A few more cents to dump on this. We've begun working on a slightly different approach, which requires that X machine has checked in within the last Y minutes via osquery and that a, b, c, d checks have passed. This relies on certain scheduled query data being available from our backend logging systems, but avoids the issue of needing to get a "live" response back from live queries. I feel like the time window we work within (usually 5-10 minutes) provides "enough" guarantee on the identity of the laptop, combined with the device cert, to give a high level of confidence to the access request.
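A sketch of the decision logic described in that comment, written as an added example for this thread rather than code from the commenter or from osquery. It assumes the backend has osquery scheduled-query results in the JSON-lines shape the osquery result logger emits (`name`, `hostIdentifier`, `unixTime`, `snapshot` rows), that the device certificate's subject is the same string as the host's `hostIdentifier`, and that the check names, column names, timestamps and hosts below are constructed for the example. A request is allowed only when the cert matches the host and every required check has a result for that host that is both fresh (inside the Y-minute window) and passing.

```python
import json

# Constructed osquery snapshot results, one JSON object per line, as the
# filesystem/TLS result logger writes them. Hosts, query names, columns and
# unix timestamps are invented for this example.
SAMPLE_RESULTS = """
{"name": "disk_encryption", "hostIdentifier": "laptop-42", "unixTime": 1699999000, "snapshot": [{"encrypted": "0"}]}
{"name": "disk_encryption", "hostIdentifier": "laptop-42", "unixTime": 1700000300, "snapshot": [{"encrypted": "1"}]}
{"name": "firewall_enabled", "hostIdentifier": "laptop-42", "unixTime": 1700000350, "snapshot": [{"global_state": "1"}]}
{"name": "edr_running", "hostIdentifier": "laptop-42", "unixTime": 1700000400, "snapshot": [{"name": "edr-agent", "pid": "512"}]}
{"name": "disk_encryption", "hostIdentifier": "laptop-17", "unixTime": 1699990000, "snapshot": [{"encrypted": "1"}]}
{"name": "firewall_enabled", "hostIdentifier": "laptop-17", "unixTime": 1700000500, "snapshot": [{"global_state": "0"}]}
"""

# The a, b, c, d checks: each maps a scheduled query name to a predicate over
# that query's snapshot rows. Column names are assumptions for this example.
REQUIRED_CHECKS = {
    "disk_encryption": lambda rows: any(r.get("encrypted") == "1" for r in rows),
    "firewall_enabled": lambda rows: any(r.get("global_state") == "1" for r in rows),
    "edr_running": lambda rows: any(r.get("name") == "edr-agent" for r in rows),
}


def latest_results(lines, host_id):
    """Parse result log lines and keep, per query name, the newest record for host_id.

    An older failing result for the same query is superseded by a newer one, so
    the decision always reflects the most recent snapshot the backend has seen.
    """
    latest = {}
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("hostIdentifier") != host_id:
            continue
        name = rec["name"]
        if name not in latest or rec["unixTime"] > latest[name]["unixTime"]:
            latest[name] = rec
    return latest


def evaluate_access(lines, host_id, cert_subject, now, window_seconds):
    """Return (allowed, reasons) for an access request from host_id.

    Mirrors the approach in the thread: the device cert binds the request to a
    host identity, and the host must have posted a fresh, passing result for
    every required check within window_seconds of `now` (unix seconds).
    """
    reasons = []

    # Assumption for this example: the device cert subject equals hostIdentifier.
    if cert_subject != host_id:
        reasons.append(f"device cert subject {cert_subject!r} does not match host {host_id!r}")

    latest = latest_results(lines, host_id)
    for name, passes in REQUIRED_CHECKS.items():
        rec = latest.get(name)
        if rec is None:
            reasons.append(f"{name}: no result recorded for host")
            continue
        age = now - rec["unixTime"]
        # Freshness first: a stale pass says nothing about the laptop's current state,
        # and the most recent result doubles as the "checked in within Y minutes" signal.
        if age > window_seconds:
            reasons.append(f"{name}: stale result ({age}s old, window {window_seconds}s)")
            continue
        if not passes(rec.get("snapshot", [])):
            reasons.append(f"{name}: check failed")

    return (not reasons, reasons)


if __name__ == "__main__":
    NOW = 1700000600           # constructed "current" time
    WINDOW = 10 * 60           # the 10-minute window from the thread
    for host in ("laptop-42", "laptop-17"):
        allowed, why = evaluate_access(SAMPLE_RESULTS, host, host, NOW, WINDOW)
        print(host, "ALLOW" if allowed else "DENY", why)
```

Running it allows `laptop-42` (its only failing disk-encryption snapshot is superseded by a newer passing one inside the window) and denies `laptop-17` for a stale check, a failing check and a missing check. Note the deliberate order of tests: freshness is evaluated before the predicate, so an old passing result is reported as stale rather than treated as a pass.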