diff --git a/cypress/support/commands.ts b/cypress/support/commands.ts
index 698b01a4..95857aea 100644
--- a/cypress/support/commands.ts
+++ b/cypress/support/commands.ts
@@ -34,4 +34,4 @@
 //       visit(originalFn: CommandOriginalFn, url: string, options: Partial<VisitOptions>): Chainable<Element>
 //     }
 //   }
-// }
\ No newline at end of file
+// }
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 360da5e0..9a14b340 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,24 +1,16 @@
-FROM alpine:3.14
+FROM nginx:alpine
 
-RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext \
-    nginx curl supervisor certbot-nginx && \
-    rm -rf /var/cache/apk/* && mkdir -p /run/nginx
-
-STOPSIGNAL SIGINT
 EXPOSE 80
-EXPOSE 443
-ENTRYPOINT ["/usr/bin/supervisord","-c","/etc/supervisord.conf"]
 
 WORKDIR /usr/share/nginx/html
-# copy configuration files
-COPY docker/default.conf /etc/nginx/http.d/default.conf
+
+# Copy nginx configs
 COPY docker/nginx.conf /etc/nginx/nginx.conf
-COPY docker/init_cert.sh /usr/local/init_cert.sh
-COPY docker/init_react_envs.sh /usr/local/init_react_envs.sh
-RUN chmod +x /usr/local/init_cert.sh && rm /etc/crontabs/root
-RUN chmod +x /usr/local/init_react_envs.sh
+COPY docker/default.conf /etc/nginx/conf.d/default.conf
+
+# Copy init script as an entrypoint hook (runs before nginx starts)
+COPY docker/init_react_envs.sh /docker-entrypoint.d/40-init-react-envs.sh
+RUN chmod +x /docker-entrypoint.d/40-init-react-envs.sh
 
-# configure supervisor
-COPY docker/supervisord.conf /etc/supervisord.conf
-# copy build files
-COPY out/ /usr/share/nginx/html/
\ No newline at end of file
+# Copy static build output
+COPY out/ /usr/share/nginx/html/
diff --git a/docker/init_react_envs.sh b/docker/init_react_envs.sh
index d1c5a182..4324c1e5 100644
--- a/docker/init_react_envs.sh
+++ b/docker/init_react_envs.sh
@@ -1,67 +1,67 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 
-if [[ -z "${AUTH_AUTHORITY}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${AUTH_AUTHORITY}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "AUTH_AUTHORITY or AUTH0_DOMAIN environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${AUTH_CLIENT_ID}" ]]; then
-    if [[ -z "${AUTH0_CLIENT_ID}" ]]; then
+if [ -z "${AUTH_CLIENT_ID}" ]; then
+    if [ -z "${AUTH0_CLIENT_ID}" ]; then
         echo "AUTH_CLIENT_ID or AUTH0_CLIENT_ID environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${AUTH_AUDIENCE}" ]]; then
-    if [[ -z "${AUTH0_AUDIENCE}" ]]; then
+if [ -z "${AUTH_AUDIENCE}" ]; then
+    if [ -z "${AUTH0_AUDIENCE}" ]; then
         echo "AUTH_AUDIENCE or AUTH0_AUDIENCE environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ "${AUTH_AUDIENCE}" == "none" ]]; then
+if [ "${AUTH_AUDIENCE}" = "none" ]; then
     unset AUTH_AUDIENCE
 fi
 
-if [[ -z "${AUTH_SUPPORTED_SCOPES}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${AUTH_SUPPORTED_SCOPES}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "AUTH_SUPPORTED_SCOPES environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${USE_AUTH0}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${USE_AUTH0}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "USE_AUTH0 environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${NETBIRD_MGMT_API_ENDPOINT}" ]]; then
+if [ -z "${NETBIRD_MGMT_API_ENDPOINT}" ]; then
     echo "NETBIRD_MGMT_API_ENDPOINT environment variable must be set"
     exit 1
 fi
 
-export AUTH_AUTHORITY=${AUTH_AUTHORITY:-https://$AUTH0_DOMAIN}
-export AUTH_CLIENT_ID=${AUTH_CLIENT_ID:-$AUTH0_CLIENT_ID}
-export AUTH_CLIENT_SECRET=${AUTH_CLIENT_SECRET}
-export AUTH_AUDIENCE=${AUTH_AUDIENCE:-$AUTH0_AUDIENCE}
-export AUTH_REDIRECT_URI=${AUTH_REDIRECT_URI}
-export AUTH_SILENT_REDIRECT_URI=${AUTH_SILENT_REDIRECT_URI}
-export USE_AUTH0=${USE_AUTH0:-true}
-export AUTH_SUPPORTED_SCOPES=${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}
+export AUTH_AUTHORITY="${AUTH_AUTHORITY:-https://${AUTH0_DOMAIN}}"
+export AUTH_CLIENT_ID="${AUTH_CLIENT_ID:-${AUTH0_CLIENT_ID}}"
+export AUTH_CLIENT_SECRET="${AUTH_CLIENT_SECRET}"
+export AUTH_AUDIENCE="${AUTH_AUDIENCE:-${AUTH0_AUDIENCE}}"
+export AUTH_REDIRECT_URI="${AUTH_REDIRECT_URI}"
+export AUTH_SILENT_REDIRECT_URI="${AUTH_SILENT_REDIRECT_URI}"
+export USE_AUTH0="${USE_AUTH0:-true}"
+export AUTH_SUPPORTED_SCOPES="${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}"
 
-export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
-export NETBIRD_MGMT_GRPC_API_ENDPOINT=${NETBIRD_MGMT_GRPC_API_ENDPOINT}
-export NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID}
-export NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID}
-export NETBIRD_GOOGLE_TAG_MANAGER_ID=${NETBIRD_GOOGLE_TAG_MANAGER_ID}
-export NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
-export NETBIRD_DRAG_QUERY_PARAMS=${NETBIRD_DRAG_QUERY_PARAMS:-false}
-export NETBIRD_WASM_PATH=${NETBIRD_WASM_PATH}
+export NETBIRD_MGMT_API_ENDPOINT="$(echo "$NETBIRD_MGMT_API_ENDPOINT" | sed -E 's/(:80|:443)$//')"
+export NETBIRD_MGMT_GRPC_API_ENDPOINT="${NETBIRD_MGMT_GRPC_API_ENDPOINT}"
+export NETBIRD_HOTJAR_TRACK_ID="${NETBIRD_HOTJAR_TRACK_ID}"
+export NETBIRD_GOOGLE_ANALYTICS_ID="${NETBIRD_GOOGLE_ANALYTICS_ID}"
+export NETBIRD_GOOGLE_TAG_MANAGER_ID="${NETBIRD_GOOGLE_TAG_MANAGER_ID}"
+export NETBIRD_TOKEN_SOURCE="${NETBIRD_TOKEN_SOURCE:-accessToken}"
+export NETBIRD_DRAG_QUERY_PARAMS="${NETBIRD_DRAG_QUERY_PARAMS:-false}"
+export NETBIRD_WASM_PATH="${NETBIRD_WASM_PATH}"
 
 echo "NetBird latest version: ${NETBIRD_LATEST_VERSION}"
 
@@ -74,4 +74,4 @@ for f in $(grep -R -l AUTH_SUPPORTED_SCOPES /usr/share/nginx/html); do
     cp "$f" "$f".copy
     envsubst "$ENV_STR" < "$f".copy > "$f"
     rm "$f".copy
-done
\ No newline at end of file
+done
diff --git a/docker/nginx.conf b/docker/nginx.conf
index 94024677..5b04b0cf 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -1,6 +1,4 @@
 # /etc/nginx/nginx.conf
-daemon off;
-
 user nginx;
 
 # Set number of worker processes automatically based on number of CPU cores.
@@ -136,7 +134,7 @@ http {
 
 
 	# Includes virtual hosts configs.
-	include /etc/nginx/http.d/*.conf;
+	include /etc/nginx/conf.d/*.conf;
 }
 
 # TIP: Uncomment if you use stream module.
diff --git a/package-lock.json b/package-lock.json
index 00a5a540..1e03991b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -168,7 +168,6 @@
       "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.29.0",
         "@babel/generator": "^7.29.0",
@@ -3031,7 +3030,6 @@
       "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.10.tgz",
       "integrity": "sha512-WPigyYuGhgZ/cTPRXB2EwUw+XvsRA3GqHlsP4qteqrnnjDrApbS7MxcGr/hke5iUoeB7E/gQtrs9I37zAJ0Vjw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "csstype": "^3.2.2"
       }
@@ -3041,7 +3039,6 @@
       "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-19.2.3.tgz",
       "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
       "license": "MIT",
-      "peer": true,
       "peerDependencies": {
         "@types/react": "^19.2.0"
       }
@@ -3100,7 +3097,6 @@
       "integrity": "sha512-BtE0k6cjwjLZoZixN0t5AKP0kSzlGu7FctRXYuPAm//aaiZhmfq1JwdYpYr1brzEspYyFeF+8XF5j2VK6oalrA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.54.0",
         "@typescript-eslint/types": "8.54.0",
@@ -3581,8 +3577,7 @@
       "version": "5.5.0",
       "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz",
       "integrity": "sha512-hqJHYaQb5OptNunnyAnkHyM8aCjZ1MEIDTQu1iIbbTD/xops91NB5yq1ZK/dC2JDbVWtF23zUtl9JE2NqwT87A==",
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/@xyflow/react": {
       "version": "12.10.0",
@@ -3621,7 +3616,6 @@
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -4044,7 +4038,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.9.0",
         "caniuse-lite": "^1.0.30001759",
@@ -4667,7 +4660,6 @@
       "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
       "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
       "license": "ISC",
-      "peer": true,
       "engines": {
         "node": ">=12"
       }
@@ -5196,7 +5188,6 @@
       "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz",
       "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -5394,7 +5385,6 @@
       "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@rtsao/scc": "^1.1.0",
         "array-includes": "^3.1.9",
@@ -6688,7 +6678,6 @@
       "resolved": "https://registry.npmjs.org/jiti/-/jiti-1.21.7.tgz",
       "integrity": "sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A==",
       "license": "MIT",
-      "peer": true,
       "bin": {
         "jiti": "bin/jiti.js"
       }
@@ -7446,7 +7435,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
@@ -7654,7 +7642,6 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
       "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -7695,7 +7682,6 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
       "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "scheduler": "^0.27.0"
       },
@@ -8590,7 +8576,6 @@
       "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.19.tgz",
       "integrity": "sha512-3ofp+LL8E+pK/JuPLPggVAIaEuhvIz4qNcf3nA1Xn2o/7fb7s/TYpHhwGDv1ZU3PkBluUVaF8PyCHcm48cKLWQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@alloc/quick-lru": "^5.2.0",
         "arg": "^5.0.2",
@@ -8757,7 +8742,6 @@
       "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
       "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -8923,7 +8907,6 @@
       "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -9251,7 +9234,6 @@
       "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }
diff --git a/src/app/(dashboard)/device-security/devices/page.tsx b/src/app/(dashboard)/device-security/devices/page.tsx
new file mode 100644
index 00000000..22a44885
--- /dev/null
+++ b/src/app/(dashboard)/device-security/devices/page.tsx
@@ -0,0 +1,41 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Paragraph from "@components/Paragraph";
+import SkeletonTable from "@components/skeletons/SkeletonTable";
+import { ShieldCheckIcon } from "lucide-react";
+import React, { lazy, Suspense } from "react";
+import PageContainer from "@/layouts/PageContainer";
+
+const DevicesTable = lazy(
+  () => import("@/modules/device-security/DevicesTable"),
+);
+
+export default function DevicesPage() {
+  return (
+    <PageContainer>
+      <div className={"p-default py-6"}>
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href={"/device-security/devices"}
+            label={"Device Security"}
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href={"/device-security/devices"}
+            label={"Devices"}
+            active
+          />
+        </Breadcrumbs>
+        <h1>Device Certificates</h1>
+        <Paragraph>
+          Certificates issued to devices in your network. Renew or revoke
+          certificates to control device access.
+        </Paragraph>
+      </div>
+      <Suspense fallback={<SkeletonTable />}>
+        <DevicesTable />
+      </Suspense>
+    </PageContainer>
+  );
+}
diff --git a/src/app/(dashboard)/device-security/enrollments/page.tsx b/src/app/(dashboard)/device-security/enrollments/page.tsx
new file mode 100644
index 00000000..ab928a6a
--- /dev/null
+++ b/src/app/(dashboard)/device-security/enrollments/page.tsx
@@ -0,0 +1,42 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Paragraph from "@components/Paragraph";
+import SkeletonTable from "@components/skeletons/SkeletonTable";
+import { ShieldCheckIcon } from "lucide-react";
+import React, { lazy, Suspense } from "react";
+import PageContainer from "@/layouts/PageContainer";
+
+const EnrollmentsTable = lazy(
+  () => import("@/modules/device-security/EnrollmentsTable"),
+);
+
+export default function EnrollmentsPage() {
+  return (
+    <PageContainer>
+        <div className="p-default py-6">
+          <Breadcrumbs>
+            <Breadcrumbs.Item
+              href="/device-security/enrollments"
+              label="Device Security"
+              icon={<ShieldCheckIcon size={13} />}
+            />
+            <Breadcrumbs.Item
+              href="/device-security/enrollments"
+              label="Enrollments"
+              active
+            />
+          </Breadcrumbs>
+          <h1>Device Enrollments</h1>
+          <Paragraph>
+            Review and manage device enrollment requests. Approve or reject
+            pending requests to control which devices can connect to your
+            network.
