The emergence of enterprise private cellular networks, so-called 5G LANs, represents a major opportunity for organizations to deliver a level of deterministic wireless service that until now hasn’t been feasible. These private mobile networks are typically deployed, operated, and managed by enterprise IT or in-house network staff.
Still, one of the biggest challenges IT staff face when introducing 5G LANs is dealing with the myriad different client devices that must access and authenticate to this new type of enterprise mobile network.
Fortunately for enterprise IT staff, cellular networks come with SIM-based mutual authentication and air-interface encryption built into the 3GPP standards rather than added as optional configuration, which gives them a stronger security baseline than conventional wireless LANs (WLANs). With the right approach, they can also be made easier to connect to, for users as well as for IT staff.
But understanding the intricacies of mobile device management (MDM) and how it operates on private LTE and 5G cellular networks is essential to the successful deployment of enterprise 5G LANs.
When deploying a private cellular infrastructure, enterprise IT must first determine the preferred choice of user devices based on its business model and on how employees are expected to use them. An enterprise may well want different types of devices for the different user groups it must manage. These typically fall into three main types:
- Company-owned, business-only devices: procured, provisioned, secured, and continuously monitored by the company, and maintained and managed by the enterprise
- Corporate-owned, personally enabled devices: owned by the enterprise, pre-configured to meet data security requirements, and restricted to specific types of access
- Pre-approved mobile devices from which users can choose: governed by enterprise policy and configured with security controls and business applications, with responsibility shared between company and user
Weighing the trade-offs
Enterprises need to make appropriate choices by weighing the trade-offs involved: enterprise security needs and the costs they incur on one side, employee satisfaction, flexibility of device control, and productivity on the other. Some compromises may be needed depending on the employees and the type of enterprise involved.
Enabling enterprise campus connectivity to new private cellular networks requires IT to plan which devices to support and how to manage their access and security posture. These choices dictate how much control enterprise IT has over the devices, as well as the cost of supporting the device population.
To ensure seamless continuity with existing IT infrastructure, the installation and administration of these new private mobile networks should ideally mimic the deployment ease of Wi-Fi while retaining the functionality and operations of a cellular 3GPP network. But this is often easier said than done.
The difference with cellular
With cellular networks, device access and authentication work differently than on conventional WLANs. In the cellular world, robust security is built into the network, and media access is scheduled and completely controlled by the infrastructure. Users don’t have to do anything – just like with a personal cell phone. This is extremely attractive to enterprise IT teams.
Within a cellular network, it is the subscription credential held in the device, not the user, that is authenticated to the network. This creates new benefits as well as new challenges for enterprise IT staff who have to manage a wide range of user equipment (UE) types accessing the network.
Usernames and passwords, as well as certificates, have typically been used to access and authenticate to enterprise WLANs. With cellular networks, these methods are effectively replaced by a physical or embedded subscriber identity module (SIM).
In cellular-connected devices, the SIM contains the credentials or subscription needed to access the service of a particular mobile network. Credentials can be defined within a SIM or embedded SIM (eSIM) that are provisioned in the UE.
A credential for a physical SIM and one for an eSIM are formatted as separate profiles, even when they carry the same subscription information. The credential itself can be placed in a physical SIM (removable) or an embedded SIM (non-removable), and either module can hold one or more subscriptions.
A SIM lock, also referred to as a network, carrier, or subsidy lock, is a technical restriction built into many mobile devices. Service providers use it primarily to restrict the use of phones to specific countries or networks: a locked phone accepts only SIM cards whose International Mobile Subscriber Identity (IMSI) falls within the permitted range, typically identified by the mobile country and network codes at the start of the IMSI.
Phones that are not locked are called SIM-free or unlocked and impose no such restriction; an unlocked phone is not tied to one specific carrier. Once a subscriber’s contract with a carrier expires, the user can ask the operator to unlock the phone, and many smart devices can also be purchased unlocked in the first place.
Unlocked devices provide a lot of flexibility because they allow one or more enterprise credentials to be added to the device. Using the enterprise network alongside a public network is supported with dual-SIM profiles, one for the mobile network operator (MNO) and the other for the enterprise network(s).
If a device needs to carry an enterprise credential, it must be in an unlocked state, even when it already holds an MNO credential.
As with any 3GPP cellular network, specific identifiers are needed for mobile devices to find, associate with, and authenticate to the enterprise network. Because enterprise deployments are typically local in nature, they commonly use shared identifiers, such as a shared network identifier, whose address spaces are shared among many different enterprises.
Each physical SIM and embedded SIM module can hold one or more credentials. On most dual-SIM handsets, one of the two active credentials sits in the physical SIM slot and the other on the embedded SIM; the two active credentials generally cannot both come from the same module. Each physical or embedded SIM can host multiple credentials, but with at most one credential active at a time.
From a UE capability perspective, additional credentials can be downloaded to the embedded SIM after the device is in service. A physical SIM cannot be updated with new credentials, although the UE can switch among credentials already provisioned on it.
Given that a UE needs to potentially support multiple enterprise credentials on the device and support adding them dynamically, hosting the enterprise credentials as embedded SIM seems most suitable for devices like handheld mobile devices. If static provisioning is sufficient, physical SIMs with enterprise credentials can be supported, such as security cameras deployed on campus.
Subscriptions and access to the cellular network are regulated by enterprise IT. The mobile devices operating on the private enterprise 5G LAN are typically identified, configured, and issued to users. But this is changing.
Automation is key
The big challenge for most enterprises will be how to efficiently streamline or automate this onboarding or client bootstrapping process. Clearly, having to deploy hundreds or thousands of physical SIM cards can be a daunting task for IT staff. But it doesn’t have to be. In fact, this can be turned into a big positive for IT staff.
One approach to this dilemma is the use of QR (quick response) codes that can be easily distributed for users to scan. The QR code does not carry the credential itself; it encodes an activation code naming the eSIM server to contact and a matching ID that selects the profile staged for that user. Scanning it lets the device’s local profile assistant (LPA) download the eSIM profile, so users can self-install the requisite profile on their device. Because anyone holding the activation code can claim the profile, codes should be delivered over a trusted channel and be valid for a single download.
The second method points the UE at a specific SIM provisioning platform that pushes a pre-defined credential to the device. In this MDM-driven model, the device is configured with the address of the SM-DP+ (Subscription Manager Data Preparation) server it should contact, and the eSIM profile to be assigned to the UE is paired in that server with the EID, the unique identifier of the device’s eUICC.
The SIM provisioning platform then releases the credential pre-assigned to that device when the device connects to the server.
In either case the UE reaches the SM-DP+, the eSIM management server from which it securely downloads the requisite eSIM profile and installs it on the eUICC, the embedded chip that hosts eSIM profiles.
With such techniques, enterprise IT staff can finally automate the bootstrapping of mobile devices. By reducing manual intervention to a minimum, IT staff can smoothly transition to new 5G LANs that support use cases and devices conventional enterprise wireless can’t, while improving both the security and the experience of network users.
Srinivasan Balasubramanian is a distinguished member of technical staff, Office of CTO, at Celona.