Logo

Product

Industries

Solutions

Resources

Support + FAQs

Talk to us Request a free IoT SIM trial
Resources Blogs

Remote SIM Provisioning: How SGP.32 Works in Practice

Remote SIM Provisioning with GSMA SGP.32: How It Works in Real IoT Deployments

Remote SIM provisioning, the process of downloading and activating mobile network operator profiles over the air without physical device access, sounds conceptually simple.

In practice, implementing GSMA SGP.32 remote provisioning for IoT deployments at scale requires understanding profile architecture, SM-DP+ and SM-SR infrastructure, security mechanisms, failure modes, and operational procedures.

This guide explains how SGP.32 remote provisioning works, what happens during profile downloads, how to troubleshoot failures, and the operational practices that matter in production IoT deployments.

What Is GSMA SGP.32?

SGP.32 is the GSMA specification for remote SIM provisioning in IoT and M2M deployments. It defines how network operator profiles are created, securely transmitted to devices, installed on eUICC chips, and managed throughout the device lifecycle.

Key Distinction from SGP.22

SGP.22 (Consumer eSIM)

  • Designed for smartphones, tablets, and smartwatches
  • End users control profile management
  • Users scan QR codes or use device settings to download profiles
  • Designed for relatively frequent profile switching

SGP.32 (IoT and M2M eSIM)

  • Designed for industrial IoT, telematics, smart metres, and embedded systems
  • Enterprises control profile management centrally
  • Backend platforms initiate profile downloads through APIs
  • Designed for controlled, infrequent profile changes

SGP.32 gives enterprises operational control over how connectivity profiles are provisioned and managed across device fleets.

SGP.32 Architecture Components

1. eUICC (Embedded Universal Integrated Circuit Card)

Function: Secure element inside the device that stores network operator profiles.

Typical Capabilities

  • Stores multiple operator profiles simultaneously, typically 2 to 5 profiles
  • Only one profile can be active at a time
  • Receives provisioning commands from the SM-SR
  • Authenticates trusted profile sources
  • Supports remote profile download, enablement, disablement, and deletion

Security Features

  • Tamper-resistant secure hardware
  • Cryptographic key storage
  • Certificate-based authentication
  • Secure profile decryption and validation

2. SM-DP+ (Subscription Manager Data Preparation)

Function: Creates, encrypts, and distributes operator profiles.

Responsibilities

  • Generates operator-specific profiles containing IMSI and authentication credentials
  • Encrypts profile packages for secure delivery
  • Stores downloadable profiles
  • Authenticates eUICCs requesting downloads

Common Hosting Models

  • Mobile network operators
  • Connectivity providers
  • eSIM infrastructure platforms

The SM-DP+ is a trusted infrastructure component because it handles sensitive subscriber credentials.

3. SM-SR (Subscription Manager Secure Routing)

Function: Manages profile operations on the eUICC.

Responsibilities

  • Sends profile management commands to devices
  • Routes profile packages from SM-DP+ to the correct eUICC
  • Monitors provisioning status
  • Authenticates and manages eUICC communication

Communication Model

The SM-SR communicates with the eUICC over the device’s existing cellular connection using the currently active profile.

4. Enterprise Management Platform

Function: Operational interface used by enterprises to manage connectivity provisioning.

Typical Features

  • Web portal and API access
  • Fleet-level profile management
  • Device grouping and targeting
  • Provisioning monitoring and reporting
  • Real-time provisioning visibility

Security Controls

  • Role-based access control
  • Multi-factor authentication
  • Audit logging and operational traceability

How Remote Provisioning Works

Phase 1: Profile Creation

Step 1: Operator Supplies Credentials

The mobile operator provides:

  • IMSI ranges
  • Authentication keys
  • APN and network configuration
  • Operator identifiers and provisioning parameters

Step 2: SM-DP+ Generates Profile

The SM-DP+ creates an encrypted profile package containing:

  • IMSI
  • Authentication credentials
  • Network configuration
  • Access policies

Step 3: Profile Registration

The profile is stored within the SM-DP+ environment and made available for download.

