Zum Hauptinhalt springen
Deutsch

Migration von On-Premises RADIUS (NPS) zu RADIUS as a Service

Dieser maßgebliche Leitfaden beschreibt die technische Architektur, die Implementierungsmethodik und die geschäftlichen Auswirkungen der Migration vom On-Premises Microsoft Network Policy Server (NPS) zu einem Cloud-nativen RADIUS as a Service-Modell. Er bietet IT-Führungskräften und Netzwerkarchitekten praktische Frameworks, um den Betriebsaufwand zu reduzieren, Single Points of Failure zu eliminieren und die Unternehmensauthentifizierung über verteilte Standorte hinweg zu sichern.

📖 5 Min. Lesezeit📝 1,066 Wörter🔧 2 ausgearbeitete Beispiele3 Übungsfragen📚 8 Schlüsseldefinitionen

Diesen Leitfaden anhören

Podcast-Transkript ansehen
PODCAST SCRIPT: Migrating from On-Premises RADIUS (NPS) to RADIUS as a Service Duration: ~10 minutes | Voice: UK English, Male, Senior Consultant tone --- SEGMENT 1: INTRODUCTION AND CONTEXT Welcome to the Purple WiFi technical briefing series. Today we're tackling a migration that's sitting on the roadmap of a significant number of enterprise IT teams right now: moving away from on-premises RADIUS — specifically Microsoft's Network Policy Server — to a cloud-hosted RADIUS as a Service model. If you're managing WiFi authentication across a hotel group, a retail estate, a stadium, or a public-sector campus, this is directly relevant to you. The on-premises NPS model has served us well for the better part of two decades, but the operational overhead, the single-point-of-failure risk, and the scaling limitations are becoming increasingly hard to justify — particularly when cloud-native alternatives now offer enterprise-grade reliability at a fraction of the total cost of ownership. Over the next ten minutes, we'll cover the technical architecture of both approaches, walk through a structured migration methodology, look at two real-world implementation scenarios, and finish with the key decision frameworks you need to make this call confidently. Let's get into it. --- SEGMENT 2: TECHNICAL DEEP-DIVE First, let's make sure we're aligned on what RADIUS actually does in your network stack. RADIUS — Remote Authentication Dial-In User Service — is the protocol defined in RFC 2865 that handles authentication, authorisation, and accounting for network access. In a WiFi context, it's the backbone of IEEE 802.1X port-based access control. When a device connects to a WPA2-Enterprise or WPA3-Enterprise SSID, the access point acts as a RADIUS client — what we call a Network Access Server — and forwards the authentication request to the RADIUS server. The server validates the credentials, typically against Active Directory or an LDAP directory, and returns an Access-Accept or Access-Reject response. That's the fundamental flow. Now, in the on-premises NPS model — Network Policy Server is Microsoft's RADIUS implementation bundled with Windows Server — you're running that authentication logic on hardware you own, in a data centre or server room you maintain. The NPS server holds your network policies, your certificate infrastructure for EAP-TLS or PEAP-MSCHAPv2, and your connection request policies. It works. It's mature. But it comes with a set of operational realities that compound over time. The first is hardware dependency. Your NPS server is a physical or virtual machine that requires patching, capacity planning, and eventual hardware refresh. In a multi-site deployment — say, a hotel group with properties across the UK — you're either running a centralised NPS with WAN dependency, or you're deploying NPS instances at each site and managing them individually. Neither is elegant. The second is availability. A single NPS instance is a single point of failure for your entire authentication infrastructure. Yes, you can deploy NPS in a failover pair, but that doubles your hardware and licensing overhead, and it still doesn't give you the geographic redundancy that a cloud service provides natively. The third is scalability. NPS was designed for corporate LAN environments. When you're handling thousands of concurrent authentication requests during a stadium event or a conference centre peak, the throughput limitations of a single NPS instance become very apparent. Authentication latency spikes, and users experience connection failures at exactly the moment you can least afford it. RADIUS as a Service addresses all three of these constraints architecturally. The cloud RADIUS provider runs a distributed, geo-redundant cluster of RADIUS servers. Your access points point to cloud-hosted RADIUS endpoints rather than an on-premises server. Authentication requests are load-balanced across the cluster, and failover is automatic and transparent. The provider handles patching, capacity scaling, and certificate management. From your perspective as the network operator, RADIUS becomes a consumed service rather than a managed component. The authentication protocols themselves don't change. You're still running IEEE 802.1X with EAP-TLS, PEAP-MSCHAPv2, or EAP-TTLS depending on your client device mix. The difference is where the RADIUS server lives and who is responsible for its operational continuity. There's an important security consideration here that I want to address directly, because it comes up in almost every client conversation. Moving RADIUS to the cloud means your authentication traffic is traversing the public internet to reach the cloud RADIUS endpoint. This is mitigated through two mechanisms. First, RADIUS traffic between the Network Access Server and the RADIUS server is protected using a shared secret and MD5-based message authentication. Second, and more importantly for modern