Patent classifications
H04W8/265
ZERO-TOUCH DEPLOYMENT (ZTD) OF CELLULAR IoT DEVICES AND ASSOCIATED TRUST MODEL
In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.
Auto-provisioning device
A provisioning device may be shipped to a client and used to automatically provision an IoT device to join a local network to communicate with a remote service provider. In response to a trigger input, the provisioning device creates a wireless hotspot that is recognizable by an IoT device as a provisioning hotspot. The provisioning device receives a signal from the IoT device indicating that the IoT device is available to be provisioned. The provisioning device obtains provisioning data and transmits the provisioning data to the IoT device. The IoT device uses the provisioning data to connect to a local wireless network and to establish a connection to the remote service provider. The IoT device may then use one or more IoT services of the service provider.
METHODS, APPARATUSES, AND COMPUTER PROGRAM PRODUCTS FOR SUPPORTING ONBOARDING AND AUTHENTICATION OF USER EQUIPMENT FOR NETWORKS AND NETWORK SLICES
Methods, apparatuses, and computer program products are described that support transmission and receipt of onboarding support and/or authentication requirement information to a UE for registration with a network, such as a PLMN and/or SNPN, and/or network slice, via a RAN and/or the like. The onboarding support and/or authentication requirement information may be specifically configured for one or more networks, and/or network slices thereof, that utilize a shared RAN in communication with the UE. The UE selects a cell and network and/or network slice based on the onboarding support and/or authentication requirement information. The UE may camp on the shared RAN. The one or more networks comprise at least a RAN and respective AMF that provide the onboarding support and/or authentication requirement information to the UE before, or when, the UE contacts the AMF associated with the network and/or network slice.
CONFIGURATION OF PROVISIONING PARAMETERS FOR ONBOARDING A DEVICE TO A NETWORK
Techniques for facilitating onboarding to a non-public network are provided. Provisioning parameters may be provided to User Equipment (UE) from a Default Credential Server (DCS) via a secure communication tunnel. Additionally or alternatively, provisioning parameter container(s) including readable provisioning parameters for an Onboarding Network (ONN), and secure provisioning parameters for the UE, may be transmitted to the UE via the ONN. The disclosed methods and apparatuses enable the UE to onboard to a non-public network using the provisioning parameters, and to verify the integrity of the provisioning parameters and ensure the provisioning parameters are not modified by an unauthorized device.
Method for establishing a bidirectional communication channel between a server and a secure element, corresponding servers and secure element
Provided is a method for establishing a bidirectional communication channel between a server and a secure element cooperating with a terminal in a cellular telecommunication network for exchanging data and commands. Provided also is an improved SM-DS+ comprising a SM-OS server that provisions the HSS of a MNO with a temporary IMSI transmitted to said secure element, along with an ephemeral key contained also in said secure element. Other embodiments disclosed.
MAINTAINING ACCESS TO SERVICES VIA SIM CARD
Implementations of the subject technology provide for storing a temporary certificate on a mobile device for accessing services in association with a primary number. A device determines that a first subscriber identity module (SIM) card, previously used by the device, is not available for use by the device. The device determines that a second SIM card is available for use by the first device within a predetermined time period after the first SIM card is determined to be not available for use by the device. The device confirms that a communication identifier of the first SIM card is strongly tied to a user account associated with the device. The device stores a temporary certificate that attests to continued ownership of the communication identifier by the device and allows the device to access at least one service in association with the communication identifier.
Auto-update and activation of locale-specific eSIM profile for a global enterprise user
A method is performed at a server that manages embedded subscriber identity module (eSIM) profiles. The method includes, when a user equipment that belongs to a global enterprise network relocates from a first locale to a second locale in which a first private network and a second private network of the global enterprise network are located, wherein the user equipment includes a locale-specific first eSIM profile that includes a first non-public network identifier of the first private network, receiving, from the user equipment over a network in the second locale, information that indicates the user equipment is in the second locale. The method further includes identifying the second private network based on the information, and generating a locale-specific second eSIM profile that includes a second non-public network identifier for the second private network. The method includes configuring the user equipment with the locale-specific second eSIM profile.
OFF-LINE PROFILE PROVISIONING FOR WIRELESS DEVICES
This application describes a phased approach to provision eSIM profiles to a wireless device. Credentials are preloaded to an eUICC during manufacture of the eUICC and used subsequently to load eSIM profiles to the eUICC without requiring an active, real-time connection to an MNO provisioning server. Multiple bound profile packages (BPPs) can be pre-generated and encrypted by MNO provisioning servers for an eUICC and transferred to a BPP aggregator server before assembly of the eUICC in a respective wireless device. A local provisioning server in a manufacturing facility mutually authenticates and connects to the BPP aggregator server to download and store one or more of the encrypted BPPs for later installation on the eUICC. The local provisioning server subsequently mutually authenticates and connects to the eUICC to load at least one of the one or more pre-generated, encrypted BPPs to the eUICC during assembly and/or testing of the wireless device.
NETWORK ADDRESS POLICY INFORMATION RECEIVED IN A PRE-ASSOCIATED STATE
In some examples, a wireless device includes a communication interface to communicate with a wireless network, and at least one processor configured to receive, from an access point (AP), information including a network address policy of the wireless network. The at least one processor is configured to further, in response to the information including the network address policy, use an address of the wireless device according to the network address policy.
Modem-assisted network attach procedure without default SIM profile
Methods, systems, and devices for wireless communications are described. A method may include identifying an absence of a subscriber identity module (SIM) profile (e.g., in response to powering on a communication component). The method may further include determining a provider-specific configuration for communications with a wireless network and generating a set of SIM configuration parameters for a registration procedure with the wireless network based on identifying the absence of the SIM profile and the provider-specific configuration. The method may further include performing a registration procedure with the wireless network using the set of SIM configuration parameters.