by maxsaltonstall 3289 days ago
That's correct. Previous papers touch on the inventory data pipeline and machine health, though without as much detail as I might like in your shoes. Our agents track a wide variety of things on client machines, and we use that inventory data to determine how trustworthy a machine could be. [I work at Google, and helped make these papers, and blog post, happen]
Also FYI: there's visible template code here: https://cloud.google.com/iap/docs/quickstart
Interesting design. As far as I understood from old papers client certificates are used only to identify the device while user authentication is handled differently.

Could you elaborate on the technical details of user authentication? (If that's not top-super-secret.) I guess it's just like accounts.google.com for Enterprise with mandatory 2FA (username + password + U2F key?). Does it work the same on mobile/Android (U2F via NFC or codes)?

Android supports U2F via NFC and Bluetooth now, which is used for user authentication on Android devices. We've also released an (experimental?) iOS app to support U2F over Bluetooth.

https://itunes.apple.com/us/app/google-smart-lock/id11520663...

How is trust anchored?

There's TPM and secure boot - does the (presumably signed, in the trusted boot -> OS -> user binary/service path) agent access signing services from the TPM, backed by a key in the TPM, and use that to identify itself as an authentic agent?

Otherwise I can't see how an (admin) user couldn't extract the key from RAM and run the OS and agent in a VM.
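The question above about anchoring trust, and the earlier comment about inventory data feeding a trust decision, are illustrated by the following added example. It is not code from Google's papers or from the BeyondCorp agent; the `Agent`, `Server`, `Inventory` and tier thresholds are constructed for this illustration. The device key is a plain in-memory Ed25519 key standing in for a TPM-held one: the server only ever learns the public half, issues a single-use nonce, and verifies the agent's signature over nonce plus inventory before it trusts any of the reported fields. The reason a TPM matters is visible in the `Agent` type: if that private key were non-exportable, copying RAM into a VM would not let a second machine produce a valid report.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Inventory is the subset of device state a hypothetical agent reports.
// Field names and thresholds are constructed for this example.
type Inventory struct {
	DeviceID      string
	OSPatchDays   int  // days since the last OS security patch
	DiskEncrypted bool // full-disk encryption enabled
	AgentVersion  string
}

// Tier is the trust level the access proxy derives from a verified report.
type Tier int

const (
	Untrusted Tier = iota
	Low
	High
)

// Report is what the agent sends back: its inventory, the server nonce it
// signed, and the signature made with the device-bound key.
type Report struct {
	Inv   Inventory
	Nonce []byte
	Sig   []byte
}

// reportBytes fixes the serialization so both sides sign/verify the same bytes.
func reportBytes(inv Inventory, nonce []byte) []byte {
	return []byte(fmt.Sprintf("%s|%d|%t|%s|%s",
		inv.DeviceID, inv.OSPatchDays, inv.DiskEncrypted, inv.AgentVersion,
		hex.EncodeToString(nonce)))
}

// Agent stands in for the device agent. Priv is an in-memory key here; a
// TPM-backed deployment would keep it non-exportable and expose only Sign.
type Agent struct {
	Inv  Inventory
	Priv ed25519.PrivateKey
}

// Sign produces the attestation report for a server-issued nonce.
func (a *Agent) Sign(nonce []byte) Report {
	return Report{Inv: a.Inv, Nonce: nonce, Sig: ed25519.Sign(a.Priv, reportBytes(a.Inv, nonce))}
}

// Server is the verifying side: enrolled device public keys plus outstanding
// single-use nonces.
type Server struct {
	enrolled map[string]ed25519.PublicKey
	nonces   map[string]bool
}

func NewServer() *Server {
	return &Server{enrolled: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Enroll records the public half of a device's key at provisioning time.
func (s *Server) Enroll(id string, pub ed25519.PublicKey) { s.enrolled[id] = pub }

// Challenge issues a fresh random nonce and remembers it until it is redeemed.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce
}

// Verify checks nonce freshness, enrollment and the signature, then derives a
// trust tier from the now-authenticated inventory.
func (s *Server) Verify(r Report) (Tier, error) {
	key := hex.EncodeToString(r.Nonce)
	if !s.nonces[key] {
		return Untrusted, errors.New("unknown or replayed nonce")
	}
	delete(s.nonces, key) // burn the nonce whether or not the rest succeeds
	pub, ok := s.enrolled[r.Inv.DeviceID]
	if !ok {
		return Untrusted, errors.New("device not enrolled")
	}
	if !ed25519.Verify(pub, reportBytes(r.Inv, r.Nonce), r.Sig) {
		return Untrusted, errors.New("signature does not match enrolled device key")
	}
	return TierFor(r.Inv), nil
}

// TierFor maps authenticated inventory to a tier; thresholds are illustrative.
func TierFor(inv Inventory) Tier {
	if !inv.DiskEncrypted || inv.OSPatchDays > 30 {
		return Low
	}
	return High
}

// Allowed is the access decision: the device tier must meet the resource's minimum.
func Allowed(required, device Tier) bool { return device >= required }

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("laptop-01", pub)
	agent := &Agent{Inv: Inventory{DeviceID: "laptop-01", OSPatchDays: 3, DiskEncrypted: true, AgentVersion: "1.0"}, Priv: priv}
	tier, err := srv.Verify(agent.Sign(srv.Challenge()))
	fmt.Println("tier:", tier, "err:", err, "access to High resource:", Allowed(High, tier))
}
```

The order of checks in `Verify` is deliberate: the nonce is consumed before anything else, so a captured report cannot be replayed even if the signature on it is genuine, and inventory fields are only read after the signature has tied them to an enrolled key.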