By default, provisioning profiles are openly available over HTTP to anyone who knows the specific MAC ID of a phone. For added protection, a Reseller can also lock down device provisioning files with a username and password. These credentials must be configured in the NDP for each device.
While allowing unauthenticated access to provisioning files may seem to be a security risk, we have taken precautions to thwart abuse by malicious users. Specifically, we monitor all IP addresses that scan the provisioning server, and automatically block any endpoint that makes fraudulent attempts to reach provisioning files. We have found that this practice achieves the optimal balance of protection and ease of provisioning.
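One way the scan monitoring described above could be approximated from web-server access logs, as an added example (not the provider's actual blocking logic). The log format, the `/cfg/<mac>.cfg` path layout, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format). IPs come from
# documentation ranges; the /cfg/<mac>.cfg layout is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2024:10:00:01 +0000] "GET /cfg/00aabb000001.cfg HTTP/1.1" 404 152
198.51.100.7 - - [01/Mar/2024:10:00:01 +0000] "GET /cfg/00aabb000002.cfg HTTP/1.1" 404 152
198.51.100.7 - - [01/Mar/2024:10:00:02 +0000] "GET /cfg/00aabb000003.cfg HTTP/1.1" 404 152
198.51.100.7 - - [01/Mar/2024:10:00:02 +0000] "GET /cfg/00aabb000004.cfg HTTP/1.1" 401 0
203.0.113.20 - - [01/Mar/2024:10:00:05 +0000] "GET /cfg/00aabbccddee.cfg HTTP/1.1" 200 4096
203.0.113.20 - - [01/Mar/2024:10:05:05 +0000] "GET /cfg/00aabbccddee.cfg HTTP/1.1" 200 4096
192.0.2.44 - - [01/Mar/2024:10:01:00 +0000] "GET /cfg/00aabb112233.cfg HTTP/1.1" 404 152
"""

# Source IP, the 12-hex-digit MAC embedded in the requested file name,
# and the HTTP status the server returned.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET \S*?(?P<mac>[0-9A-Fa-f]{12})\.\w+ '
    r'[^"]*" (?P<status>\d{3}) '
)

FAILED = {"401", "403", "404"}  # not found, or credentials missing/wrong

def scanning_sources(log_text, max_failed_macs=3):
    """Return {ip: [macs]} for sources whose failed requests cover more than
    max_failed_macs distinct MACs. Counting distinct MACs, not requests, keeps
    a single misconfigured phone that retries its own file below the limit."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["status"] in FAILED:
            failed[m["ip"]].add(m["mac"].lower())
    return {ip: sorted(macs) for ip, macs in failed.items()
            if len(macs) > max_failed_macs}

if __name__ == "__main__":
    for ip, macs in scanning_sources(SAMPLE_LOG).items():
        print(f"block candidate {ip}: {len(macs)} distinct MACs failed")
```
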
To secure device provisioning profiles with a username and password, follow these steps:
A. Locate the device to be configured in NDP.
B. Enter a username and password for the device.
C. Configure the SIP phone to use HTTPS with the username and password that you created.
If the password field is not set, requests will not be authenticated. If the password field is set, the SIP device cannot retrieve a provisioning file unless its username and password match what has been entered in the NDP.