by ensuring the device a user signs in on is known, governed, and in a trustworthy state.
Frequently asked questions
Why is device identity so foundational?
Every governance action targets a specific machine. Without a reliable identity, policy targeting, drift correction, and audit cannot be attributed correctly, so identity is the join point for all of them.
What makes a device identity durable?
It survives reboots, network changes, and user sign-ins, so history accumulates against a stable reference rather than fragmenting when a device moves or a user changes.
How does enrollment relate to identity?
Enrollment is where a device is brought under management and tied to its tenant and groups, establishing the identity that subsequent toggles and evidence reference.
Is CtrlOne an identity provider for users?
No. It handles device identity for governance, not user authentication. Single sign-on and multi-factor belong to your identity stack, which CtrlOne complements.
Govern devices you can name
See how CtrlOne uses stable device identity and enrollment to target policy, correct drift, and prove posture per machine.