The Challenge
An online retail service struggled to manage certificate lifecycles for its large-scale fleet of devices. One employee was responsible for manually auditing, revoking, and renewing certificates across more than 5,000 devices. This created a significant risk of unauthorized devices accessing the network. It also delayed employees seeking access to the network.
Further complicating the situation, the company used a hybrid fleet of Chromebooks, Macs, and Windows machines. The Chromebooks are kept in the company’s warehouses, where they cycle through shared use among warehouse staff. Those devices hold certificates indefinitely.
Remote corporate employees use Macs, which often go as long as 90 days without authenticating to the network. Without auto-revocation, dormant certificates consumed device licenses indefinitely. And when NinjaOne replaced AirWatch for Windows, native SCEP support for the company’s Windows devices disappeared.
The company needed a single platform that could handle three fundamentally different enrollment methods and device use patterns under one certificate authority and RADIUS service. Legacy solutions that assumed uniform MDM environments could not adapt to this fleet diversity.
The Solution
SecureW2 implemented a unified certificate management solution that minimizes the risk window and gives the IT team continuous visibility into all their devices.
The deployment adapts to three distinct device populations. The more than 3,000 warehouse Chromebooks now receive certificates through a Google Admin integration with SecureW2. These devices operate in a shared-use model, so certificates are tied to the device rather than the user, with no auto-revocation applied. Okta provides identity for user-level authentication where applicable, and Meraki access points handle 802.1X on the wireless side.
The approximately 2,000 corporate and hybrid Macs receive certificates through Jamf SCEP profiles. The company configured 90-day auto-revocation so that if a Mac does not authenticate within 90 days, its certificate is automatically revoked and the license reclaimed. This keeps license counts accurate across a remote workforce that may go weeks between office visits.
The Windows devices enroll through the JoinNow self-service landing page, a BYOD-style flow that provisions certificates without MDM-based SCEP since NinjaOne does not support native SCEP enrollment.
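The per-population revocation policy described above can be sketched as an inactivity sweep over RADIUS authentication events. This is an added example, not SecureW2's code or API: the enrollment-source labels, the log line format, the inventory, and the "no window" setting for Windows are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
# Inactivity window per enrollment source; None means never auto-revoke.
POLICY = {
    "jamf-scep": timedelta(days=90),  # Macs: 90-day auto-revocation
    "google-admin": None,             # shared Chromebooks: no auto-revocation
    "joinnow": None,                  # Windows: assumed, the page states no window
}
# Constructed inventory: (serial, enrollment source, issued-at).
INVENTORY = [
    ("0A01", "jamf-scep", "2025-01-02T09:00:00+00:00"),
    ("0A02", "jamf-scep", "2025-01-02T09:00:00+00:00"),
    ("0A03", "jamf-scep", "2025-01-02T09:00:00+00:00"),
    ("0C01", "google-admin", "2024-03-01T09:00:00+00:00"),
    ("0F01", "legacy-mdm", "2024-03-01T09:00:00+00:00"),
]
# Constructed RADIUS log lines: timestamp, result, certificate serial.
RADIUS_LOG = """\
2025-01-05T08:00:00+00:00 Access-Accept serial=0A01
2025-05-20T08:00:00+00:00 Access-Accept serial=0A02
2025-05-30T08:00:00+00:00 Access-Reject serial=0A03
2024-03-02T08:00:00+00:00 Access-Accept serial=0C01
"""

def last_accepts(log):
    """Latest successful authentication per serial; rejects are not activity."""
    seen = {}
    for line in log.splitlines():
        ts, result, field = line.split()
        if result != "Access-Accept":
            continue
        when, serial = datetime.fromisoformat(ts), field.partition("=")[2]
        seen[serial] = max(when, seen.get(serial, when))
    return seen

def sweep(inventory, log, now):
    """Return (serials to revoke, serials needing manual review)."""
    seen, revoke, review = last_accepts(log), [], []
    for serial, source, issued in inventory:
        if source not in POLICY:
            review.append(serial)  # unknown enrollment source: surface it, do not guess
            continue
        # A certificate that never authenticated is aged from its issuance time.
        idle = now - seen.get(serial, datetime.fromisoformat(issued))
        if POLICY[source] is not None and idle > POLICY[source]:
            revoke.append(serial)
    return revoke, review

if __name__ == "__main__":
    print(sweep(INVENTORY, RADIUS_LOG, datetime(2025, 6, 1, tzinfo=timezone.utc)))
```

A rejected authentication does not reset the inactivity clock, and a certificate from an enrollment source outside the policy table is reported for review instead of being silently kept.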
The Results
- Secured more than 5,000 devices across three platforms — Chromebooks, Macs, and Windows — all through a single cloud PKI and Cloud RADIUS platform
- Drastically reduced the organization’s risk profile by automating certificate lifecycle management so that unauthorized devices are automatically stripped of network access
- Controlled license usage through 90-day auto-revocation for Macs, which reclaims licenses from dormant remote devices while keeping warehouse Chromebooks active
The company is also considering expanding its platform capabilities with a Datadog integration. This would add RADIUS event monitoring across warehouse and corporate locations and bring operational visibility to the certificate-based authentication layer.