The most common questions we get about onboarding new users aren’t related to using the software, but rather to how to direct users to the software. SecureW2 has developed an intuitive process for users to self-configure their devices for the network, which strongly encourages them to onboard. Unfortunately, some users experience roadblocks when navigating to the onboarding software. In the past, people have expressed confusion when there are multiple SSIDs to choose from, and have been hindered by the limitations of captive portals. Onboarding all users to the secure network is vital to maintaining network integrity. Drawing from years of onboarding experience and valuable feedback from customers, we’ve compiled the most effective methods organizations employ to get users to the onboarding client. The most successful onboarding deployments we have seen use a combination of the following methods for greater visibility and an improved user experience.
Enroll Off Campus
A straightforward approach to the problem is to have users complete the onboarding configuration process before stepping on-site. A common method of doing this is emailing the onboarding URL to network users, but any secure method of communicating the URL will suffice. Users can configure their devices at their own leisure and are connected once they are on-site. Many organizations that utilize Eduroam have found success deploying this method. Users who travel to several sites connected by Eduroam need only configure their device once to connect to any participating network. This method is highly efficient and user-friendly, but relies on the diligence of the organization to distribute the onboarding URL to everyone on the network and on the users to acknowledge and complete the self-configuration off-site.
Another approach that many organizations have found success with is advertising a vanity URL for prospective users to register. This URL should be something simple and easy to remember, such as “wifi.university.edu”. Once users navigate to the website, they are taken directly to the onboarding client and can enroll for a certificate promptly. Completing this method does require the use of data or internet access, so it’s primarily aimed at onboarding mobile devices. The process is simple and effective, allowing users to register at their leisure and ensuring that everyone on the network is browsing on the secure SSID.
Most wireless users are accustomed to connecting via an onboarding SSID. Users connect to an open SSID for network onboarding purposes, and after connecting, a captive portal redirects them to the onboarding client. This method behaves differently across operating systems, so it’s important to inform users of the process each OS requires. Network administrators must ensure particular settings are configured for a successful deployment, such as restricting the scope of the SSID. The onboarding SSID is not intended for general browsing, so it should be restricted to just the onboarding landing page, while allowing the Google Play Store, Kindle Store, etc. to accommodate the limits of some operating systems. If an organization intends to implement this strategy, it must effectively distribute information to network users. With a thorough deployment plan, users will be able to seamlessly enroll for certificates.
Time Restricted SSID
A related process to the use of an onboarding SSID is deploying a time-restricted guest SSID. Dedicated network users would connect to the fully functioning guest SSID and have the option to enroll for access to the secure network. But after an allotted time of network use, the user will be forced to either onboard to the secure SSID or register as a guest user, lest they lose their network connection. The only issue that may arise is that the process requires more steps to complete than others. Network users will have to connect to the guest SSID, register to be authenticated, and then be redirected to the onboarding client. Depending on the OS of the device, additional steps may be required as well, such as downloading the JoinNow app on Android devices. No part of the process is complex, but it can be assumed that the more steps involved in the process, the more users will get held up.
The final method we’ll discuss is deploying a hidden secure SSID. This process requires users to connect to a visible onboarding SSID and complete the configuration process. Upon completion, users are redirected to the hidden SSID for full, secure browsing. The primary goal of this network deployment type is to guarantee that all network users are connected to the secure SSID. If the secure network is hidden, they have no way of manually connecting without first completing the onboarding configuration process. The entire network will be protected because every user will be browsing on a secure SSID. This method also makes it easier for new users to identify which network to connect to because the only one that is visible would be the onboarding SSID.
Choosing any combination of these methods to navigate users to the enrollment process will be effective if the organization is dutifully prepared for the event. Each process is designed to require a minimal number of steps so users don’t become frustrated and skip using the safest network available. As long as the organization takes the time to plan and execute an effective information distribution campaign, its users will be securely onboarded and everyone will be able to safely connect.