+          </Paragraph>
+        </div>
+        <Suspense fallback={<SkeletonTable />}>
+          <EnrollmentsTable />
+        </Suspense>
+    </PageContainer>
+  );
+}
diff --git a/src/app/(dashboard)/device-security/inventory/page.tsx b/src/app/(dashboard)/device-security/inventory/page.tsx
new file mode 100644
index 00000000..52191cd9
--- /dev/null
+++ b/src/app/(dashboard)/device-security/inventory/page.tsx
@@ -0,0 +1,2 @@
+import InventoryPage from "@/modules/device-security/InventoryPage";
+export default InventoryPage;
diff --git a/src/app/(dashboard)/device-security/layout.tsx b/src/app/(dashboard)/device-security/layout.tsx
new file mode 100644
index 00000000..6ad601b6
--- /dev/null
+++ b/src/app/(dashboard)/device-security/layout.tsx
@@ -0,0 +1,16 @@
+import { globalMetaTitle } from "@utils/meta";
+import type { Metadata } from "next";
+import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
+import React from "react";
+
+export const metadata: Metadata = {
+  title: `Device Security - ${globalMetaTitle}`,
+};
+
+export default function DeviceSecurityLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return <DeviceSecurityProvider>{children}</DeviceSecurityProvider>;
+}
diff --git a/src/app/(dashboard)/device-security/page.tsx b/src/app/(dashboard)/device-security/page.tsx
new file mode 100644
index 00000000..7ce120ef
--- /dev/null
+++ b/src/app/(dashboard)/device-security/page.tsx
@@ -0,0 +1,5 @@
+import { redirect } from "next/navigation";
+
+export default function DeviceSecurityPage() {
+  redirect("/device-security/settings");
+}
diff --git a/src/app/(dashboard)/device-security/settings/page.tsx b/src/app/(dashboard)/device-security/settings/page.tsx
new file mode 100644
index 00000000..012b1181
--- /dev/null
+++ b/src/app/(dashboard)/device-security/settings/page.tsx
@@ -0,0 +1,7 @@
+"use client";
+
+import DeviceSecuritySettings from "@/modules/device-security/DeviceSecuritySettings";
+
+export default function SettingsPage() {
+  return <DeviceSecuritySettings />;
+}
diff --git a/src/app/(dashboard)/device-security/trusted-cas/page.tsx b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
new file mode 100644
index 00000000..1f201ad3
--- /dev/null
+++ b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
@@ -0,0 +1,54 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import { Callout } from "@components/Callout";
+import Paragraph from "@components/Paragraph";
+import SkeletonTable from "@components/skeletons/SkeletonTable";
+import { usePortalElement } from "@hooks/usePortalElement";
+import { ShieldCheckIcon } from "lucide-react";
+import React, { lazy, Suspense } from "react";
+import PageContainer from "@/layouts/PageContainer";
+
+const TrustedCAsTable = lazy(
+  () => import("@/modules/device-security/TrustedCAsTable"),
+);
+
+export default function TrustedCAsPage() {
+  const { ref: headingRef, portalTarget } =
+    usePortalElement<HTMLHeadingElement>();
+
+  return (
+    <PageContainer>
+      <div className={"p-default py-6"}>
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href={"/device-security/trusted-cas"}
+            label={"Device Security"}
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href={"/device-security/trusted-cas"}
+            label={"Trusted CAs"}
+            active
+          />
+        </Breadcrumbs>
+        <h1 ref={headingRef}>Trusted CAs</h1>
+        <Paragraph>
+          Certificate Authorities trusted for device authentication. Upload CA
+          certificates when devices bring their own certificates signed by
+          external authorities.
+        </Paragraph>
+        <div className="mt-3">
+          <Callout variant="info">
+            Trusted CAs are used when devices present certificates signed by an
+            external CA. This is different from the built-in CA used for
+            certificate issuance.
+          </Callout>
+        </div>
+      </div>
+      <Suspense fallback={<SkeletonTable />}>
+        <TrustedCAsTable headingTarget={portalTarget} />
+      </Suspense>
+    </PageContainer>
+  );
+}
diff --git a/src/assets/icons/DeviceSecurityIcon.tsx b/src/assets/icons/DeviceSecurityIcon.tsx
new file mode 100644
index 00000000..1e1905e9
--- /dev/null
+++ b/src/assets/icons/DeviceSecurityIcon.tsx
@@ -0,0 +1,19 @@
+import { iconProperties, IconProps } from "@/assets/icons/IconProperties";
+
+export default function DeviceSecurityIcon(props: IconProps) {
+  return (
+    <svg
+      width="16"
+      height="16"
+      viewBox="0 0 24 24"
+      xmlns="http://www.w3.org/2000/svg"
+      {...iconProperties(props)}
+    >
+      <path
+        fillRule="evenodd"
+        clipRule="evenodd"
+        d="M12 1L2 5.5V11c0 6.08 4.26 11.74 10 13.16C17.74 22.74 22 17.08 22 11V5.5L12 1zm0 2.28l8 3.74V11c0 5.07-3.44 9.79-8 11.12C7.44 20.79 4 16.07 4 11V7.02l8-3.74zM16.5 9.5l-5.17 5.17-2.83-2.84-1.41 1.41 4.24 4.25 6.58-6.58L16.5 9.5z"
+      />
+    </svg>
+  );
+}
diff --git a/src/components/HelpText.tsx b/src/components/HelpText.tsx
index 87555949..1e8448a1 100644
--- a/src/components/HelpText.tsx
+++ b/src/components/HelpText.tsx
@@ -5,14 +5,17 @@ type Props = {
   children?: React.ReactNode;
   margin?: boolean;
   className?: string;
+  id?: string;
 };
 export default function HelpText({
   children,
   margin = true,
   className,
+  id,
 }: Props) {
   return (
     <span
+      id={id}
       className={cn(
         "text-[.8rem] dark:text-nb-gray-300 block font-light tracking-wide",
         margin && "mb-2",
diff --git a/src/components/Notification.tsx b/src/components/Notification.tsx
index 045d5117..e0409059 100644
--- a/src/components/Notification.tsx
+++ b/src/components/Notification.tsx
@@ -214,3 +214,11 @@ export function notify<T>(props: NotifyProps<T>) {
     duration: Infinity,
   });
 }
+
+notify.error = function notifyError(message: string) {
+  return notify({
+    title: "Error",
+    description: message,
+    promise: Promise.reject(new Error(message)),
+  });
+};
diff --git a/src/contexts/DeviceSecurityProvider.tsx b/src/contexts/DeviceSecurityProvider.tsx
new file mode 100644
index 00000000..416517eb
--- /dev/null
+++ b/src/contexts/DeviceSecurityProvider.tsx
@@ -0,0 +1,242 @@
+"use client";
+
+import useFetchApi, { useApiCall } from "@utils/api";
+import React, { useCallback, useMemo } from "react";
+import { useSWRConfig } from "swr";
+import type {
+  CAConfig,
+  CATestResult,
+  DeviceAuthSettings,
+  DeviceCert,
+  DeviceEnrollment,
+  InventoryConfig,
+  TrustedCA,
+} from "@/interfaces/DeviceSecurity";
+
+type DeviceSecurityContextValue = {
+  // Settings
+  settings: DeviceAuthSettings | undefined;
+  settingsLoading: boolean;
+  updateSettings: (s: Partial<DeviceAuthSettings>) => Promise<DeviceAuthSettings>;
+
+  // Enrollments
+  enrollments: DeviceEnrollment[] | undefined;
+  enrollmentsLoading: boolean;
+  approveEnrollment: (id: string) => Promise<void>;
+  rejectEnrollment: (id: string, reason?: string) => Promise<void>;
+
+  // Devices (issued certs)
+  devices: DeviceCert[] | undefined;
+  devicesLoading: boolean;
+  revokeDevice: (id: string) => Promise<void>;
+  renewDevice: (id: string) => Promise<void>;
+
+  // Trusted CAs
+  trustedCAs: TrustedCA[] | undefined;
+  trustedCAsLoading: boolean;
+  addTrustedCA: (name: string, pem: string) => Promise<TrustedCA>;
+  deleteTrustedCA: (id: string) => Promise<void>;
+
+  // CA Config
+  caConfig: CAConfig | undefined;
+  caConfigLoading: boolean;
+  updateCAConfig: (config: CAConfig) => Promise<CAConfig>;
+  testCAConnection: (config: CAConfig) => Promise<CATestResult>;
+
+  // Inventory Config
+  inventoryConfig: InventoryConfig | undefined;
+  inventoryConfigLoading: boolean;
+  updateInventoryConfig: (config: InventoryConfig) => Promise<InventoryConfig>;
+};
+
+const DeviceSecurityContext = React.createContext(
+  {} as DeviceSecurityContextValue,
+);
+
+export function DeviceSecurityProvider({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  const { mutate } = useSWRConfig();
+
+  const { data: settings, isLoading: settingsLoading } =
+    useFetchApi<DeviceAuthSettings>("/device-auth/settings");
+
+  const { data: enrollments, isLoading: enrollmentsLoading } =
+    useFetchApi<DeviceEnrollment[]>(
+      "/device-auth/enrollments",
+      false,
+      true,
+      true,
+      { refreshInterval: 10_000 },
+    );
+
+  const { data: devices, isLoading: devicesLoading } =
+    useFetchApi<DeviceCert[]>("/device-auth/devices");
+
+  const { data: trustedCAs, isLoading: trustedCAsLoading } =
+    useFetchApi<TrustedCA[]>("/device-auth/trusted-cas");
+
+  const { data: caConfig, isLoading: caConfigLoading } =
+    useFetchApi<CAConfig>("/device-auth/ca/config");
+
+  const { data: inventoryConfig, isLoading: inventoryConfigLoading } =
+    useFetchApi<InventoryConfig>("/device-auth/inventory/config");
+
+  const settingsRequest = useApiCall<DeviceAuthSettings>(
+    "/device-auth/settings",
+  );
+  const enrollmentRequest = useApiCall<void>("/device-auth/enrollments");
+  const deviceRequest = useApiCall<void>("/device-auth/devices");
+  const caRequest = useApiCall<TrustedCA>("/device-auth/trusted-cas");
+  const caConfigRequest = useApiCall<CAConfig>("/device-auth/ca/config");
+  const caTestRequest = useApiCall<CATestResult>("/device-auth/ca/test");
+  const inventoryConfigRequest = useApiCall<InventoryConfig>(
+    "/device-auth/inventory/config",
+  );
+
+  const updateSettings = useCallback(
+    async (s: Partial<DeviceAuthSettings>) => {
+      const updated = await settingsRequest.put(s);
+      await mutate("/device-auth/settings");
+      return updated;
+    },
+    [settingsRequest, mutate],
+  );
+
+  const approveEnrollment = useCallback(
+    async (id: string) => {
+      await enrollmentRequest.post(null, `/${id}/approve`);
+      await mutate("/device-auth/enrollments");
+    },
+    [enrollmentRequest, mutate],
+  );
+
+  const rejectEnrollment = useCallback(
+    async (id: string, reason?: string) => {
+      await enrollmentRequest.post(reason ? { reason } : null, `/${id}/reject`);
+      await mutate("/device-auth/enrollments");
+    },
+    [enrollmentRequest, mutate],
+  );
+
+  const revokeDevice = useCallback(
+    async (id: string) => {
+      await deviceRequest.post(null, `/${id}/revoke`);
+      await mutate("/device-auth/devices");
+    },
+    [deviceRequest, mutate],
+  );
+
+  const renewDevice = useCallback(
+    async (id: string) => {
+      await deviceRequest.post(null, `/${id}/cert/renew`);
+      await mutate("/device-auth/devices");
+    },
+    [deviceRequest, mutate],
+  );
+
+  const addTrustedCA = useCallback(
+    async (name: string, pem: string) => {
+      const created = await caRequest.post({ name, pem });
+      await mutate("/device-auth/trusted-cas");
+      return created;
+    },
+    [caRequest, mutate],
+  );
+
+  const deleteTrustedCA = useCallback(
+    async (id: string) => {
+      await caRequest.del(null, `/${id}`);
+      await mutate("/device-auth/trusted-cas");
+    },
+    [caRequest, mutate],
+  );
+
+  const updateCAConfig = useCallback(
+    async (config: CAConfig) => {
+      const updated = await caConfigRequest.put(config);
+      await mutate("/device-auth/ca/config");
+      return updated;
+    },
+    [caConfigRequest, mutate],
+  );
+
+  const testCAConnection = useCallback(
+    async (config: CAConfig) => {
+      return await caTestRequest.post(config);
+    },
+    [caTestRequest],
+  );
+
+  const updateInventoryConfig = useCallback(
+    async (config: InventoryConfig) => {
+      const updated = await inventoryConfigRequest.put(config);
+      await mutate("/device-auth/inventory/config");
+      return updated;
+    },
+    [inventoryConfigRequest, mutate],
+  );
+
+  const value = useMemo(
+    () => ({
+      settings,
+      settingsLoading,
+      updateSettings,
+      enrollments,
+      enrollmentsLoading,
+      approveEnrollment,
+      rejectEnrollment,
+      devices,
+      devicesLoading,
+      revokeDevice,
+      renewDevice,
+      trustedCAs,
+      trustedCAsLoading,
+      addTrustedCA,
+      deleteTrustedCA,
+      caConfig,
+      caConfigLoading,
+      updateCAConfig,
+      testCAConnection,
+      inventoryConfig,
+      inventoryConfigLoading,
+      updateInventoryConfig,
+    }),
+    [
+      settings,
+      settingsLoading,
+      updateSettings,
+      enrollments,
+      enrollmentsLoading,
+      approveEnrollment,
+      rejectEnrollment,
+      devices,
+      devicesLoading,
+      revokeDevice,
+      renewDevice,
+      trustedCAs,
+      trustedCAsLoading,
+      addTrustedCA,
+      deleteTrustedCA,
+      caConfig,
+      caConfigLoading,
+      updateCAConfig,
+      testCAConnection,
+      inventoryConfig,
+      inventoryConfigLoading,
+      updateInventoryConfig,
+    ],
+  );
+
+  return (
+    <DeviceSecurityContext.Provider value={value}>
+      {children}
+    </DeviceSecurityContext.Provider>
+  );
+}
+
+export const useDeviceSecurity = () => React.useContext(DeviceSecurityContext);
+export const useDeviceSecurityContext = () =>
+  React.useContext(DeviceSecurityContext);
diff --git a/src/contexts/UsersProvider.tsx b/src/contexts/UsersProvider.tsx
index 67a79f6a..c467e2ee 100644
--- a/src/contexts/UsersProvider.tsx
+++ b/src/contexts/UsersProvider.tsx
@@ -106,6 +106,9 @@ export const useLoggedInUser = () => {
   const { setGlobalApiParams } = useApplicationContext();
   const isOwner = loggedInUser ? loggedInUser?.role === Role.Owner : false;
   const isAdmin = loggedInUser ? loggedInUser?.role === Role.Admin : false;
+  const isCertApprover = loggedInUser
+    ? loggedInUser?.role === Role.CertApprover
+    : false;
 
   const isUser = !isOwner && !isAdmin;
   const isOwnerOrAdmin = isOwner || isAdmin;
@@ -120,6 +123,7 @@ export const useLoggedInUser = () => {
     loggedInUser,
     isOwner,
     isAdmin,
+    isCertApprover,
     isUser,
     isOwnerOrAdmin,
     logout,
diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
new file mode 100644
index 00000000..743f5532
--- /dev/null
+++ b/src/interfaces/DeviceSecurity.ts
@@ -0,0 +1,127 @@
+export type DeviceAuthMode =
+  | "disabled"
+  | "optional"
+  | "cert-only"
+  | "cert-and-sso";
+export type EnrollmentMode = "manual" | "attestation" | "both";
+export type CAType = "builtin" | "vault" | "smallstep" | "scep";
+
+export interface DeviceAuthSettings {
+  mode: DeviceAuthMode;
+  enrollment_mode: EnrollmentMode;
+  ca_type: CAType;
+  cert_validity_days: number;
+  inventory_type: string;
+  require_inventory_check: boolean;
+}
+
+export interface DeviceEnrollment {
+  id: string;
+  peer_id: string;
+  wg_public_key: string;
+  status: "pending" | "approved" | "rejected";
+  reason?: string;
+  created_at: string;
+}
+
+export interface DeviceCert {
+  id: string;
+  peer_id: string;
+  wg_public_key: string;
+  serial: string;
+  not_before: string;
+  not_after: string;
+  revoked: boolean;
+  revoked_at?: string;
+}
+
+export interface TrustedCA {
+  id: string;
+  name: string;
+  created_at: string;
+  pem?: string;
+}
+
+// CA config types — for /device-auth/ca/config endpoints
+
+export interface VaultCAConfig {
+  address: string;
+  token: string; // empty in GET response (redacted)
+  has_token: boolean;
+  mount: string;
+  role: string;
+  namespace: string;
+  timeout_seconds: number;
+}
+
+export interface SmallstepCAConfig {
+  url: string;
+  provisioner_token: string; // empty in GET response
+  has_provisioner_token: boolean;
+  fingerprint: string;
+  timeout_seconds: number;
+}
+
+export interface SCEPCAConfig {
+  url: string;
+  challenge: string; // empty in GET response
+  has_challenge: boolean;
+  timeout_seconds: number;
+}
+
+export interface CAConfig {
+  ca_type: CAType;
+  vault?: VaultCAConfig;
+  smallstep?: SmallstepCAConfig;
+  scep?: SCEPCAConfig;
+}
+
+// CA test result types — for /device-auth/ca/test endpoint
+
+export type CATestStepStatus = "ok" | "error" | "skipped";
+
+export interface CATestStep {
+  name: string;
+  status: CATestStepStatus;
+  detail: string;
+  fix_hint?: string;
+  elapsed_ms: number;
+}
+
+export interface CATestResult {
+  success: boolean;
+  steps: CATestStep[];
+}
+
+// Inventory config types — for /device-auth/inventory/config endpoints
+// Multiple sources can be enabled simultaneously (e.g., Intune for Windows + Jamf for Mac).
