Staff WiFi that knows exactly who is on your network
Replace shared passwords with per-user, certificate-based access tied to your identity provider. Staff sign in once with the account they already have, and access is revoked the moment they leave.
One identity. One pass. Every device, every site.
Here is the path from sign-in to the moment access stops, as simple as adding a pass to a mobile wallet.
Authenticate
Staff open the Purple app and sign in with the account they already have - Microsoft Entra ID, Okta, or Google Workspace. No new password to set or remember.
Generate a WiFi pass
Purple issues a unique, certificate-based WiFi pass to the device, as simple as adding a card to a mobile wallet.
Get online
The device authenticates over WPA2/3-Enterprise with 802.1X. Each user gets their own encryption keys, so no one on the network can read anyone else’s traffic.
Stay connected
Devices reconnect on their own across every site, on Windows, macOS, Linux, iOS, and Android. No repeated logins, no captive portals to fill in.
Auto-revocation
Disable someone in your directory and Purple drops their WiFi within minutes over SCIM. No estate-wide password to rotate, no ticket to raise.
No on-site RADIUS to run. Purple operates the cloud RADIUS that replaces FreeRADIUS and Windows NPS, with multi-region failover and a 99.999% uptime SLA. Every authentication is logged with user, device, time, and location, so your audit trail writes itself. Read the full architecture in the enterprise WiFi security guide.
Run staff WiFi for every site from one place
Connect your directory, watch who is on the network in real time, and prove every connection - without touching a RADIUS box.
Connect your identity provider in minutes
Staff authenticate with the account they already have. Group membership drives VLAN policy, and SCIM provisions and revokes access automatically as people join, move, and leave.
See and prove every connection
A live user directory shows who can reach the network and how they authenticate. Every session is logged with user, device, time, and location for compliance, and the same occupancy data helps reclaim up to 35% of unused office space.
Ask your WiFi data in plain English
Query active sessions, bandwidth spikes, or compliance history using natural language. Answers are generated instantly from your network session data, making deep audits as simple as asking a question.
Design the WiFi pass once, issue it everywhere
Build a branded pass template for your organisation, then every employee gets a unique, unshareable, certificate-based pass on their device. Revoke any one of them without rotating a shared password.
One pass in every pocket
The Purple app is the authenticator. Staff get a unique, unshareable WiFi pass that connects them automatically until their access is revoked.
A profile that verifies access, with each user on their own encryption keys.
Disable someone in your IdP and their network access ends immediately.
Native on Windows, macOS, Linux, iOS, and Android. Printers and sensors use iPSK.
See Purple Staff WiFi in action
A short walkthrough, from an employee signing in to access dropping the moment they leave.
Add Shield to cut bandwidth and distractions
Staff WiFi keeps your people connected. Shield keeps the connection clean. It filters at the DNS layer, so there is no extra hardware to buy and no firewall to change, and it rolls out across your whole estate in minutes.
Reclaim your bandwidth
Shield strips ads, trackers, and bloatware before they load, and can throttle high-bandwidth streaming during busy periods. Pages pull up to 44% less data and fire 62% fewer DNS queries, leaving headroom for the traffic that runs your business.
Remove the distractions
Ad and tracker blocking means staff pages load up to 53% faster and arrive clean. Set policies by site, department, or time of day to keep people focused and keep content you do not want off a work network.
Enterprise security without enterprise overhead
Identity-based networking is what Purple has built since 2012, now powering 440 million logins a year across more than 90 countries.
Built on standards, not lock-in
An identity-based platform that delivers Zero Trust control and operational efficiency, on the hardware you already run.
Zero Trust by default
Every session is uniquely authenticated. VLAN, ACL, and bandwidth policies apply dynamically from real-time identity-provider attributes.
WPA2/3-Enterprise, 802.1X
EAP-TLS (certificate-based) or PEAP (credential-based), so each user gets their own encryption keys instead of one shared password.
Cloud RADIUS
A global, high-availability RADIUS service with a 99.999% uptime SLA. No on-prem FreeRADIUS or Windows NPS, and no single point of failure.
Vendor-agnostic
Runs on any access point that speaks RADIUS, so you keep the hardware you already own and avoid lock-in.
Guest on the same SSID
Visitors install the Purple app, sign in, and land on a guest VLAN - one pane of glass, no second system to run.