deployments, you should be running RadSec — RADIUS over TLS, defined in RFC 6614 — which wraps the entire RADIUS conversation in a TLS tunnel. This gives you transport-layer encryption equivalent to HTTPS, eliminating the MD5 vulnerability and providing mutual authentication between the NAS and the RADIUS server. Any cloud RADIUS provider worth considering should support RadSec as standard. On the identity integration side, cloud RADIUS services typically support LDAP and LDAPS connections back to your on-premises Active Directory, or native integration with Azure Active Directory and Entra ID via SAML or SCIM. This means you don't need to migrate your user directory — the cloud RADIUS service queries your existing identity store, maintaining your existing user lifecycle management processes. For compliance-conscious organisations — and that includes anyone handling payment card data under PCI DSS, or personal data under GDPR — cloud RADIUS providers that are SOC 2 Type II certified and ISO 27001 accredited provide a stronger compliance posture than most organisations can achieve with self-managed NPS infrastructure. --- SEGMENT 3: IMPLEMENTATION RECOMMENDATIONS AND PITFALLS Right, let's talk about how you actually execute this migration without taking your authentication infrastructure offline. The methodology I recommend is a five-phase approach. Phase one is audit and inventory. Document every RADIUS client — every access point, every switch, every VPN concentrator — along with its current shared secret, the EAP method it's using, and any vendor-specific attributes in your NPS policies. This is the unglamorous work, but skipping it is the number one cause of migration failures. Phase two is pilot deployment. Stand up your cloud RADIUS instance and point a non-production SSID or a single test site at it. Validate that your EAP method works end-to-end, that your identity integration is functioning, and that your accounting data is flowing correctly. Phase three is parallel running. This is the critical risk mitigation step. Configure your access points with both the on-premises NPS server and the cloud RADIUS server as authentication targets, with the cloud service as primary and NPS as fallback. Run in this configuration for a minimum of two weeks across a full business cycle. Monitor authentication success rates, latency, and any policy discrepancies. Phase four is cutover. Remove the NPS fallback configuration and commit to cloud RADIUS as your sole authentication infrastructure. Do this during a planned maintenance window, and have a rollback procedure documented and tested. Phase five is decommission. Once you've validated stable operation for thirty days post-cutover, decommission the NPS servers and reclaim the hardware or virtual machine resources. The pitfalls I see most frequently are: certificate trust chain issues — specifically, client devices that don't trust the cloud RADIUS server's certificate because the CA isn't in their trusted store. Resolve this through your MDM or Group Policy before cutover. The second common pitfall is firewall rules. Cloud RADIUS requires outbound UDP 1812 and 1813 from your access points to the cloud endpoints, or TCP 2083 for RadSec. Ensure your network perimeter allows this traffic. Third: shared secret complexity. If your existing NPS shared secrets are weak, use the migration as an opportunity to rotate to cryptographically strong secrets, or better yet, move to RadSec and eliminate shared secrets entirely. --- SEGMENT 4: RAPID-FIRE Q&A Let me run through the questions I get most often on this topic. Can we keep Active Directory on-premises? Yes, absolutely. Cloud RADIUS connects to your on-premises AD via LDAPS. Your directory stays where it is. What happens if our internet connection goes down? This is the key dependency shift. With cloud RADIUS, internet connectivity becomes a dependency for authentication. Mitigate this with redundant WAN links or a local RADIUS proxy that caches authentication for known devices during outages. Does this affect our PCI DSS compliance? Moving to a certified cloud RADIUS provider typically improves your compliance posture. Ensure your provider can supply SOC 2 Type II reports and is included in your annual QSA assessment scope. How long does a full migration take? For a single site, two to four weeks. For a multi-site estate of fifty or more locations, plan for three to six months with a phased rollout. --- SEGMENT 5: SUMMARY AND NEXT STEPS To wrap up: the case for migrating from on-premises NPS to RADIUS as a Service is compelling on operational, financial, and compliance grounds. The migration itself is low-risk when executed with a structured parallel-running phase. The key technical decisions are your EAP method selection, your identity integration approach, and whether to implement RadSec for transport security — which I'd strongly recommend for any new deployment. Your immediate next steps: conduct the audit of your current RADIUS clients and policies, engage your cloud RADIUS provider for a pilot environment, and review your firewall rules and certificate trust chains before you start. For organisations running Purple WiFi's guest access platform, the RADIUS as a Service capability integrates directly with the guest WiFi authentication flow, giving you a single control plane for both corporate 802.1X authentication and guest network access management — with the analytics and compliance reporting built in. Thanks for listening. The full technical reference guide is available on the Purple website, and our solutions team is available for a scoping conversation if you're ready to move forward. --- END OF SCRIPT

