The Challenge
A food manufacturing company operating multiple production sites across the United Kingdom struggled to keep its fleet of mission-critical devices online and connected to the network.
The devices, including many shared kiosk terminals and factory floor workstations, are essential to maintaining uptime. However, reliance on a legacy credential-based authentication solution led to frequent loss of network access, creating bottlenecks that impacted the whole organization.
The fleet included approximately 900 Windows machines managed through Intune, alongside iOS and Android devices used by onsite engineers and operations staff. Many of these devices were shared kiosk terminals with no single primary user assigned.
The organization relied on user-based SCEP certificates, which require a signed-in user during the enrollment process. This model didn’t work with shared kiosks, which sit at the Windows login screen waiting for any authorized employee to sign in.
Without a user session, the device could not request a certificate, and without a certificate, the device could not connect to Wi-Fi. The team was concerned about engineers arriving at a production site and being unable to connect to the network until someone logged in, defeating the purpose of always-on factory connectivity.
The company also needed to standardize certificate attributes across all three operating system platforms. Windows, iOS, and Android each handle SCEP enrollment differently, and the device lookup attributes had to match across all platforms for Cloud RADIUS to apply consistent network policies. VLAN assignment, compliance checking, and BYOD access for personal devices all depended on getting this cross-platform alignment right.
The Solution
The SecureW2 team worked closely with the manufacturer to build a custom deployment, using JoinNow PKI with JoinNow Cloud RADIUS configured for global RADIUS across multiple geographic sites.
For the manufacturer’s standard user devices, Intune distributes user SCEP certificates that authenticates each employee to the corporate SSID via EAP-TLS. For the shared and kiosk devices, the SecureW2 team added a machine SCEP certificate profile alongside a machine Wi-Fi profile. Machine certificates deploy during the device enrollment phase — before any user signs in — giving kiosk devices network connectivity at the Windows login screen.
Azure Device ID serves as the primary lookup attribute across all platforms, replacing device name as the identifier. Device names can change; Azure Device IDs do not. This standardization means Cloud RADIUS applies the same lookup logic whether the connecting device runs Windows, iOS, or Android. Network policies evaluate the certificate, confirm the device is managed, and assign the correct VLAN.
SecureW2 also expanded accessibility beyond the existing ecosystem. The guest portal provides branded self-service access for visitors. A BYOD self-service portal is in testing for employees who bring personal devices. Samsung Knox integration is being explored for Android-managed devices to extend certificate enrollment to additional factory hardware.
The Results
- Shared device problem solved: machine certificates authenticate kiosks and factory workstations before any user signs in
- 1,300+ devices enrolled across Windows, iOS, and Android with consistent Azure Device ID lookup
- Global RADIUS serves multiple production sites from a single cloud-hosted RADIUS configuration
- BYOD self-service portal in testing to extend secure access to employee personal devices