+
+export interface StaticInventoryConfig {
+  enabled: boolean;
+  peers: string[];     // WireGuard public keys
+  serials: string[];   // hardware serial numbers (string format, e.g. "C02XL1YLJHD5")
+}
+
+export interface IntuneInventoryConfig {
+  enabled: boolean;
+  tenant_id: string;
+  client_id: string;
+  client_secret: string;    // empty in GET response
+  has_client_secret: boolean;
+  require_compliance: boolean;
+}
+
+export interface JamfInventoryConfig {
+  enabled: boolean;
+  jamf_url: string;
+  client_id: string;
+  client_secret: string;    // empty in GET response
+  has_client_secret: boolean;
+  require_management: boolean;
+}
+
+export interface InventoryConfig {
+  static: StaticInventoryConfig;
+  intune: IntuneInventoryConfig;
+  jamf: JamfInventoryConfig;
+}
diff --git a/src/interfaces/User.ts b/src/interfaces/User.ts
index 9d6cf531..cb0adf1a 100644
--- a/src/interfaces/User.ts
+++ b/src/interfaces/User.ts
@@ -69,4 +69,5 @@ export enum Role {
   BillingAdmin = "billing_admin",
   Auditor = "auditor",
   NetworkAdmin = "network_admin",
+  CertApprover = "cert_approver",
 }
diff --git a/src/layouts/Navigation.tsx b/src/layouts/Navigation.tsx
index 4f14c695..878bf6ac 100644
--- a/src/layouts/Navigation.tsx
+++ b/src/layouts/Navigation.tsx
@@ -5,6 +5,7 @@ import { cn } from "@utils/helpers";
 import AccessControlIcon from "@/assets/icons/AccessControlIcon";
 import ControlCenterIcon from "@/assets/icons/ControlCenterIcon";
 import DNSIcon from "@/assets/icons/DNSIcon";
+import DeviceSecurityIcon from "@/assets/icons/DeviceSecurityIcon";
 import DocsIcon from "@/assets/icons/DocsIcon";
 import PeerIcon from "@/assets/icons/PeerIcon";
 import SettingsIcon from "@/assets/icons/SettingsIcon";
@@ -193,6 +194,58 @@ export default function Navigation({
                     visible={permission.dns.read}
                   />
                 </SidebarItem>
+                <SidebarItem
+                  icon={<DeviceSecurityIcon size={16} />}
+                  label={
+                    <div className={"flex items-center gap-2"}>
+                      Device Security
+                      <SmallBadge
+                        text={"Beta"}
+                        variant={"sky"}
+                        className={"text-[8px] leading-none py-[3px] px-[5px]"}
+                        textClassName={"top-0"}
+                      />
+                    </div>
+                  }
+                  collapsible
+                  visible={!isRestricted}
+                >
+                  <SidebarItem
+                    label="Settings"
+                    href="/device-security/settings"
+                    isChild
+                    exactPathMatch={true}
+                    visible={!isRestricted}
+                  />
+                  <SidebarItem
+                    label="Inventory"
+                    href="/device-security/inventory"
+                    isChild
+                    exactPathMatch={true}
+                    visible={!isRestricted}
+                  />
+                  <SidebarItem
+                    label="Enrollments"
+                    href="/device-security/enrollments"
+                    isChild
+                    exactPathMatch={true}
+                    visible={!isRestricted}
+                  />
+                  <SidebarItem
+                    label="Devices"
+                    href="/device-security/devices"
+                    isChild
+                    exactPathMatch={true}
+                    visible={!isRestricted}
+                  />
+                  <SidebarItem
+                    label="Trusted CAs"
+                    href="/device-security/trusted-cas"
+                    isChild
+                    exactPathMatch={true}
+                    visible={!isRestricted}
+                  />
+                </SidebarItem>
                 <SidebarItem
                   icon={<TeamIcon />}
                   label="Team"
diff --git a/src/modules/device-security/AddTrustedCAModal.tsx b/src/modules/device-security/AddTrustedCAModal.tsx
new file mode 100644
index 00000000..8fa4f765
--- /dev/null
+++ b/src/modules/device-security/AddTrustedCAModal.tsx
@@ -0,0 +1,140 @@
+"use client";
+
+import Button from "@components/Button";
+import HelpText from "@components/HelpText";
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import {
+  Modal,
+  ModalClose,
+  ModalContent,
+  ModalFooter,
+  ModalTrigger,
+} from "@components/modal/Modal";
+import ModalHeader from "@components/modal/ModalHeader";
+import { notify } from "@components/Notification";
+import Separator from "@components/Separator";
+import { Textarea } from "@components/Textarea";
+import { ShieldCheckIcon, PlusCircle } from "lucide-react";
+import React, { useMemo, useState } from "react";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+
+const PEM_HEADER = "-----BEGIN CERTIFICATE-----";
+const PEM_FOOTER = "-----END CERTIFICATE-----";
+
+type Props = {
+  children: React.ReactNode;
+};
+
+export default function AddTrustedCAModal({ children }: Readonly<Props>) {
+  const [open, setOpen] = useState(false);
+
+  return (
+    <Modal open={open} onOpenChange={setOpen} key={open ? 1 : 0}>
+      <ModalTrigger asChild>{children}</ModalTrigger>
+      <AddTrustedCAModalContent onSuccess={() => setOpen(false)} />
+    </Modal>
+  );
+}
+
+type ContentProps = {
+  onSuccess: () => void;
+};
+
+function AddTrustedCAModalContent({ onSuccess }: Readonly<ContentProps>) {
+  const { addTrustedCA } = useDeviceSecurity();
+
+  const [name, setName] = useState("");
+  const [pem, setPem] = useState("");
+
+  const pemError = useMemo(() => {
+    const trimmed = pem.trim();
+    if (trimmed.length === 0) return undefined;
+    if (!trimmed.startsWith(PEM_HEADER)) {
+      return `Must start with "${PEM_HEADER}"`;
+    }
+    if (!trimmed.endsWith(PEM_FOOTER)) {
+      return `Must end with "${PEM_FOOTER}"`;
+    }
+    return undefined;
+  }, [pem]);
+
+  const isDisabled = useMemo(() => {
+    return (
+      name.trim().length === 0 ||
+      pem.trim().length === 0 ||
+      pemError !== undefined
+    );
+  }, [name, pem, pemError]);
+
+  const handleSubmit = () => {
+    const trimmedName = name.trim();
+    const trimmedPem = pem.trim();
+
+    notify({
+      title: "Adding trusted CA",
+      description: `"${trimmedName}" was added successfully`,
+      promise: addTrustedCA(trimmedName, trimmedPem).then(() => {
+        onSuccess();
+      }),
+      loadingMessage: "Adding trusted CA...",
+    });
+  };
+
+  return (
+    <ModalContent maxWidthClass="max-w-lg">
+      <ModalHeader
+        icon={<ShieldCheckIcon />}
+        title="Add Trusted CA"
+        description="Upload a trusted Certificate Authority to authenticate devices"
+        color="netbird"
+      />
+
+      <Separator />
+
+      <div className="px-8 py-6 flex flex-col gap-6">
+        <div>
+          <Label>Name</Label>
+          <HelpText>A descriptive name for this Certificate Authority</HelpText>
+          <Input
+            placeholder="e.g., Corporate Root CA"
+            value={name}
+            onChange={(e) => setName(e.target.value)}
+          />
+        </div>
+
+        <div>
+          <Label>PEM Certificate</Label>
+          <HelpText>
+            Paste the PEM-encoded certificate. Must begin with{" "}
+            <code className="text-xs">{PEM_HEADER}</code>
+          </HelpText>
+          <Textarea
+            placeholder={`${PEM_HEADER}\n...\n-----END CERTIFICATE-----`}
+            value={pem}
+            rows={8}
+            onChange={(e) => setPem(e.target.value)}
+            error={pemError}
+          />
+        </div>
+      </div>
+
+      <ModalFooter className="items-center">
+        <div className="flex gap-3 w-full justify-end">
+          <ModalClose asChild>
+            <Button variant="secondary">Cancel</Button>
+          </ModalClose>
+
+          <Button
+            variant="primary"
+            onClick={handleSubmit}
+            disabled={isDisabled}
+          >
+            <PlusCircle size={16} />
+            Add CA
+          </Button>
+        </div>
+      </ModalFooter>
+    </ModalContent>
+  );
+}
diff --git a/src/modules/device-security/CAConfigSection.tsx b/src/modules/device-security/CAConfigSection.tsx
new file mode 100644
index 00000000..2a798d2f
--- /dev/null
+++ b/src/modules/device-security/CAConfigSection.tsx
@@ -0,0 +1,156 @@
+"use client";
+
+import React from "react";
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import type {
+  CAConfig,
+  CAType,
+  SCEPCAConfig,
+  SmallstepCAConfig,
+  VaultCAConfig,
+} from "@/interfaces/DeviceSecurity";
+import { PasswordField } from "./PasswordField";
+
+const DEFAULT_VAULT: VaultCAConfig = {
+  address: "",
+  token: "",
+  has_token: false,
+  mount: "pki",
+  role: "netbird",
+  namespace: "",
+  timeout_seconds: 30,
+};
+
+const DEFAULT_SMALLSTEP: SmallstepCAConfig = {
+  url: "",
+  provisioner_token: "",
+  has_provisioner_token: false,
+  fingerprint: "",
+  timeout_seconds: 30,
+};
+
+const DEFAULT_SCEP: SCEPCAConfig = {
+  url: "",
+  challenge: "",
+  has_challenge: false,
+  timeout_seconds: 30,
+};
+
+interface CAConfigSectionProps {
+  caType: CAType;
+  config: CAConfig;
+  onChange: (config: CAConfig) => void;
+}
+
+export function CAConfigSection({ caType, config, onChange }: CAConfigSectionProps) {
+  const updateVault = (updates: Partial<VaultCAConfig>) =>
+    onChange({ ...config, ca_type: caType, vault: { ...(config.vault ?? DEFAULT_VAULT), ...updates } });
+
+  const updateSmallstep = (updates: Partial<SmallstepCAConfig>) =>
+    onChange({ ...config, ca_type: caType, smallstep: { ...(config.smallstep ?? DEFAULT_SMALLSTEP), ...updates } });
+
+  const updateSCEP = (updates: Partial<SCEPCAConfig>) =>
+    onChange({ ...config, ca_type: caType, scep: { ...(config.scep ?? DEFAULT_SCEP), ...updates } });
+
+  if (caType === "builtin") return null;
+
+  const title =
+    caType === "vault"
+      ? "HashiCorp Vault Configuration"
+      : caType === "smallstep"
+        ? "Smallstep CA Configuration"
+        : "SCEP Configuration";
+
+  return (
+    <div className="flex flex-col gap-4 rounded-md border border-nb-gray-900 bg-nb-gray-940 p-4">
+      <p className="text-sm font-medium text-nb-gray-300">{title}</p>
+
+      {caType === "vault" && (
+        <div className="flex flex-col gap-3">
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="vault-address">Vault Address</Label>
+            <Input
+              id="vault-address"
+              type="url"
+              placeholder="https://vault.example.com:8200"
+              value={config.vault?.address ?? ""}
+              onChange={(e) => updateVault({ address: e.target.value })}
+            />
+          </div>
+          <PasswordField
+            id="vault-token"
+            label="Token"
+            value={config.vault?.token ?? ""}
+            hasExisting={config.vault?.has_token}
+            onChange={(v) => updateVault({ token: v })}
+          />
+          <div className="grid grid-cols-2 gap-3">
+            <div className="flex flex-col gap-1">
+              <Label htmlFor="vault-mount">Mount</Label>
+              <Input id="vault-mount" placeholder="pki" value={config.vault?.mount ?? ""} onChange={(e) => updateVault({ mount: e.target.value })} />
+            </div>
+            <div className="flex flex-col gap-1">
+              <Label htmlFor="vault-role">Role</Label>
+              <Input id="vault-role" placeholder="netbird" value={config.vault?.role ?? ""} onChange={(e) => updateVault({ role: e.target.value })} />
+            </div>
+          </div>
+          <div className="grid grid-cols-2 gap-3">
+            <div className="flex flex-col gap-1">
+              <Label htmlFor="vault-namespace">Namespace (optional)</Label>
+              <Input id="vault-namespace" value={config.vault?.namespace ?? ""} onChange={(e) => updateVault({ namespace: e.target.value })} />
+            </div>
+            <div className="flex flex-col gap-1">
+              <Label htmlFor="vault-timeout">Timeout (seconds)</Label>
+              <Input id="vault-timeout" type="number" min={1} max={300} value={config.vault?.timeout_seconds ?? 30} onChange={(e) => updateVault({ timeout_seconds: parseInt(e.target.value, 10) || 30 })} />
+            </div>
+          </div>
+        </div>
+      )}
+
+      {caType === "smallstep" && (
+        <div className="flex flex-col gap-3">
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="step-url">Smallstep CA URL</Label>
+            <Input id="step-url" type="url" placeholder="https://ca.example.com" value={config.smallstep?.url ?? ""} onChange={(e) => updateSmallstep({ url: e.target.value })} />
+          </div>
+          <PasswordField
+            id="step-token"
+            label="Provisioner Token"
+            value={config.smallstep?.provisioner_token ?? ""}
+            hasExisting={config.smallstep?.has_provisioner_token}
+            onChange={(v) => updateSmallstep({ provisioner_token: v })}
+          />
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="step-fingerprint">Root CA Fingerprint</Label>
+            <Input id="step-fingerprint" placeholder="sha256:abc123..." value={config.smallstep?.fingerprint ?? ""} onChange={(e) => updateSmallstep({ fingerprint: e.target.value })} />
+          </div>
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="step-timeout">Timeout (seconds)</Label>
