BYOD Enrollment — Generate a one-time enrollment token, then distribute it to end users.
Each token is single-use and time-limited. Supports Windows, macOS, iOS, and Android.
Windows BYOD Enrollment
Step 1: Download and install the Root CA certificate
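# Run from an elevated PowerShell prompt. certutil -addstore takes a local file, so download the certificate first.
Invoke-WebRequest -Uri "https://orc.wearealliance.org/api/pki/ca/root" -OutFile "RootCA.pem"
certutil -addstore Root "RootCA.pem"
# Or via Group Policy: Computer Config > Windows Settings > Security Settings > Public Key Policies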
Step 2: Request your device certificate using your enrollment token
$token = "YOUR_TOKEN_HERE"
$deviceId = $env:COMPUTERNAME
$body = @{ token = $token; device_id = $deviceId } | ConvertTo-Json
$resp = Invoke-RestMethod -Method POST -Uri "https://orc.wearealliance.org/api/pki/byod/enroll" `
-Body $body -ContentType "application/json"
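# -Encoding ascii: Out-File in Windows PowerShell defaults to UTF-16, which PEM parsers reject
$resp.certificate | Out-File "device_cert.pem" -Encoding ascii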
# Import PKCS12 bundle directly
$pfxBytes = [Convert]::FromBase64String($resp.pkcs12_b64)
[System.IO.File]::WriteAllBytes("device.pfx", $pfxBytes)
Import-PfxCertificate -FilePath "device.pfx" -CertStoreLocation "Cert:\LocalMachine\My"
Step 3: Configure 802.1X Wi-Fi / VPN
netsh wlan add profile filename="wifi-profile.xml"
# Wi-Fi SSID: WeAreAlliance-Corp
# Auth: WPA2-Enterprise / EAP-TLS
# Certificate: device.pfx (CN = %COMPUTERNAME%)
macOS BYOD Enrollment
Step 1: Trust the Root CA
curl -o RootCA.pem https://orc.wearealliance.org/api/pki/ca/root
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain RootCA.pem
Step 2: Enroll device certificate
TOKEN="YOUR_TOKEN_HERE"
DEVICE_ID=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $NF}')
curl -s -X POST https://orc.wearealliance.org/api/pki/byod/enroll \
-H "Content-Type: application/json" \
-d "{\"token\":\"$TOKEN\",\"device_id\":\"$DEVICE_ID\"}" | python3 -c \
"import sys,json,base64; d=json.load(sys.stdin);
open('device.pem','w').write(d['certificate']);
open('device.p12','wb').write(base64.b64decode(d['pkcs12_b64']))"
security import device.p12 -k ~/Library/Keychains/login.keychain-db
Step 3: Configure Network (System Prefs → Network → Wi-Fi → 802.1X)
SSID: WeAreAlliance-Corp
Security: WPA2 Enterprise · EAP-TLS · Certificate: [device cert]
iOS / iPadOS Enrollment
Step 1: Install Root CA via MDM or manual profile
# Send user to Safari (not Chrome) on device:
https://orc.wearealliance.org/api/pki/ca/root
# iOS will prompt to install the certificate profile
# Settings → General → VPN & Device Management → Trust Certificate
Step 2: Enrollment via Shortcuts or MDM payload
POST https://orc.wearealliance.org/api/pki/byod/enroll
Content-Type: application/json
{ "token": "YOUR_TOKEN", "device_id": "iPhone-UDID" }
# Response .pkcs12_b64 → install via PKCS12 profile payload in MDM
# Wi-Fi profile with EAP-TLS auto-installs cert for WeAreAlliance-Corp
For MDM bulk enrollment, use an MDM system (Jamf/Mosyle/Intune) to push the enrollment token and Wi-Fi profile automatically.
Android Enrollment
Step 1: Install Root CA
# Settings → Security → Install from storage
# OR via ADB:
adb push RootCA.pem /sdcard/
# Navigate to Settings → Security → Install Certificate → CA Certificate
Step 2: Request device cert (Android 11+)
curl -X POST https://orc.wearealliance.org/api/pki/byod/enroll \
-H "Content-Type: application/json" \
-d '{"token":"YOUR_TOKEN","device_id":"android-device-id"}'
# Install PKCS12 via Settings → Security → Install Certificate → PKCS12
Step 3: Configure Wi-Fi EAP-TLS
SSID: WeAreAlliance-Corp
Security: 802.1x EAP · EAP Method: TLS
CA Certificate: [installed root] · Client Certificate: [device.p12]
Identity: device-id@wearealliance.org
Linux / 802.1X Wired & Wi-Fi
Step 1: Trust Root CA system-wide
sudo curl -o /usr/local/share/ca-certificates/AllianceRootCA.crt \
https://orc.wearealliance.org/api/pki/ca/root
sudo update-ca-certificates
Step 2: Enroll + convert to NetworkManager format
TOKEN="YOUR_TOKEN"
DEVICE=$(hostname)
curl -s -X POST https://orc.wearealliance.org/api/pki/byod/enroll \
-H "Content-Type: application/json" -d "{\"token\":\"$TOKEN\",\"device_id\":\"$DEVICE\"}" > enroll.json
python3 -c "import json,base64; d=json.load(open('enroll.json'));
open('device.pem','w').write(d['certificate']);
open('device.p12','wb').write(base64.b64decode(d['pkcs12_b64']))"
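openssl pkcs12 -in device.p12 -nocerts -nodes -out device_key.pem -passin pass:
# -nodes writes the private key unencrypted: restrict it, then place both files where the wpa_supplicant.conf snippet below expects them
chmod 600 device_key.pem
sudo mv device.pem device_key.pem /etc/ssl/private/
# Configure wpa_supplicant or NetworkManager with EAP-TLS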
wpa_supplicant.conf snippet
network={
ssid="WeAreAlliance-Corp"
key_mgmt=WPA-EAP
eap=TLS
identity="device@wearealliance.org"
ca_cert="/etc/ssl/certs/AllianceRootCA.pem"
client_cert="/etc/ssl/private/device.pem"
private_key="/etc/ssl/private/device_key.pem"
}
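Added example (not part of the original portal page): a Python version of the inline python3 -c helper used in the macOS and Linux steps. It builds the request body with json.dumps, checks the certificate and pkcs12_b64 fields before anything is written, and creates device.p12 with mode 0600. The function names and the sample reply are constructed for illustration.

```python
import base64, json, os, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")

# Constructed sample reply: placeholder bytes, not a real certificate or key bundle.
SAMPLE_RESPONSE = json.dumps({
    "certificate": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
    "pkcs12_b64": base64.b64encode(b"\x30\x82constructed").decode(),
})

def build_body(token, device_id):
    """Serialize with json.dumps so quotes or backslashes in a hostname or
    serial number cannot break or alter the JSON sent to /api/pki/byod/enroll."""
    return json.dumps({"token": token, "device_id": device_id})

def parse_response(raw):
    """Return (cert_pem, p12_bytes); raise ValueError on a malformed reply."""
    d = json.loads(raw)
    if not isinstance(d, dict):
        raise ValueError("response is not a JSON object")
    cert, p12_b64 = d.get("certificate"), d.get("pkcs12_b64")
    if not isinstance(cert, str) or not isinstance(p12_b64, str):
        raise ValueError("response lacks certificate or pkcs12_b64")
    m = PEM_RE.search(cert)
    if not m:
        raise ValueError("certificate is not a PEM block")
    base64.b64decode("".join(m.group(1).split()), validate=True)
    p12 = base64.b64decode(p12_b64, validate=True)
    if not p12.startswith(b"\x30"):  # PKCS#12 is a DER SEQUENCE (tag 0x30)
        raise ValueError("pkcs12_b64 does not decode to DER")
    return cert, p12

def save_enrollment(raw, outdir):
    """Validate first, then write; device.p12 holds the private key, so it is
    created 0600 and O_EXCL refuses to overwrite an existing bundle."""
    cert, p12 = parse_response(raw)
    fd = os.open(os.path.join(outdir, "device.p12"),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(p12)
    with open(os.path.join(outdir, "device.pem"), "w") as f:
        f.write(cert)
    return cert, p12

if __name__ == "__main__":
    import tempfile
    print(build_body('tok"en', "host"))
    print(save_enrollment(SAMPLE_RESPONSE, tempfile.mkdtemp())[1])
```

Pass the output of build_body to curl with -d @- on stdin, or post it with urllib.request, and feed the reply to save_enrollment.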
Active Enrollment Tokens
| Token ID | Role | CN | Expires | Used |
|---|---|---|---|---|