The Challenge
At a private high school, every student carries a personal phone alongside a school-issued device. Faculty and staff bring their own devices, too. The network administrator managed this sprawl across three platforms: Microsoft Intune for school-owned and BYOD student devices, Jamf for a subset of the fleet, and Google Workspace for Chromebooks.
Password-based guest Wi-Fi was a constant headache. Students often discovered the password within hours of the monthly rotation, shared it freely, and used it to bypass the managed network. The IT team spent cycles changing credentials and chasing unauthorized connections instead of focusing on infrastructure improvements.
The harder problem was lifecycle management. Every spring, a graduating class left the school — but their digital certificates and device records stayed behind. Identifying which certificates belonged to departed students, revoking them in bulk, and cleaning up device records across enrollment types was a time-consuming manual process with no automated workflow.
The Solution
The school began using the JoinNow Platform to issue digital certificates for Wi-Fi authentication across school-owned devices and student BYOD.
Student cell phones received user-based certificates tied to Azure AD identity, while school-owned devices received device-based certificates pushed through Intune. Jamf and Google Workspace handled additional device populations through their own enrollment configurations.
The cloud-based RADIUS authenticated every connection, replacing password-based Wi-Fi for the managed network. Certificates carried four-year validity periods aligned to a student’s expected enrollment, reducing renewal overhead for the small IT team.
Later on, the school deployed the latest PKI architecture, enabling continuous trust enforcement by checking device compliance attributes from Entra ID, Intune, and Jamf throughout the certificate lifecycle, not only at the moment of issuance. If a device fell out of compliance or a student’s account was disabled, the enforcement layer could respond in near real time.
The SecureW2 support team demonstrated a bulk revocation workflow for graduating students, using Intune excluded groups and portal-based batch operations to clean up certificate records at scale. The process gave the network administrator a repeatable method for each graduation cycle instead of manual record-by-record cleanup.
Moving forward, the school is considering implementing a captive portal or sponsored access workflow that would replace the shared-password guest network entirely and solve the problem of students accessing the Wi-Fi portal.
The Results
- Three MDM platforms — issuing certificates through a single PKI
- Continuous trust enforcement active — device compliance checked throughout the certificate lifecycle, not just at issuance
- Bulk revocation workflow — established for annual graduation cleanup, replacing manual certificate management
- Guest Wi-Fi portal — under evaluation to replace the shared-password system
The deployment grew from basic certificate issuance to a continuous trust model in three years. For a school where every student is a potential vector for unauthorized network access, tying Wi-Fi authentication to verified identity and live compliance data fundamentally changed the security posture.