+            <Input id="step-timeout" type="number" min={1} max={300} value={config.smallstep?.timeout_seconds ?? 30} onChange={(e) => updateSmallstep({ timeout_seconds: parseInt(e.target.value, 10) || 30 })} />
+          </div>
+        </div>
+      )}
+
+      {caType === "scep" && (
+        <div className="flex flex-col gap-3">
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="scep-url">SCEP URL</Label>
+            <Input id="scep-url" type="url" placeholder="https://scep.example.com/scep" value={config.scep?.url ?? ""} onChange={(e) => updateSCEP({ url: e.target.value })} />
+          </div>
+          <PasswordField
+            id="scep-challenge"
+            label="Challenge (optional)"
+            value={config.scep?.challenge ?? ""}
+            hasExisting={config.scep?.has_challenge}
+            onChange={(v) => updateSCEP({ challenge: v })}
+          />
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="scep-timeout">Timeout (seconds)</Label>
+            <Input id="scep-timeout" type="number" min={1} max={300} value={config.scep?.timeout_seconds ?? 30} onChange={(e) => updateSCEP({ timeout_seconds: parseInt(e.target.value, 10) || 30 })} />
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
diff --git a/src/modules/device-security/CATestPanel.tsx b/src/modules/device-security/CATestPanel.tsx
new file mode 100644
index 00000000..abf35d60
--- /dev/null
+++ b/src/modules/device-security/CATestPanel.tsx
@@ -0,0 +1,87 @@
+"use client";
+
+import { CheckCircle, ChevronDown, ChevronUp, MinusCircle, XCircle } from "lucide-react";
+import React, { useState } from "react";
+import type { CATestResult, CATestStep } from "@/interfaces/DeviceSecurity";
+
+const STEP_LABELS: Record<string, string> = {
+  generate_csr: "Generate CSR",
+  sign_certificate: "Sign Certificate",
+  verify_certificate: "Verify Certificate",
+  revoke_certificate: "Revoke Certificate",
+  verify_crl: "Verify CRL",
+};
+
+function StepRow({ step }: { step: CATestStep }) {
+  const [expanded, setExpanded] = useState(step.status === "error");
+  const hasDetails = Boolean(step.detail || step.fix_hint);
+
+  const icon =
+    step.status === "ok" ? (
+      <CheckCircle className="h-4 w-4 shrink-0 text-green-500" />
+    ) : step.status === "error" ? (
+      <XCircle className="h-4 w-4 shrink-0 text-red-500" />
+    ) : (
+      <MinusCircle className="h-4 w-4 shrink-0 text-gray-400" />
+    );
+
+  return (
+    <div className="flex flex-col gap-1">
+      <div className="flex items-center justify-between gap-2">
+        <div className="flex items-center gap-2">
+          {icon}
+          <span className="text-sm font-medium">{STEP_LABELS[step.name] ?? step.name}</span>
+          {step.elapsed_ms > 0 && (
+            <span className="text-xs text-gray-400">{step.elapsed_ms}ms</span>
+          )}
+        </div>
+        {hasDetails && (
+          <button
+            type="button"
+            aria-label={expanded ? `Hide ${STEP_LABELS[step.name] ?? step.name} details` : `Show ${STEP_LABELS[step.name] ?? step.name} details`}
+            onClick={() => setExpanded((e) => !e)}
+            className="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+          >
+            {expanded ? <ChevronUp className="h-3 w-3" /> : <ChevronDown className="h-3 w-3" />}
+          </button>
+        )}
+      </div>
+      {expanded && step.detail && (
+        <p className="ml-6 text-xs text-gray-500 dark:text-gray-400">{step.detail}</p>
+      )}
+      {expanded && step.fix_hint && (
+        <div className="ml-6 rounded bg-red-50 p-2 text-xs text-red-700 dark:bg-red-950 dark:text-red-300">
+          <span className="font-medium">How to fix: </span>
+          {step.fix_hint}
+        </div>
+      )}
+    </div>
+  );
+}
+
+export function CATestPanel({ result }: { result: CATestResult }) {
+  return (
+    <div
+      className={`flex flex-col gap-3 rounded-lg border p-4 ${
+        result.success
+          ? "border-green-200 bg-green-50 dark:border-green-800 dark:bg-green-950"
+          : "border-red-200 bg-red-50 dark:border-red-800 dark:bg-red-950"
+      }`}
+    >
+      <p
+        className={`text-sm font-semibold ${
+          result.success
+            ? "text-green-700 dark:text-green-300"
+            : "text-red-700 dark:text-red-300"
+        }`}
+      >
+        {result.success ? "All tests passed" : "Test failed"}
+      </p>
+      <div className="flex flex-col gap-2">
+        {result.steps.map((step) => (
+          <StepRow key={step.name} step={step} />
+        ))}
+      </div>
+    </div>
+  );
+}
diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
new file mode 100644
index 00000000..0a154775
--- /dev/null
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -0,0 +1,510 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Button from "@components/Button";
+import { Callout } from "@components/Callout";
+import FancyToggleSwitch from "@components/FancyToggleSwitch";
+import HelpText from "@components/HelpText";
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import { notify } from "@components/Notification";
+import Paragraph from "@components/Paragraph";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@components/Select";
+import { useHasChanges } from "@hooks/useHasChanges";
+import {
+  AlertTriangleIcon,
+  KeyIcon,
+  ShieldCheckIcon,
+} from "lucide-react";
+import Link from "next/link";
+import React, { useCallback, useEffect, useState } from "react";
+import Skeleton from "react-loading-skeleton";
+import { useDeviceSecurityContext } from "@/contexts/DeviceSecurityProvider";
+import type {
+  CAConfig,
+  CATestResult,
+  CAType,
+  DeviceAuthMode,
+  EnrollmentMode,
+} from "@/interfaces/DeviceSecurity";
+import PageContainer from "@/layouts/PageContainer";
+import { CAConfigSection } from "./CAConfigSection";
+import { CATestPanel } from "./CATestPanel";
+
+const DEVICE_AUTH_MODES: DeviceAuthMode[] = ["disabled", "optional", "cert-only", "cert-and-sso"];
+const ENROLLMENT_MODES: EnrollmentMode[] = ["manual", "attestation", "both"];
+const CA_TYPES: CAType[] = ["builtin", "vault", "smallstep", "scep"];
+
+function isDeviceAuthMode(v: string): v is DeviceAuthMode {
+  return DEVICE_AUTH_MODES.includes(v as DeviceAuthMode);
+}
+function isEnrollmentMode(v: string): v is EnrollmentMode {
+  return ENROLLMENT_MODES.includes(v as EnrollmentMode);
+}
+function isCAType(v: string): v is CAType {
+  return CA_TYPES.includes(v as CAType);
+}
+
+const MODE_LABELS: Record<DeviceAuthMode, string> = {
+  disabled: "Disabled",
+  optional: "Optional",
+  "cert-only": "Certificate Only",
+  "cert-and-sso": "Certificate + SSO",
+};
+
+const MODE_DESCRIPTIONS: Record<DeviceAuthMode, string> = {
+  disabled: "Device certificate authentication is not used",
+  optional: "Devices may authenticate with certificates but it is not required",
+  "cert-only": "Only devices with valid certificates can connect",
+  "cert-and-sso": "Devices must have a valid certificate and SSO authentication",
+};
+
+const ENROLLMENT_LABELS: Record<EnrollmentMode, string> = {
+  manual: "Manual",
+  attestation: "Attestation",
+  both: "Both",
+};
+
+const ENROLLMENT_DESCRIPTIONS: Record<EnrollmentMode, string> = {
+  manual: "You approve each device. New devices wait in the Enrollments queue until an admin clicks Approve",
+  attestation: "Managed devices are approved automatically. Requires your MDM (Intune or Jamf) or a static device allow-list to be configured.",
+  both: "Managed devices get in automatically; unmanaged devices wait for manual approval",
+};
+
+const CA_TYPE_LABELS: Record<CAType, string> = {
+  builtin: "Built-in CA",
+  vault: "HashiCorp Vault",
+  smallstep: "Smallstep CA",
+  scep: "SCEP",
+};
+
+/**
+ * Returns a copy of config that only includes the sub-object for the active
+ * caType. Strips credentials for inactive CA types before sending to the API.
+ */
+function buildCleanCAConfig(config: CAConfig, caType: CAType): CAConfig {
+  const clean: CAConfig = { ca_type: caType };
+  if (caType === "vault" && config.vault) clean.vault = config.vault;
+  else if (caType === "smallstep" && config.smallstep) clean.smallstep = config.smallstep;
+  else if (caType === "scep" && config.scep) clean.scep = config.scep;
+  return clean;
+}
+
+export default function DeviceSecuritySettings() {
+  const {
+    settings,
+    settingsLoading,
+    updateSettings,
+    devices,
+    caConfig,
+    updateCAConfig,
+    testCAConnection,
+  } = useDeviceSecurityContext();
+
+  const [mode, setMode] = useState<DeviceAuthMode>("disabled");
+  const [enrollmentMode, setEnrollmentMode] = useState<EnrollmentMode>("manual");
+  const [caType, setCaType] = useState<CAType>("builtin");
+  const [certValidityDays, setCertValidityDays] = useState(365);
+  const [requireInventoryCheck, setRequireInventoryCheck] = useState(false);
+  const [localCAConfig, setLocalCAConfig] = useState<CAConfig>({ ca_type: "builtin" });
+  const [testResult, setTestResult] = useState<CATestResult | null>(null);
+  const [testing, setTesting] = useState(false);
+
+  const { hasChanges, updateRef } = useHasChanges([
+    mode,
+    enrollmentMode,
+    caType,
+    certValidityDays,
+    requireInventoryCheck,
+    localCAConfig,
+  ]);
+
+  useEffect(() => {
+    if (!settings) return;
+    const newMode = isDeviceAuthMode(settings.mode) ? settings.mode : "disabled";
+    const newEnrollment = isEnrollmentMode(settings.enrollment_mode) ? settings.enrollment_mode : "manual";
+    const newCAType = isCAType(settings.ca_type) ? settings.ca_type : "builtin";
+    const newCertValidity = settings.cert_validity_days > 0 ? settings.cert_validity_days : 365;
+    const newRequireInventoryCheck = settings.require_inventory_check ?? false;
+    setMode(newMode);
+    setEnrollmentMode(newEnrollment);
+    setCaType(newCAType);
+    setCertValidityDays(newCertValidity);
+    setRequireInventoryCheck(newRequireInventoryCheck);
+    updateRef([newMode, newEnrollment, newCAType, newCertValidity, newRequireInventoryCheck, localCAConfig]);
+  }, [settings]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  useEffect(() => {
+    if (!caConfig) return;
+    setLocalCAConfig(caConfig);
+    updateRef([mode, enrollmentMode, caType, certValidityDays, requireInventoryCheck, caConfig]);
+  }, [caConfig]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  const activeCertCount = devices?.filter((d) => !d.revoked).length ?? 0;
+  const showCertOnlyWarning =
+    (mode === "cert-only" || mode === "cert-and-sso") && activeCertCount === 0;
+
+  const handleSave = useCallback(async () => {
+    const settingsPromise = updateSettings({
+      mode,
+      enrollment_mode: enrollmentMode,
+      ca_type: caType,
+      cert_validity_days: certValidityDays,
+      require_inventory_check: requireInventoryCheck,
+    });
+    notify({
+      title: "Device Security Settings",
+      description: "Settings saved successfully.",
+      promise: settingsPromise,
+      loadingMessage: "Saving settings...",
+    });
+    try {
+      await settingsPromise;
+    } catch {
+      return;
+    }
+
+    if (caType !== "builtin") {
+      const caPromise = updateCAConfig(buildCleanCAConfig(localCAConfig, caType));
+      notify({
+        title: "CA Configuration",
+        description: "CA configuration saved successfully.",
+        promise: caPromise,
+        loadingMessage: "Saving CA configuration...",
+      });
+      try {
+        await caPromise;
+      } catch {
+        return;
+      }
+    }
+
+    updateRef([mode, enrollmentMode, caType, certValidityDays, requireInventoryCheck, localCAConfig]);
+  }, [
+    mode,
+    enrollmentMode,
+    caType,
+    certValidityDays,
+    requireInventoryCheck,
+    localCAConfig,
+    settings,
+    updateSettings,
+    updateCAConfig,
+    updateRef,
+  ]);
+
+  const handleTestCA = useCallback(async () => {
+    setTesting(true);
+    setTestResult(null);
+    try {
+      const result = await testCAConnection(buildCleanCAConfig(localCAConfig, caType));
+      setTestResult(result ?? {
+        success: false,
+        steps: [{
+          name: "generate_csr",
+          status: "error" as const,
+          detail: "Request failed. Check network connection and try again.",
+          elapsed_ms: 0,
+        }],
+      });
+    } catch (e) {
+      setTestResult({
+        success: false,
+        steps: [{
+          name: "generate_csr",
+          status: "error" as const,
+          detail: e instanceof Error ? e.message : "Unexpected error",
+          elapsed_ms: 0,
+        }],
+      });
+    } finally {
+      setTesting(false);
+    }
+  }, [localCAConfig, testCAConnection]);
+
+  if (settingsLoading) {
+    return (
+      <PageContainer>
+        <div className={"p-default py-6 max-w-2xl"}>
+          <Skeleton height={24} width={200} className={"mb-6"} />
+          <Skeleton height={32} width={110} className={"mb-10"} />
+          <div className={"mb-8"}>
+            <Skeleton height={17} width={200} className={"mb-2"} />
+            <Skeleton height={80} width={"100%"} />
+          </div>
+          <div className={"mb-8"}>
+            <Skeleton height={17} width={200} className={"mb-2"} />
+            <Skeleton height={80} width={"100%"} />
+          </div>
+          <Skeleton height={80} width={"100%"} />
+        </div>
+      </PageContainer>
+    );
+  }
+
+  if (!settingsLoading && !settings) {
+    return (
+      <PageContainer>
+        <div className={"p-default py-6 max-w-2xl"}>
+          <Callout variant={"error"}>
+            Failed to load device security settings. Please refresh the page and try again.
