A3 Online Help

Menu path: Configuration > Advanced Access Configuration Overview > Provisioners.

Provisioners automate client configuration of client devices following authentication. Provisioners are referenced in Connection Profiles. Provisioners can be created for each type of device or device application and for each of the Roles that can apply.

The general format and usage of this page is discussed in General GUI Usage.

The Android and Windows provisioners are automatically download profiles to clients. Apple devices have the necessary functions built-in. Agents for Android devices are downloaded from the Android Play Store. The Windows agent is included with A3 and automatically installed during provisioner execution.

The Provisioners page lists available provisioners. Selecting on any of the provisioners makes it available for editing. A provisioner can be deleted with the DELETE button, and cloned for new provisioner definition with the CLONE button.

New provisioners are added with the New Provisioner button. The available types of provisioners are:

Accept -accepts connections based on client operating system.
Android -provisions devices that use the Android OS.
Apple Devices -provisions Apple devices using mobileconfig.
Deny -denies connections based on client operating system.
Dynamic PSK - content to be provided.
IBM -content to be provided.
Jamf -invokes the JAMF Pro MDM API for Apple computers and mobile devices.
Microsoft Intune - invokes Intune for Android, Microsoft, and Apple clients.
MobileIron - invokes theMobileIron API for Android, Apple, and Windows devices .
OPSWAT -invokes the OPSWAT Metadefender Endpoint API.
SentinelOne -invokes the SentinelOne API for Windows and Mac OSX clients.
Servicenow
Symantec Endpoint Protection Manager (SEPM) -invokes the SEPM API for Windows 32- and 64-bit clients.
Symantec App Center -content to be provided.
Windows -provisions devices that use Windows operating systems.

Accept

The Accept provisioner enables client connections based on their operating system. The fields in the form used for creation and editing are:


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Android OK
Description	A further description of the provisioner.	Accept all Android Devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Role	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	Android

Android

Android provisioning is used for any Android-based device. The following domains should be included in the active passthrough domains in Fencing *.ggpht.com, *.googleusercontent.com, android.clients.google.com, *.googleapis.com, *.android.clients.


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Android
Description	A further description of the provisioner.	Students using Android devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
SSID	The SSID configuration that will be created on the client device.	student-internal
Broadcast Network	If enabled, the SSID is a visible, broadcast network. If disabled, the SSID is a hidden network.
Security Type	The type of security applied to the SSID. The choices are: Open WEP - requires further specification of the Wi-Fi Key WPA - requires further specification of the Wi-Fi Key WPA2 - if no EAP is chosen in EAP Type, requires further specification of EAP Type, and Wi-Fi Key	WPA2
Enable DPSK	If enabled, dynamic keys will be generated.
Wi-Fi Key	The pre-shared key needed to join the SSID.	1234567890
EAP Type	Used when Security type is set to WPA2. The choices are: PEAP - requires further specification of RADIUS server certificate path EAP-TLS - requires further specification of PKI Provider No EAP	PEAP
Wi-Fi Key	The Wi-Fi Key used to join the SSID when the Security type is WPA2 and EAP type is No EAP.
RADIUS Server Certificate Path	The address within the A3 server where the server certificate is located. The default setting is /usr/local/A3/conf/ssl/server.crt. Used for the WPA2 Security type with PEAP EAP type.	/usr/local/A3/conf/ssl/server.crt
PKI Provider	The choice of PKI provider when the Security type is WPA2 and EAP type is EAP-TLS.

Deny

The Deny provisioner deny client connections based on their operating system. The fields in the form used for creation and editing are:


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	iOS Deny
Description	A further description of the provisioner.	Deny all iOS devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	iOS

Dynamic PSK

The Cisco DPSK (dynamic pre-shared keys) provisioner causes keys to be dynamically generated.


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Need DPSK
Description	A further description of the provisioner.	Devices with DPSKs
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
SSID	The SSID configuration that will be created on the client device.	student-internal
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.
PSK length	The length of the PSK keys to be generated. The minimum length is eight characters.	8

IBM

??? This looks like its MaaS360, but I can't find any details ???>


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Android
Description	A further description of the provisioner.	Students using Android devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
Username
Client Secret
Host
Port
Protocol
API URL
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.
Agent Download URL

Jamf

The A3 interface to Jamf requires the use of a cloud account.


