Machine Tunnel implementations - best practices

I am starting a thread for Machine Tunnel Best Practices, and I’m making it a new thread because the old one here for Machine Tunnel is long, and is primarily about “when will this feature be available”. This thread is more about implementation methods, what works well/best, and what to avoid.

For example, it seems to me that setting it up can open a security concern. If I create Machine Tunnel (“MT” from here onwards) access to a particular set of (minimal) internal services, then that policy is entirely dependent on having the string of characters from the Windows Application Policy Token. If that Token gets leaked, Bad People can get access to my sensitive services.

Has anyone played with combining this with ZCC Posture features, such as a cert or a registry key?


I just tried combining Posture (specifically, the Domain Joined option), but the Access Policy won’t accept a combination of Machine Tunnel and Posture. Perhaps my approach to this idea is incorrect.