+          </Callout>
+        </div>
+      </PageContainer>
+    );
+  }
+
+  return (
+    <PageContainer>
+      <div className={"p-default py-6 max-w-2xl"}>
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href={"/device-security"}
+            label={"Device Security"}
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href={"/device-security/settings"}
+            label={"Settings"}
+            active
+            icon={<KeyIcon size={14} />}
+          />
+        </Breadcrumbs>
+
+        <div className={"flex items-start justify-between"}>
+          <div>
+            <h1>Device Security Settings</h1>
+            <Paragraph>
+              Configure device certificate authentication and enrollment.
+            </Paragraph>
+          </div>
+          <Button
+            variant={"primary"}
+            disabled={!hasChanges}
+            onClick={handleSave}
+            data-cy={"save-settings"}
+          >
+            Save Changes
+          </Button>
+        </div>
+
+        <div className={"flex flex-col gap-6 w-full mt-8"}>
+          {/* Authentication Mode */}
+          <SettingRow
+            label="Authentication Mode"
+            help="Controls how device certificates are used for authentication"
+          >
+            <Select
+              value={mode}
+              onValueChange={(v) => {
+                if (isDeviceAuthMode(v)) setMode(v);
+              }}
+            >
+              <SelectTrigger>
+                <SelectValue />
+              </SelectTrigger>
+              <SelectContent>
+                {Object.entries(MODE_LABELS).map(([value, label]) => (
+                  <SelectItem
+                    key={value}
+                    value={value}
+                    description={MODE_DESCRIPTIONS[value as DeviceAuthMode]}
+                  >
+                    {label}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          </SettingRow>
+
+          {showCertOnlyWarning && (
+            <Callout variant={"warning"} icon={<AlertTriangleIcon size={14} />}>
+              No devices currently have active certificates. Switching to
+              certificate-only mode may lock out all devices.
+            </Callout>
+          )}
+
+          {/* Enrollment Mode */}
+          <SettingRow
+            label="Enrollment Mode"
+            help="How new devices are enrolled and issued certificates"
+          >
+            <Select
+              value={enrollmentMode}
+              onValueChange={(v) => {
+                if (isEnrollmentMode(v)) setEnrollmentMode(v);
+              }}
+            >
+              <SelectTrigger>
+                <SelectValue />
+              </SelectTrigger>
+              <SelectContent>
+                {Object.entries(ENROLLMENT_LABELS).map(([value, label]) => (
+                  <SelectItem
+                    key={value}
+                    value={value}
+                    description={ENROLLMENT_DESCRIPTIONS[value as EnrollmentMode]}
+                  >
+                    {label}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          </SettingRow>
+
+          {/* Attestation callout */}
+          {(enrollmentMode === "attestation" || enrollmentMode === "both") && (
+            <Callout variant="info">
+              Attestation requires inventory configuration. Configure your MDM (Intune, Jamf) or a static device allow-list.{" "}
+              <Link
+                href="/device-security/inventory"
+                className="font-medium underline"
+              >
+                Go to Inventory →
+              </Link>
+            </Callout>
+          )}
+
+          {/* Inventory check for manual enrollment */}
+          {(enrollmentMode === "manual" || enrollmentMode === "both") && (
+            <FancyToggleSwitch
+              value={requireInventoryCheck}
+              onChange={setRequireInventoryCheck}
+              label="Require inventory check before enrollment"
+              helpText={
+                <>
+                  When enabled, a device serial number must be found in your{" "}
+                  <Link
+                    href="/device-security/inventory"
+                    className="font-medium underline"
+                    onClick={(e) => e.stopPropagation()}
+                  >
+                    configured inventory
+                  </Link>{" "}
+                  before its enrollment request is accepted. Devices not in the inventory are silently rejected and never appear in the approval queue.
+                </>
+              }
+              data-cy={"require-inventory-check"}
+            />
+          )}
+
+          {/* Certificate Authority */}
+          <SettingRow
+            label="Certificate Authority"
+            help="Choose between the built-in CA or an external CA for signing device certificates"
+          >
+            <Select
+              value={caType}
+              onValueChange={(v) => {
+                if (isCAType(v)) {
+                  setCaType(v);
+                  setLocalCAConfig((prev) => ({ ...prev, ca_type: v }));
+                }
+              }}
+            >
+              <SelectTrigger>
+                <SelectValue />
+              </SelectTrigger>
+              <SelectContent>
+                {Object.entries(CA_TYPE_LABELS).map(([value, label]) => (
+                  <SelectItem key={value} value={value}>
+                    {label}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          </SettingRow>
+
+          {/* CA-specific config section */}
+          {caType !== "builtin" && (
+            <CAConfigSection
+              caType={caType}
+              config={localCAConfig}
+              onChange={setLocalCAConfig}
+            />
+          )}
+
+          {/* Test Connection */}
+          {caType !== "builtin" && (
+            <div className="flex items-center gap-3">
+              <Button
+                variant={"secondary"}
+                disabled={testing}
+                onClick={handleTestCA}
+              >
+                {testing ? "Testing..." : "Test Connection"}
+              </Button>
+              {testing && (
+                <span className="text-sm text-nb-gray-400">Running CA test...</span>
+              )}
+            </div>
+          )}
+
+          {/* CA test results */}
+          {testResult && <CATestPanel result={testResult} />}
+
+          {/* Certificate Validity — only for built-in CA */}
+          {caType === "builtin" && (
+            <SettingRow
+              label="Certificate Validity (days)"
+              help="Number of days a device certificate remains valid after issuance"
+            >
+              <Input
+                type={"number"}
+                min={1}
+                max={3650}
+                value={certValidityDays}
+                onChange={(e) => {
+                  const parsed = parseInt(e.target.value, 10);
+                  if (Number.isNaN(parsed)) return;
+                  setCertValidityDays(Math.max(1, Math.min(3650, parsed)));
+                }}
+                data-cy={"cert-validity-days"}
+              />
+            </SettingRow>
+          )}
+
+          {/* Certificate Revocation */}
+          <SettingRow
+            label="Certificate Revocation"
+            help="Revocation uses CRL (Certificate Revocation List), published every 12 hours."
+          >
+            <p className="font-mono text-sm text-nb-gray-400">
+              {"GET /api/v1/device-auth/crl?account_id=<id>"}
+            </p>
+          </SettingRow>
+        </div>
+      </div>
+    </PageContainer>
+  );
+}
+
+function SettingRow({
+  label,
+  help,
+  children,
+}: Readonly<{
+  label: string;
+  help: string;
+  children: React.ReactNode;
+}>) {
+  return (
+    <div
+      className={
+        "flex flex-col gap-1 sm:flex-row w-full sm:gap-4 items-start"
+      }
+    >
+      <div className={"min-w-[330px]"}>
+        <Label>{label}</Label>
+        <HelpText>{help}</HelpText>
+      </div>
+      <div className={"w-full"}>{children}</div>
+    </div>
+  );
+}
diff --git a/src/modules/device-security/DevicesTable.tsx b/src/modules/device-security/DevicesTable.tsx
new file mode 100644
index 00000000..58dcac53
--- /dev/null
+++ b/src/modules/device-security/DevicesTable.tsx
@@ -0,0 +1,251 @@
+"use client";
+
+import Badge from "@components/Badge";
+import Button from "@components/Button";
+import { DataTable } from "@components/table/DataTable";
+import DataTableHeader from "@components/table/DataTableHeader";
+import DataTableRefreshButton from "@components/table/DataTableRefreshButton";
+import NoResults from "@components/ui/NoResults";
+import { ColumnDef, SortingState } from "@tanstack/react-table";
+import dayjs from "dayjs";
+import { RefreshCwIcon, ShieldIcon, ShieldOffIcon } from "lucide-react";
+import { usePathname } from "next/navigation";
+import React, { useCallback } from "react";
+import { useSWRConfig } from "swr";
+import { notify } from "@components/Notification";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import { useLocalStorage } from "@/hooks/useLocalStorage";
+import type { DeviceCert } from "@/interfaces/DeviceSecurity";
+import type { Peer } from "@/interfaces/Peer";
+import useFetchApi from "@utils/api";
+import Link from "next/link";
+import RevokeDeviceModal from "./RevokeDeviceModal";
+
+function truncate(value: string, length = 16): string {
+  if (value.length <= length) return value;
+  return `${value.slice(0, length)}...`;
+}
+
+function formatDate(iso: string): string {
+  return dayjs(iso).format("MMM D, YYYY HH:mm");
+}
+
+function isExpired(notAfter: string): boolean {
+  return dayjs(notAfter).isBefore(dayjs());
+}
+
+function StatusBadge({ cert }: Readonly<{ cert: DeviceCert }>) {
+  if (cert.revoked) {
+    return (
+      <Badge variant="red" size="xs">
+        Revoked
+      </Badge>
+    );
+  }
+  if (isExpired(cert.not_after)) {
+    return (
+      <Badge variant="yellow" size="xs">
+        Expired
+      </Badge>
+    );
+  }
+  return (
+    <Badge variant="green" size="xs">
+      Active
+    </Badge>
+  );
+}
+
+type ActionsCellProps = {
+  cert: DeviceCert;
+  onRenew: (id: string) => void;
+};
+
+function ActionsCell({ cert, onRenew }: Readonly<ActionsCellProps>) {
+  if (cert.revoked) {
+    return null;
+  }
+
+  return (
+    <div className="flex gap-2 justify-end pr-4">
+      <Button
+        variant="secondary"
+        size="xs"
+        onClick={() => onRenew(cert.id)}
+      >
+        <RefreshCwIcon size={14} />
+        Renew
+      </Button>
+      <RevokeDeviceModal device={cert}>
+        <Button variant="danger-outline" size="xs">
+          <ShieldOffIcon size={14} />
+          Revoke
+        </Button>
+      </RevokeDeviceModal>
+    </div>
+  );
+}
+
+function buildColumns(
+  onRenew: (id: string) => void,
+  peerMap: Map<string, Peer>,
+): ColumnDef<DeviceCert>[] {
+  return [
+    {
+      id: "peer",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Peer</DataTableHeader>
+      ),
+      cell: ({ row }) => {
+        const peer = peerMap.get(row.original.peer_id);
+        if (peer) {
+          return (
+            <Link
+              href={`/peer?id=${peer.id}`}
+              className="group flex flex-col"
+              onClick={(e) => e.stopPropagation()}
+            >
+              <span className="font-medium text-nb-gray-100 group-hover:text-netbird transition-colors">
+                {peer.name}
+              </span>
+              <span className="text-xs text-nb-gray-500">
+                {peer.ip}
+              </span>
+            </Link>
+          );
+        }
+        return (
+          <span className="text-nb-gray-400 text-sm" title={row.original.peer_id}>
+            {truncate(row.original.peer_id)}
+          </span>
+        );
+      },
+    },
+    {
+      accessorKey: "wg_public_key",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>WG Public Key</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span
+          className="font-mono"
+          title={row.original.wg_public_key}
+        >
+          {truncate(row.original.wg_public_key)}
+        </span>
+      ),
+    },
+    {
+      accessorKey: "serial",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Serial</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span className="font-mono" title={row.original.serial}>
+          {truncate(row.original.serial)}
+        </span>
+      ),
+    },
+    {
+      accessorKey: "not_before",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Valid From</DataTableHeader>
+      ),
+      sortingFn: "datetime",
+      cell: ({ row }) => (
+        <span>{formatDate(row.original.not_before)}</span>
+      ),
+    },
+    {
+      accessorKey: "not_after",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Expires</DataTableHeader>
+      ),
+      sortingFn: "datetime",
+      cell: ({ row }) => (
+        <span>{formatDate(row.original.not_after)}</span>
+      ),
+    },
+    {
+      accessorKey: "revoked",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Status</DataTableHeader>
+      ),
+      cell: ({ row }) => <StatusBadge cert={row.original} />,
+    },
+    {
+      id: "actions",
+      header: "",
+      cell: ({ row }) => (
+        <ActionsCell cert={row.original} onRenew={onRenew} />
+      ),
+    },
+  ];
+}
+
+export default function DevicesTable() {
+  const { devices, devicesLoading, renewDevice } = useDeviceSecurity();
+  const { data: peers } = useFetchApi<Peer[]>("/peers");
+
+  const peerMap = React.useMemo(() => {
+    if (!peers) return new Map<string, Peer>();
+    return new Map(peers.map((p) => [p.id ?? "", p]));
+  }, [peers]);
+
+  const { mutate } = useSWRConfig();
+  const path = usePathname();
+
+  const [sorting, setSorting] = useLocalStorage<SortingState>(
+    "netbird-table-sort" + path,
+    [{ id: "not_after", desc: true }],
+  );
+
+  const handleRenew = useCallback(
+    (id: string) => {
+      notify({
+        title: "Renewing certificate",
+        description: "Device certificate was successfully renewed",
+        promise: renewDevice(id),
+        loadingMessage: "Renewing device certificate...",
+      });
+    },
+    [renewDevice],
+  );
+
+  const columns = React.useMemo(
+    () => buildColumns(handleRenew, peerMap),
+    [handleRenew, peerMap],
+  );
+
+  const emptyState = (
+    <NoResults
+      title="No device certificates issued"
+      description="Device certificates will appear here once devices enroll and are issued certificates."
