MRA Device Onboarding using Activation Codes
This release extends the on-premise Activation Code Device Onboarding feature to Mobile and Remote Access (MRA) endpoints that connect remotely. The update provides a secure way to onboard MRA endpoints remotely. It also simplifies the user experience by removing the requirement that MRA users be within the enterprise network when they onboard their endpoints for the first time.
When remote MRA users connect their phone for the first time, the phone communicates with the Cloud/Hybrid Service in order to obtain the activation code requirement. The MRA users can pick up the activation code from the Self-Care Portal and then enter the code on the phone in order to complete the initial registration. This process works even if the phone cannot reach the cluster TFTP server.
As a part of this feature, OAuth Refresh Logins are introduced for Cisco IP Phones that are onboarded over MRA using device activation codes.
Configuration
For more information, see the "Device Onboarding via Activation Codes" section of the System Configuration Guide for Cisco Unified Communications Manager, Release 12.5(1)SU1.
Phone Support
This feature is supported for the following Cisco IP Phones:
7811, 7821, 7832, 7841, 7861, 8811, 8841, 8845, 8851, 8851NR, 8861, 8865, 8865NR, 8832, 8832NR
User Interface Updates
The following configuration windows are added or updated:
- Cisco Cloud Onboarding—This page is updated with a new section, Activation Code Onboarding Settings, that contains the following fields:
  - Enable Activation Code Onboarding with Cisco Cloud
  - MRA Activation Domain
  - Trusted CA Certificates—"Used by devices to secure communication with your Expressway(s)" is added.

  This page is also updated with helpful status information for viewing the status of activation code registrations for MRA endpoints.
- MRA Service Domain Configuration—This new page is added to the Advanced Features menu. The page lets you enter the SRV record and device pool for an MRA Service Domain. It contains the following fields:
  - Name
  - Domain
  - Default
  - Dependency Records
- Device Pool Configuration—A new MRA Service Domain drop-down is added.
- Device Defaults—The Onboarding method column is renamed to On-Premise Onboarding Method. This field applies to on-premise onboarding only and does not apply to onboarding for MRA devices using activation codes.
- Phone Configuration—The new Allow Activation Code Onboarding via MRA check box is added.
- Enterprise Parameters Configuration—A new parameter, Physical Phone OAuth Refresh Token Expiry Timer, is added with a default value of 60 days.
Serviceability Updates
The following new alarms are added for activation code onboarding:
- DevActAccessTokenInvalid—The access token used by the Cisco Device Activation Service to communicate with the Cisco Cloud was not able to be renewed and has expired.
- DevActCloudSyncFailure—An automatic attempt to synchronize configuration changes with Cisco Cloud related to Device Activation Code-based onboarding has failed.
- DevActSSOSPServerRemoved—An SSOSP service is not responding properly during an activation code device onboarding event and has been removed from the list of servers leveraged to provide refresh tokens to the onboarding phone.
Certificate Updates
A new certificate trust store (PhoneEdge-trust) is added to Cisco Unified OS Administration. If you want to use your own certificates, you can upload custom certificates that MRA endpoints will use to connect to Expressway.
The certificate must first be uploaded to the Expressway servers and then uploaded to this new trust store on Cisco Unified Communications Manager, following which the certificate gets transmitted to the cloud. When the phone is onboarded over MRA using activation codes, the phone downloads the certificate from the cloud and uses it to establish trust with Expressway.