Device Management System Low-Level Design
A device management system answers three security questions: what devices have accessed an account, how much should each device be trusted, and how do you revoke a device remotely when it is lost or compromised? This article covers device fingerprinting, trust level assignment, session-to-device binding, remote wipe command delivery, and compliance checks — with full SQL schema and Python implementation.
Device Fingerprinting
A stable device identifier cannot rely on IP address (changes on every network switch) or cookie (cleared by users). Instead, generate a fingerprint hash from attributes that rarely change:
import hashlib
import json
from typing import Optional
def compute_device_fingerprint(
user_agent: str,
screen_res: str, # e.g. "1920x1080"
timezone: str, # e.g. "America/New_York"
language: str, # e.g. "en-US"
platform: str, # e.g. "MacIntel"
canvas_hash: Optional[str] = None # optional canvas fingerprint from JS
) -> str:
"""
Returns a stable hex fingerprint for this device profile.
Not a security primitive — used for recognition, not authentication.
"""
components = {
'ua': user_agent,
'screen': screen_res,
'tz': timezone,
'lang': language,
'platform': platform,
}
if canvas_hash:
components['canvas'] = canvas_hash
canonical = json.dumps(components, sort_keys=True)
return hashlib.sha256(canonical.encode('utf-8')).hexdigest()
The fingerprint is advisory, not authoritative. Two devices may collide (same model, same settings), and a single device may drift after OS upgrades. Store it as a recognition hint alongside a server-assigned device_id UUID that the app persists locally.
SQL Schema
CREATE TYPE trust_level AS ENUM ('unknown', 'trusted', 'corporate', 'revoked');
CREATE TABLE device (
id BIGSERIAL PRIMARY KEY,
device_id UUID NOT NULL UNIQUE DEFAULT gen_random_uuid(),
user_id BIGINT NOT NULL,
fingerprint TEXT NOT NULL,
trust_level trust_level NOT NULL DEFAULT 'unknown',
name TEXT, -- user-assigned label, e.g. "Work MacBook"
platform TEXT NOT NULL, -- 'web','ios','android','desktop'
os_version TEXT,
app_version TEXT,
encryption_enabled BOOLEAN DEFAULT NULL, -- NULL = unknown
last_seen_at TIMESTAMPTZ,
last_seen_ip INET,
enrolled_at TIMESTAMPTZ, -- NULL = not MDM enrolled
wiped_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_device_user ON device (user_id, trust_level);
CREATE INDEX idx_device_fp ON device (fingerprint);
CREATE TABLE device_session (
id BIGSERIAL PRIMARY KEY,
session_id UUID NOT NULL UNIQUE DEFAULT gen_random_uuid(),
device_id UUID NOT NULL REFERENCES device(device_id) ON DELETE CASCADE,
user_id BIGINT NOT NULL,
access_token_hash TEXT NOT NULL, -- SHA-256 of the bearer token
ip_address INET,
user_agent TEXT,
expires_at TIMESTAMPTZ NOT NULL,
revoked_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_ds_device ON device_session (device_id) WHERE revoked_at IS NULL;
CREATE INDEX idx_ds_token ON device_session (access_token_hash) WHERE revoked_at IS NULL;
CREATE TABLE device_command (
id BIGSERIAL PRIMARY KEY,
device_id UUID NOT NULL REFERENCES device(device_id),
command TEXT NOT NULL CHECK (command IN ('wipe','lock','unenroll','push_policy')),
payload JSONB,
status TEXT NOT NULL DEFAULT 'pending'
CHECK (status IN ('pending','delivered','acknowledged','failed')),
issued_by BIGINT NOT NULL,
issued_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
delivered_at TIMESTAMPTZ,
acknowledged_at TIMESTAMPTZ
);
CREATE INDEX idx_dc_device_pending ON device_command (device_id, status)
WHERE status = 'pending';
Device Registration
from dataclasses import dataclass
from datetime import datetime, timezone
@dataclass
class DeviceRegistrationRequest:
user_id: int
device_id: str # client-generated UUID, persisted on device
fingerprint: str
platform: str
os_version: str
app_version: str
name: Optional[str] = None
def register_device(db, req: DeviceRegistrationRequest) -> dict:
"""
Upserts device record. Returns dict with device_id and assigned trust_level.
