We are working on deploying onboarding for one of our departments. BYOD is not going to be supported. Rather, select help desk staff are going to pre-auth with their accounts to initiate the onboarding process. (We're going to capture the end user's username on the same web form, but that is unrelated to this question.)
If helpdeskagent1 uses their account and onboards a device, that device is now using EAP-TLS with username=helpdeskagent1. What happens when the helpdeskagent1 account is expired/deleted/etc. because that person is no longer employed? Will all devices onboarded by helpdeskagent1 then fail authentication? How does this work?