The Challenge
An HR technology company managing nearly 1,000 devices with Jamf (macOS) and Microsoft Intune (Windows) needed to future-proof its certificate management system ahead of incoming industry revocation standards. They needed to replace a manual, error-prone cleanup process with real-time automation.
The stakes were high: the company was simultaneously undertaking an IDP switchover and an HRIS migration, making zero disruption an absolute requirement.
The team’s challenges included:
- Unrevoked certificates on compromised or decommissioned devices. Without auto-revocation tied to the security posture, certificates remained valid after devices left the fleet or employees left the company, creating the risk of unauthorized network access.
- Stale certificates from test environments. Repeated testing cycles left behind a growing backlog of orphaned certificates from wiped and re-provisioned machines that needed cleanup.
- Manual certificate revocation overhead. Without auto-revocation, the team had to manually track and revoke certificates, a time-consuming process that left security gaps.
- 802.1X continuity. Certificate-based Wi-Fi had to remain stable while the identity provider and HRIS underneath it changed.
The Solution
The company upgraded from the SecureW2 legacy certificate platform to the new JoinNow PKI architecture during renewal. The deployment covered 802.1X wireless authentication (EAP-TLS) across 1,000 devices through Intune and Jamf. Okta serves as the identity provider, and Cloud RADIUS validates certificates against Okta on every authentication attempt.
The upgrade added auto-revocation and continuous trust enforcement, along with automated cleanup of stale test certificates. When a device is wiped or a user is disabled in Okta, the platform revokes the associated certificate automatically — eliminating the risk window and the need for manual tracking that previously consumed IT hours.
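The mechanism described above, a policy check run by the RADIUS server on every authentication plus revocation triggered by identity-provider and MDM events, as an added Python model. This is not SecureW2's, JoinNow's or the company's own code; the event hook names, the assumption that a device identifier is embedded in the certificate, and the sample users, devices and serials are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    serial: str
    user: str          # subject identity, mapped to an IdP account
    device_id: str     # device identifier carried in the cert (assumption for this model)
    not_after: datetime


@dataclass
class TrustState:
    """Signals the policy layer consults: CA revocations, IdP user status, MDM enrollment."""
    issued: dict = field(default_factory=dict)           # serial -> Certificate
    revoked: dict = field(default_factory=dict)          # serial -> reason
    active_users: set = field(default_factory=set)       # users enabled in the IdP
    enrolled_devices: set = field(default_factory=set)   # devices still managed by MDM

    def issue(self, cert: Certificate) -> None:
        self.issued[cert.serial] = cert

    def revoke(self, serial: str, reason: str) -> None:
        if serial in self.issued and serial not in self.revoked:
            self.revoked[serial] = reason

    # Event hooks: auto-revocation tied to identity and device signals.
    def on_user_disabled(self, user: str) -> list:
        """IdP reports a disabled account: revoke every cert issued to that user."""
        self.active_users.discard(user)
        hit = [s for s, c in self.issued.items() if c.user == user]
        for s in hit:
            self.revoke(s, f"user {user} disabled in IdP")
        return hit

    def on_device_wiped(self, device_id: str) -> list:
        """MDM reports a wipe: revoke every cert bound to that device."""
        self.enrolled_devices.discard(device_id)
        hit = [s for s, c in self.issued.items() if c.device_id == device_id]
        for s in hit:
            self.revoke(s, f"device {device_id} wiped")
        return hit

    def cleanup_stale(self) -> list:
        """Revoke still-valid certs whose device is no longer enrolled (test-cycle orphans)."""
        hit = [s for s, c in self.issued.items()
               if c.device_id not in self.enrolled_devices and s not in self.revoked]
        for s in hit:
            self.revoke(s, "stale: device not enrolled")
        return hit


def authenticate(state: TrustState, cert: Certificate, now: datetime) -> tuple:
    """Policy decision made per authentication, after the EAP-TLS handshake has
    already verified the chain and proof-of-possession (assumed done elsewhere)."""
    if cert.serial not in state.issued:
        return (False, "unknown certificate")
    if cert.serial in state.revoked:
        return (False, "revoked: " + state.revoked[cert.serial])
    if now >= cert.not_after:
        return (False, "expired")
    if cert.user not in state.active_users:
        return (False, "user not active in IdP")
    if cert.device_id not in state.enrolled_devices:
        return (False, "device not managed")
    return (True, "accepted")


def run_scenario() -> dict:
    """Constructed fleet: two managed laptops plus a leftover cert from a re-imaged test VM."""
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    ttl = timedelta(days=365)
    alice = Certificate("A1", "alice", "laptop-001", now + ttl)
    bob = Certificate("B2", "bob", "laptop-002", now + ttl)
    test = Certificate("T7", "svc-test", "test-vm-007", now + ttl)

    state = TrustState()
    for c in (alice, bob, test):
        state.issue(c)
    state.active_users.update({"alice", "bob", "svc-test"})
    state.enrolled_devices.update({"laptop-001", "laptop-002"})  # test-vm-007 already re-imaged

    results = {}
    results["alice_initial"] = authenticate(state, alice, now)
    results["stale_initial"] = authenticate(state, test, now)   # rejected even before cleanup
    state.on_user_disabled("bob")                                # offboarding flows from HRIS to IdP
    results["bob_after_disable"] = authenticate(state, bob, now)
    state.on_device_wiped("laptop-001")                          # MDM wipe signal
    results["alice_after_wipe"] = authenticate(state, alice, now)
    results["stale_cleaned"] = state.cleanup_stale()
    results["revoked_total"] = len(state.revoked)
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The point of the model is the ordering: the per-authentication check consults live IdP and MDM state, so a cert whose device left the fleet is refused even before the revocation entry lands, and the event hooks then make that refusal permanent so it does not depend on the signal sources staying reachable.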
Migrating PKI during the Okta switchover and Workday migration let the team build the new certificate architecture on top of the new identity infrastructure from the start, rather than retrofitting it later.
The Results
The completed migration leaves the company with a modern foundation: a new identity provider, new HRIS, and PKI architecture with auto-revocation running underneath both. The decision to upgrade everything at once rather than in sequence prevented the cost of reconfiguring certificate infrastructure twice.
- Eliminated the risk window from unrevoked certificates. Auto-revocation tied to device and identity signals in Jamf, Intune, and Okta ensures certificates are invalidated the moment a device is wiped or a user loses authorization. This closes the gap that previously left the network exposed between manual cleanup cycles.
- Removed the need for manual certificate tracking. Automated revocation and cleanup of stale certificates freed up the team to focus on higher-value work.
- Kept certificate-based Wi-Fi stable through three simultaneous platform migrations.
- Aligned with the industry’s broader movement toward continuous trust verification and reduced reliance on static, long-lived credentials.
Looking ahead, the company anticipates partnering with SecureW2 for guest Wi-Fi and CrowdStrike integration.