Phase 2: Provisioning Initiation

Step 4: Enterprise Starts Provisioning

An enterprise administrator selects:

  • Target devices or deployment groups
  • Desired operator profile
  • Provisioning workflow or rollout plan

Step 5: Platform Instructs SM-SR

The management platform sends provisioning instructions to the SM-SR, identifying:

  • Which eUICCs should receive profiles
  • Which profile package should be delivered

Step 6: SM-SR Prepares Provisioning Session

The SM-SR:

  • Authenticates the provisioning request
  • Retrieves profile metadata from the SM-DP+
  • Queues commands for target devices

Phase 3: Profile Download and Installation

Step 7: SM-SR Contacts eUICC

The SM-SR sends a provisioning command to the device over its active mobile connection.

Important operational detail:

The device must already have working connectivity through its currently active profile. If the device is offline, the command remains queued until connectivity is restored.

Step 8: eUICC Authenticates the SM-DP+

The eUICC:

  • Connects to the SM-DP+
  • Exchanges certificates
  • Verifies the SM-DP+ is trusted and authorised

This prevents unauthorised infrastructure from injecting malicious profiles.

Step 9: Profile Download

The encrypted profile package is downloaded to the eUICC.

Typical profile size:

  • Approximately 100 KB to 200 KB

Typical download duration:

  • 30 seconds to 5 minutes depending on signal quality and network conditions

Step 10: Profile Installation

The eUICC:

  • Decrypts the profile
  • Validates integrity
  • Installs the profile securely
  • Stores it initially in an inactive state

Phase 4: Profile Activation

Step 11: SM-SR Sends Activation Command

The SM-SR instructs the eUICC to:

  • Enable the new profile
  • Disable the previous active profile

Step 12: eUICC Switches Profiles

The eUICC:

  • Disables the previous operator profile
  • Enables the new profile
  • Forces network re-registration

Step 13: Device Registers on New Network

The device:

  • Scans for the new operator network
  • Authenticates using the new credentials
  • Establishes a data connection
  • Resumes normal operation

Step 14: Confirmation and Reporting

The device reports activation success back to the SM-SR, and the enterprise platform updates device status.

Typical Provisioning Duration

Provisioning can take minutes or several hours depending on:

  • Signal quality
  • Device power state
  • Network congestion
  • Provisioning volume

Security Mechanisms in SGP.32

Certificate-Based Authentication

The SM-DP+, SM-SR, and eUICC all use certificates issued by trusted Certificate Authorities.

Provisioning only proceeds when:

  • The eUICC trusts the SM-DP+
  • The SM-DP+ trusts the eUICC
  • The SM-SR validates the enterprise request

This helps prevent:

  • Rogue profile injection
  • Man-in-the-middle attacks
  • Unauthorised provisioning activity

End-to-End Profile Encryption

Profiles are encrypted specifically for the target eUICC.

Even if intercepted during transmission, profile packages cannot be decrypted by unauthorised parties.

Enterprise Access Control

Provisioning platforms should support:

  • User authentication
  • Role-based permissions
  • Audit logging
  • Operational traceability

These controls reduce the risk of accidental or unauthorised provisioning events.

eUICC-Specific Profile Binding

Profiles are bound to specific EIDs.

A profile intended for one eUICC cannot typically be installed on another device.

Common Failure Modes and Troubleshooting

Failure 1: Device Cannot Receive Provisioning Command

Symptoms

  • Provisioning request sent
  • Device never responds

Common Causes

  • Device offline
  • Existing profile suspended
  • Device in deep sleep or PSM mode
  • Poor signal conditions

Troubleshooting

  • Confirm device connectivity
  • Verify device wake intervals
  • Check signal strength
  • Validate active profile status

Failure 2: Profile Download Interrupted

Symptoms

  • Download starts but never completes

Common Causes

  • Signal loss during download
  • Device power interruption
  • Network timeout or congestion

Troubleshooting

  • Review signal conditions
  • Check power stability
  • Retry provisioning during lower traffic periods

Failure 3: Profile Installed but Activation Fails

Symptoms

  • Profile present on eUICC
  • Device remains on old profile

Common Causes

  • Unsupported network bands
  • Operator coverage unavailable
  • Corrupted profile package

Troubleshooting

  • Confirm operator coverage
  • Validate modem compatibility
  • Review provisioning logs for integrity errors

Failure 4: Device Cannot Register on New Network

Symptoms

  • Profile activation succeeds
  • Device fails network attachment

Common Causes

  • IMSI not provisioned in HLR or HSS
  • Authentication credential mismatch
  • IMEI blocked
  • Operator outage

Troubleshooting

  • Validate IMSI provisioning with operator
  • Review authentication logs
  • Check operator network status

Failure 5: Mass Provisioning Overload

Symptoms

  • High provisioning failure rate during large rollouts
  • Slow profile downloads
  • Infrastructure congestion

Common Causes

  • SM-SR session overload
  • SM-DP+ bandwidth constraints
  • Cellular network congestion

Resolution

  • Use staged rollout batches
  • Schedule provisioning during lower network usage periods
  • Scale provisioning infrastructure where possible

Best Practices for Production SGP.32 Deployments

1. Pilot Before Full Rollout

Always validate provisioning workflows with smaller deployment groups before scaling.