header_image.png

Zusammenfassung für die Geschäftsleitung

Seit fast zwei Jahrzehnten ist der Microsoft Network Policy Server (NPS) die Standard-RADIUS-Implementierung für Unternehmensnetzwerke. Doch während Betreiber von Veranstaltungsorten über verteilte Standorte – von Einzelhandelsketten bis hin zu globalen Hotelgruppen – expandieren, ist der Betriebsaufwand für die Verwaltung der On-Premises-Authentifizierungsinfrastruktur zu einer erheblichen Belastung geworden.

Die Migration zu RADIUS as a Service verlagert die Authentifizierung von einer verwalteten Hardwarekomponente zu einem genutzten Cloud-Dienst. Dieser architektonische Übergang eliminiert den Single Point of Failure, der bei eigenständigen NPS-Bereitstellungen inhärent ist, beseitigt Hardware-Erneuerungszyklen und bietet die elastische Skalierbarkeit, die für Umgebungen mit hoher Dichte wie Stadien und Konferenzzentren erforderlich ist. Für IT-Manager und Netzwerkarchitekten bietet dieser Leitfaden eine herstellerneutrale, strukturierte Methodik zur Migration der 802.1X-Authentifizierung in die Cloud, ohne den Produktionsverkehr zu beeinträchtigen, die Einhaltung von PCI DSS und GDPR zu gewährleisten und die OpEx der Authentifizierungsinfrastruktur um bis zu 80 % zu senken.

Technischer Deep-Dive: Architektur und Standards

Um die Migration zu verstehen, müssen wir zunächst den architektonischen Wandel bei der Bereitstellung der IEEE 802.1X portbasierten Zugriffskontrolle untersuchen.

Die Einschränkungen von On-Premises NPS

In einer traditionellen Bereitstellung fungieren Access Points als Network Access Server (NAS) und leiten Authentifizierungsanfragen an einen On-Premises NPS-Server weiter. Der NPS-Server bewertet Verbindungsanforderungsrichtlinien, validiert Anmeldeinformationen anhand eines Identitätsspeichers (typischerweise Active Directory über LDAP) und gibt eine Access-Accept- oder Access-Reject-Nachricht zurück.

Dieses Modell weist drei kritische Einschränkungen für moderne Netzwerke auf:

  1. Hardwareabhängigkeit & Wartung: NPS erfordert dedizierte physische oder virtuelle Maschinen, was kontinuierliches Patching, Kapazitätsplanung und Lifecycle-Management erfordert.
  2. Komplexität der Hochverfügbarkeit: Das Erreichen von Redundanz erfordert die Bereitstellung von NPS in einem Failover-Paar, wodurch die Lizenzkosten verdoppelt werden, ohne eine echte geografische Redundanz zu bieten.
  3. Durchsatzengpässe: Während Spitzenzeiten – wie dem Zutritt zu einem Stadion oder den Spitzenhandelszeiten im Einzelhandel – kann eine einzelne NPS-Instanz zu einem Engpass werden, was zu Authentifizierungs-Timeouts und einer verschlechterten Benutzererfahrung führt.

