Back

Intelligent Solutions

Partner Handset Auto-Provisioning

Simon Woodhead

Simon Woodhead

3rd August 2022

Today we are announcing the arrival of our new handset Auto-provisioning feature for our Simwood Partner Platform. Auto-provisioning uses the power of cloud-based technologies to help VoIP businesses automatically provision their VoIP devices. When bringing on new customers you’ll be able to allow them permission to connect devices to our platform without getting involved unless you choose to or you can use our API to set up new devices in the background without bothering them. 

Without this automation technology, every VoIP device would require manual provisioning by a qualified technician, at every customer location. And if the phone’s firmware or feature set were to upgrade or change over time – which they often do – it would potentially require a follow-up technician visit. With our new feature you can automate set-up for new user accounts, simplifying the pairing process whilst maintaining high security without compromise. We champion security and discuss this in more detail below.

How It Works

Usually, after buying a VoIP handset, an organisation has to connect it to their network, locate its IP address, navigate to the phone’s GUI from their web browser and then set all of the individual SIP credentials for the user.  

With Auto-provisioning, handsets can be linked to extensions via the Manager or API – all you need is the MAC address, brand and model of the phone and the extension you’d like to connect it to. Once you have added an entry, simply point the phone’s provisioning url toward our server and set it to update, we will then verify the device using its built-in certificate and check the MAC address being present and then the configuration is securely downloaded.

The new Auto-provisioning feature will be ‘turned off’ by default for existing Partners so that there will be no disruption to your normal practices. It can, of course, be enabled by you at any time via the branding interface. Full details of how to do this are in the Auto-provisioning Guide.

Supported Hardware

Our service currently supports Grandstream and Yealink devices – we can supply Grandstreams as required and will be expanding handset support in future updates. You can supply handsets from the approved model list yourself or purchase them through us. If you have a particular brand and model at volume, please get in touch with our support team to discuss the possibility of creating a template for a particular device. 

If you’ve got a large estate of handsets and want to get a brand or model added to the list then please get in touch with us noting that there may be a charge for this. The requirements are as follows:

  • Device support for mTLS via client certificates
  • Device support for TLS v1.2
  • A method of provisioning via provisioning files
  • A device we can use for testing.

Remember, you can always order handsets through us which can be delivered straight to your customer, next day, with no branding and fully configured. Just let us know what you want and who will use it and we will sort out the rest!

Security

Auto-provisioning makes the manual process of on-boarding and off-boarding users seamless and fully automated. It also fills all the loopholes and gaps in security by minimising the impact of human error and providing a better user experience. With a standard HTTPs service, the device will authenticate the server’s certificate (much like your browser would if you go to a secure website), however, we have worked very closely with manufacturers to ensure that we confirm the veracity of each individual handset using  mutual TLS authentication (mTLS) to ensure that the system is secure and easy to use.

In our next step of verification, we retrieve the MAC address stored in the authenticated certificate and check against our database to ensure that there is a provisioning entry for that handset. Unlike most other providers who store SIP usernames and passwords on their provisioning service in plain text (creating a dangerous vulnerability we have seen exploited an unfortunate number of times), we dynamically retrieve the details securely behind the scenes through our API. The best part of all of this? No username and passwords are required to be input on the device! As long as we support the device, you just need to point it to our provisioning service and hit go.

All this is implemented via two routes – a section of our Manager interface where yourselves or end users can select which handset to associate with which extension (so you don’t need to be involved if Betty and Bernice want to swap handsets if you prefer!) as well as a full-featured API where you can retrieve data associated with MAC addresses, check what devices are supported and also add provisioning entries – potentially allowing you to automate handset ordering on your own website.

mTLS is a modern authentication method used in plenty of environments based on a Zero Trust premise and is proven to be a reliable method of securing devices and data as well as making life much simpler for those actually doing the installation.

In summary:

  • We use mTLS (no username and password) to secure our provisioning and unlike others, we don’t store plain text SIP credentials
  • We support a wide variety of devices and are happy to consider adding others to the service
  • We have a fully featured UI and API available to interact with the service

If you would like any further information or a demonstration, please get in touch via your account manager or team@simwood.com!

Related posts