The Challenge
A leading data and AI platform company with approximately 6,000 employees had avoided traditional network access control entirely. The IT team assumed the technology required on-premises hardware — a nonstarter for an organization built on a cloud-first, automation-first philosophy.
Corporate Wi-Fi ran on pre-shared keys, potentially exposing the network to credential-based attacks despite an otherwise strong security posture. The organization needed a solution to protect the network without introducing cumbersome on-premises hardware or requiring a complete overhaul of existing solutions.
Automation, Cloud Infrastructure and Interoperability
The company onboards more than 20 new employee devices every week through a Mac-first environment managed by Jamf Pro. Manual certificate provisioning at that velocity was not feasible.
The network team needed an automated solution that could:
- replace PSK-based Wi-Fi with EAP-TLS certificate authentication
- deploy entirely from the cloud, with no on-premises RADIUS or PKI
- integrate natively with Okta for identity and Jamf Pro for device management
- revoke certificates automatically when employees leave or devices fall out of compliance
The organization also needed an intuitive solution with minimal maintenance needs. A lean network team managed the entire environment and prioritized ease of use alongside fast time-to-value.
The Solution
The deployment centered on a single Jamf configuration profile that delivers seamless certificate-based Wi-Fi and VPN access to managed devices, with no manual intervention required. The SCEP certificate, corporate SSID configuration and VPN settings are bundled into one profile for consistent and reliable connectivity.
The team sequenced the certificate deployment after CrowdStrike and other software installs to protect against potential enrollment failures. A receipt file on the device confirms enrollment completion before the certificate profile applies.
Identity flows through Okta into Jamf, where user attributes populate the certificate subject fields. The team built a remediation script that checks each device’s username in Jamf and updates the username field with the correct corporate email domain if the field is blank.
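The remediation step described above, as an added example (not the team's script or Jamf's own tooling): normalize each device's Jamf username into the email-style value the certificate subject needs, filling a blank field and also qualifying a bare account name, which goes slightly beyond the blank-field case the text mentions. The corporate domain, record field names and the Jamf Pro API call shape are assumptions; the inventory records are constructed.

```python
# Added example (not the team's script or Jamf's own tooling): normalize the
# Jamf "username" field so the SCEP certificate subject carries a full corporate
# email. Domain, field names and API call shape are assumptions; the inventory
# records at the bottom are constructed, not real devices.
from typing import Optional

CORP_DOMAIN = "example.com"  # assumed corporate email domain

def remediate_username(record: dict, domain: str = CORP_DOMAIN) -> Optional[str]:
    """Corrected username for one Jamf record, or None when the record is
    already domain-qualified or carries nothing to derive a value from."""
    username = (record.get("username") or "").strip()
    if username and "@" in username:
        return None  # already in the form the certificate subject needs
    if username:
        # Bare account name from the Okta sync: qualify it with the domain.
        return f"{username}@{domain}".lower()
    # Blank username: fall back to the email field, then the local account.
    email = (record.get("email") or "").strip()
    if "@" in email:
        return email.lower()
    local = (record.get("local_account") or "").strip()
    return f"{local}@{domain}".lower() if local else None

def plan_updates(records, domain: str = CORP_DOMAIN) -> dict:
    """Map device id -> corrected username for every record that needs a fix."""
    updates = {}
    for rec in records:
        fixed = remediate_username(rec, domain)
        if fixed is not None:
            updates[rec["id"]] = fixed
    return updates

def push_update(session, base_url: str, device_id: int, username: str):
    # Assumed request shape for the Jamf Pro API; check it against your version.
    return session.patch(
        f"{base_url}/api/v1/computers-inventory-detail/{device_id}",
        json={"userAndLocation": {"username": username}},
    )

SAMPLE = [  # constructed sample inventory
    {"id": 101, "username": "jsmith", "email": "", "local_account": "jsmith"},
    {"id": 102, "username": "", "email": "A.Lee@Example.com", "local_account": "alee"},
    {"id": 103, "username": "", "email": "", "local_account": "mkhan"},
    {"id": 104, "username": "pwong@example.com", "email": "", "local_account": "pwong"},
    {"id": 105, "username": "", "email": "", "local_account": ""},
]
if __name__ == "__main__":
    for dev, name in plan_updates(SAMPLE).items():
        print(f"device {dev}: set username -> {name}")
```

Records that produce no value (device 105) are the ones to surface to the team rather than write, since a certificate issued with an empty subject is the failure this check exists to prevent.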
For certificate revocation, the team configured two parallel channels: moving a device to a designated Jamf group triggers immediate revocation through the Device Control Platform, and deactivating a user in Okta triggers revocation through event hooks tied to the Adaptive Defense integration. During a support session the team also activated PKI Intelligence Brief and distribution book notifications, which send email alerts on enrollment failures and certificate lifecycle events.
The Results
- 17,000 devices secured: EAP-TLS certificate-based authentication for Wi-Fi and VPN
- Zero on-premises infrastructure: the entire PKI and RADIUS deployment runs in the cloud
- Automated certificate lifecycle: tied to Okta and Jamf, covering enrollment, identity validation and dual-channel revocation
- 20+ devices onboarded weekly: certificates provisioned automatically as part of the standard workflow