A live trust decision for every endpoint — from the user's device to the application server.
Trust in enterprise access isn't established by username and password alone. The device the user connects from, that device's security posture, mobile device compliance, and the real health of the application server are all parts of the decision.
TR7 ETM — Endpoint Trust Manager — turns user devices, mobile devices, and application servers into live trust signals. Device posture feeds AAM access policies; server health feeds ADC routing decisions.
The result: the access decision is not one-time but stays current throughout the session. Risky devices are blocked, compliant devices get controlled access, traffic shifts away from a strained server, and the entire process is kept on an auditable record.
Measure device trust. Manage access accordingly.
ETM is the Endpoint Trust Manager layer that collects live signals from clients, mobile devices, and application servers and connects them to TR7 AAM, ADC, Central Management, and SIEM streams.
Five capability layers, one trust model
Many enterprise access systems check the device only at connection time. If the device looks compliant at that moment, access is granted; but after the session starts, the security agent may stop, configuration may drift, or a risky process may run. The server side has a similar gap: a service that responds is assumed to be healthy. A sound trust decision comes from continuously observing device and server state.
A device may look secure at login. But once the session starts, EDR can stop, disk encryption can be disabled, a malicious process can launch, or the device can fall out of policy. The classic model can't reflect those changes into the access decision in real time.
IP address, operating-system name, or basic device info isn't enough for real trust. Software inventory, running processes, security agent state, disk encryption, certificates, and configuration must be evaluated together.
Just reporting a risky device isn't security. The operations team has to be able to quarantine the device, run a command, terminate a risky process, and collect evidence remotely.
An application server may be responding, while CPU is spiking, RAM is exhausted, disk is full, or the database connection pool is saturated. For ADC to decide correctly, it needs to know the server's internal state too.
ETM's core approach: in enterprise access, device trust, mobile compliance, and server health shouldn't be managed in separate silos. The same trust model should run on user devices, mobile devices, and application servers. ETM collects those signals in a single TR7 management layer and wires them into access, routing, incident response, and audit processes.
Enterprise devices are monitored under the same data model. The device trust score can act as a live decision input in AAM access policies.
CPU, RAM, disk, service, process, and application metrics are collected from application servers. That data feeds a live signal into ADC routing decisions.
Android and iOS devices come under the same management domain. Corporate profiles, app deployment, selective wipe, and compliance checks are managed from one platform.
ETM isn't a standalone endpoint tool — it's the trust layer of the TR7 Application Delivery and Security platform. AAM, ADC, WAAP, Central Management, and SIEM all share the same signal stream.
ETM is built from four core layers. First, device trust is measured continuously. Second, remote response is available when needed. Third, real server health flows into ADC decisions. Finally, application files, release processes, and configuration changes are monitored under integrity control.
Devices are evaluated not only at login but throughout the session. Software inventory, security agent state, hardware info, configuration changes, certificate status, network interfaces, and core security signals are collected on a regular cadence.
ETM doesn't just monitor devices — it makes them manageable. SOC and IT teams can run live queries, send commands, retrieve files, terminate risky processes, or isolate the device from the network.
The ETM agent runs on application servers and passes real server state into ADC. Traffic routing then takes into account not only an external health check but also the server's live resource state.
ETM makes application integrity visible by monitoring file, directory, binary, and configuration changes on servers. Unauthorized changes, suspected webshells, cluster drift, and release processes connect to operational decisions.
ETM manages clients, mobile devices, and servers without splitting them into separate tools. Desktop and server systems run an agent, mobile devices run MDM, and the TR7 side runs central management and a policy engine. With this architecture, enterprise device trust, application access, and server routing decisions all run over the same data path.
ETM closes the gap between device security and application access. It also brings the real state of application servers into ADC decisions, strengthening user experience and operational continuity.
EDR or antivirus stops on a user's device. In a classic setup, the user continues to access sensitive applications with their open session.
ETM recognizes this change as a trust event in real time. AAM can suspend access, require step-up MFA, or terminate the session. The SOC team can remotely isolate the device and collect forensic data.
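The mid-session scenario above, as an added example (not TR7 code or the ETM API): a hypothetical posture model in Python that compares a login-time-only check with continuous re-evaluation. Field names, penalty weights, thresholds, and the sample timeline are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical posture snapshot; field names are assumptions, not an ETM schema.
@dataclass(frozen=True)
class Posture:
    t: int                 # minutes since login
    edr_running: bool
    disk_encrypted: bool
    risky_process: bool
    in_policy: bool

# Assumed penalty weights and decision floors (illustrative values only).
PENALTY = {"edr_running": 50, "disk_encrypted": 30, "in_policy": 20}
RISKY_PROCESS_PENALTY = 60
THRESHOLDS = [(90, "allow"), (70, "step_up_mfa"), (40, "suspend")]

def trust_score(p: Posture) -> int:
    # Start at 100 and subtract a penalty for every failed control.
    lost = sum(cost for field, cost in PENALTY.items() if not getattr(p, field))
    return max(100 - lost - (RISKY_PROCESS_PENALTY if p.risky_process else 0), 0)

def decide(score: int) -> str:
    # First floor the score clears wins; below every floor the session ends.
    return next((act for floor, act in THRESHOLDS if score >= floor), "terminate")

def login_only(timeline):
    # Classic model: posture is checked once and the decision is reused.
    first = decide(trust_score(timeline[0]))
    return [(p.t, first) for p in timeline]

def continuous(timeline):
    # Re-evaluate every snapshot; a terminated session stays terminated
    # even if the device later looks healthy again.
    out, ended = [], False
    for p in timeline:
        action = "terminate" if ended else decide(trust_score(p))
        ended = ended or action == "terminate"
        out.append((p.t, action))
    return out

# Constructed session: compliant at login, then drifting out of policy.
TIMELINE = [
    Posture(0, True, True, False, True),     # all controls healthy
    Posture(10, True, True, False, False),   # device falls out of policy
    Posture(20, False, True, False, True),   # EDR stops
    Posture(30, False, True, True, True),    # EDR stopped and risky process
    Posture(40, True, True, False, True),    # looks healthy again
]
if __name__ == "__main__":
    for (t, a), (_, b) in zip(login_only(TIMELINE), continuous(TIMELINE)):
        print(f"t+{t:>2}m  login-only={a:<12} continuous={b}")
```

The login-only column stays at `allow` for the whole session, while the continuous column escalates as each control fails.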
A clinician, finance specialist, or field worker wants to access the corporate application from their own device. The device isn't in the organization's inventory, and its security posture isn't clear.
ETM checks the trust state of the mobile or desktop device. Compliant devices are granted access; risky devices face extra verification or are blocked. On mobile, work-profile separation and selective wipe keep corporate data out of the personal space.
An application server returns HTTP 200, but the database connection pool is saturated, CPU is spiking, or queue depth is rising. Users experience slowness, but the classic health check considers the server healthy.
ETM's server trust signal delivers this pressure to ADC as live data. ADC gradually lowers the server's traffic weight and routes new requests to healthier servers.
An auditor asks whether disk encryption is on across all devices, whether the security agent is running, and whether critical servers have configuration drift. In the classic model, this evidence is gathered manually from different tools.
ETM produces instant evidence from device and server inventory via live query and reporting. The audit process moves away from manual list-gathering and onto verifiable trust signals.
A logistics, energy, or healthcare field team receives new mobile devices. Manually configuring Wi-Fi, VPN, email, applications, and security settings takes time.
With ETM MDM, devices are automatically brought into corporate scope at first power-up. Required profiles, applications, and policies are deployed. If a device is lost, selective wipe or full wipe can be applied.
ETM licensing is planned by the total number of endpoints under management. Clients, mobile devices, and servers all draw from the same capacity pool. Every tier ships the same core capability set: device trust, remote action, MDM, server health signal, and integrity monitoring.
TR7 bundles include a standard ETM endpoint allowance. For broader device inventories, the capacity tiers below take over.
Every tier ships the same capability set. There is no distinction between clients, mobile, and servers — the allowance draws from a single endpoint pool.
One endpoint is one managed operating-system instance. The same user's laptop and mobile device count as two endpoints. Devices idle for 60+ consecutive days are auto-retired and the seat is reclaimed.
ETM supports device inventory, security posture, remote-access control, audit logging, and incident-response requirements. Organizations can document device and server trust state with live signals and make audit processes more measurable.
Supports technical safeguards for personal data security. Makes a verifiable contribution through device trust state, security-agent monitoring, remote response, and audit trails.
Supports remote access, device inventory, logging, third-party access, and operational auditability requirements. ETM turns those requirements into live trust signals.
Provides an additional control layer for monitoring, trust checks, and incident response on devices accessing critical systems.
Supports security-agent, configuration, access-control, and audit requirements on devices accessing the cardholder data environment.
Strengthens data separation on mobile and personal devices accessing health data via work profiles, selective wipe, and device-compliance checks.
ETM is available as a Premium add-on for all four TR7 bundles (Base, Geo, Secure, and Enterprise). The license model is per endpoint; clients, mobile devices, and servers all draw from the same capacity pool. This reduces the need for a separate MDM, endpoint management, or server observability product.
Let's model your own environment together in an ETM demo: how many endpoints to manage, which device groups will pilot, which server signals feed into ADC decisions, and how AAM access policies will be strengthened with device trust.