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-iOS
Description	A further description of the provisioner.	Students using Apple devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	iOS
Host	The JAMF cloud host to contact. The cloud address is of the form: <youraccount>.jamfcloud.com.	example.jamfcloud.com
Port	The port number to contact the host on. 443 is used for the cloud.	443
Protocol	The protocol to use when contacting the host, either http or https.	https
API Username	The user name when logging into the JAMF service.	admin
API Password	The password associated with the JAMF user name.	secret
Automatic Client Detection	If enabled, automatically detects the device's details.
Query JAMF Computers Inventory	If enabled, JAMF will query it's database of known computers.
Query JAMF mobile Devices Inventory	If enabled, JAMF will query it's database of known mobile devices.

Apple Devices

Apple provisioning is used for any Apple device. Two tabs are used for Apple devices:

Settings - attributes common to other forms of provisioning.
Signing - certificates required by Apple devices for warning-free connection profiles.

Settings


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Apple
Description	A further description of the provisioner.	Students using Apple devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
SSID	The SSID that the client will be assigned to.	student-internal
Broadcast Network	If enabled, the SSID is a visible, broadcast network. If disabled, the SSID is a hidden network.
Security Type	The type of security applied to the SSID. The choices are: Open WEP - requires further specification of the Wi-Fi Key WPA - requires further specification of the Wi-Fi Key WPA2 - if no EAP is chosen in EAP Type, requires further specification of EAP Type, and Wi-Fi Key	WPA2
Enable DPSK	If enabled, dynamic keys will be generated.
Wi-Fi Key	The pre-shared key needed to join the SSID.	1234567890
EAP Type	Used when Security type is set to WPA2. The choices are: PEAP - requires further specification of RADIUS server certificate path EAP-TLS - requires further specification of PKI Provider No EAP	PEAP
Wi-Fi Key	The Wi-Fi Key used to join the SSID when the Security type is WPA2 and EAP type is No EAP.
RADIUS Server Certificate Path	The address within the A3 server where the server certificate is located. The default setting is /usr/local/A3/conf/ssl/server.crt. Used for the WPA2 Security type with PEAP EAP type.	/usr/local/A3/conf/ssl/server.crt
PKI Provider	The choice of PKI provider when the Security type is WPA2 and EAP type is EAP-TLS.

Signing

Apple devices required signed profiles in order to avoid warnings about missing certificates. The fields in this tab are:


Field	Usage	Example
Sign Profile	If enabled, profiles will be signed with the certificates in this form.
The Certificate Used to Sign Profiles, in PEM Format	A PEM formatted Apple developer certificate for use when signing profiles send to clients.
The Private Key Used to Sign Profiles, in PEM Format	The PEM formatted key associated with the certificate.
The Certificate Chain Associated with the Signer Certificate, in PEM Format	The PEM formatted certificate chain associated with the signer's certificate.

Microsoft Intune

Use the following steps to prepare for Intune for use with A3:

Log into the Azure portal and ensure that you have Intune licenses.
From the Azure portal , you'll need to create an application to enable access to the Graph API:
1. Select Azure Active Directory.
2. Select App registrations.
3. Select New registration.
On the Register an application form, enter:
1. A3, or some other name, in the Name field.
2. Select Accounts in this organizational directory only (company name).
3. Select Done.
On the following form entitled with the Name from above:
1. Copy the following that will be used to configure A3: Application (client) ID, Directory (tenant) ID, and Object ID.
2. Select Certificates & secrets.
3. Select New client secret.
4. This will present a password for use for the application. Copy it now; there will not be an opportunity later.
5. Add permissions to the API:
  1. Select API permissions.
  2. Select Microsoft Graph.
  3. In the right pane select Application permissions and add two lines: Device.ReadWrite.All and DeviceManagementManagedDevices.Read.All.
6. Select Grant admin consent.

