By providing unified onboarding for a broad spectrum of devices, the Cloudpath Enrollment System product enables capabilities spanning numerous solution categories.

Automated Device Enablement

Cloudpath is the industry’s first comprehensive Automated Device Enablement (ADE) solution, combining broad onboarding capabilities and advanced certificate management to securely enable devices throughout and across enterprises.

The ADE approach to device enablement ensures the infrastructure-controlled security of devices through unique, standards-based device certificates rather than intrusive and support-intensive management agents. Cloudpath provides the industry’s first turnkey solution for enabling a broad spectrum of laptops, tablets, and phones for certificate-based network and data access.

BYOD Onboarding

Cloudpath provides automated, self-service onboarding for employees and others with personal devices (BYOD). Designed on the concept of least privilege, Cloudpath distinguishes personal devices from IT-owned assets and applies the appropriate policies. With support for automated configuration of certificates, Wi-Fi, email, and more, Cloudpath ensures personal devices are onboarded effortlessly and secured appropriately without intrusive management agents.

Certificate Management

The use of certificates has traditionally been hindered by the challenges of distributing certificates and the overhead of managing the lifecycle of certificates. Cloudpath solves both of these issues, providing a zero-touch approach to distributing and managing certificates.

Cloudpath is designed to distribute certificates for all types of end users. Cloudpath features the ability to distribute certificates in a self-service, automated manner from a variety of sources, including the onboard certificate infrastructure, Microsoft Certificate Services, or from third-party certificate authorities.

The onboard certificate infrastructure provides a simple-to-use, robust certificate system with complete flexibility and automation over all aspects of certificate management.

If you have Microsoft Certificate Services deployed, you may choose to have Cloudpath issue certificates from Microsoft CA for select use cases, such as IT-owned assets. Unlike systems that rely solely upon SCEP and Microsoft NDES, Cloudpath properly registers each certificate to the appropriate user in Active Directory, rather than SCEP_ADMIN, to ensure user management within Active Directory functions as expected.

Regardless of how you choose to mix-and-match certificate sources, Cloudpath makes certificate management intuitive, including:

  • Ensuring each device is issued the appropriate certificate.
  • Providing visibility into user, device, and policy information associated with each certificate.
  • Automatically managing the lifecycle and permissions based upon policies.
  • Providing automated notifications to users, administrators, and external systems regarding the issuance, revocation, and expiration of certificates.

Certificates for Chromebooks

Chromebooks are beloved for being simple and secure. With Cloudpath ES, you can now deploy the gold standard in security, certificates, to Chromebooks in an automated manner.

Whether issuing from an existing Microsoft CA or through the built-in PKI, Cloudpath ES ensures every device receives the appropriate certificate without IT overhead. Once installed, the certificate is available for a wide array of uses, including certificate-based WiFi, web authentication, and more.

For managed Chromebooks, Cloudpath ES deploys both user and device certificates. Either way, the certificates are TPM-backed, meaning they are burned into hardware for maximum protection.

For unmanaged Chromebooks, Cloudpath ES provides self-service, automated installation of the certificate along with related services, such as WPA2-Enterprise WiFi using EAP-TLS.


Cloudpath combines the industry’s most flexible system for establishing identity along with the world’s most secure form of authentication. During enrollment, Cloudpath determines the user’s identity through a variety of mechanisms, including credentials, sponsorship vouchers, one-time passwords, and more. Cloudpath then translates the identity into a secure certificate, unique to the device, which will be used for all future accesses. This eliminates the need to store and transmit enterprise credentials on personal devices, greatly reducing the opportunities for compromised enterprise credentials.

Guest Access

Cloudpath provides a complete guest access system to identify and onboard guests, contractors, partners, and other external users. Cloudpath provides a full range of options for establishing identity and privileges, including sponsorship, email, SMS, social media, custom OAuth, voucher codes, as well as click-to-join. With control over access privileges and length of access, Cloudpath ensures external users are identified and onboarded without the need for IT involvement.

Enterprise Roaming

XpressConnect provides industry-first support for certificate-based enterprise roaming, enabling contractors and partners to move between enterprises in a seamless, secure manner. With policies defined by IT and extended by business users, Cloudpath ensures secure access is extended to partners without the associated IT overhead and ongoing support costs.

Gaming Devices

Gaming devices, with a lack of WPA2-Enterprise support, provide unique challenges, particularly for universities. While Cloudpath continues to encourage and assist manufacturers with adding WPA2-Enterprise support, Cloudpath provides mechanisms today to help secure these devices through a combination of automated authorization and device registration.


Cloudpath delivers the key features of Mobile Device Management (MDM) without the need for intrusive and expensive MDM on-device agents. It does this by enabling certificate-based security which can be controlled from the infrastructure rather than via a management agent. Cloudpath provides the security and control the enterprise needs with a light-handed approach that reaches a broader spectrum of users.

First, Cloudpath automatically issues and installs a unique certificate, tied to policies based on user, device, and intended use, on every device. The ability to use the certificate, along with the rights associated with the certificate, is tracked and controlled within Cloudpath. Next, Cloudpath provides automated configuration for specific uses of the unique certificate. Most commonly, this is configuration of the device for secure WPA2-Enterprise Wi-Fi access with the appropriate role, VLAN, or ACL assignment. Additionally, integration of the certificate with existing services, such as Active Sync, provides additional capabilities such as remote email wipe. Plus, with the ability to define multiple policies, Cloudpath provides a consistent onboarding approach for all types of users, including BYOD, partners, and guests.

The Cloudpath approach to MDM, which is based on enabling capabilities, is non-intrusive, does not prevent use of the device in multiple environments, and fits ideally with BYOD, partner, contractor, and guest use cases.

NAC – Posture

The posture component of network access control (NAC) ensures that devices comply with best practices, such as the use of firewalls and antivirus. Cloudpath embeds best practice compliance checks and automated resolution for a variety of operating systems into the onboarding process, ensuring every device complies with best practices before joining the secure network. Through both built-in functionality and integration with third-party NAC agents, Cloudpath has an option for every environment and every use case.


Cloudpath ES contains an integrated, certificate-optimized RADIUS server, as well as support for external RADIUS servers, to simplify the definition and enforcement of RADIUS policies. During device enrollment, Cloudpath associates user, device, and policy information into a unified and optimized store, allowing policies such as VLAN, role, and ACL, to be applied easily and efficiently, reducing EAP timeout issues commonly plaguing RADIUS deployments. In addition, the certificate-based authentication enabled by Cloudpath provides unmatched options for secure site survivability in distributed environments.

Wi-Fi Onboarding for EAP-TLS

Cloudpath provides unmatched user and management simplicity for secure WPA2-Enterprise Wi-Fi using EAP-TLS. The days of using unencrypted Wi-Fi are over; Cloudpath makes extending secure Wi-Fi to all users simple. Whether a visitor with Internet-only access, or a contractor or BYOD user with limited internal access, Cloudpath ensures each device is onboarded in a self-service, automated manner with the appropriate policy and without the need for IT involvement.

Profiling, Visibility, & Reporting

Effectively running an enterprise network requires visibility into devices and control over their access. By tracking user, device, and policy information, Cloudpath provides rich visibility into the devices granted access to the network. Visibility is only the beginning; Cloudpath also provides control over each device’s access. Whether you need to drop a single device, block all devices for a user, or eliminate an entire policy class, Cloudpath makes it simple and keeps it all out-of-band.

To keep the enterprise informed on the utilization of the network, Cloudpath provides on-demand, scheduled, and API-based reports with information about users, devices, policies, certificates, and more.