+      icon={<ShieldIcon size={20} />}
+    />
+  );
+
+  return (
+    <DataTable
+      text="Devices"
+      sorting={sorting}
+      setSorting={setSorting}
+      columns={columns}
+      data={devices}
+      isLoading={devicesLoading}
+      searchPlaceholder="Search by key or serial..."
+      getStartedCard={emptyState}
+    >
+      {() => (
+        <DataTableRefreshButton
+          isDisabled={!devices || devices.length === 0}
+          onClick={() => {
+            mutate("/device-auth/devices");
+          }}
+        />
+      )}
+    </DataTable>
+  );
+}
diff --git a/src/modules/device-security/EnrollmentsTable.tsx b/src/modules/device-security/EnrollmentsTable.tsx
new file mode 100644
index 00000000..3d8fde09
--- /dev/null
+++ b/src/modules/device-security/EnrollmentsTable.tsx
@@ -0,0 +1,307 @@
+"use client";
+
+import Badge from "@components/Badge";
+import Button from "@components/Button";
+import { DataTable } from "@components/table/DataTable";
+import DataTableHeader from "@components/table/DataTableHeader";
+import DataTableRefreshButton from "@components/table/DataTableRefreshButton";
+import { notify } from "@components/Notification";
+import NoResults from "@components/ui/NoResults";
+import { ColumnDef, SortingState } from "@tanstack/react-table";
+import dayjs from "dayjs";
+import { CheckCircleIcon, ShieldAlertIcon, XCircleIcon } from "lucide-react";
+import { usePathname } from "next/navigation";
+import React, { useCallback } from "react";
+import { useSWRConfig } from "swr";
+import { useDialog } from "@/contexts/DialogProvider";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import { useLocalStorage } from "@/hooks/useLocalStorage";
+import type { DeviceEnrollment } from "@/interfaces/DeviceSecurity";
+import type { Peer } from "@/interfaces/Peer";
+import useFetchApi from "@utils/api";
+import Link from "next/link";
+
+const STATUS_BADGE_VARIANT = {
+  pending: "yellow",
+  approved: "green",
+  rejected: "red",
+} as const;
+
+const STATUS_LABEL = {
+  pending: "Pending",
+  approved: "Approved",
+  rejected: "Rejected",
+} as const;
+
+function truncate(value: string, length = 12): string {
+  if (value.length <= length) return value;
+  return `${value.slice(0, length)}...`;
+}
+
+function formatDate(iso: string): string {
+  return dayjs(iso).format("MMM D, YYYY HH:mm");
+}
+
+function StatusBadge({
+  status,
+}: Readonly<{ status: DeviceEnrollment["status"] }>) {
+  return (
+    <Badge variant={STATUS_BADGE_VARIANT[status]} size="xs">
+      {STATUS_LABEL[status]}
+    </Badge>
+  );
+}
+
+function ActionsCell({
+  enrollment,
+  onApprove,
+  onReject,
+}: Readonly<{
+  enrollment: DeviceEnrollment;
+  onApprove: (id: string) => void;
+  onReject: (id: string) => void;
+}>) {
+  if (enrollment.status !== "pending") {
+    return null;
+  }
+
+  return (
+    <div className="flex gap-2">
+      <Button
+        variant="primary"
+        size="xs"
+        onClick={() => onApprove(enrollment.id)}
+      >
+        <CheckCircleIcon size={14} />
+        Approve
+      </Button>
+      <Button
+        variant="danger"
+        size="xs"
+        onClick={() => onReject(enrollment.id)}
+      >
+        <XCircleIcon size={14} />
+        Reject
+      </Button>
+    </div>
+  );
+}
+
+function buildColumns(
+  onApprove: (id: string) => void,
+  onReject: (id: string) => void,
+  peerMap: Map<string, Peer>,
+): ColumnDef<DeviceEnrollment>[] {
+  return [
+    {
+      accessorKey: "id",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>ID</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span title={row.original.id}>{truncate(row.original.id)}</span>
+      ),
+    },
+    {
+      accessorKey: "peer_id",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Peer</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => {
+        const peer = peerMap.get(row.original.peer_id);
+        if (peer) {
+          return (
+            <Link
+              href={`/peer?id=${peer.id}`}
+              className="group flex flex-col"
+              onClick={(e) => e.stopPropagation()}
+            >
+              <span className="font-medium text-nb-gray-100 group-hover:text-netbird transition-colors">
+                {peer.name}
+              </span>
+              <span className="text-xs text-nb-gray-500" title={row.original.peer_id}>
+                {truncate(row.original.peer_id)}
+              </span>
+            </Link>
+          );
+        }
+        return (
+          <span className="text-nb-gray-400" title={row.original.peer_id}>
+            {truncate(row.original.peer_id)}
+          </span>
+        );
+      },
+    },
+    {
+      accessorKey: "wg_public_key",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>WG Public Key</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span title={row.original.wg_public_key}>
+          {truncate(row.original.wg_public_key, 16)}
+        </span>
+      ),
+    },
+    {
+      accessorKey: "status",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Status</DataTableHeader>
+      ),
+      cell: ({ row }) => <StatusBadge status={row.original.status} />,
+    },
+    {
+      id: "reason",
+      accessorKey: "reason",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Reason</DataTableHeader>
+      ),
+      cell: ({ row }) => {
+        const reason = row.original.reason;
+        return (
+          <span
+            className={"text-nb-gray-400 text-sm"}
+            title={reason}
+          >
+            {reason ? (
+              <span className={"text-nb-gray-100"}>{reason}</span>
+            ) : (
+              <span className={"text-nb-gray-500"}>—</span>
+            )}
+          </span>
+        );
+      },
+    },
+    {
+      accessorKey: "created_at",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Created</DataTableHeader>
+      ),
+      sortingFn: "datetime",
+      cell: ({ row }) => <span>{formatDate(row.original.created_at)}</span>,
+    },
+    {
+      id: "actions",
+      header: "",
+      cell: ({ row }) => (
+        <ActionsCell
+          enrollment={row.original}
+          onApprove={onApprove}
+          onReject={onReject}
+        />
+      ),
+    },
+  ];
+}
+
+export default function EnrollmentsTable() {
+  const {
+    enrollments,
+    enrollmentsLoading,
+    approveEnrollment,
+    rejectEnrollment,
+  } = useDeviceSecurity();
+  const { confirm } = useDialog();
+  const { mutate } = useSWRConfig();
+  const path = usePathname();
+
+  const [sorting, setSorting] = useLocalStorage<SortingState>(
+    "netbird-table-sort" + path,
+    [{ id: "created_at", desc: true }],
+  );
+
+  const { data: peers } = useFetchApi<Peer[]>("/peers");
+
+  const peerMap = React.useMemo(() => {
+    if (!peers) return new Map<string, Peer>();
+    return new Map(peers.map((p) => [p.id ?? "", p]));
+  }, [peers]);
+
+  const handleApprove = useCallback(
+    async (id: string) => {
+      const choice = await confirm({
+        title: "Approve enrollment?",
+        description: "This device will be issued a certificate and allowed to connect.",
+        confirmText: "Approve",
+        cancelText: "Cancel",
+        type: "default",
+      });
+
+      if (!choice) return;
+
+      try {
+        await approveEnrollment(id);
+      } catch {
+        notify({
+          title: "Failed to approve enrollment",
+          description: "Please try again.",
+        });
+      }
+    },
+    [approveEnrollment, confirm],
+  );
+
+  const handleReject = useCallback(
+    async (id: string) => {
+      const choice = await confirm({
+        title: "Reject enrollment?",
+        description: "The device will be denied access. You can set a reason below.",
+        confirmText: "Reject",
+        cancelText: "Cancel",
+        type: "danger",
+      });
+
+      if (!choice) return;
+
+      // TODO: prompt for rejection reason via a dedicated modal
+      try {
+        await rejectEnrollment(id, undefined);
+      } catch {
+        notify({
+          title: "Failed to reject enrollment",
+          description: "Please try again.",
+        });
+      }
+    },
+    [rejectEnrollment, confirm],
+  );
+
+  const columns = React.useMemo(
+    () => buildColumns(handleApprove, handleReject, peerMap),
+    [handleApprove, handleReject, peerMap],
+  );
+
+  if (!enrollmentsLoading && (!enrollments || enrollments.length === 0)) {
+    return (
+      <NoResults
+        title="No enrollment requests"
+        description="There are no device enrollment requests at this time."
+        icon={<ShieldAlertIcon size={20} />}
+      />
+    );
+  }
+
+  return (
+    <DataTable
+      text="Enrollments"
+      sorting={sorting}
+      setSorting={setSorting}
+      columns={columns}
+      data={enrollments}
+      isLoading={enrollmentsLoading}
+      searchPlaceholder="Search by ID, peer, or key..."
+    >
+      {() => (
+        <DataTableRefreshButton
+          isDisabled={!enrollments || enrollments.length === 0}
+          onClick={() => {
+            mutate("/device-auth/enrollments");
+          }}
+        />
+      )}
+    </DataTable>
+  );
+}
diff --git a/src/modules/device-security/InventoryPage.tsx b/src/modules/device-security/InventoryPage.tsx
new file mode 100644
index 00000000..8226157e
--- /dev/null
+++ b/src/modules/device-security/InventoryPage.tsx
@@ -0,0 +1,571 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Button from "@components/Button";
+import { Callout } from "@components/Callout";
+import { Checkbox } from "@components/Checkbox";
+import FancyToggleSwitch from "@components/FancyToggleSwitch";
+import HelpText from "@components/HelpText";
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import { notify } from "@components/Notification";
+import Paragraph from "@components/Paragraph";
+import { cn } from "@utils/helpers";
+import { useHasChanges } from "@hooks/useHasChanges";
+import {
+  DatabaseIcon,
+  LayoutListIcon,
+  MonitorSmartphoneIcon,
+  ShieldCheckIcon,
+  SmartphoneIcon,
+} from "lucide-react";
+import Link from "next/link";
+import React, { useCallback, useEffect, useState } from "react";
+import Skeleton from "react-loading-skeleton";
+import { useDeviceSecurityContext } from "@/contexts/DeviceSecurityProvider";
+import type {
+  InventoryConfig,
+  IntuneInventoryConfig,
+  JamfInventoryConfig,
+  StaticInventoryConfig,
+} from "@/interfaces/DeviceSecurity";
+import PageContainer from "@/layouts/PageContainer";
+import { PasswordField } from "./PasswordField";
+
+// ── Defaults ──────────────────────────────────────────────────────────────────
+
+const DEFAULT_STATIC: StaticInventoryConfig = {
+  enabled: false,
+  peers: [],
+  serials: [],
+};
+
+const DEFAULT_INTUNE: IntuneInventoryConfig = {
+  enabled: false,
+  tenant_id: "",
+  client_id: "",
+  client_secret: "",
+  has_client_secret: false,
+  require_compliance: false,
+};
+
+const DEFAULT_JAMF: JamfInventoryConfig = {
+  enabled: false,
+  jamf_url: "",
+  client_id: "",
+  client_secret: "",
+  has_client_secret: false,
+  require_management: false,
+};
+
+const DEFAULT_CONFIG: InventoryConfig = {
+  static: DEFAULT_STATIC,
+  intune: DEFAULT_INTUNE,
+  jamf: DEFAULT_JAMF,
+};
+
+// ── Static source form ────────────────────────────────────────────────────────
+
+type StaticTab = "peers" | "serials";
+
+interface StaticFormProps {
+  config: StaticInventoryConfig;
+  onChange: (config: StaticInventoryConfig) => void;
+}
+
+function StaticForm({ config, onChange }: StaticFormProps) {
+  const [activeTab, setActiveTab] = useState<StaticTab>("peers");
+  const peersValue = config.peers.join("\n");
+
+  const handlePeersChange = (raw: string) => {
+    const newPeers = raw
+      .split(/[\n,]+/)
+      .map((s) => s.trim())
+      .filter(Boolean);
+    onChange({ ...config, peers: newPeers });
+  };
+
+  return (
+    <div
+      className={cn(
+        "border border-nb-gray-900 border-t-0 rounded-b-md bg-nb-gray-940",
+        "px-5 pt-3 pb-5 mx-[0.25rem]",
+      )}
+    >
+      {/* Sub-tabs */}
+      <div className="flex border-b border-nb-gray-900 mb-4">
+        {(["peers", "serials"] as StaticTab[]).map((tab) => (
+          <button
+            key={tab}
+            type="button"
+            onClick={() => setActiveTab(tab)}
+            className={cn(
+              "px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors",
+              activeTab === tab
+                ? "border-netbird text-netbird"
+                : "border-transparent text-nb-gray-400 hover:text-nb-gray-200",
+            )}
+          >
+            {tab === "peers" ? "WireGuard Keys" : "Serial Numbers"}
+          </button>
+        ))}
+      </div>
+
+      {activeTab === "peers" && (
+        <div className="flex flex-col gap-2">
+          <HelpText>
+            WireGuard public keys of NetBird peers allowed to enroll automatically.