Multi-tenant ready
Give each team, building, or tenant its own private network bubble, managed from the same console.
Talk to a staff WiFi specialist
Tell us about your estate and identity provider, and we will map a path from shared passwords to identity-based access. Migration from FreeRADIUS, NPS, or Cisco ISE is usually a weekend exercise.
Staff WiFi for your industry
See how staff wifi works in venues like yours, and how Purple compares to alternatives.
Used in these industries
Compare alternatives
One platform, three networks
Explore the authentication stack
Enterprise WiFi security
The pillar guide behind staff WiFi: WPA2/3-Enterprise, 802.1X, EAP-TLS, cloud RADIUS, and identity-provider integration, plus the full cluster of deep-dive guides.
RADIUS-as-a-Service
Cloud RADIUS for WPA2/3-Enterprise: EAP-TLS, PEAP, and iPSK. No on-prem server, multi-region failover.
WPA2 & WPA3-Enterprise
Secure WiFi with 802.1X on your existing access points. Identity-provider integration and managed certificates.
Passwordless WiFi
EAP-TLS, iPSK, Passpoint, and SAML/SSO. Replace shared passwords with identity-based credentials.
Frequently Asked Questions
What is staff WiFi and how is it different from guest WiFi?
Staff WiFi is an employee-only wireless network authenticated per-user, isolated from the guest and payment networks. Where guest WiFi optimises for low-friction sign-up, staff WiFi optimises for identity - each employee authenticates with their own credential (certificate, password, or iPSK) via 802.1X against a RADIUS server, and their access can be revoked the moment they leave the company without touching anyone else on the network.
What authentication does Purple staff WiFi use?
WPA2-Enterprise or WPA3-Enterprise with 802.1X. The standard options are EAP-TLS (certificate-based, the gold standard for managed laptops), PEAP (username + password for legacy devices), and iPSK (unique per-device pre-shared key for BYOD and IoT). Authentication runs against your identity provider - Microsoft Entra ID, Okta, Google Workspace, or any SAML 2.0 IdP.
Do I need my own RADIUS server?
No. Purple operates the RADIUS server as a cloud service - RADIUS-as-a-Service - with multi-region failover and a 99.999% uptime SLA. Your access points point at Purple, Purple validates credentials against your identity provider, and no one in your team operates RADIUS infrastructure. If you already run FreeRADIUS, NPS, or Cisco ISE, migration is a weekend exercise.
How does Purple staff WiFi integrate with Entra ID, Okta, or Google Workspace?
Directly via SAML and SCIM. When an employee is added to the IdP, their WiFi access is provisioned automatically; when they leave, access is revoked at the same moment their email is revoked. Group membership in the IdP drives VLAN policy - marketing, engineering, and contractors can each land on their own network segment without manual configuration.
Does Purple support employee WiFi for BYOD and IoT devices?
Yes. BYOD onboarding uses certificate enrolment via an MDM (Intune, Jamf, Kandji, Hexnode) for managed devices, or a self-service portal for unmanaged phones and tablets. IoT devices - printers, access controllers, smart lighting - typically use iPSK (Identity PSK) on a dedicated SSID so each device has a unique key you can revoke without affecting others.
Can I revoke one employee's WiFi access without disrupting others?
Yes, instantly. Because staff WiFi is per-user, disabling the employee in your identity provider revokes their WiFi access at the next authentication attempt. Compare this to a shared WiFi password, where one departing employee forces a company-wide password rotation. This is the single biggest operational reason to move from WPA-Personal to WPA-Enterprise.
Does Purple staff WiFi work with my existing access points?
Yes. Purple runs on any enterprise-grade access point that speaks RADIUS - Cisco Meraki, Cisco Catalyst, Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, Fortinet FortiAP, and more. You do not replace hardware; you reconfigure SSIDs to authenticate via Purple.
How does staff WiFi handle Conditional Access and Zero Trust?
Purple respects Conditional Access policies from Entra ID - a device that fails compliance checks is not admitted to the network. For broader Zero Trust postures, Purple emits every authentication event to SIEM (Microsoft Sentinel, Splunk, Elastic, Datadog) via webhook or syslog, so network access becomes a signal in your broader security analytics.
Ready to make your staff WiFi passwordless?
Turn your staff network into a low-maintenance, Zero Trust asset driven by continuous identity verification.