Trust level defaults to 'unknown'; elevated to 'trusted' after MFA confirmation,
or 'corporate' when MDM enrollment is verified.
"""
existing = db.fetchone(
"SELECT * FROM device WHERE device_id=%s", (req.device_id,)
)
if existing:
db.execute(
"""UPDATE device SET os_version=%s, app_version=%s,
last_seen_at=NOW() WHERE device_id=%s""",
(req.os_version, req.app_version, req.device_id)
)
db.commit()
return {'device_id': req.device_id, 'trust_level': existing['trust_level']}
# New device: check if fingerprint matches a known trusted device for this user
fp_match = db.fetchone(
"""SELECT trust_level FROM device
WHERE user_id=%s AND fingerprint=%s AND trust_level != 'revoked'
ORDER BY last_seen_at DESC LIMIT 1""",
(req.user_id, req.fingerprint)
)
initial_trust = fp_match['trust_level'] if fp_match else 'unknown'
db.execute(
"""INSERT INTO device
(device_id, user_id, fingerprint, trust_level, name, platform, os_version, app_version, last_seen_at)
VALUES (%s,%s,%s,%s,%s,%s,%s,%s,NOW())""",
(req.device_id, req.user_id, req.fingerprint, initial_trust,
req.name, req.platform, req.os_version, req.app_version)
)
db.commit()
return {'device_id': req.device_id, 'trust_level': initial_trust}
Session Binding to Device
Every access token is bound to a specific device. Token validation rejects the token if the device has been revoked or wiped:
import hashlib
from datetime import datetime, timezone
def validate_session(db, token: str) -> Optional[dict]:
"""Returns session+device info or None if invalid."""
token_hash = hashlib.sha256(token.encode()).hexdigest()
row = db.fetchone(
"""SELECT ds.*, d.trust_level, d.wiped_at
FROM device_session ds
JOIN device d ON d.device_id = ds.device_id
WHERE ds.access_token_hash = %s
AND ds.revoked_at IS NULL
AND ds.expires_at > NOW()""",
(token_hash,)
)
if not row:
return None
if row['wiped_at'] or row['trust_level'] == 'revoked':
# Revoke this session immediately
db.execute(
"UPDATE device_session SET revoked_at=NOW() WHERE access_token_hash=%s",
(token_hash,)
)
db.commit()
return None
return row
Remote Wipe Command
def issue_remote_wipe(db, device_id: str, issued_by: int, reason: str) -> int:
"""
Enqueues a wipe command and immediately revokes all active sessions.
Returns the command ID.
"""
# Mark device as revoked immediately (blocks new logins)
db.execute(
"UPDATE device SET trust_level='revoked', wiped_at=NOW() WHERE device_id=%s",
(device_id,)
)
# Revoke all active sessions
db.execute(
"""UPDATE device_session SET revoked_at=NOW()
WHERE device_id=%s AND revoked_at IS NULL""",
(device_id,)
)
# Enqueue wipe command for delivery when device next phones home
db.execute(
"""INSERT INTO device_command (device_id, command, payload, issued_by)
VALUES (%s, 'wipe', %s, %s)""",
(device_id, json.dumps({'reason': reason}), issued_by)
)
db.commit()
cmd = db.fetchone("SELECT lastval()")
return cmd['lastval']
def poll_pending_commands(db, device_id: str) -> list:
"""
Called by the device on every check-in. Returns pending commands
and marks them as delivered.
"""
commands = db.fetchall(
"""UPDATE device_command SET status='delivered', delivered_at=NOW()
WHERE device_id=%s AND status='pending'
RETURNING *""",
(device_id,)
)
db.commit()
return commands
Compliance Checks
from packaging.version import Version
MINIMUM_OS_VERSIONS = {
'ios': '16.0',
'android': '12',
'desktop': '0', # no restriction
}
def run_compliance_check(db, device_id: str) -> dict:
"""
Returns compliance status. Non-compliant devices are downgraded to 'unknown' trust.
