
TL;DR / Key Takeaways

  • Secure staff WiFi is an identity lifecycle, not a single feature: access is granted, scoped, and revoked automatically as employees join, move, and leave.
  • Onboarding is passwordless - a certificate (EAP-TLS) or a unique per-device credential, never a shared password - issued through your MDM or the Purple app in about 60 seconds.
  • SCIM provisioning against Entra ID, Okta, or Google Workspace ties WiFi access to directory membership, so a leaver loses WiFi the moment they lose email.
  • The whole lifecycle runs on cloud RADIUS over your existing access points - no on-premise RADIUS server and no hardware to ship per site.

The staff WiFi lifecycle, stage by stage

Six stages, one identity. Each stage is automatic - the employee never sees a password, and IT never rotates one.

  1. An employee joins, and their account provisions automatically

    When HR adds a new starter to Microsoft Entra ID, Okta, or Google Workspace, SCIM provisioning pushes that identity to Purple automatically - no separate WiFi ticket. Their group membership (department, role, site) syncs at the same time and decides which network segment they will land on.

  2. Their device gets a certificate

    On a managed laptop, an EAP-TLS certificate is issued silently through your MDM - Intune, Jamf, Kandji, or Hexnode. On a personal phone or tablet, the employee opens the Purple app, signs in once with their corporate identity, and a unique WiFi credential installs in about 60 seconds. No shared password is ever shown or typed.

  3. The device connects with 802.1X

    The device associates to the WPA2 or WPA3-Enterprise SSID. The access point forwards the 802.1X request to Purple’s cloud RADIUS, which validates the certificate against your identity provider and returns the right VLAN and policy. The employee is online, on the correct segment, with a unique session key - in tens of milliseconds.

  4. Access follows the person across every site

    The same identity works in every building. Walk into another office, a branch, or a multi-site venue running Purple and the device connects automatically - no new password, no reconfiguration. Conditional Access policies from Entra ID are honored on each join, so a device that fails a compliance check is not admitted.

  5. Policy and activity stay visible

    Every authentication is logged with the user, device, access point, SSID, and outcome, and streamed to your SIEM (Microsoft Sentinel, Splunk, Elastic, or Datadog). IT can see who is connected across all sites and disable a single user or device instantly, without disrupting anyone else.

  6. The employee leaves, and access is revoked automatically

    When the employee is offboarded in your identity provider, SCIM deprovisioning removes their WiFi access at the same moment their email is revoked. There is no company-wide password rotation, no orphaned credential, and no manual step - the certificate or key simply stops authenticating on the next attempt.
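The stages above come down to one rule: each 802.1X join is decided against the directory state that SCIM last delivered. The following is an added example, not Purple's code or API. It applies SCIM 2.0 create and PatchOp events to an in-memory directory and returns the RADIUS decision with the RFC 3580 VLAN attributes. The class and function names, the group-to-VLAN map, and the sample user are constructed assumptions.

```python
from dataclasses import dataclass, field

GROUP_VLAN = {"engineering": 110, "finance": 120}  # constructed policy, not from the page

@dataclass
class Identity:
    active: bool = True
    groups: list = field(default_factory=list)

def _as_bool(value):
    # Some SCIM clients send "False" as a string; bool("False") would be True.
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

class WifiDirectory:
    """Hypothetical store a RADIUS service consults on every join."""
    def __init__(self):
        self.users = {}

    def scim_create(self, res):
        # SCIM 2.0 User resource (RFC 7643): userName, active, groups[].display
        groups = [g["display"] for g in res.get("groups", [])]
        self.users[res["userName"]] = Identity(_as_bool(res.get("active", True)), groups)

    def scim_patch(self, user_name, patch):
        # SCIM 2.0 PatchOp (RFC 7644): handle both 'replace' shapes for 'active'.
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                continue
            value = op.get("value")
            if op.get("path") == "active":
                self.users[user_name].active = _as_bool(value)
            elif "path" not in op and isinstance(value, dict) and "active" in value:
                self.users[user_name].active = _as_bool(value["active"])

    def authorize(self, cert_identity):
        """Decision for an identity whose certificate EAP-TLS has already validated."""
        ident = self.users.get(cert_identity)
        if ident is None or not ident.active:
            return {"code": "Access-Reject"}      # leaver or unknown identity
        vlan = next((GROUP_VLAN[g] for g in ident.groups if g in GROUP_VLAN), None)
        if vlan is None:
            return {"code": "Access-Reject"}      # fail closed: no mapped group
        return {"code": "Access-Accept", "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": str(vlan)}

def demo():
    d = WifiDirectory()
    d.scim_create({"userName": "alex@example.com", "active": True,
                   "groups": [{"display": "finance"}]})
    joined = d.authorize("alex@example.com")
    d.scim_patch("alex@example.com", {"Operations": [
        {"op": "replace", "path": "active", "value": False}]})
    return joined, d.authorize("alex@example.com")
```

The string-versus-boolean handling in `_as_bool` matters for offboarding: a naive `bool("False")` would leave a deprovisioned user active.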

Why the lifecycle is the proof

This is the difference between staff WiFi and guest WiFi with a security page bolted on. Guest WiFi optimizes for low-friction sign-up; staff WiFi optimizes for identity. Because every connection is tied to a verified person or device for the whole employee lifecycle - granted on day one, scoped to their role, revoked on their last day - you get per-user accountability, instant revocation, and a clean audit trail without a single shared password on the network. That is identity-based networking, and it is the foundation for zero trust network access.

Frequently asked questions

How is staff WiFi access revoked when an employee leaves?

Automatically, through your identity provider. Because each employee authenticates with their own certificate or credential, offboarding them in Entra ID, Okta, or Google Workspace removes their WiFi access via SCIM at the same moment their email is revoked. There is no company-wide password to rotate and no orphaned credential left behind - their certificate or key stops authenticating on the next attempt.

What is SCIM provisioning for WiFi?

SCIM (System for Cross-domain Identity Management) is the standard your identity provider uses to push user and group changes to other systems. With Purple, SCIM keeps WiFi access in sync with your directory automatically: when someone joins, their access is provisioned and their group membership sets their VLAN; when they leave, access is deprovisioned - no manual WiFi administration.

How long does staff WiFi onboarding take for a new employee?

About 60 seconds for a personal device: the employee opens the Purple app, signs in once with their corporate identity, and a unique WiFi credential installs. Managed laptops are silent - the EAP-TLS certificate is pushed through your MDM (Intune, Jamf, Kandji, or Hexnode) before the user ever connects.

Does the staff WiFi lifecycle work across multiple sites?

Yes. Because authentication runs in Purple’s cloud RADIUS rather than per-site hardware, the same identity connects automatically at every building, branch, or venue on the network - no new password and no reconfiguration. It is a strong fit for multi-site estates such as councils, hospitality and retail chains, and multi-academy trusts.

Do I need a RADIUS server or new hardware for any of this?

No. Purple operates the RADIUS server as a cloud service and runs on the enterprise access points you already own (Cisco, Aruba, Ruckus, Juniper Mist, Meraki, Ubiquiti, and more). You point your access points at Purple - there is no on-premise RADIUS server to install, patch, or keep highly available.

Last reviewed: