You generally run an agent on the client machine that verifies machine identity and configuration as part of authentication. Beyond Identity is an example.
Agents on the client can’t really be trusted unless there’s a secure boot and only authorised software is running - at which point it’s not really a personal device any more.