Enterprise Device Authorization & Network Access Control
Challenge
This case study documents the design, rollout, and enforcement of a device authorization framework for network access across more than 60 buildings in a high-security, large-scale enterprise. The goal was to ensure that only approved, registered devices could connect to the network without causing operational disruption in an environment that regularly hosts over 50,000 active devices.
Strategic Planning and Architecture Design
The project began by defining the long-term vision: an enterprise-wide device authorization system that would remain effective for multiple years and scale with future security requirements. The first architectural decision was to stand up a centralized authentication database that the networking infrastructure could query in real time to validate each device access request at the moment it connected.
The database captured key identifiers such as:
- Security Plan (to confirm the device belonged to a managed system with an accountable owner)
- MAC address (to tie access directly to registered hardware)
- Device certificates (for stronger, cryptographic validation of device identity)
The system was designed with dual compatibility, supporting both MAC-based and certificate-based authentication, so that different systems could adopt the level of security appropriate for their operational needs. The distinction matters: a MAC address is an identifier any host can set, so MAC-based authentication establishes that a device is in the inventory rather than proving who it is, whereas certificate-based authentication (typically 802.1X with EAP-TLS) binds access to a private key held by the device. MAC-based registration is the practical baseline for printers, sensors and other devices that cannot run a supplicant; systems that can enroll a certificate gain the stronger check.
This architectural foundation was paired with a comprehensive device registration campaign. Over three months, all departments were tasked with ensuring that their authorized devices were registered. This required identifying device owners, tracking responsible IT teams, and mapping each group to its most effective communication channels. Stakeholders were briefed early, with clear expectations, deadlines, and the risks of non-compliance.
Infrastructure Audit and Data-Driven Readiness Assessment
Before any enforcement could occur, the network's physical and logical infrastructure needed to be fully understood. The project team conducted a campus-wide audit of all network switches, recording:
- Switch location by building and accessibility of hardware
- Readiness for NAC (Network Access Control) integration
- Firmware or configuration gaps that could delay deployment
A NAC solution was deployed in monitoring mode, passively observing every MAC address that connected through the switches without denying access. Any device not found in the registration database was flagged as unknown.
Daily automated reports were generated and sent to:
- System administrators for direct remediation
- Departments for localized follow-up
- Building managers for tracking the burn-down rate
This reporting loop gave stakeholders a clear, data-backed picture of progress and allowed the team to identify any high-risk building or network segment with a large number of unknown devices before enforcement reached it.
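The reconciliation behind the monitoring-mode flagging and the daily burn-down report above, written out as an added example; this is not the case study's own tooling. It assumes the NAC monitoring export can be reduced to (building, switch, MAC) sightings and the registration database to a lookup keyed by MAC. The sample data is constructed, and the 25% unknown-share threshold used to call a building high-risk is an assumed value. It also goes one step beyond the text: MAC addresses arrive in several formats (colon, hyphen, Cisco dotted, bare), so they are canonicalized before comparison, and locally administered addresses (the randomized MACs modern phones and laptops generate) are counted separately because they can never be pre-registered and must be handled by disabling randomization or enrolling a certificate instead.

```python
"""Reconcile NAC monitoring-mode sightings against the device registration
database and produce the per-building unknown-device report.

Added example, not the case study's tooling. All data below is constructed.
"""
import re
from collections import defaultdict

HIGH_RISK_THRESHOLD = 0.25  # assumed: more than 25% unknown in a building is high risk


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to 12 lowercase hex digits.

    Accepts colon, hyphen, Cisco dotted (aabb.ccdd.eeff) and bare formats, so a
    device registered as 00-1A-... still matches a NAC sighting of 00:1a:...
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set.

    Locally administered addresses are what MAC randomization produces; they
    cannot be pre-registered, so the report counts them separately. Expects a
    normalized MAC.
    """
    return int(mac[0:2], 16) & 0x02 != 0


# Constructed registration database: normalized MAC -> owning department.
REGISTERED = {
    normalize_mac(m): dept
    for m, dept in [
        ("00:1A:2B:3C:4D:5E", "Finance"),
        ("00-1a-2b-3c-4d-5f", "Finance"),
        ("001a.2b3c.4d60", "Engineering"),
        ("001A2B3C4D61", "Facilities"),
    ]
}

# Constructed NAC monitoring-mode export: (building, switch, mac) sightings.
OBSERVED = [
    ("B01", "sw-b01-01", "00:1a:2b:3c:4d:5e"),
    ("B01", "sw-b01-01", "00:1a:2b:3c:4d:5f"),
    ("B01", "sw-b01-02", "00:1a:2b:3c:4d:60"),
    ("B01", "sw-b01-02", "00:1a:2b:3c:4d:99"),  # unknown
    ("B02", "sw-b02-01", "00:1a:2b:3c:4d:61"),
    ("B02", "sw-b02-01", "00:1a:2b:3c:4d:aa"),  # unknown
    ("B02", "sw-b02-01", "00:1a:2b:3c:4d:ab"),  # unknown
    ("B02", "sw-b02-01", "0a:11:22:33:44:55"),  # unknown, locally administered
    ("B02", "sw-b02-01", "00:1a:2b:3c:4d:61"),  # repeat sighting, counted once
]


def reconcile(observed, registered):
    """Return {building: {registered, unknown, randomized, unknown_macs}}.

    Each MAC is counted once per building regardless of how many sightings
    the NAC exported for it.
    """
    seen = defaultdict(set)
    for building, _switch, mac in observed:
        seen[building].add(normalize_mac(mac))

    report = {}
    for building, macs in sorted(seen.items()):
        entry = {"registered": 0, "unknown": 0, "randomized": 0, "unknown_macs": []}
        for mac in sorted(macs):
            if mac in registered:
                entry["registered"] += 1
            else:
                entry["unknown"] += 1
                entry["unknown_macs"].append(mac)
                if is_locally_administered(mac):
                    entry["randomized"] += 1
        report[building] = entry
    return report


def high_risk_buildings(report, threshold=HIGH_RISK_THRESHOLD):
    """Buildings whose share of unknown devices exceeds the threshold."""
    risky = []
    for building, e in report.items():
        total = e["registered"] + e["unknown"]
        if total and e["unknown"] / total > threshold:
            risky.append(building)
    return risky


def burn_down(previous, current):
    """Change in unknown-device count per building between two daily reports."""
    buildings = set(previous) | set(current)
    return {
        b: current.get(b, {}).get("unknown", 0) - previous.get(b, {}).get("unknown", 0)
        for b in sorted(buildings)
    }


if __name__ == "__main__":
    today = reconcile(OBSERVED, REGISTERED)
    for building, e in today.items():
        total = e["registered"] + e["unknown"]
        print(f"{building}: {e['registered']} registered, {e['unknown']} unknown "
              f"({e['randomized']} randomized), share {e['unknown'] / total:.0%}")
        for mac in e["unknown_macs"]:
            print(f"    unknown {mac}")
    print("high-risk:", high_risk_buildings(today))
```

In practice the per-building entries feed the three distribution lists from the text: the `unknown_macs` list goes to the administrators of that building's switches, the counts go to the department follow-up, and `burn_down` of yesterday's report against today's gives building managers the trend. A building should not move from monitoring to enforcement while `high_risk_buildings` still lists it.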
Change Management and Multi-Channel Communications
Given the scale of the environment, the communication plan was as critical as the technical rollout. The team built a multi-layered change management strategy designed to over-communicate without causing notification fatigue.
Channels included:
- Organization-wide announcements on Teams, Slack, and email
- Targeted direct messages to high-impact users and department heads
- Stakeholder governance board presentations to secure leadership buy-in
- FAQs, registration instructions, and troubleshooting guides hosted on the intranet
- Office hours and live Q&A sessions for departments with large device counts
By using overlapping communication mediums, the team ensured no user could claim they were unaware of the initiative.
Phased Enforcement with Risk Mitigation
Enforcement was deliberately staged to prevent a sudden loss of productivity. Buildings were grouped by operational criticality and entered the rollout in the following order:
- Non-critical buildings — Served as the pilot group to validate enforcement workflows.
- Low-to-moderate criticality buildings — Brought online in batches, one per week.
- High-criticality buildings — Added in the mid-to-late stages, after all process refinements were applied.
Each phase began with an advance warning, direct outreach to key contacts, and pre-positioned support staff to address access issues in real time. The NAC system was switched from monitoring mode to enforcement mode for each building group only after its daily report showed the group had been brought into compliance.
Results and Lessons Learned
By project completion, every device on the network had been registered, and unauthorized devices were systematically blocked from connecting. Business continuity was maintained throughout the rollout, with minimal disruption to day-to-day operations.
Key lessons included:
- A long registration window is critical for preventing last-minute operational impacts.
- Automated reporting accelerates remediation and provides objective compliance metrics.
- Phased rollouts reduce risk and allow lessons learned from early stages to inform later ones.
- Consistent, multi-channel communication is non-negotiable for initiatives of this scale.
The success of this initiative not only strengthened the organization's security posture but also provided a reusable blueprint for future enterprise-wide access control projects.