Die Cloud RADIUS-Architektur

RADIUS as a Service abstrahiert die Authentifizierungsschicht. Cloud-Anbieter betreiben verteilte, geo-redundante Cluster von RADIUS-Servern. Der NAS verweist auf diese Cloud-Endpunkte, und Anfragen werden automatisch lastverteilt.

architecture_comparison.png

Transportsicherheit: Die Rolle von RadSec Wenn RADIUS in die Cloud verlagert wird, durchläuft der Authentifizierungsverkehr das öffentliche Internet. Während traditionelles RADIUS ein Shared Secret und MD5-Hashing verwendet, müssen moderne Bereitstellungen RadSec (RADIUS over TLS, RFC 6614) implementieren. RadSec umschließt die gesamte RADIUS-Konversation in einem TLS-Tunnel (typischerweise TCP-Port 2083), bietet eine Transport-Layer-Verschlüsselung, die HTTPS entspricht, und eine gegenseitige Authentifizierung zwischen dem NAS und dem Cloud RADIUS-Endpunkt.

Identitätsintegration Cloud RADIUS erfordert keine Migration Ihres Benutzerverzeichnisses. Dienste unterstützen typischerweise LDAPS-Verbindungen zurück zu On-Premises Active Directory oder native API-Integrationen mit Azure Active Directory (Entra ID) über SAML oder SCIM. Dies stellt sicher, dass Ihre bestehenden Benutzer-Lifecycle-Management-Prozesse intakt bleiben.

Für Veranstaltungsorte, die Guest WiFi -Plattformen nutzen, integriert sich Cloud RADIUS direkt und bietet eine einheitliche Steuerungsebene für die 802.1X-Unternehmensauthentifizierung und den Gastnetzwerkzugang, komplett mit erweiterten WiFi Analytics .

Implementierungsleitfaden: Eine 5-Phasen-Methodik

Die Durchführung einer Migration ohne Ausfallzeiten erfordert einen strukturierten, phasenweisen Ansatz.

migration_checklist.png

Phase 1: Audit und Bestandsaufnahme

Bevor Sie Änderungen vornehmen, dokumentieren Sie den aktuellen Zustand:

  • RADIUS Clients: Identifizieren Sie jeden NAS (Access Points, Switches, VPN-Konzentratoren).
  • Richtlinien: Dokumentieren Sie bestehende NPS-Verbindungsanforderungs- und Netzwerkrichtlinien, einschließlich der für die VLAN-Zuweisung verwendeten Vendor-Specific Attributes (VSAs).
  • EAP-Methoden: Identifizieren Sie, welche Extensible Authentication Protocol-Methoden verwendet werden (z. B. EAP-TLS, PEAP-MSCHAPv2).

Phase 2: Pilotbereitstellung

Stellen Sie die Cloud RADIUS-Instanz bereit und konfigurieren Sie eine Nicht-Produktions-SSID oder einen einzelnen Teststandort. Validieren Sie die Identitätsverzeichnisintegration (z. B. Entra ID-Synchronisierung) und stellen Sie sicher, dass die EAP-Methode durchgängig funktioniert.

Phase 3: Parallelbetrieb (Risikominderung)

Konfigurieren Sie die Produktions-NAS-Geräte so, dass sie sowohl den Cloud RADIUS-Server (Primär) als auch den Legacy NPS-Server (Fallback) verwenden. Führen Sie diese Konfiguration für mindestens zwei Wochen aus. Überwachen Sie die Authentifizierungs-Erfolgsraten, Latenzmetriken und Abrechnungsdatenflüsse, um Richtlinienabweichungen vor der Umstellung zu identifizieren.

Phase 4: Umstellung

Entfernen Sie während eines geplanten Wartungsfensters die Legacy NPS-Fallback-Konfiguration von den NAS-Geräten. Verpflichten Sie sich vollständig zur Cloud-Infrastruktur. Stellen Sie sicher, dass Ihr Rollback-Verfahren dokumentiert und getestet ist.

Phase 5: Außerbetriebnahme

Nach 30 Tagen stabilen Betriebs nehmen Sie die Legacy NPS-Server sicher außer Betrieb und fordern die Rechenressourcen zurück.

