Zero Touch Provisioning

Each platform that wants its phones to discover their provisioning URL automatically (no on-site touch, no DHCP option, no manual phone configuration) needs ZTP credentials wired to a vendor's redirection service. The ZTP card on a platform's detail page is where super-admins drive that wiring.

The card lists every supported vendor with its current status. On day one, only Snom (SRAPS) is registered.

Onboard

Use Onboard the first time a platform needs ZTP for a vendor.

  1. Open the platform's detail page in the admin portal.
  2. In the Zero Touch Provisioning card, find the vendor row showing Not configured.
  3. Click Onboard and confirm.

The action creates the vendor-side child company for this platform, generates per-platform credentials, and stores them encrypted. The card flips to Configured and shows the company identifier and last-set timestamp.

Onboard is idempotent. Running it on an already-onboarded platform reports "Already onboarded" and does not create a duplicate vendor entity.

Rotate

Use Rotate when credentials may have been exposed or as a routine refresh.

  1. In the vendor row showing Configured, click Rotate and confirm.

The action generates new vendor-side credentials and replaces the encrypted blob in one atomic step. Existing endpoint registrations continue to function — there is no need to restart the API and no on-device action is required.

Disable

Use Disable to turn ZTP off for one vendor on a platform without affecting other vendors.

  1. In the vendor row showing Configured, click Disable and confirm.

The action revokes vendor-side access and clears the credentials for that vendor on this platform. Other vendors on the same platform are untouched. Phones that were already pointed at our provisioning URL keep working until the next factory reset; from that point on they will fall back to whatever discovery method is available locally.

Acting on errors

If an action fails, the card renders the underlying error inline. Common cases:

  • "Reseller credentials not configured in this environment" — the environment is missing the SSM-stored vendor reseller credentials. Seed them and try again.
  • "Account has no provisioning token" (or similar) — the platform is missing a runtime prerequisite the orchestrator can't fix on its own. Resolve the prerequisite (typically by setting up the platform's first account) and retry.

Buttons stay disabled while a request is in flight, so a double click cannot fire two SRAPS round-trips.