"""
device = db.fetchone("SELECT * FROM device WHERE device_id=%s", (device_id,))
issues = []
# OS version check
min_ver = MINIMUM_OS_VERSIONS.get(device['platform'], '0')
if device['os_version'] and Version(device['os_version']) < Version(min_ver):
issues.append(f"OS {device['os_version']} below minimum {min_ver}")
# Encryption check
if device['encryption_enabled'] is False:
issues.append("Disk encryption disabled")
compliant = len(issues) == 0
if not compliant and device['trust_level'] == 'corporate':
db.execute(
"UPDATE device SET trust_level='unknown' WHERE device_id=%s",
(device_id,)
)
db.commit()
return {'compliant': compliant, 'issues': issues}
{
“@context”: “https://schema.org”,
“@type”: “FAQPage”,
“mainEntity”: [
{
“@type”: “Question”,
“name”: “How reliable is browser fingerprinting for device recognition?”,
“acceptedAnswer”: {
“@type”: “Answer”,
“text”: “Browser fingerprinting has roughly 90-95% stability for the same device across sessions, but it is not a security primitive. Use it as a recognition hint to pre-populate trust level when a returning device registers. Always require a server-assigned device_id UUID that the app persists in secure storage as the authoritative identifier.”
}
},
{
“@type”: “Question”,
“name”: “What happens to active sessions when a remote wipe is issued?”,
“acceptedAnswer”: {
“@type”: “Answer”,
“text”: “All active sessions for that device_id are immediately revoked in the database (revoked_at = NOW()). The device trust_level is set to ‘revoked’. Any subsequent token validation that joins against device will see the revoked status and reject the token, even if the wipe command has not yet been delivered to the physical device.”
}
},
{
“@type”: “Question”,
“name”: “How does the device receive the wipe command if it is currently offline?”,
“acceptedAnswer”: {
“@type”: “Answer”,
“text”: “The wipe command is stored in device_command with status=’pending’. When the device next establishes connectivity and calls the check-in endpoint, it receives the pending command via the poll_pending_commands function. For MDM-enrolled corporate devices, a push notification (APNs MDM push, FCM) can wake the device to check in sooner.”
}
},
{
“@type”: “Question”,
“name”: “What is the difference between ‘trusted’ and ‘corporate’ trust levels?”,
“acceptedAnswer”: {
“@type”: “Answer”,
“text”: “‘Trusted’ means the user has explicitly confirmed this personal device via MFA challenge. ‘Corporate’ means the device is enrolled in an MDM (Mobile Device Management) system and has passed compliance checks. Corporate devices typically get access to more sensitive resources and are subject to remote wipe authority by the organization.”
}
}
]
}
{
“@context”: “https://schema.org”,
“@type”: “FAQPage”,
“mainEntity”: [
{
“@type”: “Question”,
“name”: “How is device fingerprinting implemented?”,
“acceptedAnswer”: {
“@type”: “Answer”,
“text”: “User-Agent, screen resolution, timezone, and installed fonts/plugins are hashed client-side using SHA-256; the hash is sent on registration as the device fingerprint.”
}
},
{
“@type”: “Question”,
“name”: “How are trust levels assigned?”,
“acceptedAnswer”: {
“@type”: “Answer”,
“text”: “New devices start as unknown; after successful MFA verification the device is promoted to trusted; corporate devices registered via MDM are automatically assigned the corporate level.”
}
},
{
“@type”: “Question”,
“name”: “How is a remote wipe command delivered?”,
“acceptedAnswer”: {
“@type”: “Answer”,
“text”: “A DeviceCommand row with type=wipe is inserted; the device polls a /commands endpoint on next sync and executes the wipe, then confirms completion by updating the command status.”
}
},
{
“@type”: “Question”,
“name”: “How are sessions invalidated on device removal?”,
“acceptedAnswer”: {
“@type”: “Answer”,
“text”: “Removing a device triggers a cascade that revokes all active sessions bound to that device_id via a foreign-key relationship or explicit session cleanup job.”
}
}
]
}
See also: Apple Interview Guide 2026: iOS Systems, Hardware-Software Integration, and iCloud Architecture
See also: Meta Interview Guide 2026: Facebook, Instagram, WhatsApp Engineering
See also: Scale AI Interview Guide 2026: Data Infrastructure, RLHF Pipelines, and ML Engineering
See also: Atlassian Interview Guide