The Challenge
An AI-powered biotech startup with more than 100 employees planned to move its headquarters while adding new staff. This created four main challenges for the IT team:
- Secure Wi-Fi had to work on move-in day. A phased rollout wasn’t an option; connectivity from the start was a fundamental requirement of the deployment.
- The network needed to accommodate a multi-MDM environment. Addigy managed 80% of the fleet (macOS), while Intune covered the rest (Windows). Successful certificate delivery through both MDM platforms without separate enrollment workflows was crucial.
- Wired access was not secured. Anyone who walked into the building could plug in and access the network, which was a serious security risk. No certificate-based control existed for wired ports.
- The team wanted to upgrade network security for remote workers. Logins through a secure access service edge (SASE) provider required passwords, which the company wanted to replace with certificates.
The Solution
The company chose the SecureW2 JoinNow Platform based on its ability to integrate with both Addigy and Intune from a single PKI platform. JoinNow also offered cloud-based RADIUS support for Juniper Mist wireless infrastructure and Okta as the identity provider.
SecureW2 engineers set up secure Wi-Fi on Apple devices using custom mobile configuration profiles with RADIUS client certificates and Okta FastPass integration. SCEP delivered certificates through Addigy to macOS endpoints, which comprised roughly 80% of the device fleet. Intune configuration for Windows followed using standard SCEP profiles.
Employees arriving at the new headquarters were able to connect to the corporate network on the first attempt. With the biggest challenges solved, the IT team set their sights on securing wired and SASE access, as well as creating a secure guest Wi-Fi network.
JoinNow cloud RADIUS handled authentication for each access layer — wireless, wired, and SASE — using EAP-TLS with real-time identity checks against Okta. Within a few months, wired 802.1X was live on Juniper network switches with the RADIUS server, closing the physical access security gap. SASE authentication through Cato Networks was also confirmed operational, giving the startup certificate-based access control over remote devices.
The Results
- Move-in day connectivity: Mac devices connected at the new headquarters on the first attempt with no IT intervention.
- Three access layers on one platform: Wi-Fi (EAP-TLS), wired 802.1X (Juniper EX4400), and SASE (Cato Networks) all run on the same cloud PKI and RADIUS server.
- Multi-MDM, single PKI: Addigy (macOS) and Intune (Windows) both deliver certificates from one platform with no duplicate infrastructure.
Down the road, code signing certificates and SentinelOne EDR integration are both on the agenda, which will add more security functions for the fast-growing startup.