Enabling enterprise campus connectivity requires IT staff to plan what mobile devices need to be supported as well as how to best manage their access and security.
As enterprises widely embrace private mobile networks to gain more deterministic wireless connectivity, coverage, and performance, they are faced with some new device challenges. One of the biggest challenges is provisioning and bootstrapping user equipment (UE) on enterprise private cellular networks.
In cellular-connected devices of LTE and 5G networks, the SIM (Subscriber Identity Module) contains the credentials or subscription needed to access the service of a particular mobile network.
Credentials can be defined within a SIM or embedded SIM (eSIM) that is provisioned in the UE. SIMs and eSIMs require specific formatting as independent profiles, even if they contain the same information. The credential itself can be put into a physical SIM (removable) or embedded SIM (non-removable). Each physical SIM and eSIM module can support one or more subscriptions.
In response to growing interest in the use of eSIMs, the GSMA (GSM Association) has developed a specification for eSIM use. The goal of the specification is to ensure interoperability and independence for organizations using eSIM technology.
The GSMA specification also defines the processes, systems, and interfaces for remotely managing eSIMs in a secure and standardized way, so everyone uses the same techniques for downloading, enabling, disabling, and deleting subscriptions.
With the current GSMA specification, to support dual-SIM dual-standby (DSDS) operation, one of the SIM credentials must be in the physical SIM and the other in an embedded SIM. In other words, the two credentials cannot both come from the physical SIM or both come from the embedded SIM. However, the physical SIM and the eSIM can each host multiple credentials, with at most one credential active at a time.
This new kind of SIM, often referred to as an eUICC (Embedded Universal Integrated Circuit Card), works with any operator subscription in any part of the world, supports multiple subscriptions, and can be programmed to update subscriptions, as required, with an OTA (Over-The-Air) update.
eSIM and eUICC are often used interchangeably, even though there is a difference between the two. The eSIM is the hardware component of the SIM and a physical form that can be soldered into a solution. The eUICC is the software component that allows the remote SIM provisioning of multiple network profiles.
A welcomed change to managing cellular access
Traditionally, UEs (such as the smartphones consumers use every day) use physical SIM cards that are provided by the cellular mobile network operator. The eSIM represents a significant shift in how cellular connectivity is managed because it lets a device access different cellular networks without swapping out the SIM or requiring any other physical access to the device. For the enterprise, this means much-improved efficiency in distributing user credentials for any size of network.
Within a conference or convention center, for example, credentials can be recycled and made available to specific users in a transient manner and subsequently revoked and reused for other users as demands dictate. This helps maximize the device investment.
Embedded SIM technology that enables remote provisioning of a SIM has been commercially available for several years, but only in proprietary solutions. The landscape for standardized eSIM support is quickly changing. Among others, Zebra and Apple now support the use of multiple SIMs as well as eSIMs in select devices. And the universe of eSIM support is growing fast.
Within Apple’s iOS, for example, users can specify preferences for the primary and secondary cellular subscriptions between the physical and embedded SIM profiles provisioned on the mobile device (see diagram below).
Ultimately, the goal is to provide the ability to dynamically transition voice and data services across the physical and embedded SIM credentials based on available network connectivity.
Flexible eSIM provisioning options
The provisioning of the eSIM profile can occur in a variety of different ways. One method is for the UE to scan a QR code containing the specific eSIM credential, which then pulls the eSIM profile to the device.
Another method is the use of existing mobile device management (MDM) systems such as JAMF or AirWatch. These MDM systems can be used to generically send devices to a specific SIM provisioning platform that pushes a selected credential to the device. In this model, the eSIM credential to be assigned to the UE is paired with the EID (embedded identity document) of the device, and when the UE accesses the server, this credential is pushed to the device. The EID is a built-in SIM card identifier within the phone.
The IoT model is typically intended for headless devices. The device reaches a predefined SM-SR (subscription manager secure routing) server where it can be authenticated, and the SIM provisioning platform pushes a credential pre-assigned to the device when it accesses the server. The SM-SR server securely delivers the encrypted operator credentials to the SIM and then, once the credentials are installed, remotely manages the SIM allowing the ability to enable, disable or delete credentials as necessary.
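The EID pairing described in the MDM and IoT models above can be sketched as server-side logic. This is an added example, not code from the article or from any provisioning product: `ProfileStore`, its methods, and the sample EIDs are hypothetical, and the check-digit rule (32 digits, value mod 97 equals 1) comes from the GSMA EID definition rather than from this page. The EID is an identifier, not a secret, so the device authentication the server performs is not modelled here.

```python
def eid_check_digits(first30: str) -> str:
    """Check digits per the GSMA EID rule: 98 - (digits + '00') mod 97."""
    return f"{98 - int(first30 + '00') % 97:02d}"

def eid_is_valid(eid: str) -> bool:
    """32 ASCII digits whose value leaves remainder 1 on division by 97."""
    return (len(eid) == 32 and eid.isascii() and eid.isdigit()
            and int(eid) % 97 == 1)

class ProfileStore:
    """Pairs each eSIM profile with one EID and releases it only to that EID."""

    def __init__(self):
        self.paired = {}         # EID -> profile id
        self.downloaded = set()  # EIDs that already pulled their profile
        self.audit = []          # (eid, decision) records for later review

    def pair(self, eid: str, profile_id: str) -> None:
        if not eid_is_valid(eid):
            raise ValueError("malformed EID")
        if eid in self.paired or profile_id in self.paired.values():
            raise ValueError("EID or profile is already paired")
        self.paired[eid] = profile_id

    def request(self, eid: str):
        """Return the paired profile id, or None with the reason logged."""
        if not eid_is_valid(eid):
            decision = "reject:malformed-eid"
        elif eid not in self.paired:
            decision = "reject:unpaired-eid"
        elif eid in self.downloaded:
            decision = "reject:already-downloaded"
        else:
            decision = "release"
            self.downloaded.add(eid)
        self.audit.append((eid, decision))
        return self.paired[eid] if decision == "release" else None

    def revoke(self, eid: str) -> str:
        """Unpair a device so its profile can be reassigned to another one."""
        self.downloaded.discard(eid)
        return self.paired.pop(eid)

# Constructed sample EIDs (not real devices): 30 digits plus computed check digits.
BADGE_SCANNER = "89049032" + "0" * 21 + "1"
BADGE_SCANNER += eid_check_digits(BADGE_SCANNER)
VISITOR_PHONE = "89049032" + "0" * 21 + "2"
VISITOR_PHONE += eid_check_digits(VISITOR_PHONE)
```

The `audit` list is where repeated `reject:unpaired-eid` or `reject:already-downloaded` entries would surface devices asking for credentials they were never assigned.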
While the eSIM ecosystem remains relatively young, the operational benefits derived from the technology are compelling.
eSIMs can increase flexibility, optimize cost, and add longevity to IoT devices by providing more flexible deployment options, thereby helping to maximize the return on (IoT) investment.
A myriad of enterprise use cases
Given that a UE needs to potentially support multiple enterprise credentials on the device and also support adding them dynamically, hosting the enterprise credentials as eSIM is an ideal solution for a wide range of enterprise environments.
The increased use of eSIM technology is perfect for devices or IoT systems that have very long lifetimes. This gives IT staff the ability to easily optimize coverage and reprovision devices to access more optimal cellular networks without human intervention in the field to physically swap SIM cards in myriad devices.
eSIM technology is also essential within large-scale deployments, especially those with devices in hard-to-reach locations. Being able to change network access credentials using an OTA update can save a considerable amount of time and money.
Also, some enterprises want their mobile devices to roam between the enterprise cellular network (e.g., CBRS LTE network) and a cellular network. For example, smartphones or handheld devices used by a mobile workforce may need to roam in and out of the enterprise's network, for use cases such as an enterprise delivery fleet. In such scenarios, dual SIM devices (with pSIM plus eSIM) can be used with two separate subscriptions, one belonging to the enterprise network and the other provided by a cellular network operator.
Finally, eSIMs are extremely useful for industrial applications, especially those that require devices to operate in harsh environments. Using eUICC technology that's soldered into place and not housed in a plastic card, organizations can not only increase the life expectancy (and boost security) of devices but also gain greater flexibility in performing moves, adds, and changes.
As enterprises embrace private cellular networks, eSIM technology is widely viewed as a welcome new technology for any company looking to reduce the friction and increase the flexibility of onboarding client devices – something IT staff can tell you all about.
Mehmet Yavuz is Co-Founder and CTO of Celona.