Cisco Support Community
Community Member

Device Security Profile - CUCM 8.6

I am using CUCM 8.6 and would like to implement Secure Signalling for 6941 and CUPC endpoints.

The cluster is already live and requires to be made secure for signalling initially.

I am aware somewhat of the process involved.

We will be configuring signalling authenticaion initially and we have 6941's and CUPC client for users, 6941's have a MIC installed as default. I will be using Device Security Mode of Authenticated, the authentication mode will be based on MIC.

Is there anyway to bypass the use of CTL client and the request of a new CTL file and USB tokens?

I read contradictory information somewhere that the CTL files and token are not essential.

If there is no way to implement Device Security Mode of Authentication without CTL files and USB token then please advise as I wlll need to get the token ordered.


Device Security Profile - CUCM 8.6


If you are not using CTL Files and therefore USB Keys, then with CUCM 8.0 or greater you can leverage Security by Default (SBD). However SBD does not provide the ability to authenticate or encrypt calls, it's primary purpose is to validate the configuration file of the phone as well as provide HTTPS based conttectivey to/from the device.

Myself and Akhil Behl (author of "Securing Cisco IP Telephony Networks") recently hosted a series of webinars that covers this topic in detail. I recommend you watch the following videos:

UnifiedFX Educational seminars on The Essentials of Endpoint Security & Compliance
• Session 1: The Impact of Security by Default (Recording:
• Session 2: Understanding and Managing ITL & CTL Files (Recording:

• Session 3: Leading Practices for Endpoint Security & Compliance (Recording:

Kind Regards.

Stephen Welsh



CreatePlease to create content