The fields in the creation/editing form are:


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Intune-clients
Description	A further description of the provisioner.	Registered Intune clients
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	ios
Application ID	The Application (client) ID copied in step 4a above.
Application Secret	The client secret copied in step 4d above.
Tenant ID	The Directory (tenant) ID copied in step 4a above.
Host	The name of the boarding host obtained from the API.	graph.microsoft.net
Port	The port for API access.	443
Protocol	The protocol for API access.	https
Login	The login port for the API.	login.microsoftonline.com
Android Agent Download URL	The URI to use for Android client provisioning.	https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal&hl=en_US
iOS Agent Download URL	The URI to use for ios client provisioning.	https://apps.apple.com/us/app/intune-company-portal/id719171358
macOS Agent Download URL	The URI to use for macOS client provisioning.	https://portal.manage.microsoft.com
Authorized Domains	A comma-separated list of domains that are required to reach the download URLs.	play.google.com,portal.manage.microsoft.com,apps.apple.com,docs.microsoft.com

MobileIron

MobileIron supports provisioning of Android, Apple, and Windows devices. Use the following steps to prepare for MobileIron for use with A3:

Log in to your MobileIron account and select SETTINGS.
1. Create an MDM certificate for use with Apple devices by selecting Install MDM Certificate.
Create a user with rights to access MobileIron's API:
1. Select USERS & DEVICES, then Users, and then select Add local user.
2. Enter information for a user (e.g. a3user), noting the user name and password.
3. Select SAVE.
4. Select the ADMIN tab, check the box for the just-entered user, then select Actions and choose Assign to Space.
5. Select Global space at the top and check API at the bottom.
Obtain the name of the boarding host by adding a fake device to MobileIron. At the end of the process the registration instructions will be displayed. The boarding host is labeled as the Server Address on that page.

The fields in the creation/editing form are:


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Apple
Description	A further description of the provisioner.	Students using Apple devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	ios
User Name	The name of a user with a MobileIron account with rights to access its API. This is obtained in step 2b above.	A3 api-user
Client Secret	The password associated with the user. It is obtained in step 2b above.	secret
Host	The name of the boarding host obtained from the MobileIron web UI in step 3 above. If you have an account name, the name is appended at the end of the host name. For example, m.mobileiron.net/companyX.	m.mobileiron.net
Android Download URL	The URI to use for Android client provisioning: https://m.mobileiron.net/<accountName>/c/d/android.html, where <accountName> is the name of the MobileIron account.	https://m.mobileiron.net/example-co/c/d/android.html
iOS Download URL	The URI to use for ios client provisioning: https://m.mobileiron.net/<accountName>/c/d/ios.html, where <accountName> is the name of the MobileIron account.	https://m.mobileiron.net/example-co/c/d/ios.html
Windows Phone Download URL	The URI to use for Windows client provisioning: https://m.mobileiron.net/<accountName>/EnrollmentServer/Discovery.svc, where <accountName> is the name of the MobileIron account.	https://m.mobileiron.net/example-co/EnrollmentServer/Discovery.svc
Boarding Host	The boarding host obtained in step 3 above.
Boarding Port	The port associated with the boarding host.

OPSWAT

OPSWAT Metadefender Endpoint provides information about device compliance before and during network access. The following discussion assumes that OPSWAT server components have been installed on the A3 host and are referred to via an IP address of 127.0.0.1 or name of localhost. The following steps are used to configure an OPSWAT account:

Create an OPSWAT Metadefender Endpoint account at https://www.opswat.com/products/metadefender/endpoint/management/.
Create a developer account at https://gears.opswat.com/developers.
1. Register a new application with a callback URL of http://127.0.0.1/opswat.
2. Note the client key and client secret.
3. Obtain an install URL by selecting +Devices, then Enable Metadefender Endpointclient on another device, then Download or send link for guest Metadefender Endpoint clients.
4. Note the URL at the bottom of the screen.
Generate an OAuth2 access and refresh token:
1. Access the web page at https://gears.opswat.com/o/oauth/authorize?client_id=<clientid>&response_type=code&redirect_uri=http://127.0.0.1/opswat, where <clientid> is your client key obtained in step 2b.
2. When the application is authorized, the browser will be redirected to a non-existent web page: http://127.0.0.1/opswat?code=<code>.
3. Generate the access and refresh tokens using: https://gears.opswat.com/o/oauth/token?client_id=<clientid>&client_secret=<clientsecret>&grant_type=authorization_code&redirect_uri=http://127.0.0.1/opswat&code=<code>. <clientid> and <clientsecret> were obtained in step 2b, while <code> is from step 3b.
4. The access token and refresh token will be embedded in a message of the form:
```
{"access_token":"ab3aec71-fa6a-4752-8804-00c37f934059","token_type":"bearer","refresh_token":
                        "f9e7c698-4d88-42cb-b9ae-c067557e8385","expires_in":43199,"scope":
                        "read","client_id":"1234567890"}
```