+            The key is matched against the peer&apos;s WireGuard identity during attestation.
+          </HelpText>
+          <textarea
+            rows={6}
+            value={peersValue}
+            onChange={(e) => handlePeersChange(e.target.value)}
+            placeholder={"Paste one WireGuard public key per line"}
+            spellCheck={false}
+            className={cn(
+              "w-full rounded-md border border-nb-gray-900 bg-nb-gray-950",
+              "px-3 py-2 text-sm font-mono text-nb-gray-100",
+              "placeholder:text-nb-gray-600",
+              "focus:outline-none focus:ring-1 focus:ring-netbird focus:border-netbird",
+              "resize-y min-h-[120px]",
+            )}
+          />
+          <HelpText>
+            {config.peers.length > 0
+              ? `${config.peers.length} key${config.peers.length !== 1 ? "s" : ""} in list`
+              : "No keys configured"}
+          </HelpText>
+        </div>
+      )}
+
+      {activeTab === "serials" && (
+        <div className="flex flex-col gap-2">
+          <HelpText>
+            Hardware serial numbers of devices allowed to enroll automatically.
+            Use the serial number reported by the OS — on macOS:{" "}
+            <code className="bg-nb-gray-900 px-1 rounded text-xs">
+              system_profiler SPHardwareDataType | grep Serial
+            </code>
+            , on Windows:{" "}
+            <code className="bg-nb-gray-900 px-1 rounded text-xs">
+              wmic bios get SerialNumber
+            </code>
+            . One serial per line.
+          </HelpText>
+          <textarea
+            rows={8}
+            value={config.serials.join("\n")}
+            onChange={(e) => {
+              const newSerials = e.target.value
+                .split(/[\n,]+/)
+                .map((s) => s.trim())
+                .filter(Boolean);
+              onChange({ ...config, serials: newSerials });
+            }}
+            placeholder={"Paste one serial number per line\nC02XL1YLJHD5\nPF2RJKAM\nR90VM1XXPK"}
+            spellCheck={false}
+            className={cn(
+              "w-full rounded-md border border-nb-gray-900 bg-nb-gray-950",
+              "px-3 py-2 text-sm font-mono text-nb-gray-100",
+              "placeholder:text-nb-gray-600",
+              "focus:outline-none focus:ring-1 focus:ring-netbird focus:border-netbird",
+              "resize-y min-h-[150px]",
+            )}
+          />
+          <HelpText>
+            {config.serials.length > 0
+              ? `${config.serials.length} serial${config.serials.length !== 1 ? "s" : ""} in list`
+              : "No serials configured"}
+          </HelpText>
+        </div>
+      )}
+    </div>
+  );
+}
+
+// ── Intune source form ─────────────────────────────────────────────────────────
+
+interface IntuneFormProps {
+  config: IntuneInventoryConfig;
+  onChange: (config: IntuneInventoryConfig) => void;
+}
+
+function IntuneForm({ config, onChange }: IntuneFormProps) {
+  const update = (patch: Partial<IntuneInventoryConfig>) =>
+    onChange({ ...config, ...patch });
+
+  return (
+    <div
+      className={cn(
+        "border border-nb-gray-900 border-t-0 rounded-b-md bg-nb-gray-940",
+        "px-5 pt-4 pb-5 flex flex-col gap-4 mx-[0.25rem]",
+      )}
+    >
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="intune-tenant-id">Tenant ID</Label>
+        <Input
+          id="intune-tenant-id"
+          placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+          value={config.tenant_id}
+          onChange={(e) => update({ tenant_id: e.target.value })}
+        />
+      </div>
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="intune-client-id">Client ID (Application ID)</Label>
+        <Input
+          id="intune-client-id"
+          placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+          value={config.client_id}
+          onChange={(e) => update({ client_id: e.target.value })}
+        />
+      </div>
+      <PasswordField
+        id="intune-client-secret"
+        label="Client Secret"
+        value={config.client_secret}
+        hasExisting={config.has_client_secret}
+        onChange={(v) => update({ client_secret: v })}
+      />
+      <div className="flex items-center gap-3">
+        <Checkbox
+          id="intune-require-compliance"
+          checked={config.require_compliance}
+          onCheckedChange={(checked) =>
+            update({ require_compliance: checked === true })
+          }
+        />
+        <div>
+          <Label htmlFor="intune-require-compliance" className="cursor-pointer">
+            Require device compliance
+          </Label>
+          <HelpText>
+            Only enroll devices that are marked as compliant in Intune.
+          </HelpText>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+// ── Jamf source form ──────────────────────────────────────────────────────────
+
+interface JamfFormProps {
+  config: JamfInventoryConfig;
+  onChange: (config: JamfInventoryConfig) => void;
+}
+
+function JamfForm({ config, onChange }: JamfFormProps) {
+  const update = (patch: Partial<JamfInventoryConfig>) =>
+    onChange({ ...config, ...patch });
+
+  return (
+    <div
+      className={cn(
+        "border border-nb-gray-900 border-t-0 rounded-b-md bg-nb-gray-940",
+        "px-5 pt-4 pb-5 flex flex-col gap-4 mx-[0.25rem]",
+      )}
+    >
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="jamf-server-url">Server URL</Label>
+        <Input
+          id="jamf-server-url"
+          type="url"
+          placeholder="https://yourorg.jamfcloud.com"
+          value={config.jamf_url}
+          onChange={(e) => update({ jamf_url: e.target.value })}
+        />
+      </div>
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="jamf-client-id">Client ID (API Role)</Label>
+        <Input
+          id="jamf-client-id"
+          placeholder="netbird-integration"
+          value={config.client_id}
+          onChange={(e) => update({ client_id: e.target.value })}
+        />
+      </div>
+      <PasswordField
+        id="jamf-client-secret"
+        label="Client Secret"
+        value={config.client_secret}
+        hasExisting={config.has_client_secret}
+        onChange={(v) => update({ client_secret: v })}
+      />
+      <div className="flex items-center gap-3">
+        <Checkbox
+          id="jamf-require-management"
+          checked={config.require_management}
+          onCheckedChange={(checked) =>
+            update({ require_management: checked === true })
+          }
+        />
+        <div>
+          <Label htmlFor="jamf-require-management" className="cursor-pointer">
+            Require device management
+          </Label>
+          <HelpText>
+            Only enroll devices that are actively managed in Jamf Pro.
+          </HelpText>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+// ── Coming soon placeholder ───────────────────────────────────────────────────
+
+function ComingSoonSource({
+  icon,
+  label,
+  description,
+}: {
+  icon: React.ReactNode;
+  label: string;
+  description: string;
+}) {
+  return (
+    <div className="flex items-center gap-4 px-5 py-4 rounded-md border border-nb-gray-910 bg-nb-gray-900/30 opacity-60">
+      <div className="text-nb-gray-400">{icon}</div>
+      <div className="flex-1">
+        <div className="flex items-center gap-2">
+          <span className="text-sm font-medium text-nb-gray-200">{label}</span>
+          <span className="inline-flex items-center rounded-full bg-nb-gray-800 px-2 py-0.5 text-xs font-medium text-nb-gray-400">
+            Coming soon
+          </span>
+        </div>
+        <p className="text-xs text-nb-gray-500">{description}</p>
+      </div>
+    </div>
+  );
+}
+
+// ── Main page ─────────────────────────────────────────────────────────────────
+
+export default function InventoryPage() {
+  const { inventoryConfig, inventoryConfigLoading, updateInventoryConfig, settings } =
+    useDeviceSecurityContext();
+
+  const [localConfig, setLocalConfig] = useState<InventoryConfig>(DEFAULT_CONFIG);
+
+  const { hasChanges, updateRef } = useHasChanges([localConfig]);
+
+  useEffect(() => {
+    if (!inventoryConfig) return;
+    setLocalConfig({
+      static: inventoryConfig.static ?? DEFAULT_STATIC,
+      intune: inventoryConfig.intune ?? DEFAULT_INTUNE,
+      jamf: inventoryConfig.jamf ?? DEFAULT_JAMF,
+    });
+    updateRef([inventoryConfig]);
+  }, [inventoryConfig, updateRef]);
+
+  const updateStatic = useCallback(
+    (patch: Partial<StaticInventoryConfig>) =>
+      setLocalConfig((prev) => ({ ...prev, static: { ...prev.static, ...patch } })),
+    [],
+  );
+
+  const updateIntune = useCallback(
+    (cfg: IntuneInventoryConfig) =>
+      setLocalConfig((prev) => ({ ...prev, intune: cfg })),
+    [],
+  );
+
+  const updateJamf = useCallback(
+    (cfg: JamfInventoryConfig) =>
+      setLocalConfig((prev) => ({ ...prev, jamf: cfg })),
+    [],
+  );
+
+  const handleSave = useCallback(async () => {
+    if (localConfig.intune.enabled) {
+      if (!localConfig.intune.tenant_id || !localConfig.intune.client_id) {
+        notify.error("Tenant ID and Client ID are required for Intune");
+        return;
+      }
+    }
+    if (localConfig.jamf.enabled) {
+      if (!localConfig.jamf.jamf_url) {
+        notify.error("Server URL is required for Jamf");
+        return;
+      }
+    }
+    const savePromise = updateInventoryConfig(localConfig);
+    notify({
+      title: "Device Inventory",
+      description: "Inventory configuration saved successfully.",
+      promise: savePromise,
+      loadingMessage: "Saving inventory configuration...",
+    });
+    try {
+      const saved = await savePromise;
+      updateRef([saved ?? localConfig]);
+    } catch {
+      return;
+    }
+  }, [localConfig, updateInventoryConfig, updateRef]);
+
+  const enrollmentMode = settings?.enrollment_mode;
+  const attestationActive =
+    enrollmentMode === "attestation" || enrollmentMode === "both";
+
+  if (inventoryConfigLoading) {
+    return (
+      <PageContainer>
+        <div className="p-default py-6 max-w-2xl">
+          <Skeleton height={24} width={200} className="mb-6" />
+          <Skeleton height={32} width={160} className="mb-10" />
+          <div className="mb-8">
+            <Skeleton height={60} width="100%" className="mb-3" />
+            <Skeleton height={60} width="100%" className="mb-3" />
+            <Skeleton height={60} width="100%" />
+          </div>
+        </div>
+      </PageContainer>
+    );
+  }
+
+  if (!inventoryConfigLoading && !inventoryConfig) {
+    return (
+      <PageContainer>
+        <div className="p-default py-6 max-w-2xl">
+          <Callout variant="error">
+            Failed to load inventory configuration. Please refresh the page and try again.
+          </Callout>
+        </div>
+      </PageContainer>
+    );
+  }
+
+  return (
+    <PageContainer>
+      <div className="p-default py-6 max-w-2xl">
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href="/device-security"
+            label="Device Security"
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href="/device-security/inventory"
+            label="Inventory"
+            active
+            icon={<LayoutListIcon size={14} />}
+          />
+        </Breadcrumbs>
+
+        <div className="flex items-start justify-between">
+          <div>
+            <h1>Device Inventory</h1>
+            <Paragraph>
+              Configure device allow-lists or MDM integrations for attestation enrollment.
+              Multiple sources can be active simultaneously.
+            </Paragraph>
+          </div>
+          <Button
+            variant="primary"
+            onClick={handleSave}
+            disabled={!hasChanges}
+            data-cy="save-inventory"
+          >
+            Save Changes
+          </Button>
+        </div>
+
+        {/* Status callout */}
+        <div className="mt-6 mb-8">
+          {attestationActive ? (
+            <Callout variant="success">
+              Inventory is active. Managed devices are automatically approved during enrollment.{" "}
+              <Link href="/device-security/settings" className="underline font-medium">
+                View Settings →
+              </Link>
+            </Callout>
+          ) : (
+            <Callout variant="warning">
+              Attestation is not enabled. To use inventory-based enrollment, enable Attestation
+              mode in{" "}
+              <Link href="/device-security/settings" className="underline font-medium">
+                Settings →
+              </Link>
+            </Callout>
+          )}
+        </div>
+
+        <div className="flex flex-col gap-4">
+          {/* Static allow-list */}
+          <div className="flex flex-col">
+            <FancyToggleSwitch
+              value={localConfig.static.enabled}
+              onChange={(v) => updateStatic({ enabled: v })}
+              label={
+                <>
+                  <DatabaseIcon size={15} />
+                  Static Allow-List
+                </>
+              }
+              helpText="Manually maintained list of WireGuard keys or serial numbers."
+            />
+            {localConfig.static.enabled && (
+              <StaticForm
+                config={localConfig.static}
+                onChange={(cfg) =>
+                  setLocalConfig((prev) => ({ ...prev, static: cfg }))
+                }
+              />
+            )}
+          </div>
+
+          {/* Microsoft Intune */}
+          <div className="flex flex-col">
+            <FancyToggleSwitch
+              value={localConfig.intune.enabled}
+              onChange={(v) => updateIntune({ ...localConfig.intune, enabled: v })}
+              label={
+                <>
+                  <MonitorSmartphoneIcon size={15} />
+                  Microsoft Intune
+                </>
+              }
+              helpText="Approve Windows and other managed devices from Microsoft Intune."
+            />
+            {localConfig.intune.enabled && (
+              <IntuneForm config={localConfig.intune} onChange={updateIntune} />
+            )}
+          </div>
+
+          {/* Jamf Pro */}
+          <div className="flex flex-col">
+            <FancyToggleSwitch
+              value={localConfig.jamf.enabled}
+              onChange={(v) => updateJamf({ ...localConfig.jamf, enabled: v })}
+              label={
+                <>
+                  <SmartphoneIcon size={15} />
+                  Jamf Pro
+                </>
+              }
+              helpText="Approve macOS and iOS devices managed by Jamf Pro."