Best Practices & Compliance

Beim Entwurf Ihrer Cloud RADIUS-Architektur halten Sie sich an die folgenden Standards:

  • RadSec vorschreiben: Senden Sie niemals RADIUS-Verkehr über das öffentliche Internet mit Standard-UDP 1812/1813, wenn RadSec (TCP 2083) von Ihrer NAS-Hardware unterstützt wird.
  • Zertifikatsvertrauensketten: Stellen Sie sicher, dass Client-Geräte dem Zertifikat vertrauenifizierungsstelle (CA), die das Zertifikat des Cloud-RADIUS-Servers ausgestellt hat. Verteilen Sie die Root-CA vor der Migration über MDM oder Gruppenrichtlinien an verwaltete Geräte.
  • Compliance-Haltung: Wählen Sie einen Cloud-RADIUS-Anbieter, der eine SOC 2 Typ II-Zertifizierung und ISO 27001-Akkreditierung besitzt. Dies vereinfacht Ihre jährlichen PCI DSS-Bewertungen erheblich, insbesondere für Umgebungen im Einzelhandel und im Gastgewerbe .

Für umfassendere Netzwerkdesign-Prinzipien konsultieren Sie unsere Leitfäden zu WiFi für Unternehmen einrichten: Ein Playbook für 2026 und Verständnis von RSSI und Signalstärke für optimale Kanalplanung .

Fehlerbehebung & Risikominderung

Fehlermodus Grundursache Minderungsstrategie
Authentifizierungs-Timeouts Firewall blockiert ausgehenden UDP 1812/1813 oder TCP 2083. Überprüfen Sie, ob die Perimeter-Firewall-Regeln ausgehenden Datenverkehr zu den spezifischen IP-Bereichen des Cloud-RADIUS-Anbieters zulassen.
Zertifikatsvertrauensfehler Client-Geräten fehlt die Root-CA in ihrem vertrauenswürdigen Speicher. Stellen Sie die Root-CA vor Phase 3 (Parallelbetrieb) über MDM/GPO bereit.
VLAN-Zuweisung fehlgeschlagen Anbieterspezifische Attribute (VSAs) in Cloud-Richtlinien nicht korrekt zugeordnet. Replizieren Sie während Phase 1 exakte VSA-String-Formate von NPS in die Cloud-RADIUS-Richtlinien-Engine.
Auswirkungen eines WAN-Ausfalls Internetverlust unterbricht den Zugriff auf Cloud-RADIUS. Stellen Sie redundante WAN-Verbindungen bereit oder implementieren Sie einen lokalen RADIUS-Proxy, der Anmeldeinformationen für bekannte Geräte zwischenspeichert.

ROI & Geschäftsauswirkungen

Die Migration zu RADIUS as a Service liefert messbare Geschäftsergebnisse:

  • Kostenreduzierung: Eliminiert Hardwarebeschaffung, Windows Server-Lizenzierung und den technischen Aufwand für Patches und Wartung. Die typische OpEx-Reduzierung beträgt 60-80%.
  • Zuverlässigkeits-SLA: Cloud-Anbieter bieten finanziell abgesicherte 99,99% Uptime-SLAs, verglichen mit den typischen 97-98%, die bei Single-Site-NPS-Bereitstellungen erreicht werden.
  • Agilität: Neue Standorte können sofort ohne Bereitstellung lokaler Authentifizierungs-Hardware online gebracht werden, was die Bereitstellungszeiten für Transport -Hubs und Gesundheitseinrichtungen beschleunigt.

Hören Sie unserem erfahrenen Beratungsteam zu, wie es die strategischen Implikationen in diesem 10-minütigen Briefing erörtert:

Schlüsseldefinitionen

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

The core protocol used by enterprise WiFi networks to validate user credentials before granting network access.

NPS (Network Policy Server)

Microsoft's implementation of a RADIUS server and proxy, bundled as a role in Windows Server.

The legacy on-premises infrastructure that organizations are actively migrating away from to reduce maintenance overhead.

NAS (Network Access Server)

The device that acts as the gateway to the network and passes authentication requests to the RADIUS server.

In a wireless context, the NAS is typically the WiFi Access Point or Wireless LAN Controller.

RadSec (RADIUS over TLS)

A protocol defined in RFC 6614 that transports RADIUS packets over a TCP connection encrypted with TLS.

Essential for cloud RADIUS deployments to ensure credential data is encrypted while traversing the public internet.

