Secure staff WiFi without the passwords
Staff log in once with their existing corporate credentials. Their devices connect automatically from then on. When they leave the company, access stops. Secure and simple, using Purple's Identity-Based Networks.
Trusted by venues globally
The authenticator app for WiFi
Most staff WiFi networks run on a shared password. Written on whiteboards, shared in Slack channels, and never changed when people leave.
Purple gives you proper enterprise security without the hassle. Staff log in to our Purple authenticator app with their existing Microsoft, Google, or Okta credentials, and get online automatically. Done.
- WPA2/3-Enterprise encryption
- Works with Entra ID, Google Workspace, Okta
- Access is revoked automatically when staff leave
- Any network hardware (Cisco, Aruba, Meraki, Ruckus, Ubiquiti)
Proper security, not security theater🔒
Each user gets their own encryption keys. Even on the same access point, users can't sniff each other's traffic. When someone's removed from your directory, their WiFi access stops within minutes. No tickets to raise, no passwords to change.
Every connection is logged: who connected, when, from which device, at which location. When the auditors ask, you'll have answers.
- Unique session keys per user
- Automatic revocation via SCIM
- Full audit trail
- ISO 27001 certified
60 seconds to connected ⏰
Staff download the Purple app, tap "sign in with Microsoft" (or Google, or Okta), and tap to install their WiFi pass. That's it. Works on Windows, macOS, Linux, iOS, Android.
No more walking people through WiFi settings over the phone. No more password resets. IT teams using Purple typically see support tickets for WiFi issues drop by 80%.
- SSO login (no new credentials)
- One-tap profile installation
- Automatic connection (no repeated logins)
- Works across all your locations
Runs 80,000+ venues. Yours won't break it.
Purple's authentication infrastructure has been running for over a decade. Airports, banks, retailers, universities. 440 million logins last year. No on-prem servers for you to maintain. Just point your access points at our RADIUS and you're done.
- 80,000+ venues live
- 440M logins in 2024
- 99.999% uptime
See who's actually in the office
See who's actually in the office WiFi data tells you which days are busy, which floors are empty, and whether your hybrid working policy is actually working. Export the data to your facilities team or plug it into your existing dashboards.
- Occupancy by day/hour/department
- Hybrid work pattern analysis
- Building utilisation reports
- Exportable data
Headquarters
Your main office needs the tightest security. Staff authenticate via SSO and get assigned to the right VLAN based on their role. Contractors get time-limited access that expires automatically.
- Role-based VLAN assignment
- Contractor access management
- Full audit trail
Branch Offices
Roll out consistent security across every location without shipping hardware. Staff profiles work everywhere. When someone visits a different office, they connect automatically.
- Centralized policy management
- No on-site RADIUS servers
- Consistent experience everywhere
Hybrid Workers
When staff work from client sites or coworking spaces that use Purple, their device connects automatically. No hunting for passwords. No filling in captive portal forms.
- OpenRoaming support
- Automatic connection at partner sites
- Same security everywhere
Staff Engagement
The Purple App transforms your staff WiFi network from simple connectivity into a powerful two-way communication platform. Engage employees directly by leveraging their established connection point.
- Capture feedback using surveys for real-time sentiment and anonymous responses
- Deliver custom content based on role, location, or time
- Direct employees instantly to specific internal resources or training portals
Everything you need for enterprise staff WiFi
Want to see it working?
We'll walk you through how it connects to your identity provider, what the staff experience looks like, and what's involved in deployment.
Staff WiFi for your industry
See how staff wifi works in venues like yours, and how Purple compares to alternatives.
Explore the authentication stack
RADIUS-as-a-Service
Cloud RADIUS for WPA2/3-Enterprise — EAP-TLS, PEAP, iPSK. No on-prem server, multi-region failover.
WPA2 & WPA3-Enterprise
Secure WiFi with 802.1X on your existing access points. Identity-provider integration, managed certificates.
Passwordless WiFi
EAP-TLS, iPSK, Passpoint, and SAML/SSO. Replace shared passwords with identity-based credentials.
Frequently asked
What is staff WiFi and how is it different from guest WiFi?
Staff WiFi is an employee-only wireless network authenticated per-user, isolated from the guest and payment networks. Where guest WiFi optimises for low-friction sign-up, staff WiFi optimises for identity — each employee authenticates with their own credential (certificate, password, or iPSK) via 802.1X against a RADIUS server, and their access can be revoked the moment they leave the company without touching anyone else on the network.
What authentication does Purple staff WiFi use?
WPA2-Enterprise or WPA3-Enterprise with 802.1X. The standard options are EAP-TLS (certificate-based, the gold standard for managed laptops), PEAP (username + password for legacy devices), and iPSK (unique per-device pre-shared key for BYOD and IoT). Authentication runs against your identity provider — Microsoft Entra ID, Okta, Google Workspace, or any SAML 2.0 IdP.
Do I need my own RADIUS server?
No. Purple operates the RADIUS server as a cloud service — RADIUS-as-a-Service — with multi-region failover and a 99.9% uptime SLA. Your access points point at Purple, Purple validates credentials against your identity provider, and no one in your team operates RADIUS infrastructure. If you already run FreeRADIUS, NPS, or Cisco ISE, migration is a weekend exercise.
How does Purple staff WiFi integrate with Entra ID, Okta, or Google Workspace?
Directly via SAML and SCIM. When an employee is added to the IdP, their WiFi access is provisioned automatically; when they leave, access is revoked at the same moment their email is revoked. Group membership in the IdP drives VLAN policy — marketing, engineering, and contractors can each land on their own network segment without manual configuration.
Does Purple support employee WiFi for BYOD and IoT devices?
Yes. BYOD onboarding uses certificate enrolment via an MDM (Intune, Jamf, Kandji, Hexnode) for managed devices, or a self-service portal for unmanaged phones and tablets. IoT devices — printers, access controllers, smart lighting — typically use iPSK (Identity PSK) on a dedicated SSID so each device has a unique key you can revoke without affecting others.
Can I revoke one employee's WiFi access without disrupting others?
Yes, instantly. Because staff WiFi is per-user, disabling the employee in your identity provider revokes their WiFi access at the next authentication attempt. Compare this to a shared WiFi password, where one departing employee forces a company-wide password rotation. This is the single biggest operational reason to move from WPA-Personal to WPA-Enterprise.
Does Purple staff WiFi work with my existing access points?
Yes. Purple runs on any enterprise-grade access point that speaks RADIUS — Cisco Meraki, Cisco Catalyst, Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, Fortinet FortiAP, and more. You do not replace hardware; you reconfigure SSIDs to authenticate via Purple.
How does staff WiFi handle Conditional Access and Zero Trust?
Purple respects Conditional Access policies from Entra ID — a device that fails compliance checks is not admitted to the network. For broader Zero Trust postures, Purple emits every authentication event to SIEM (Microsoft Sentinel, Splunk, Elastic, Datadog) via webhook or syslog, so network access becomes a signal in your broader security analytics.
