Trezor Model T is a great product. I bought it for hardware-based Bitcoin wallets but it's working well for SSH via trezor-agent (ed25519) and U2F. It has per-identity keys for SSH and requires auth to use U2F or an SSH identity via the touchscreen just like Bitcoin payments.
Conversation
It's up to the companies making an SoC (like Qualcomm, Samsung, Huawei) and their downstream customers (HTC, LG, Google, etc.) to determine what kind of enterprise management features are included. I'm not aware of a mobile SoC integrating features anything like that at all.
1
1
A mobile SoC is of course an enormously complex set of proprietary systems and they contain assorted cryptography, virtualization, verified boot and secure enclave features among other things. Phone vendors are in control of how features like TrustZone are used on a Qualcomm SoC.
1
2
If they want to include a bunch of enterprise management features in the Trusted Execution Environment, it's something that the hardware is capable of supporting since it supports arbitrary applets. The phone vendor controls the signing keys so they choose what will be run there.
It's not how mobile device management for enterprises is done in practice. From my experience, they do it at the operating system level and at most use features like remote attestation supported by the Trusted Execution Environment, rather than implementing management there.
1