
What is Zero Touch Provisioning (ZTP)?

Zero Touch Provisioning (ZTP) is a network automation method that lets a device (a router, switch, firewall, access point or gateway) configure itself automatically the moment it is powered on and connected, with no engineer on site and no manual configuration. The device is shipped to the location, someone plugs in the cables, and it contacts a central provisioning system over any available transport, authenticates, downloads its software image and full configuration, and joins the network in minutes. ZTP turns the deployment of tens, hundreds or thousands of sites from a field engineering project into a logistics exercise. It is one of the defining capabilities of modern SD-WAN platforms, and a key differentiator of the Teldat CNM SD-WAN Suite, where automatic router deployment over any transport, including cellular, is built into the platform.

Zero Touch Provisioning (ZTP) definition

Zero Touch Provisioning is the automation of everything that happens between powering on a new network device and that device being fully operational with its production configuration. In a ZTP workflow, the device leaves the factory or warehouse in a generic state. Its identity (serial number, certificate) is registered in advance in a central provisioning system. When the device boots at the destination site, it obtains basic connectivity, reaches out to the provisioning system, proves who it is, and receives its assigned firmware version and configuration. No console cable, no laptop, no command line, no engineer.

The “zero touch” refers to technical touches, not physical ones. Someone still has to unbox the device, connect power and plug in the WAN cable or antennas. The point is that this someone can be anyone: a store manager, a courier, an electrician. Every task that previously required networking knowledge has been moved from the site to the central system, where it is done once, in a template, for all sites.

ZTP matters because device deployment is where branch network projects historically stall. Sending a qualified engineer to every site is expensive and slow; preconfiguring devices in a staging depot creates its own logistics and version control problems. ZTP removes both: devices ship directly from the factory or distributor to the site, and the configuration lives centrally until the moment it is needed.

How ZTP works, step by step

A ZTP workflow has a standard anatomy regardless of vendor or device type. The six steps below describe the sequence as it runs in a modern SD-WAN deployment, from the moment the device is registered to the moment the site carries production traffic.

1. Device registration before shipping
Each device has a unique identity, typically its serial number bound to a factory installed certificate. Before deployment, the administrator registers that identity in the central provisioning system and associates it with a site, a template and a software version. This binding is what later allows the system to recognize the device and hand it the right configuration, and nothing else.

2. Power on and basic connectivity
At the site, the device boots its factory image and obtains basic IP connectivity over whatever transport is available: DHCP on a broadband line, a preinstalled SIM on 4G/5G, or a connected Ethernet uplink. Cellular ZTP is especially powerful because it requires nothing from the site at all; the device arrives with its own path to the provisioning system.

3. Discovery of the provisioning system
The device locates its provisioning service through one of several standard mechanisms: a factory burned URL, DHCP options pointing to the server, or a vendor redirect service that maps the serial number to the right customer instance. From this point on, every exchange runs over an encrypted channel.

4. Mutual authentication
The device proves its identity with its certificate, and the provisioning system proves its own, so a stolen or counterfeit device cannot pull a configuration and a rogue server cannot push one. This mutual authentication step is what separates production grade ZTP from a convenience script; it is the security boundary of the entire workflow.

5. Software and configuration download
The system delivers the assigned firmware version first (upgrading or downgrading as needed), then the full configuration generated from the site template: interfaces, routing, overlay tunnels, security policy, QoS, Wi-Fi. Templates with per site variables mean a thousand branches can share one definition with only the values that differ (addresses, names, SIM details) maintained per site.

6. Validation and handover to operations
After applying its configuration, the device establishes its overlay tunnels, registers with the management platform and starts reporting telemetry. The NOC sees the site come online with its health indicators in the same console as every other site. From first power on to production traffic, the typical elapsed time is minutes.

Manual provisioning vs ZTP

The case for ZTP becomes obvious when the two deployment models are placed side by side. The table below compares traditional manual provisioning (engineer on site or staging depot) with ZTP across the dimensions that determine project cost and speed at branch scale.

| Dimension | Manual provisioning | Zero Touch Provisioning |
|---|---|---|
| Who configures the device | Network engineer, on site or in a staging depot | Central system; on site, anyone who can plug in cables |
| Time per site | Hours per device, plus travel or shipping through staging | Minutes from power on to production |
| Skills required at site | CLI and platform knowledge | None; unbox, connect, power on |
| Cost per deployment | Engineer time and travel, or depot logistics, per site | Marginal; cost is concentrated in templates built once |
| Human error exposure | Per device manual typing and version selection | Eliminated at site; errors fixed once in the template |
| Configuration consistency | Drifts across sites and engineers over time | Identical by construction; one template, many sites |
| Firmware version control | Whatever shipped or was staged; manual upgrades later | Enforced at provisioning; every site lands on the assigned version |
| Scaling to hundreds of sites | Linear cost and calendar growth | Waves of dozens of sites per week with the same team |
| Replacement of failed hardware | Engineer visit or preconfigured spare logistics | Ship a generic spare; it self provisions on arrival |

The economics compound with scale. For five sites, manual provisioning is an inconvenience. For five hundred, it is the dominant cost and the critical path of the entire rollout. ZTP inverts the equation: the effort moves into building good templates once, and each additional site costs nearly nothing to bring online. This is also why hardware replacement under ZTP transforms field operations: a failed router is swapped by a courier delivered generic spare that provisions itself, instead of an engineer visit with a preconfigured unit.

What is ZTP used for?

ZTP covers much more than the first installation. In Teldat deployments, the same provisioning machinery handles the full operational lifecycle of the device fleet. The six activities below are where ZTP delivers measurable value in production networks.

1. Mass site rollouts
The headline use case: deploying new branches, stores or offices at wave scale. Devices ship directly to sites, local staff plug them in, and waves of dozens of sites per week come online with a small central team. SD-WAN migrations and MPLS replacements run on exactly this pattern.

2. Single new site activation
Even one site benefits. A new office or pop up location gets its router shipped overnight and is on the corporate network the next morning, without waiting for an engineer visit to be scheduled. Combined with 5G FWA as the transport, a site can be operational before any fixed line is installed.

3. Mass firmware and OS upgrades
Every router, switch, firewall or access point runs software that needs updating for features, fixes and vulnerabilities. The same central machinery that provisions devices pushes coordinated firmware campaigns across the fleet, by waves and maintenance windows, without touching any site.

4. Mass and per site reconfiguration
Business changes translate into configuration changes: a new application policy, a segmentation rule, a QoS adjustment. With template based provisioning, the change is made once and propagated to every affected site, or applied ad hoc to a single site, with the same audited workflow.

5. Hardware replacement (RMA) without engineers
When a device fails, a generic replacement ships to the site. The moment it powers on, it is recognized by its identity, inherits the site’s configuration and restores service. Field repair stops depending on engineer availability and preconfigured spare stock.

6. Fleet expansion as the business grows
Growth means more devices: more branches, more access points, more industrial gateways. ZTP makes the network scale at the pace of the business rather than at the pace of the IT calendar, which is precisely the property fast growing retail, logistics and services organizations need from their network platform.

What to look for in a ZTP system?

Not all ZTP implementations are equal. These are the factors that separate a production grade ZTP system from a basic boot script, and the ones worth examining closely before committing a large deployment to any platform.

1. Security of the provisioning channel
Communications between the ZTP system and the device are a critical attack surface: whoever controls that channel controls the device configuration. Mutual certificate authentication, encrypted transport and signed firmware images are mandatory, not optional. Examine this first.

2. Out of band management plane
A well designed system separates the management plane from the data plane. If the connection to the provisioning service drops, or the service itself is briefly unavailable, the device keeps forwarding traffic normally. Sites must never depend on the management cloud to stay online.

3. Multi tenant architecture
For service providers and large organizations, the ZTP system should manage the topologies of multiple customers or business units from one platform, with strict isolation between tenants. This is what enables partner operated and co managed models on shared infrastructure.

4. Provisioning anywhere, over any transport
A remote ZTP system should provision, update and configure devices anywhere in the world over any connectivity, including cellular. ZTP over 4G/5G removes the last dependency on site infrastructure: the device arrives with its own management path in the SIM.

5. GUI with a configuration generation engine
Templates with variables, guided graphical workflows and configuration generation reduce the skill threshold for operating the fleet and shrink the room for error. The test: can a competent administrator who is not a CLI expert define and deploy a new site type without vendor assistance?

6. Integration with the SD-WAN overlay
In branch networking, ZTP is most valuable as part of a larger system: the same platform that provisions the device should manage its overlay tunnels, application policies, security and telemetry afterwards. Provisioning as an isolated tool leaves the harder half of operations unsolved.

ZTP security considerations

ZTP automates the most security sensitive moment in a device’s life: the moment it receives its identity, software and policy. Done well, ZTP is more secure than manual provisioning, because it removes per site improvisation. The six points below are what “done well” means.

1. Device identity anchored in hardware
Production grade ZTP binds each device to a unique factory installed certificate or secure element, not just a serial number printed on a label. Identity that can be cloned or guessed undermines the entire chain: registration, authentication and configuration delivery all hang from it.

2. Mutual authentication, both directions
The device must verify the provisioning server as rigorously as the server verifies the device. One-directional checks leave the door open to rogue server attacks, where a device on a compromised network is fed a malicious configuration during its most trusting moment: first boot.

3. Signed and verified software images
Firmware delivered during provisioning must be cryptographically signed and verified by the device before installation. This closes the supply chain attack path where a tampered image is injected between the management platform and the site.

4. Least privilege configuration delivery
A device should be able to retrieve exactly its own configuration and nothing else. Compromising one site’s device must not expose templates, credentials or topology details of other sites. Scoped delivery per device identity is the control that contains the blast radius.

5. Audited, role based provisioning operations
Every registration, template change and deployment should be attributable to a person and a role. In co managed and partner operated models, role based access control determines who can provision what, which is also the basis for clean responsibility splits between teams.

6. Immediate security posture from first boot
The configuration delivered through ZTP should include the full security stack from minute one: embedded NGFW policy, segmentation, encrypted overlay membership. A site must never pass through a window where it is online but unprotected while waiting for a second configuration pass.
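To make the six-step workflow above and these security controls concrete, here is an added simulation of a provisioning server and a device's first boot: pre-shipping registration gated by role, device identity checked against the registered certificate, the device pinning the server's identity, per-device scoped configuration delivery from a site template, image digest verification before install, and an audit trail. This is constructed example code, not Teldat CNM code; the certificates, serials, site values and hostnames are made up, the "certificate fingerprint" is simply a SHA-256 of placeholder bytes, and the signed-image check is represented by a digest pinned at registration rather than a real asymmetric signature.

```python
import hashlib


def fingerprint(cert_pem: bytes) -> str:
    """Stand-in for an X.509 certificate fingerprint (SHA-256 of the cert bytes)."""
    return hashlib.sha256(cert_pem).hexdigest()


# Constructed identities: what the factory burned into each device, and the
# provisioning server's own certificate, pinned in the device's factory image.
DEVICE_CERTS = {
    "SN-0001": b"-----CONSTRUCTED DEVICE CERT SN-0001-----",
    "SN-0002": b"-----CONSTRUCTED DEVICE CERT SN-0002-----",
}
SERVER_CERT = b"-----CONSTRUCTED SERVER CERT ztp.example.invalid-----"
IMAGE_V2 = b"constructed firmware image v2"

# One site template; the per site values are filled in at provisioning time.
SITE_TEMPLATE = {"hostname": "{site}-rtr", "lan": "{lan}",
                 "overlay_hub": "hub.example.invalid"}


class ProvisioningServer:
    def __init__(self):
        self.registry = {}  # serial -> binding created before shipping
        self.audit = []     # (actor, action, serial, result) for every operation

    def register(self, actor, role, serial, cert_pem, variables, image):
        """Step 1: bind identity to site variables and assigned image (RBAC-gated)."""
        if role != "provisioning-admin":
            self.audit.append((actor, "register", serial, "denied"))
            raise PermissionError(f"{actor} ({role}) may not register devices")
        self.registry[serial] = {"fp": fingerprint(cert_pem), "vars": variables,
                                 "image_sha256": hashlib.sha256(image).hexdigest()}
        self.audit.append((actor, "register", serial, "ok"))

    def provision(self, serial, presented_cert, requested_serial):
        """Steps 4-5, server side: authenticate, then deliver only this device's config."""
        entry = self.registry.get(serial)
        if entry is None or fingerprint(presented_cert) != entry["fp"]:
            self.audit.append(("device", "provision", serial, "auth-failed"))
            raise PermissionError("unknown device or certificate does not match registration")
        if requested_serial != serial:  # least privilege: never another site's config
            self.audit.append(("device", "provision", serial, "scope-violation"))
            raise PermissionError("device may only fetch its own configuration")
        config = {k: v.format(**entry["vars"]) for k, v in SITE_TEMPLATE.items()}
        self.audit.append(("device", "provision", serial, "ok"))
        return {"image_sha256": entry["image_sha256"], "config": config}


def device_first_boot(serial, server, server_cert, image):
    """Steps 3-5, device side: verify the server, fetch, verify the image, apply."""
    if fingerprint(server_cert) != fingerprint(SERVER_CERT):  # rogue server check
        raise PermissionError("server identity mismatch; refusing configuration")
    bundle = server.provision(serial, DEVICE_CERTS[serial], serial)
    if hashlib.sha256(image).hexdigest() != bundle["image_sha256"]:
        raise ValueError("firmware digest mismatch; image not installed")
    return bundle["config"]
```

Every failure path (unregistered serial, cloned serial with the wrong certificate, cross-site request, tampered image, unknown server, unauthorized operator) is refused and leaves an audit record, which is the behaviour to look for when evaluating a real platform.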

ZTP in the Teldat CNM SD-WAN Suite

Automatic router deployment is one of Teldat’s key differentiators, built into the CNM SD-WAN Suite rather than added on top. ZTP in the Teldat platform covers branch routers, industrial gateways, 5G FWA devices and access points, over any transport, and is the same machinery that later runs upgrades, reconfigurations and hardware replacement for the whole fleet.

1. ZTP built into the CNM SD-WAN Suite
The CNM SD-WAN Suite includes ZTP as a native function of its provisioning layer, alongside device inventory, mass configuration templates, user access control and the rest of the SD-WAN service definition. Provisioning, overlay, security and telemetry are one platform, not a chain of separate tools.

2. Provisioning over any transport, including cellular
Teldat devices self provision over broadband, fiber, Ethernet or 4G/5G. With a SIM installed, a router arrives at the site carrying its own management path, requiring literally nothing from local infrastructure. This is the foundation of same day site activation with 5G FWA as primary or interim transport.

3. Templates and guided configuration generation
CNM provides graphical, guided workflows with a configuration generation engine: site types are defined once as templates with per site variables, and new sites are instantiated by filling in the values. The skill threshold drops from CLI expert to trained administrator, which is exactly what operating hundreds of sites requires.

4. Out of band management plane
Teldat separates the management plane from the data plane. If connectivity to the CNM platform is lost, sites keep forwarding traffic with their last applied configuration. The management cloud is needed to change the network, never to keep it running.

5. Multi tenant for partners and large organizations
The CNM SD-WAN Suite operates in multi tenant mode with per customer isolation and role based access, supporting partner operated managed services and co managed models. The same ZTP machinery serves a single enterprise or a service provider running dozens of customer networks.

6. Proven at European scale
Teldat ZTP is the deployment engine behind the largest SD-WAN and XDR deployment in Europe, at the Junta de Andalucia with 2,700 sites, and behind retail rollouts where flagship stores activate with 5G connectivity and ZTP from day one. Wave based deployment at this scale is standard operating procedure on the platform.

Why ZTP is a platform property, not a feature

The value of ZTP is not the first boot; it is everything that reuses the same machinery afterwards: firmware campaigns, policy changes, hardware swaps, fleet growth. Because Teldat builds ZTP into the provisioning layer of the CNM SD-WAN Suite, a device provisioned in minutes on day one is upgraded, reconfigured and, if needed, replaced through the same audited, template driven workflow for its entire life. Day zero automation that does not extend to day two operations solves the easy half of the problem.

FAQs about Zero Touch Provisioning

What is Zero Touch Provisioning in simple terms?

Zero Touch Provisioning (ZTP) is a way to deploy network devices without sending an engineer to the site. The device ships in a generic state; when someone plugs it in and powers it on, it automatically contacts a central system, authenticates, downloads its assigned software and configuration, and joins the network. All the technical work happens centrally, once, in templates; at the site, anyone who can connect cables can deploy a router.

How does ZTP work?

The device’s identity (serial number plus a factory installed certificate) is registered in a central provisioning system and linked to a site template before shipping. On first boot, the device obtains basic connectivity (DHCP on broadband or a preinstalled SIM on 4G/5G), discovers the provisioning service, and the two authenticate each other mutually. The device then receives its assigned firmware and full configuration, establishes its overlay tunnels and starts reporting telemetry. The typical elapsed time from power on to production is minutes.

Is ZTP secure?

A production grade ZTP implementation is more secure than manual provisioning, because it removes per site improvisation and enforces a uniform, audited workflow. The requirements: device identity anchored in a hardware certificate, mutual authentication between device and server, encrypted transport, cryptographically signed firmware images, and scoped configuration delivery so each device can retrieve only its own configuration. The channel between the ZTP system and the device is a critical attack surface and must be evaluated first when selecting a platform.

What is the difference between ZTP and manual provisioning?

Manual provisioning requires a network engineer to configure each device, either on site or in a staging depot, taking hours per device with travel or extra logistics, and introducing per device opportunities for human error. ZTP moves all configuration work to a central template built once; at the site, the device provisions itself in minutes after power on. At branch scale, ZTP typically turns deployment from the critical path of a rollout into a logistics task, and enables hardware replacement by courier instead of engineer visit.

What is ZTP used for besides initial deployment?

The same provisioning machinery handles the full device lifecycle: mass firmware and operating system upgrade campaigns, mass or per site configuration changes, hardware replacement (a generic spare self provisions with the failed unit’s site configuration), and fleet expansion as the business grows. Day zero provisioning that also runs day two operations is what distinguishes a platform capability from a deployment script.

How does Teldat implement Zero Touch Provisioning?

Teldat builds ZTP natively into the CNM SD-WAN Suite, covering branch routers, industrial gateways, 5G FWA devices and access points. Devices self provision over any transport including 4G/5G cellular, configuration is generated from graphical templates with per site variables, the management plane is separated from the data plane so sites never depend on the cloud to keep running, and multi tenant operation supports partner managed and co managed models. This automatic router deployment is the engine behind Teldat’s largest deployments, including 2,700 sites at the Junta de Andalucia.

Deploy your network with zero touch, with Teldat

The CNM SD-WAN Suite provisions routers, gateways and access points automatically over any transport, including 5G, with template driven configuration, embedded security from first boot and the same machinery running upgrades and replacements for the life of the fleet. Proven at 2,700 sites.