Mobile device management in the new era of 5G LAN

The emergence and innovation of enterprise-specific cellular networks, so-called 5G LANs, presents a significant opportunity for enterprises to deliver new levels of deterministic wireless services that have not been feasible until now. These private mobile networks are typically deployed, operated, and managed by enterprise IT departments or internal network staff.

Still, one of the biggest challenges IT may face when introducing 5G LANs is how to handle the large number of different client devices accessing and authenticating to this new type of enterprise mobile network. For enterprise IT, cellular networks are inherently more secure than traditional wireless LANs (WLANs), and with the right approach, both users and IT can more easily connect to cellular networks.

However, understanding the complexities and nuances of mobile device management (MDM) and the operation of MDM over private LTE and 5G cellular networks is critical to successfully deploying enterprise 5G LANs.

When deploying a private cellular infrastructure, enterprise IT departments must first determine the user device preferences based on their business model and the employee engagement aspects involved. It is likely that an enterprise will want to use different types of devices depending on the user groups that must be managed within the enterprise. These typically include three main types:

  • Company-owned, business-specific equipment: purchased, configured, secured, monitored at all times, maintained, and managed by the enterprise.
  • Corporate-owned, personally used devices: owned by the enterprise, pre-configured to maintain data security requirements, and regulated for specific types of access.
  • Pre-approved mobile devices that users can choose from: configured with security protocols and business applications according to corporate policy, and the joint responsibility of the company and the user.

Weighing the pros and cons

Enterprises need to make appropriate choices by weighing the pros and cons. The trade-offs among the enterprise's security needs, the costs incurred, employee satisfaction, flexibility of device control, and productivity should always be considered. Some compromises may need to be made depending on the types of employees and enterprise involved.

To connect the enterprise campus to the new private cellular network, IT departments need to plan which devices to support and how to manage their access and security posture. These choices will determine the degree of control that enterprise IT has over the devices, as well as the cost of supporting them.

To ensure seamless integration with existing IT infrastructure, the installation and management of these new dedicated mobile networks should ideally mimic the ease of deployment of Wi-Fi, while retaining the functionality and operation of cellular 3GPP networks. But this is easier said than done.

Difference from cellular networks

Device access and authentication work differently in cellular networks than in traditional WLANs. In the cellular network world, strong security is built into the network, and media access is scheduled and fully controlled by the infrastructure. Users do not need to do anything, just as when using a personal mobile phone. This is very attractive to the enterprise IT team.

In cellular networks, it is the device, not the user, that authenticates to the network. This brings new benefits and challenges to enterprise IT staff who must manage the various different types of user equipment (UE) accessing the network.

Username and password credentials and certificates are often used to access and authenticate an enterprise's wireless LAN. But in cellular networks, these methods are actually replaced by a physical or electronic subscriber identity module (SIM).

In a device connected to a cellular network, the SIM contains the credentials or subscription required to access specific mobile network services. The credentials can be defined in the SIM or embedded SIM (eSIM) configured in the UE.

SIM and eSIM need to be formatted specifically as separate profiles, even though they contain the same information. The credentials themselves can be placed into a physical SIM card (removable) or an embedded SIM card (non-removable). Each physical SIM and eSIM module can support one or more subscriptions.

A SIM lock, also known as a network, operator or subsidy lock, is a technical restriction built into many mobile devices. It is primarily used by service providers to restrict the use of the phone to specific countries or networks. A locked phone accepts only SIM cards whose International Mobile Subscriber Identity (IMSI) falls within a restricted set.

Get Unlocked

A mobile phone that is not locked is called a SIM-free or unlocked phone and does not impose any SIM card restrictions. An unlocked phone is a device that is not tied to a specific carrier. Once the user's contract with the carrier expires, the user can ask the carrier to unlock the phone. Unlocked smart devices can also be purchased without being locked.

Unlocked devices offer a lot of flexibility as they allow one or more enterprise credentials to be added to the device. When using such a device to roam with an enterprise network, dual SIM configurations are supported, one for the mobile network operator (MNO) and the other for the enterprise network.

If the device needs to support enterprise credentials, it must be unlocked even if the device supports MNO credentials.

As with any cellular 3GPP network, mobile devices require specific identifiers to find, associate to and authenticate to the enterprise network. Since enterprise deployments are often physically limited or local in nature, common identifiers are used and the address space of the identifiers is shared between different entities.

Each physical SIM card and embedded SIM card module can support one or more credentials. According to the GSMA specification, in order to support dual-SIM operation, one of the SIM card credentials must be in the physical SIM card slot and the other in the embedded SIM card. In other words, the two credentials cannot both come from the physical SIM card or both from the embedded SIM card. However, each physical or embedded SIM card can carry multiple credentials, with at most one credential being active at a time.

From a UE device capability perspective, additional credentials can be added to the embedded SIM card. The physical SIM card cannot be updated to add new credentials. The UE can support switching between credentials already provided in the physical SIM card.

Given that the UE potentially needs to support multiple enterprise credentials on the device and to support adding them dynamically, hosting the enterprise credentials on an embedded SIM card seems best suited for devices like handheld mobile devices. If static provisioning is sufficient, a physical SIM with enterprise credentials can be used, for example in security cameras deployed on campus.

Cellular network subscriptions and access are managed by the enterprise IT department.

Mobile devices operating on private enterprise 5G LANs are typically identified, configured, and issued to users.

Automation is key

The biggest challenge for most businesses will be how to effectively streamline or automate this onboarding process. Obviously, deploying hundreds or thousands of physical SIM cards is a daunting task for IT staff. But it doesn’t have to be. In fact, this can be turned into a huge positive for IT staff.

One way to solve this dilemma is to use QR (Quick Response) codes that can be easily distributed to users to scan. The QR code contains specific eSIM credentials that pull the eSIM profile onto the device. The QR code can be distributed to users, who can scan the code and install the required profile for their device themselves.

The second method is to send the UE to a specific SIM provisioning platform, which pushes pre-defined credentials onto the device. In this MDM mode, the device is provided with the SM-DP+ (Subscription Manager Data Preparation) server address to reach. The eSIM credentials assigned to the UE are paired with the device's EID (Electronic Identification) in this server.

The SIM provisioning platform then pushes the credentials pre-assigned to the device when the device accesses the server.

The UE can be set up to reach the Subscription Manager Data Preparation (SM-DP+) platform directly. This is an eSIM management server from which the device can securely download the necessary eSIM profiles to be stored on the eUICC.
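The article does not give the QR payload format, so this added example (not part of the original article or any vendor's code) assumes the GSMA activation code layout `LPA:1$<SM-DP+ address>$<matching ID>` and the GSMA EID check digits. It audits a batch of EID-to-QR pairings before IT distributes them; the host `smdp.corp.example`, the tokens and the EIDs are constructed placeholders.

```python
import re

# Assumption: the only SM-DP+ host the enterprise provisions from (placeholder).
APPROVED_SMDP = {"smdp.corp.example"}
FQDN = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def with_check_digits(body30: str) -> str:
    """Build a constructed sample EID: 30-digit body plus two check digits."""
    return body30 + "%02d" % (98 - int(body30 + "00") % 97)

def eid_is_valid(eid: str) -> bool:
    """An EID is 32 decimal digits whose integer value is 1 modulo 97."""
    return bool(re.fullmatch(r"[0-9]{32}", eid)) and int(eid) % 97 == 1

def parse_activation_code(payload: str) -> dict:
    """Parse 'LPA:1$<SM-DP+ address>$<matching ID>[$<OID>[$<flag>]]'."""
    if not payload.startswith("LPA:"):
        raise ValueError("not an eSIM activation code")
    fields = payload[4:].split("$")
    if not 3 <= len(fields) <= 5 or fields[0] != "1":
        raise ValueError("unsupported activation code format")
    host = fields[1].lower()
    if not FQDN.fullmatch(host):
        raise ValueError("SM-DP+ address is not a hostname")
    return {"smdp": host, "matching_id": fields[2],
            "confirmation_code": len(fields) == 5 and fields[4] == "1"}

def audit_batch(batch: dict) -> dict:
    """Return {EID: [problems]}; an empty list means the QR code can be issued."""
    report, owner = {}, {}
    for eid, payload in batch.items():
        problems = [] if eid_is_valid(eid) else ["bad EID"]
        try:
            code = parse_activation_code(payload)
        except ValueError as exc:
            problems.append(str(exc))
        else:
            if code["smdp"] not in APPROVED_SMDP:
                problems.append("unapproved SM-DP+ host")
            token = code["matching_id"]
            if token and owner.setdefault(token, eid) != eid:
                problems.append("matching ID reused from " + owner[token])
        report[eid] = problems
    return report

if __name__ == "__main__":
    eid = with_check_digits("89049032" + "0" * 22)  # constructed sample EID
    print(audit_batch({eid: "LPA:1$smdp.corp.example$SAMPLE-TOKEN-01"}))
```

An empty matching ID is accepted and skipped by the reuse check, since a profile bound to the EID on the server side does not need one.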

With simple technology like this, enterprise IT can finally more easily automate the onboarding of mobile devices. By effectively eliminating any manual user intervention, IT can smoothly transition to new 5G LANs to support use cases and devices that traditional enterprise wireless networks cannot support - while radically improving the security and experience of network users.
