[jesseendahl]

>except for MDM devices where the MDM profile can allow attestation for RP domains on an opt-in basis.

And even then, the attestation you get in that scenario is just an attestation that the passkey was created on a managed device. It is not a hardware/device attestation.

[lxgr]

But only Apple devices can be managed, and presumably that’s in turn attested to by Apple cryptographic keys in hardware?