+            />
+            {localConfig.jamf.enabled && (
+              <JamfForm config={localConfig.jamf} onChange={updateJamf} />
+            )}
+          </div>
+
+          {/* Coming soon */}
+          <ComingSoonSource
+            icon={<MonitorSmartphoneIcon size={18} />}
+            label="Fleet"
+            description="Sync managed devices from FleetDM / osquery"
+          />
+          <ComingSoonSource
+            icon={<ShieldCheckIcon size={18} />}
+            label="Webhook"
+            description="Approve devices via a custom webhook endpoint"
+          />
+        </div>
+      </div>
+    </PageContainer>
+  );
+}
diff --git a/src/modules/device-security/PasswordField.tsx b/src/modules/device-security/PasswordField.tsx
new file mode 100644
index 00000000..97076f33
--- /dev/null
+++ b/src/modules/device-security/PasswordField.tsx
@@ -0,0 +1,41 @@
+"use client";
+
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import { Eye, EyeOff } from "lucide-react";
+import React, { useState } from "react";
+
+export interface PasswordFieldProps {
+  id: string;
+  label: string;
+  value: string;
+  hasExisting?: boolean;
+  onChange: (value: string) => void;
+}
+
+export function PasswordField({ id, label, value, hasExisting, onChange }: PasswordFieldProps) {
+  const [show, setShow] = useState(false);
+  return (
+    <div className="flex flex-col gap-1">
+      <Label htmlFor={id}>{label}</Label>
+      <div className="relative">
+        <Input
+          id={id}
+          type={show ? "text" : "password"}
+          value={value}
+          placeholder={hasExisting && !value ? "••••••••" : undefined}
+          onChange={(e) => onChange(e.target.value)}
+          className="pr-10"
+        />
+        <button
+          type="button"
+          className="absolute inset-y-0 right-0 flex items-center pr-3 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+          onClick={() => setShow((s) => !s)}
+          aria-label={show ? "Hide" : "Show"}
+        >
+          {show ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
+        </button>
+      </div>
+    </div>
+  );
+}
diff --git a/src/modules/device-security/RevokeDeviceModal.tsx b/src/modules/device-security/RevokeDeviceModal.tsx
new file mode 100644
index 00000000..4d83d634
--- /dev/null
+++ b/src/modules/device-security/RevokeDeviceModal.tsx
@@ -0,0 +1,93 @@
+"use client";
+
+import Button from "@components/Button";
+import {
+  Modal,
+  ModalClose,
+  ModalContent,
+  ModalFooter,
+  ModalTrigger,
+} from "@components/modal/Modal";
+import ModalHeader from "@components/modal/ModalHeader";
+import { notify } from "@components/Notification";
+import Separator from "@components/Separator";
+import { ShieldOffIcon } from "lucide-react";
+import React, { useState } from "react";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import type { DeviceCert } from "@/interfaces/DeviceSecurity";
+
+type Props = {
+  device: DeviceCert;
+  children: React.ReactNode;
+};
+
+function truncate(value: string, length = 20): string {
+  if (value.length <= length) return value;
+  return `${value.slice(0, length)}...`;
+}
+
+export default function RevokeDeviceModal({ device, children }: Readonly<Props>) {
+  const [open, setOpen] = useState(false);
+  const { revokeDevice } = useDeviceSecurity();
+
+  const handleRevoke = async () => {
+    notify({
+      title: "Revoking device certificate",
+      description: "Device certificate was successfully revoked",
+      promise: revokeDevice(device.id).then(() => {
+        setOpen(false);
+      }),
+      loadingMessage: "Revoking device certificate...",
+    });
+  };
+
+  return (
+    <Modal open={open} onOpenChange={setOpen}>
+      <ModalTrigger asChild>{children}</ModalTrigger>
+      <ModalContent maxWidthClass="max-w-md">
+        <ModalHeader
+          icon={<ShieldOffIcon />}
+          title="Revoke Device Certificate"
+          description="This action cannot be undone. The device will no longer be able to authenticate using this certificate."
+          color="red"
+        />
+        <Separator />
+        <div className="px-8 py-6 flex flex-col gap-4">
+          <div className="flex flex-col gap-1">
+            <span className="text-xs text-nb-gray-400 uppercase tracking-wide">
+              WireGuard Public Key
+            </span>
+            <span
+              className="font-mono text-sm text-nb-gray-200"
+              title={device.wg_public_key}
+            >
+              {truncate(device.wg_public_key, 32)}
+            </span>
+          </div>
+          <div className="flex flex-col gap-1">
+            <span className="text-xs text-nb-gray-400 uppercase tracking-wide">
+              Serial Number
+            </span>
+            <span
+              className="font-mono text-sm text-nb-gray-200"
+              title={device.serial}
+            >
+              {truncate(device.serial, 32)}
+            </span>
+          </div>
+        </div>
+        <ModalFooter className="items-center">
+          <div className="flex gap-3 w-full justify-end">
+            <ModalClose asChild>
+              <Button variant="secondary">Cancel</Button>
+            </ModalClose>
+            <Button variant="danger" onClick={handleRevoke}>
+              <ShieldOffIcon size={16} />
+              Revoke
+            </Button>
+          </div>
+        </ModalFooter>
+      </ModalContent>
+    </Modal>
+  );
+}
diff --git a/src/modules/device-security/TrustedCAsTable.tsx b/src/modules/device-security/TrustedCAsTable.tsx
new file mode 100644
index 00000000..bbaaff18
--- /dev/null
+++ b/src/modules/device-security/TrustedCAsTable.tsx
@@ -0,0 +1,197 @@
+"use client";
+
+import Button from "@components/Button";
+import { DataTable } from "@components/table/DataTable";
+import DataTableHeader from "@components/table/DataTableHeader";
+import { notify } from "@components/Notification";
+import NoResults from "@components/ui/NoResults";
+import { ColumnDef, SortingState } from "@tanstack/react-table";
+import dayjs from "dayjs";
+import { ChevronDown, ChevronUp, ClipboardCopyIcon, PlusCircle, ShieldCheckIcon, Trash2 } from "lucide-react";
+import { usePathname } from "next/navigation";
+import React, { useCallback, useMemo, useState } from "react";
+import { useDialog } from "@/contexts/DialogProvider";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import { useLocalStorage } from "@/hooks/useLocalStorage";
+import type { TrustedCA } from "@/interfaces/DeviceSecurity";
+import AddTrustedCAModal from "@/modules/device-security/AddTrustedCAModal";
+
+function formatDate(iso: string): string {
+  return dayjs(iso).format("MMM D, YYYY HH:mm");
+}
+
+type DeleteCellProps = {
+  ca: TrustedCA;
+  onDelete: (id: string) => void;
+};
+
+function DeleteCell({ ca, onDelete }: Readonly<DeleteCellProps>) {
+  return (
+    <div className="flex justify-end pr-4">
+      <Button
+        variant="danger-outline"
+        size="sm"
+        onClick={() => onDelete(ca.id)}
+      >
+        <Trash2 size={16} />
+        Delete
+      </Button>
+    </div>
+  );
+}
+
+function CertPEMViewer({ pem }: { pem: string }) {
+  const [expanded, setExpanded] = useState(false);
+
+  const handleCopy = () => {
+    navigator.clipboard.writeText(pem);
+  };
+
+  return (
+    <div className="flex flex-col">
+      <button
+        type="button"
+        onClick={() => setExpanded((v) => !v)}
+        className="flex items-center gap-1 text-xs text-nb-gray-400 hover:text-nb-gray-200 transition-colors w-fit"
+      >
+        {expanded ? <ChevronUp size={12} /> : <ChevronDown size={12} />}
+        {expanded ? "Hide certificate" : "View certificate"}
+      </button>
+      {expanded && (
+        <div className="relative mt-2">
+          <pre className="text-xs font-mono text-nb-gray-300 bg-nb-gray-950 border border-nb-gray-900 rounded-md p-3 overflow-x-auto whitespace-pre-wrap break-all max-h-48 overflow-y-auto">
+            {pem}
+          </pre>
+          <button
+            type="button"
+            onClick={handleCopy}
+            title="Copy PEM"
+            className="absolute top-2 right-2 text-nb-gray-400 hover:text-nb-gray-100 transition-colors"
+          >
+            <ClipboardCopyIcon size={14} />
+          </button>
+        </div>
+      )}
+    </div>
+  );
+}
+
+function buildColumns(
+  onDelete: (id: string) => void,
+): ColumnDef<TrustedCA>[] {
+  return [
+    {
+      accessorKey: "name",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Name</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <div className="flex flex-col gap-1">
+          <span className="font-medium">{row.original.name}</span>
+          {row.original.pem && (
+            <CertPEMViewer pem={row.original.pem} />
+          )}
+        </div>
+      ),
+    },
+    {
+      accessorKey: "created_at",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Created</DataTableHeader>
+      ),
+      sortingFn: "datetime",
+      cell: ({ row }) => (
+        <span className="text-nb-gray-400">
+          {formatDate(row.original.created_at)}
+        </span>
+      ),
+    },
+    {
+      id: "actions",
+      header: "",
+      cell: ({ row }) => (
+        <DeleteCell ca={row.original} onDelete={onDelete} />
+      ),
+    },
+  ];
+}
+
+type Props = {
+  headingTarget?: HTMLHeadingElement | null;
+};
+
+export default function TrustedCAsTable({ headingTarget }: Readonly<Props>) {
+  const { trustedCAs, trustedCAsLoading, deleteTrustedCA } = useDeviceSecurity();
+  const { confirm } = useDialog();
+  const path = usePathname();
+
+  const [sorting, setSorting] = useLocalStorage<SortingState>(
+    "netbird-table-sort" + path,
+    [{ id: "created_at", desc: true }],
+  );
+
+  const handleDelete = useCallback(
+    async (id: string) => {
+      const ca = trustedCAs?.find((c) => c.id === id);
+      const label = ca?.name ?? id;
+
+      const choice = await confirm({
+        title: `Delete '${label}'?`,
+        description:
+          "Are you sure you want to delete this trusted CA? Devices authenticated with this CA may lose access.",
+        confirmText: "Delete",
+        cancelText: "Cancel",
+        type: "danger",
+      });
+
+      if (!choice) return;
+
+      notify({
+        title: label,
+        description: "Trusted CA was successfully deleted",
+        promise: deleteTrustedCA(id),
+        loadingMessage: "Deleting trusted CA...",
+      });
+    },
+    [trustedCAs, confirm, deleteTrustedCA],
+  );
+
+  const columns = useMemo(() => buildColumns(handleDelete), [handleDelete]);
+
+  const addButton = (
+    <AddTrustedCAModal>
+      <Button variant="primary" size="sm">
+        <PlusCircle size={16} />
+        Add CA
+      </Button>
+    </AddTrustedCAModal>
+  );
+
+  const emptyState = (
+    <NoResults
+      title="No trusted CAs added."
+      description="Add a trusted Certificate Authority to enable device certificate authentication."
+      icon={<ShieldCheckIcon size={20} />}
+    >
+      <div className={"mt-6"}>{addButton}</div>
+    </NoResults>
+  );
+
+  return (
+    <DataTable
+      text="Trusted CAs"
+      sorting={sorting}
+      setSorting={setSorting}
+      columns={columns}
+      data={trustedCAs ?? []}
+      isLoading={trustedCAsLoading}
+      searchPlaceholder="Search by name..."
+      headingTarget={headingTarget}
+      getStartedCard={emptyState}
+      rightSide={() =>
+        trustedCAs && trustedCAs.length > 0 ? addButton : null
+      }
+    />
+  );
+}
diff --git a/src/modules/users/UserInvitesTable.tsx b/src/modules/users/UserInvitesTable.tsx
index e898573f..857856eb 100644
--- a/src/modules/users/UserInvitesTable.tsx
+++ b/src/modules/users/UserInvitesTable.tsx
@@ -26,6 +26,7 @@ import {
   Link2,
   MailPlus,
   NetworkIcon,
+  ShieldCheckIcon,
   Trash2,
   User2,
 } from "lucide-react";
@@ -115,6 +116,12 @@ function InviteRoleCell({ invite }: { invite: UserInvite }) {
             Network Admin
           </>
         )}
+        {role === Role.CertApprover && (
+          <>
+            <ShieldCheckIcon size={14} />
+            Cert Approver
+          </>
+        )}
       </Badge>
     </div>
   );
diff --git a/src/modules/users/UserRoleSelector.tsx b/src/modules/users/UserRoleSelector.tsx
index 401d1883..180992e3 100644
--- a/src/modules/users/UserRoleSelector.tsx
+++ b/src/modules/users/UserRoleSelector.tsx
@@ -11,6 +11,7 @@ import {
   CreditCard,
   EyeIcon,
   NetworkIcon,
+  ShieldCheckIcon,
   User2,
 } from "lucide-react";
 import * as React from "react";
@@ -64,6 +65,11 @@ export const UserRoles = [
     value: Role.User,
     icon: User2,
   },
+  {
+    name: "Cert Approver",
+    value: Role.CertApprover,
+    icon: ShieldCheckIcon,
+  },
 ];
 
 export function UserRoleSelector({
diff --git a/src/modules/users/table-cells/UserRoleCell.tsx b/src/modules/users/table-cells/UserRoleCell.tsx
index 08fb7d8e..76a7ccf9 100644
--- a/src/modules/users/table-cells/UserRoleCell.tsx
+++ b/src/modules/users/table-cells/UserRoleCell.tsx
@@ -1,6 +1,6 @@
 import Badge from "@components/Badge";
 import { cn } from "@utils/helpers";
-import { Cog, CreditCardIcon, EyeIcon, NetworkIcon, User2 } from "lucide-react";
+import { Cog, CreditCardIcon, EyeIcon, NetworkIcon, ShieldCheckIcon, User2 } from "lucide-react";
 import React from "react";
 import NetBirdIcon from "@/assets/icons/NetBirdIcon";
 import { Role, User } from "@/interfaces/User";
@@ -51,6 +51,12 @@ export default function UserRoleCell({ user }: Readonly<Props>) {
             Network Admin
           </>
         )}
+        {role === Role.CertApprover && (
+          <>
+            <ShieldCheckIcon size={14} />
+            Cert Approver
+          </>
+        )}
       </Badge>
     </div>
   );
diff --git a/src/utils/api.tsx b/src/utils/api.tsx
index ddba852a..14d535b8 100644
--- a/src/utils/api.tsx
+++ b/src/utils/api.tsx
@@ -81,6 +81,7 @@ export function useNetBirdFetch(ignoreError: boolean = false): {
   const handleErrors = useApiErrorHandling(ignoreError);
 
   const isTokenExpired = async () => {
+    if (!token) return true;
     let attempts = 4;
     while (isExpired(token) && attempts > 0) {
       await sleep(500);