Provisioning
Provisioning plays an important part in the proper configuration of clients. Provisioners are executed as part of a Connection Profile's operation after a successful authentication. Provisioners deliver configuration information to clients or verify a device's management status with third-party MDM solutions. On-device agents deliver wireless network settings to client devices. For iOS-based Apple devices, the required functions are built in. You must download the required agents to Android- and Windows-based devices.
The figure below shows an overview of the components involved in provisioning.
The key elements are:
- Connection Profiles: multiple provisioners can be invoked in the final step of authentication, tying together all other configuration elements. Provisioners are evaluated in order until one that satisfies the operating system and role constraints is executed. See Configuration for an overview of configuration.
- Provisioners: provisioners provide configuration for possible clients, filtering based on operating system, Roles, and other conditions. Several provisioners are built into A3 to perform common tasks:
  - Android
  - Apple
  - Windows
  - Accept: accepts clients (filtering on role and OS) without any further provisioning.
  - Deny: denies clients based on role and OS.
  - Interfaces: connect to third-party provisioners and MDMs (mobile device managers).
- Roles: the list of all possible roles. Each provisioner has an optional set of roles drawn from this list to use as a filter. Client roles are set as part of authentication, as described in Authentication Sources. A client's role must match one of the settings in the provisioner role list unless the list is empty.
- Fingerbank: provides operating system identities used by provisioners to filter inapplicable clients.
- PKI Providers: provide an interface to PKI servers that generate certificates used to sign and trust third parties.
- Captive Portal: the captive web portal is used by Android, Apple, and Windows provisioners to configure clients with these operating systems. Android clients are redirected to obtain their agents through the Android Play Store. Apple clients incorporate agent functionality. Windows agents are contained within A3 and are automatically downloaded. Each of these provisioners may specify a new wireless connection from the access point including SSID, EAP, and security type.
- Third-party provisioners and MDMs (mobile device managers): the A3 provisioners are interfaces to online systems associated with the MDMs. A3 uses these interfaces to query the MDM to determine if the client is included in its database. If not, the client is transitioned to a pending status. If the client is in the MDM's database, then it is assumed that the client has been previously configured by the MDM.
- Access point: Android, Apple, and Windows provisioners may specify a new connection from the access point, including SSID, EAP, and security type during their execution.
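
Because provisioners run in order until one matches, and an empty role list matches every role, a broad provisioner placed early can keep a later Deny from ever executing. The Python model below is an added example, not A3 code: the class, the `action` labels, the role and OS names, and the rule that an empty OS filter means any OS are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Provisioner:
    name: str
    action: str                      # "accept", "deny" or "configure" (labels are assumptions)
    roles: frozenset = frozenset()   # empty list = no role filter, as the page states
    oses: frozenset = frozenset()    # empty = any OS (assumption; the page only says OS is a filter)

    def matches(self, role, os_name):
        return ((not self.roles or role in self.roles) and
                (not self.oses or os_name in self.oses))

def covers(wide, narrow):
    """True if filter set `wide` admits everything `narrow` admits."""
    return not wide or (bool(narrow) and narrow <= wide)

def select(profile, role, os_name):
    """First provisioner, in list order, whose role and OS constraints match."""
    return next((p for p in profile if p.matches(role, os_name)), None)

def shadowed(profile):
    """Pairs (earlier, later) where `later` can never execute."""
    return [(p.name, q.name)
            for j, q in enumerate(profile)
            for p in profile[:j]
            if covers(p.roles, q.roles) and covers(p.oses, q.oses)]

# Constructed sample profiles; role and OS names are made up.
GUEST = frozenset({"guest"})
accept_all = Provisioner("accept-any", "accept")
deny_guest = Provisioner("deny-guest", "deny", roles=GUEST)
apple = Provisioner("apple-eap", "configure", oses=frozenset({"iOS"}))

WEAK = [apple, accept_all, deny_guest]     # deny listed after a catch-all accept
FIXED = [deny_guest, apple, accept_all]    # specific rules first, catch-all last

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("fixed", FIXED)):
        hit = select(profile, "guest", "Android")
        print(label, "-> guest/Android handled by", hit.name,
              "| shadowed:", shadowed(profile))
```

Running `shadowed()` over a profile's provisioner list before deploying it flags entries that are dead because of ordering.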
Copyright © 2020 Extreme Networks. All rights reserved. Published December 2020.