diff --git a/android/src/main/java/com/tailscale/ipn/App.kt b/android/src/main/java/com/tailscale/ipn/App.kt
index 7a6088c..909e305 100644
--- a/android/src/main/java/com/tailscale/ipn/App.kt
+++ b/android/src/main/java/com/tailscale/ipn/App.kt
@@ -151,7 +151,7 @@ class App : UninitializedApp(), libtailscale.AppContext, ViewModelStoreOwner {
 // Check if a directory URI has already been stored.
 val storedUri = getStoredDirectoryUri()
 val rm = getSystemService(Context.RESTRICTIONS_SERVICE) as RestrictionsManager
- val hardwareAttestation = rm.applicationRestrictions.getBoolean(MDMSettings.KEY_HARDWARE_ATTESTATION, false)
+ val hardwareAttestation = rm.applicationRestrictions.getBoolean(MDMSettings.KEY_HARDWARE_ATTESTATION, true)
 if (storedUri != null && storedUri.toString().startsWith("content://")) {
 startLibtailscale(storedUri.toString(), hardwareAttestation)
 } else {
diff --git a/android/src/main/java/com/tailscale/ipn/util/HardwareKeyStore.kt b/android/src/main/java/com/tailscale/ipn/util/HardwareKeyStore.kt
index 24b9d98..e439286 100644
--- a/android/src/main/java/com/tailscale/ipn/util/HardwareKeyStore.kt
+++ b/android/src/main/java/com/tailscale/ipn/util/HardwareKeyStore.kt
@@ -2,7 +2,6 @@
 // SPDX-License-Identifier: BSD-3-Clause
 package com.tailscale.ipn.util
-import android.content.pm.PackageManager
 import android.os.Build
 import android.security.keystore.KeyGenParameterSpec
 import android.security.keystore.KeyProperties
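Review bot: In App.kt, the new fallback in `getBoolean(MDMSettings.KEY_HARDWARE_ATTESTATION, true)` turns hardware attestation on for every install that has no MDM restriction set, not only for managed devices. Nothing in this hunk shows what happens on a device whose keystore cannot supply a hardware-backed key. It is worth confirming that the startup path behind `startLibtailscale` degrades cleanly when the key store reports `HardwareKeysNotSupported`, rather than failing to start. A short comment above the line would record the intent, e.g. `// Defaults to on when no MDM policy is present; an explicit MDM value of false still disables it.` The enclosing function starts and ends outside the hunk.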
@@ -18,7 +17,13 @@ class HardwareKeysNotSupported : Exception("hardware-backed keys are not support
 // HardwareKeyStore implements the callbacks necessary to implement key.HardwareAttestationKey on
 // the Go side. It uses KeyStore with a StrongBox processor.
 class HardwareKeyStore() {
- var keyStoreKeys = HashMap();
+ // keyStoreKeys should be a singleton. Even if multiple HardwareKeyStores are created, we should
+ // not create distinct underlying key maps.
+ companion object {
+ val keyStoreKeys: HashMap by lazy {
+ HashMap()
+ }
+ }
 val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
diff --git a/libtailscale/keystore.go b/libtailscale/keystore.go
index d0d2ee9..7857bb2 100644
--- a/libtailscale/keystore.go
+++ b/libtailscale/keystore.go
@@ -48,7 +48,7 @@ func (k *hardwareAttestationKey) fetchPublic() error {
 pubRaw, err := k.appCtx.HardwareAttestationKeyPublic(k.id)
 if err != nil {
- return fmt.Errorf("loading public key from KeyStore: %w", err)
+ return fmt.Errorf("loading public key for id %q from KeyStore: %w", k.id, err)
 }
 pubAny, err := x509.ParsePKIXPublicKey(pubRaw)
 if err != nil {
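Review bot: In HardwareKeyStore.kt, moving `keyStoreKeys` into the companion object makes one plain `HashMap` shared by every HardwareKeyStore instance, and `by lazy` guards only its construction, not later reads and writes. If the Go side can invoke these callbacks from more than one thread (not visible here), unsynchronised access can corrupt the map or hand back the wrong key entry. A `java.util.concurrent.ConcurrentHashMap` with the same type arguments would be the safer container. The `lazy` delegate is also redundant, since a companion object is initialised once on first use, and the property could be `private` unless code outside this class reads it. The class body continues outside the hunk.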
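Review bot: In libtailscale/keystore.go, the wrapped error now embeds `k.id`, so the key identifier will appear wherever this error is logged or reported. Confirm that the id is only a keystore alias and not a value that should stay out of logs and bug reports. The `x509.ParsePKIXPublicKey` failure branch directly below starts in this hunk but its return is outside it; if that message does not already name the key, adding the same `for id %q` context there would keep the two errors consistent.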