The Challenge
A multi-state managed security service provider designs surveillance, access control, and situational awareness systems for large, high-value facilities. Their physical systems were locked down, but the organization noticed a key shortfall. Their clients’ cameras, access readers, and IoT devices sat on enterprise networks authenticated by pre-shared keys or open connections, a major security gap for environments where safety is paramount.
Furthermore, the lack of a secure onboarding process for personal devices in many cases meant that BYOD traffic introduced additional unmanaged risks to these sensitive networks.
The company decided to correct this shortfall by standardizing a robust 802.1X framework across its client base and transitioning from legacy credentials to certificate-based authentication. A few challenges stood in the way:
- No scalable cert-based WPA2-Enterprise for Managed Service Provider (MSP) clients: The existing setup could not support certificate-based 802.1X at scale across multiple client environments.
- Internal validation: The organization needed to run SecureW2 in production on its own network before recommending it to clients with strict security requirements.
- Incompatible infrastructure: The client used Jamf Now as their iOS MDM, and it lacked the SCEP and API infrastructure necessary for the automated issuance of certificates. The infrastructure required an immediate upgrade or migration.
The Solution
The SecureW2 team configured self-service BYOD onboarding for the client through the JoinNow MultiOS enrollment portal, allowing users to secure Android, iOS, and Windows devices via an automated, IT-independent workflow. Corporate device enrollment runs through Intune for Windows and Android using SCEP profiles.
The Jamf Now limitation prompted the team to evaluate other options. They considered Jamf Pro, which exposes SCEP and API endpoints, or consolidating iOS management under Intune to simplify the MDM stack.
Multi-tenant PKI framework planning is underway for future customer deployments. The organization plans to provision each client as a sub-account under its parent organization, isolating certificate hierarchies and RADIUS configurations while managing everything from a single interface.
The client also plans to extend certificate-based authentication beyond user hardware to physical infrastructure, such as surveillance cameras and access control systems.
The Results
- BYOD enrollment successful across three operating systems: Android, iPhone, and Windows devices completed self-service onboarding without issues
- MDM limitation caught during internal testing: The Jamf Now SCEP gap was identified before the team recommended the new architecture to any clients — validating the eat-your-own-cooking approach
The internal deployment serves its intended purpose: proving the platform works before introducing it to clients with high-security requirements. With BYOD validated and corporate device enrollment running through Intune, the next milestone is the first multi-tenant client deployment.