EAP (Extensible Authentication Protocol)

An authentication framework frequently used in wireless networks and point-to-point connections.

Determines how the client and server securely exchange credentials (e.g., certificates via EAP-TLS, or passwords via PEAP).

VSA (Vendor-Specific Attribute)

Custom attributes defined by hardware vendors within the RADIUS protocol to support proprietary features.

Crucial during migration; VSAs are often used to assign authenticated users to specific network VLANs dynamically.

LDAPS (Lightweight Directory Access Protocol over SSL)

A secure protocol for querying and modifying directory services like Active Directory.

Used by cloud RADIUS services to securely query on-premises identity stores without migrating the user directory to the cloud.

802.1X

An IEEE standard for port-based network access control (PNAC).

The underlying standard that uses RADIUS to ensure only authenticated devices can pass traffic onto the enterprise LAN or WLAN.

Ausgearbeitete Beispiele

A 200-property hotel group currently runs local NPS servers at each site for staff 802.1X authentication. They are migrating to Entra ID (Azure AD) and want to decommission the local servers. How should they approach the migration?

  1. Deploy a cloud RADIUS service that integrates natively with Entra ID via SAML/SCIM.
  2. Configure the cloud RADIUS policies to map Entra ID groups (e.g., 'Front Desk', 'Management') to specific VLAN VSAs.
  3. At a pilot property, configure the access points to use RadSec to connect to the cloud RADIUS endpoint.
  4. Push the cloud RADIUS server's Root CA to all staff devices via Microsoft Intune.
  5. Run parallel authentication at the pilot site, then execute a phased rollout across the remaining 199 properties.
Kommentar des Prüfers: This approach removes 200 physical/virtual servers from the estate, drastically reducing the attack surface and maintenance overhead. Integrating directly with Entra ID eliminates the need for complex site-to-site VPNs back to a central Active Directory.

A stadium with 50,000 capacity experiences authentication failures on their corporate SSID during major events because their on-premises NPS server cannot handle the throughput of thousands of devices roaming simultaneously.

  1. Audit the existing NPS policies and EAP methods.
  2. Provision a cloud RADIUS service capable of auto-scaling to handle high authentications per second (APS).
  3. Establish an LDAPS connection from the cloud RADIUS service to the stadium's on-premises Active Directory.
  4. Update the stadium's high-density wireless LAN controllers to point to the cloud RADIUS endpoints as the primary authentication servers.
Kommentar des Prüfers: By offloading the RADIUS processing to a cloud cluster, the stadium leverages elastic compute resources that scale dynamically during event ingress, resolving the bottleneck without requiring the venue to over-provision expensive local hardware.

Übungsfragen

Q1. Your organization is migrating to Cloud RADIUS. The security team mandates that no authentication traffic can be sent over the internet in cleartext or using deprecated hashing algorithms like MD5. What protocol must you configure on your wireless LAN controllers?

Hinweis: Look for the protocol that wraps RADIUS in a TLS tunnel.

Musterlösung anzeigen

You must configure RadSec (RADIUS over TLS). RadSec establishes a TLS tunnel over TCP port 2083 between the NAS and the cloud RADIUS server, providing transport-layer encryption and mutual authentication, satisfying the security team's requirements.

Q2. During Phase 3 (Parallel Running) of your migration, you notice that users are authenticating successfully against the cloud RADIUS server, but they are not being placed in the correct network segments. What is the most likely configuration gap?

Hinweis: How does a RADIUS server tell an access point which network segment to use?

Musterlösung anzeigen

The Vendor-Specific Attributes (VSAs) for dynamic VLAN assignment have not been configured correctly in the cloud RADIUS policies. You must ensure the exact VSA strings used in the legacy NPS server are replicated in the cloud environment so the NAS knows which VLAN to assign to the user.

Q3. A client device is repeatedly failing EAP-TLS authentication against the new cloud RADIUS service, but it works fine against the legacy NPS server. The device logs show an 'untrusted server' error. How do you resolve this?

Hinweis: EAP-TLS requires the client to trust the server's identity.

Musterlösung anzeigen

The client device does not have the Root Certificate Authority (CA) that issued the cloud RADIUS server's certificate in its trusted root store. You must deploy the Root CA to the client device using a Mobile Device Management (MDM) solution or Group Policy.