Recommended approach:

  1. Test with 10 devices
  2. Expand to 100 devices
  3. Expand to 1,000 devices
  4. Review failures and edge cases
  5. Refine processes before fleet-wide rollout

2. Use Staged Rollouts

Avoid provisioning entire fleets simultaneously.

Example staged rollout for 50,000 devices:

  • Day 1: 500 devices
  • Day 2: 2,000 devices
  • Day 3 onwards: Controlled daily rollout batches

This limits operational exposure if problems emerge.

3. Retain Previous Profiles Temporarily

Do not immediately delete the old profile after activation.

Recommended workflow:

  1. Download new profile
  2. Activate new profile
  3. Validate connectivity
  4. Retain previous profile for fallback during validation period
  5. Remove previous profile only after successful verification

4. Monitor Provisioning Continuously

Provisioning should be monitored in real time.

Important metrics include:

  • Download success rate
  • Activation success rate
  • Failure codes
  • Post-activation connectivity
  • Provisioning duration

5. Maintain Device-Level Visibility

Provisioning platforms should expose:

  • Device identifiers
  • EID
  • Active profile
  • Provisioning status
  • Error codes
  • Signal quality metrics

Operational visibility becomes essential when managing large fleets.

6. Define Rollback Procedures

Provisioning workflows should always include rollback plans.

Example rollback triggers:

  • Coverage gaps
  • Authentication failures
  • Performance degradation
  • Operator-side provisioning issues

7. Coordinate with Operators

Provisioning is not purely device-side.

Operators must:

  • Provision IMSIs correctly
  • Configure HLR and HSS systems
  • Validate backend readiness before deployment

Failure to coordinate backend provisioning can leave entire fleets offline.

Measuring SGP.32 Provisioning Performance

Key Metrics

Provisioning Success Rate

Target:

  • Greater than 98%

Median Provisioning Duration

Target:

  • Less than 30 minutes

95th Percentile Provisioning Duration

Target:

  • Less than 2 hours

Post-Activation Connectivity

Target:

  • Greater than 99%

Failure Recovery Time

Target:

  • Less than 24 hours

Typical Production Benchmarks

Well-Executed Deployments

  • Success rate: 98 to 99%
  • Median provisioning duration: 15 to 20 minutes
  • 95th percentile duration: 1 to 2 hours
  • Post-activation connectivity: 99%+
  • Failure recovery: 4 to 12 hours

Indicators of Operational Problems

  • Success rate below 95%
  • Provisioning durations above 45 minutes
  • Large activation failure clusters
  • Delayed failure recovery workflows

OV SGP.32 Remote Provisioning

OV supports GSMA SGP.32-compliant remote provisioning infrastructure designed for enterprise IoT deployments.

OV Capabilities

  • Standards-based eUICC and SGP.32 readiness
  • Global IoT connectivity across 180+ countries and 600+ networks
  • OV ONE Connectivity Management Platform built in-house by OV engineers
  • API-first provisioning and orchestration workflows
  • Bulk SIM lifecycle management and monitoring
  • Real-time provisioning visibility through OV ONE
  • Support for eUICC-based remote profile provisioning

OV ONE provides a single pane of glass for provisioning, monitoring, and SIM lifecycle operations across global IoT deployments.

For organisations evaluating remote SIM provisioning strategies, pilot deployments remain one of the most effective ways to validate operational workflows before scaling production fleets.

Contact OV to discuss SGP.32 remote provisioning for your deployment: connectivity@worldov.com

related posts

related posts

Blogs

eSIM vs Physical SIM for IoT: Cost, Complexity, and Trade-offs

Read Now
Blogs

IoT eSIM Explained: Architecture, Benefits, and Deployment

Read Now
Blogs

Why Fleet Connectivity Fails And What Fleet Operators Can Do About It

Read Now