End-user expectations in enterprise environments are shaped by users’ experiences as consumers. This is especially true of the user experience around network onboarding, the process by which BYOD and guest users connect to the network for the first time with a new device.
The user experience for connecting to the carrier network and home Wi-Fi establishes a frame of reference for what the connectivity experience should be in an enterprise environment. That puts a lot of pressure on IT teams to meet those expectations, especially with the complexity of modern enterprise network environments.
We discussed this dynamic in a previous blog post, titled “What Is Secure Onboarding, and Why Is It Such a Challenge?” Fortunately, this linkage between consumer experience and enterprise user behavior cuts both ways, and you can also leverage it to your advantage. The key to this is user self-service for network onboarding, with the right mechanism in place so that it’s easy and intuitive for users.
BYOD users will self-serve for secure network onboarding—but don’t use default methods
There was a time not so long ago when our experience as consumers was more high-touch and personal. Airline employees checked you in for a flight when you arrived at the airport, in a fairly labor-intensive process. Now you probably check in online yourself before you even arrive at the airport using an app developed by the airline. Or you might print your boarding pass at home. If you wait until getting to the airport to check in, chances are you get your boarding pass from a self-service kiosk. You can also use these kiosks to get the tag for checking your bag, and airline employees encourage you to attach it to the bag yourself. You can still complete the whole process by interacting with a live person, but most of us have become conditioned to this being mostly a self-service process.
You get cash from a bank ATM, not a live teller. You may use the self-checkout line at the grocery store. There are dozens of other examples where people expect, and even prefer, to self-serve. Often self-service is better service.
Now back to network onboarding for BYOD and guest access. Here, not every organization takes a self-service approach, even though it seems like a natural fit. In some organizations, IT touches every employee-owned device to enter the conventional pre-shared key (PSK) for network access. This is for the sake of IT security because if the user doesn’t know the PSK they can’t share it with someone who does not belong on the network. This approach does not address the fact that if the user leaves the organization, there is no way to revoke access for that device. It’s also very arduous for IT to have to touch every device that users bring into the environment.
With the right tools in place, you can leverage user affinity for self-service, based upon decades of conditioning as consumers. But you must make it easy for them if you want the self-service model to stick. Default methods for getting users connected—the ones built into your network infrastructure—don’t provide a good user experience.
You could just give a PSK to users for network access and call that self-service (although that would be very bad from a security perspective). Besides the security issues, the problem is that when you eventually change that PSK, they can’t connect, and self-service goes out the window. Or they bring in a new device and don’t remember the PSK that you gave them, and a help desk ticket is headed your way. They may also need to connect to multiple SSIDs as they move about your environment, each with its own PSK, introducing more complexity.
Or suppose you use MAC authentication (also bad from an IT security perspective). In this scenario they may be asked to re-enter the Wi-Fi password every time they connect, or if they lose connectivity for even a moment. Every prompt to re-authenticate is another chance to forget or mistype the password. Multiply these challenges by several devices per user and hundreds or thousands of users, and the whole self-service model breaks down.
A better method for self-service network onboarding
There has to be a better way, right? That better way is to deploy a purpose-built system for secure network onboarding to streamline and automate the process of getting users connected without IT intervention. If you make it easy for them, users will gladly self-serve, and you get to focus on strategic projects.
The ideal mechanism for this would provide the flexibility to define self-service workflows that work for your organization. It would also let you customize the look and feel of the onboarding portal so that it reflects your organization’s branding. BYOD users should only have to go through the onboarding process once, and not every time they connect. Digital certificates as the basis for network authentication are also a nice-to-have feature.
We have recently published a couple of short screen-capture videos of what the self-service onboarding process looks like using our own Ruckus Cloudpath Enrollment System (which just happens to have the attributes mentioned in the previous paragraph, along with a host of powerful security features). The first video focuses on internal user onboarding, and the second video focuses on guest user onboarding.
The onboarding process takes around a minute and a half, and even with narration, the length of these videos is under three minutes. You can get a better picture of the end-user onboarding experience for a very small investment of time. For a product overview in less than fifteen minutes, you can also access our new on-demand webinar on Cloudpath Enrollment System.
Conclusion
Enterprise users have developed an affinity for self-service based upon their experience as consumers. You can leverage this for getting BYOD and guest users connected to the network with their personal devices. The trick is to make it easy and intuitive for them, but default methods like MAC authentication and conventional PSKs don’t measure up. A purpose-built system for secure network onboarding like Cloudpath Enrollment System makes it easy for users to self-provision their devices for secure access.