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Android
Description	A further description of the provisioner.	Students using Android devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	ios
Client ID	The key obtained above when registering an application in step 2b above.
Client Secret	The secret obtained above when registering an application in step 2b above.
Host	The OPSWAT host to use, typically gears.opswat.com.	gears.opswat.com
Port	The port number to contact the OPSWAT host on, typically 443.	443
Protocol	The protocol to use for contacting the host, either https or http.	https
Access Token	The access token obtained above in step 3d.
Refresh Token	The refresh token obtained above in step 3d.
Agent Download URL	The URL obtained in step 2d above.

SentinelOne

SentinelOne performs provisioning for Windows and Mac OSX clients. Version 2.0 of the Sentinel API is now supported. In order to prepare for integration with A3, follow these steps:

Download the SentinelOne agents to A3's web server area at /usr/local/A3/html/common.
1. Log in to the SentinelOne management console.
2. Download the Windows and Mac OSX agents to your computer in the Settings>Updates page.
3. Move the files to A3 using SCP into a web accessible space below /usr/local/A3/html/common. In this description, the following locations will be used:
  1. /usr/local/A3/html/common/SentinelOne.exe for the Windows agent.
  2. /usr/local/A3/html/common/SentinelOne.pkg for the Mac OSX agent.
Create an API user to access the SentinelOne API.
1. Go to Settings>Users
2. Enter the particulars for a user (e.g. a3user). Note the user name and password.


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Windows
Description	A further description of the provisioner.	Students using Windows devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	windows
Host	The name of the SentinelOne instance, usually of the form <company>.sentinelone.net.	companyX.sentinelone.net
Port	The port number to access the host on. Usually 443.	443
Protocol	The protocol to access the host with, one of https or http. Usually https.	https
API User Name	The user name obtained in step 2b above.	a3user
API Password	The password associated with the API username, obtained in step 2b above.	secret
Windows Agent Download URL	The URI of the SentinelOne.exe agent within the server. E.g. /common/SentinelOne.exe in this description.	/common/SentinelOne.exe
Mac OSX Agent Download URL	The URI of the SentinelOne.pkg agent within the server. E.g. /common/SentinelOne.pkg in this description.	/common/SentinelOne.pkg

Servicenow


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Windows
Description	A further description of the provisioner.	Students using Windows devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	windows
Username	The Servicenow user name	admin
Client Secret	The secret used to secure Servicenow access.	****
Host	The Servicenow host.
Protocol	One of http: or https: used to access the Servicenow host.	https
MAC table name	The Servicenow MAC table used to verify client computers.	NYCOffice
Agent table name	The Servicenow agent table name used to verify clients.	NYCAgents

Symantec Endpoint Protection Manager (SEPM)

SEPM is used for provisioning Windows 32- and 64-bit clients. Use the following steps to prepare SEPM for use with A3:

Create SEPM policies and groups using the Symantec interfaces. This discussion will use the default policies and default groups.
Create the install package using the SEPM UI.
1. Select Clients from the left, then select the group that clients should belong to, and then select Add a client.
2. On the wizard page select New Package Deployment and select Next.
3. On the next page, select a Windows Install Package, then select the desired contents, and then select Next.
4. On the next page, select Save Package and select Next.
5. On the next page, select where you would like to place the package. C:\temp will be used in this discussion. Select Next.
6. In the final wizard page, confirm the settings and select Next.
Move the sep.exe and sep64.exe files to A3 using SCEP into a web accessible space below /usr/local/a3/html/common. In this description, the following locations will be used:
1. /usr/local/A3/html/common/sep.exe for the 32-bit Windows agent.
2. /usr/local/A3/html/common/sep64.exe for the 64-bit Windows agent.
Obtain OAuth2 access and refresh tokens to access the SEPM API:
1. Use a browser to access https://localhost:8446/sepm .
2. Accept any certificate error and log in with your SEPM credentials.
3. Select Add an application.
4. Take note of the Client ID and Client Secret for the displayed application.
Generate the authorization code:
1. Access the following page in your browser, substituting the Client ID from step 4d for <clientid>: https://localhost:8446/sepm/oauth/authorize?response_type=code&client_id=<clientid>&redirect_uri=http://localhost/.
2. The browser will be redirected to a non-existent web page: http://127.0.0.1/?code=<code>.
3. Generate the access and refresh tokens with https://localhost:8446/sepm/oauth/token?grant_type=authorization_code&client_id=<clientid>&client_secret=<clientsecret>&redirect_uri=http://localhost/&code=<code>. <clientid> and <clientsecret> were obtained in step 4d, and <code> was obtained in step 5b.
4. The access token and refresh token will be embedded in a message of the form:

{"access_token":"4e3ab3ab-7b1e-4d24-9f5e-c347599a8a72","token_type":"bearer","refresh_token":
                    "e03fd915-e9dd-45a6-a05a-e5a1c53c1ccd","expires_in":43199}

The fields in the SEPM provisioner form are:


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Windows
Description	A further description of the provisioner.	Students using Windows devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	windows
Client ID	The client ID obtained in step 4d above.	a3user
Client Secret	The client secret obtained in step 4d above.	secret
Host	The IP address of SEPM host.	localhost
Port	The port to use to contact the SEPM API, usually 8446.	8446
Protocol	The protocol to use to contact the SEPM API, one of https or http.	https
Access Token	The access token obtained in step 5d above.
Refresh Token	The refresh token obtained in step 5d above.
Agent Download URL	The HTTP path where the 32-bit package was placed on the A3 server.	http://localhost/common/sep.exe
Alt Agent Download URL	The HTTP path where the 64-bit package was placed on the A3 server.	http://localhost/common/sep64.exe

Symantec App Center


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Android
Description	A further description of the provisioner.	Students using Android devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
OS	A lists of operating system indicating which operating systems the provisioner will be applied to.	ios
User Name
Client Secret
Host
Port
Protocol
Api URL
Agent Download URL

Windows

The fields in the Windows provisioner form are:


Field	Usage	Example
Provisioning ID	A unique name for the provisioner.	Student-Windows
Description	A further description of the provisioner.	Students using Windows devices
Enforce	Indicates whether to apply the provisioner during authentication and on the captive portal.
Auto register	Indicates whether or not devices should be automatically registered on the network if they are authorized by the provisioner.
Auto role	Indicates whether the Role to Apply is configured on the device if it is authorized by the provisioner.
Role to apply	If Apply Role is set, then this is the role to apply.
Roles	The list of roles for which the provisioner will be applied. Multiple roles can be selected from the list of all Roles defined.	guests students
SSID	The SSID configuration that will be created on the client device.	student-internal
Broadcast Network	If enabled, the SSID is a visible, broadcast network. If disabled, the SSID is a hidden network.
Security Type	The type of security applied to the SSID. The choices are: Open WEP - requires further specification of the Wi-Fi Key WPA - requires further specification of the Wi-Fi Key WPA2 - if no EAP is chosen in EAP Type, requires further specification of EAP Type, and Wi-Fi Key	WPA2
Enable DPSK	If enabled, dynamic keys will be generated.
Wi-Fi Key	The pre-shared key needed to join the SSID.	1234567890
EAP Type	Used when Security type is set to WPA2. The choices are: PEAP - requires further specification of RADIUS server certificate path EAP-TLS - requires further specification of PKI Provider No EAP	PEAP
Wi-Fi Key	The Wi-Fi Key used to join the SSID when the Security type is WPA2 and EAP type is No EAP.
RADIUS Server Certificate Path	The address within the A3 server where the server certificate is located. The default setting is /usr/local/A3/conf/ssl/server.crt. Used for the WPA2 Security type with PEAP EAP type.	/usr/local/A3/conf/ssl/server.crt
PKI Provider	The choice of PKI provider when the Security type is WPA2 and EAP type is EAP-TLS.