
Provisioners

Menu path: Configuration > Advanced Access Configuration Overview > Provisioners.

Provisioners automate the configuration of client devices following authentication. Provisioners are referenced in Connection Profiles. Provisioners can be created for each type of device or device application and for each of the Roles that can apply.

The general format and usage of this page is discussed in General GUI Usage.

The Android and Windows provisioners automatically download profiles to clients. Apple devices have the necessary functions built in. Agents for Android devices are downloaded from the Android Play Store. The Windows agent is included with A3 and automatically installed during provisioner execution.

The Provisioners page lists available provisioners. Selecting any of the provisioners makes it available for editing. A provisioner can be deleted with the DELETE button, and cloned as the basis for a new provisioner definition with the CLONE button.

New provisioners are added with the New Provisioner button. The available types of provisioners are:

Accept

The Accept provisioner enables client connections based on their operating system. The fields in the form used for creation and editing are:

Field Usage Example
Provisioning ID A unique name for the provisioner. Android OK
Description A further description of the provisioner. Accept all Android Devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Role The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. Android

Android

Android provisioning is used for any Android-based device. The following domains should be included in the active passthrough domains in Fencing: *.ggpht.com, *.googleusercontent.com, android.clients.google.com, *.googleapis.com, *.android.clients.

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Android
Description A further description of the provisioner. Students using Android devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
SSID The SSID configuration that will be created on the client device. student-internal
Broadcast Network If enabled, the SSID is a visible, broadcast network. If disabled, the SSID is a hidden network.

slider-off icon

Security Type

The type of security applied to the SSID. The choices are:

  • Open
  • WEP - requires further specification of the Wi-Fi Key
  • WPA - requires further specification of the Wi-Fi Key
  • WPA2 - requires further specification of EAP Type and, if no EAP is chosen in EAP Type, of the Wi-Fi Key
WPA2
Enable DPSK If enabled, dynamic keys will be generated.

slider-off icon

Wi-Fi Key The pre-shared key needed to join the SSID. 1234567890
EAP Type

Used when Security type is set to WPA2. The choices are:

  • PEAP - requires further specification of RADIUS server certificate path
  • EAP-TLS - requires further specification of PKI Provider
  • No EAP
PEAP
Wi-Fi Key The Wi-Fi Key used to join the SSID when the Security type is WPA2 and EAP type is No EAP.  
RADIUS Server Certificate Path The address within the A3 server where the server certificate is located. The default setting is /usr/local/A3/conf/ssl/server.crt. Used for the WPA2 Security type with PEAP EAP type. /usr/local/A3/conf/ssl/server.crt
PKI Provider The choice of PKI provider when the Security type is WPA2 and EAP type is EAP-TLS.  

Deny

The Deny provisioner denies client connections based on their operating system. The fields in the form used for creation and editing are:

Field Usage Example
Provisioning ID A unique name for the provisioner. iOS Deny
Description A further description of the provisioner. Deny all iOS devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. iOS

Dynamic PSK

The Cisco DPSK (dynamic pre-shared keys) provisioner causes keys to be dynamically generated.

Field Usage Example
Provisioning ID A unique name for the provisioner. Need DPSK
Description A further description of the provisioner. Devices with DPSKs
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
SSID The SSID configuration that will be created on the client device. student-internal
OS The list of operating systems to which the provisioner will be applied.
PSK length The length of the PSK keys to be generated. The minimum length is eight characters. 8

IBM

??? This looks like it's MaaS360, but I can't find any details ???

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Android
Description A further description of the provisioner. Students using Android devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
Username    
Client Secret    
Host    
Port    
Protocol    
API URL    
OS The list of operating systems to which the provisioner will be applied.
Agent Download URL    

Jamf

The A3 interface to Jamf requires the use of a cloud account.

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-iOS
Description A further description of the provisioner. Students using Apple devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. iOS
Host The JAMF cloud host to contact. The cloud address is of the form: <youraccount>.jamfcloud.com. example.jamfcloud.com
Port The port number to contact the host on. 443 is used for the cloud. 443
Protocol The protocol to use when contacting the host, either http or https. https
API Username The user name when logging into the JAMF service. admin
API Password The password associated with the JAMF user name. secret
Automatic Client Detection If enabled, automatically detects the device's details.

slider on icon

Query JAMF Computers Inventory If enabled, JAMF will query its database of known computers.
Query JAMF mobile Devices Inventory If enabled, JAMF will query its database of known mobile devices.

Apple Devices

Apple provisioning is used for any Apple device. Two tabs are used for Apple devices:

Settings

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Apple
Description A further description of the provisioner. Students using Apple devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
SSID The SSID that the client will be assigned to. student-internal
Broadcast Network If enabled, the SSID is a visible, broadcast network. If disabled, the SSID is a hidden network.

slider-off icon

Security Type

The type of security applied to the SSID. The choices are:

  • Open
  • WEP - requires further specification of the Wi-Fi Key
  • WPA - requires further specification of the Wi-Fi Key
  • WPA2 - requires further specification of EAP Type and, if no EAP is chosen in EAP Type, of the Wi-Fi Key
WPA2
Enable DPSK If enabled, dynamic keys will be generated.

slider-off icon

Wi-Fi Key The pre-shared key needed to join the SSID. 1234567890
EAP Type

Used when Security type is set to WPA2. The choices are:

  • PEAP - requires further specification of RADIUS server certificate path
  • EAP-TLS - requires further specification of PKI Provider
  • No EAP
PEAP
Wi-Fi Key The Wi-Fi Key used to join the SSID when the Security type is WPA2 and EAP type is No EAP.  
RADIUS Server Certificate Path The address within the A3 server where the server certificate is located. The default setting is /usr/local/A3/conf/ssl/server.crt. Used for the WPA2 Security type with PEAP EAP type. /usr/local/A3/conf/ssl/server.crt
PKI Provider The choice of PKI provider when the Security type is WPA2 and EAP type is EAP-TLS.  

Signing

Apple devices require signed profiles in order to avoid warnings about missing certificates. The fields in this tab are:

Field Usage Example
Sign Profile If enabled, profiles will be signed with the certificates in this form. slider on icon
The Certificate Used to Sign Profiles, in PEM Format A PEM formatted Apple developer certificate for use when signing profiles sent to clients.
The Private Key Used to Sign Profiles, in PEM Format The PEM formatted key associated with the certificate.  
The Certificate Chain Associated with the Signer Certificate, in PEM Format The PEM formatted certificate chain associated with the signer's certificate.  

Microsoft Intune

Use the following steps to prepare Intune for use with A3:

  1. Log into the Azure portal and ensure that you have Intune licenses.
  2. From the Azure portal, you'll need to create an application to enable access to the Graph API:
    1. Select Azure Active Directory.
    2. Select App registrations.
    3. Select New registration.
  3. On the Register an application form, enter:
    1. A3, or some other name, in the Name field.
    2. Select Accounts in this organizational directory only (company name).
    3. Select Done.
  4. On the following form, which is titled with the Name from above:
    1. Copy the following that will be used to configure A3: Application (client) ID, Directory (tenant) ID, and Object ID.
    2. Select Certificates & secrets.
    3. Select New client secret.
    4. This will present a password for use for the application. Copy it now; there will not be an opportunity later.
    5. Add permissions to the API:
      1. Select API permissions.
      2. Select Microsoft Graph.
      3. In the right pane select Application permissions and add two lines: Device.ReadWrite.All and DeviceManagementManagedDevices.Read.All.
    6. Select Grant admin consent.

The fields in the creation/editing form are:

Field Usage Example
Provisioning ID A unique name for the provisioner. Intune-clients
Description A further description of the provisioner. Registered Intune clients
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. ios
Application ID The Application (client) ID copied in step 4a above.  
Application Secret The client secret copied in step 4d above.  
Tenant ID The Directory (tenant) ID copied in step 4a above.  
Host The name of the boarding host obtained from the API. graph.microsoft.net
Port The port for API access. 443
Protocol The protocol for API access. https
Login The login port for the API. login.microsoftonline.com
Android Agent Download URL

The URI to use for Android client provisioning.

https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal&hl=en_US
iOS Agent Download URL

The URI to use for iOS client provisioning.

https://apps.apple.com/us/app/intune-company-portal/id719171358
macOS Agent Download URL

The URI to use for macOS client provisioning.

https://portal.manage.microsoft.com
Authorized Domains A comma-separated list of domains that are required to reach the download URLs. play.google.com,portal.manage.microsoft.com,apps.apple.com,docs.microsoft.com

MobileIron

MobileIron supports provisioning of Android, Apple, and Windows devices. Use the following steps to prepare MobileIron for use with A3:

  1. Log in to your MobileIron account and select SETTINGS.
    1. Create an MDM certificate for use with Apple devices by selecting Install MDM Certificate.
  2. Create a user with rights to access MobileIron's API:
    1. Select USERS & DEVICES, then Users, and then select Add local user.
    2. Enter information for a user (e.g. a3user), noting the user name and password.
    3. Select SAVE.
    4. Select the ADMIN tab, check the box for the just-entered user, then select Actions and choose Assign to Space.
    5. Select Global space at the top and check API at the bottom.
  3. Obtain the name of the boarding host by adding a fake device to MobileIron. At the end of the process the registration instructions will be displayed. The boarding host is labeled as the Server Address on that page.

The fields in the creation/editing form are:

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Apple
Description A further description of the provisioner. Students using Apple devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. ios
User Name The name of a user with a MobileIron account with rights to access its API. This is obtained in step 2b above. A3 api-user
Client Secret The password associated with the user. It is obtained in step 2b above. secret
Host The name of the boarding host obtained from the MobileIron web UI in step 3 above. If you have an account name, the name is appended at the end of the host name. For example, m.mobileiron.net/companyX. m.mobileiron.net
Android Download URL

The URI to use for Android client provisioning: 

https://m.mobileiron.net/<accountName>/c/d/android.html, where <accountName> is the name of the MobileIron account.

https://m.mobileiron.net/example-co/c/d/android.html
iOS Download URL

The URI to use for iOS client provisioning:

https://m.mobileiron.net/<accountName>/c/d/ios.html, where <accountName> is the name of the MobileIron account.

https://m.mobileiron.net/example-co/c/d/ios.html
Windows Phone Download URL

The URI to use for Windows client provisioning: 

https://m.mobileiron.net/<accountName>/EnrollmentServer/Discovery.svc, where <accountName> is the name of the MobileIron account.

https://m.mobileiron.net/example-co/EnrollmentServer/Discovery.svc
Boarding Host The boarding host obtained in step 3 above.  
Boarding Port The port associated with the boarding host.  

OPSWAT

OPSWAT Metadefender Endpoint provides information about device compliance before and during network access. The following discussion assumes that OPSWAT server components have been installed on the A3 host and are referred to via an IP address of 127.0.0.1 or name of localhost. The following steps are used to configure an OPSWAT account:

  1. Create an OPSWAT Metadefender Endpoint account at https://www.opswat.com/products/metadefender/endpoint/management/.
  2. Create a developer account at https://gears.opswat.com/developers.
    1. Register a new application with a callback URL of http://127.0.0.1/opswat.
    2. Note the client key and client secret.
    3. Obtain an install URL by selecting +Devices, then Enable Metadefender Endpoint client on another device, then Download or send link for guest Metadefender Endpoint clients.
    4. Note the URL at the bottom of the screen.
  3. Generate an OAuth2 access and refresh token:
    1. Access the web page at https://gears.opswat.com/o/oauth/authorize?client_id=<clientid>&response_type=code&redirect_uri=http://127.0.0.1/opswat, where <clientid> is your client key obtained in step 2b.
    2. When the application is authorized, the browser will be redirected to a non-existent web page: http://127.0.0.1/opswat?code=<code>.
    3. Generate the access and refresh tokens using: https://gears.opswat.com/o/oauth/token?client_id=<clientid>&client_secret=<clientsecret>&grant_type=authorization_code&redirect_uri=http://127.0.0.1/opswat&code=<code>. <clientid> and <clientsecret> were obtained in step 2b, while <code> is from step 3b.
    4. The access token and refresh token will be embedded in a message of the form:
    {"access_token":"ab3aec71-fa6a-4752-8804-00c37f934059","token_type":"bearer","refresh_token":"f9e7c698-4d88-42cb-b9ae-c067557e8385","expires_in":43199,"scope":"read","client_id":"1234567890"}

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Android
Description A further description of the provisioner. Students using Android devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. ios
Client ID The key obtained when registering an application in step 2b above.
Client Secret The secret obtained when registering an application in step 2b above.
Host The OPSWAT host to use, typically gears.opswat.com. gears.opswat.com
Port The port number to contact the OPSWAT host on, typically 443. 443
Protocol The protocol to use for contacting the host, either https or http. https
Access Token The access token obtained above in step 3d.  
Refresh Token The refresh token obtained above in step 3d.  
Agent Download URL The URL obtained in step 2d above.  

SentinelOne

SentinelOne performs provisioning for Windows and Mac OSX clients. Version 2.0 of the Sentinel API is now supported. In order to prepare for integration with A3, follow these steps:

  1. Download the SentinelOne agents to A3's web server area at /usr/local/A3/html/common.
    1. Log in to the SentinelOne management console.
    2. Download the Windows and Mac OSX agents to your computer in the Settings>Updates page.
    3. Move the files to A3 using SCP into a web accessible space below /usr/local/A3/html/common. In this description, the following locations will be used:
      1. /usr/local/A3/html/common/SentinelOne.exe for the Windows agent.
      2. /usr/local/A3/html/common/SentinelOne.pkg for the Mac OSX agent.
  2. Create an API user to access the SentinelOne API.
    1. Go to Settings>Users.
    2. Enter the particulars for a user (e.g. a3user). Note the user name and password.

 

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Windows
Description A further description of the provisioner. Students using Windows devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. windows
Host The name of the SentinelOne instance, usually of the form <company>.sentinelone.net. companyX.sentinelone.net
Port The port number to access the host on. Usually 443. 443
Protocol The protocol to access the host with, one of https or http. Usually https. https
API User Name The user name obtained in step 2b above. a3user
API Password The password associated with the API username, obtained in step 2b above. secret
Windows Agent Download URL The URI of the SentinelOne.exe agent within the server. E.g. /common/SentinelOne.exe in this description. /common/SentinelOne.exe
Mac OSX Agent Download URL The URI of the SentinelOne.pkg agent within the server. E.g. /common/SentinelOne.pkg in this description. /common/SentinelOne.pkg

Servicenow

 

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Windows
Description A further description of the provisioner. Students using Windows devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. windows
Username The Servicenow user name. admin
Client Secret The secret used to secure Servicenow access. ****
Host The Servicenow host.  
Protocol One of http: or https: used to access the Servicenow host. https
MAC table name The Servicenow MAC table used to verify client computers. NYCOffice
Agent table name The Servicenow agent table name used to verify clients. NYCAgents

Symantec Endpoint Protection Manager (SEPM)

SEPM is used for provisioning Windows 32- and 64-bit clients. Use the following steps to prepare SEPM for use with A3:

  1. Create SEPM policies and groups using the Symantec interfaces. This discussion will use the default policies and default groups.
  2. Create the install package using the SEPM UI.
    1. Select Clients from the left, then select the group that clients should belong to, and then select Add a client.
    2. On the wizard page select New Package Deployment and select Next.
    3. On the next page, select a Windows Install Package, then select the desired contents, and then select Next.
    4. On the next page, select Save Package and select Next.
    5. On the next page, select where you would like to place the package. C:\temp will be used in this discussion. Select Next.
    6. In the final wizard page, confirm the settings and select Next.
  3. Move the sep.exe and sep64.exe files to A3 using SCP into a web accessible space below /usr/local/A3/html/common. In this description, the following locations will be used:
    1. /usr/local/A3/html/common/sep.exe for the 32-bit Windows agent.
    2. /usr/local/A3/html/common/sep64.exe for the 64-bit Windows agent.
  4. Obtain OAuth2 access and refresh tokens to access the SEPM API:
    1. Use a browser to access https://localhost:8446/sepm.
    2. Accept any certificate error and log in with your SEPM credentials.
    3. Select Add an application.
    4. Take note of the Client ID and Client Secret for the displayed application.
  5. Generate the authorization code:
    1. Access the following page in your browser, substituting the Client ID from step 4d for <clientid>: https://localhost:8446/sepm/oauth/authorize?response_type=code&client_id=<clientid>&redirect_uri=http://localhost/.
    2. The browser will be redirected to a non-existent web page: http://127.0.0.1/?code=<code>.
    3. Generate the access and refresh tokens with https://localhost:8446/sepm/oauth/token?grant_type=authorization_code&client_id=<clientid>&client_secret=<clientsecret>&redirect_uri=http://localhost/&code=<code>. <clientid> and <clientsecret> were obtained in step 4d, and <code> was obtained in step 5b.
    4. The access token and refresh token will be embedded in a message of the form:
    {"access_token":"4e3ab3ab-7b1e-4d24-9f5e-c347599a8a72","token_type":"bearer","refresh_token":"e03fd915-e9dd-45a6-a05a-e5a1c53c1ccd","expires_in":43199}
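
The authorization-code exchange described in the OPSWAT and SEPM steps above, as an added example that is not part of the A3 documentation: it builds both URLs with proper encoding, reads <code> from the loopback redirect, and maps the token reply onto the Access Token and Refresh Token form fields. The function names and the REDACTED marker are assumptions; the sample reply is the OPSWAT one printed on this page.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit

# Endpoint bases and callbacks exactly as given in the OPSWAT and SEPM steps.
OPSWAT = {"base": "https://gears.opswat.com/o/oauth",
          "redirect_uri": "http://127.0.0.1/opswat"}
SEPM = {"base": "https://localhost:8446/sepm/oauth",
        "redirect_uri": "http://localhost/"}
LOOPBACK = {"localhost", "127.0.0.1"}  # the page uses both names for the callback


def authorize_url(svc, client_id):
    """URL to open in a browser to obtain the authorization code."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": svc["redirect_uri"]})
    return f"{svc['base']}/authorize?{query}"


def extract_code(redirected_url, svc):
    """Read <code> from the address bar after the redirect to the dead page."""
    got, want = urlsplit(redirected_url), urlsplit(svc["redirect_uri"])
    same_place = (got.scheme == want.scheme
                  and got.hostname in LOOPBACK
                  and got.path.rstrip("/") == want.path.rstrip("/"))
    if not same_place:
        raise ValueError("redirect does not match the registered callback")
    params = parse_qs(got.query)
    if "error" in params:  # standard OAuth2 error reply (RFC 6749, 4.1.2.1)
        raise ValueError(f"authorization refused: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_url(svc, client_id, client_secret, code):
    """URL that exchanges the code for the access and refresh tokens."""
    query = urlencode({"grant_type": "authorization_code",
                       "client_id": client_id, "client_secret": client_secret,
                       "redirect_uri": svc["redirect_uri"], "code": code})
    return f"{svc['base']}/token?{query}"


def redact(url, secret_keys=("client_secret", "code")):
    """Copy of a URL that is safe to paste into a ticket or log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in secret_keys else v)
             for k, v in parse_qsl(parts.query)]
    return parts._replace(query=urlencode(pairs)).geturl()


def parse_token_response(body, issued_at):
    """Map the JSON reply onto the provisioner form fields, plus an expiry time."""
    data = json.loads(body)
    missing = [k for k in ("access_token", "refresh_token", "expires_in")
               if k not in data]
    if missing:
        raise ValueError(f"token response lacks {', '.join(missing)}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"Access Token": data["access_token"],
            "Refresh Token": data["refresh_token"],
            "expires_at": issued_at + timedelta(seconds=int(data["expires_in"]))}


# Sample reply as printed in the OPSWAT steps on this page.
SAMPLE_REPLY = ('{"access_token":"ab3aec71-fa6a-4752-8804-00c37f934059",'
                '"token_type":"bearer",'
                '"refresh_token":"f9e7c698-4d88-42cb-b9ae-c067557e8385",'
                '"expires_in":43199,"scope":"read","client_id":"1234567890"}')

if __name__ == "__main__":
    # Client ID, secret and code below are constructed placeholders.
    print(authorize_url(SEPM, "example-client-id"))
    code = extract_code("http://127.0.0.1/?code=example-code", SEPM)
    print(redact(token_url(SEPM, "example-client-id", "example-secret", code)))
    print(parse_token_response(SAMPLE_REPLY, datetime.now(timezone.utc)))
```

The token URL carries the client secret and the one-time code in its query string, so record only the redacted form when documenting the setup.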

The fields in the SEPM provisioner form are:

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Windows
Description A further description of the provisioner. Students using Windows devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. windows
Client ID The client ID obtained in step 4d above. a3user
Client Secret The client secret obtained in step 4d above. secret
Host The IP address of SEPM host. localhost
Port The port to use to contact the SEPM API, usually 8446. 8446
Protocol The protocol to use to contact the SEPM API, one of https or http. https
Access Token The access token obtained in step 5d above.  
Refresh Token The refresh token obtained in step 5d above.  
Agent Download URL The HTTP path where the 32-bit package was placed on the A3 server. http://localhost/common/sep.exe
Alt Agent Download URL The HTTP path where the 64-bit package was placed on the A3 server. http://localhost/common/sep64.exe

Symantec App Center

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Android
Description A further description of the provisioner. Students using Android devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
OS The list of operating systems to which the provisioner will be applied. ios
User Name    
Client Secret    
Host    
Port    
Protocol    
Api URL    
Agent Download URL    

Windows

The fields in the Windows provisioner form are:

Field Usage Example
Provisioning ID A unique name for the provisioner. Student-Windows
Description A further description of the provisioner. Students using Windows devices
Enforce Indicates whether to apply the provisioner during authentication and on the captive portal. services running icon
Auto register Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner. service stopped icon
Auto role Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner. service stopped icon
Role to apply If Apply Role is set, then this is the role to apply.
Roles The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined. guests students
SSID The SSID configuration that will be created on the client device. student-internal
Broadcast Network If enabled, the SSID is a visible, broadcast network. If disabled, the SSID is a hidden network.

slider-off icon

Security Type

The type of security applied to the SSID. The choices are:

  • Open
  • WEP - requires further specification of the Wi-Fi Key
  • WPA - requires further specification of the Wi-Fi Key
  • WPA2 - requires further specification of EAP Type and, if no EAP is chosen in EAP Type, of the Wi-Fi Key
WPA2
Enable DPSK If enabled, dynamic keys will be generated.

slider-off icon

Wi-Fi Key The pre-shared key needed to join the SSID. 1234567890
EAP Type

Used when Security type is set to WPA2. The choices are:

  • PEAP - requires further specification of RADIUS server certificate path
  • EAP-TLS - requires further specification of PKI Provider
  • No EAP
PEAP
Wi-Fi Key The Wi-Fi Key used to join the SSID when the Security type is WPA2 and EAP type is No EAP.  
RADIUS Server Certificate Path The address within the A3 server where the server certificate is located. The default setting is /usr/local/A3/conf/ssl/server.crt. Used for the WPA2 Security type with PEAP EAP type. /usr/local/A3/conf/ssl/server.crt
PKI Provider The choice of PKI provider when the Security type is WPA2 and EAP type is EAP-TLS.  
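
A pre-deployment check of the field dependencies in the Security Type and EAP Type rows of the Android, Apple Devices and Windows forms, as an added example that is not part of A3. Holding a provisioner as a dict keyed by the form's field names is an assumption, the advisories on Open, WEP and WPA are reviewer judgement rather than rules from this page, and the sample provisioners are constructed.

```python
import string

SECURITY_TYPES = ("Open", "WEP", "WPA", "WPA2")
EAP_TYPES = ("PEAP", "EAP-TLS", "No EAP")


def _valid_wpa_key(key):
    """WPA/WPA2 personal keys are 8-63 characters, or exactly 64 hex digits."""
    if len(key) == 64:
        return all(c in string.hexdigits for c in key)
    return 8 <= len(key) <= 63


def check_wifi_provisioner(p):
    """Return a list of (severity, message) findings for one provisioner dict."""
    findings = []
    sec = p.get("Security Type")
    eap = p.get("EAP Type") or "No EAP"
    key = p.get("Wi-Fi Key") or ""

    if not p.get("SSID"):
        findings.append(("error", "SSID is empty"))
    if sec not in SECURITY_TYPES:
        findings.append(("error", f"unknown Security Type: {sec!r}"))
        return findings
    if eap not in EAP_TYPES:
        findings.append(("error", f"unknown EAP Type: {eap!r}"))

    # Dependencies stated in the Security Type and EAP Type rows of the forms.
    needs_key = sec in ("WEP", "WPA") or (sec == "WPA2" and eap == "No EAP")
    if needs_key and not key:
        findings.append(("error", f"Wi-Fi Key is required for {sec}"))
    if sec == "WPA2" and eap == "PEAP" and not p.get("RADIUS Server Certificate Path"):
        findings.append(("error", "PEAP requires RADIUS Server Certificate Path"))
    if sec == "WPA2" and eap == "EAP-TLS" and not p.get("PKI Provider"):
        findings.append(("error", "EAP-TLS requires PKI Provider"))
    if sec != "WPA2" and eap != "No EAP":
        findings.append(("warning", "EAP Type is only used when Security Type is WPA2"))

    # Advisories: added judgement, not rules taken from the page.
    if sec == "Open":
        findings.append(("warning", "Open provides no link-layer encryption"))
    if sec in ("WEP", "WPA"):
        findings.append(("warning", f"{sec} is deprecated; prefer WPA2"))
    if sec in ("WPA", "WPA2") and needs_key and key and not _valid_wpa_key(key):
        findings.append(("error", "Wi-Fi Key must be 8-63 characters or 64 hex digits"))
    return findings


# Constructed sample provisioners: a weak one, an incomplete one, a complete one.
WEAK = {"SSID": "student-internal", "Security Type": "WEP",
        "Wi-Fi Key": "1234567890"}
INCOMPLETE = {"SSID": "student-internal", "Security Type": "WPA2",
              "EAP Type": "EAP-TLS"}
COMPLETE = {"SSID": "student-internal", "Security Type": "WPA2",
            "EAP Type": "PEAP",
            "RADIUS Server Certificate Path": "/usr/local/A3/conf/ssl/server.crt"}

if __name__ == "__main__":
    for name, prov in (("WEAK", WEAK), ("INCOMPLETE", INCOMPLETE),
                       ("COMPLETE", COMPLETE)):
        print(name, check_wifi_provisioner(prov) or "no findings")
```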

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.