Before you begin

From Release 14SU1 onwards, when Proxy TFTP is enabled, you should copy the root CA certificate for the off-cluster Tomcat certificate to the proxy phone edge trust.

Procedure

Step 1 On the Unified Communications Manager publisher node, log in to the Command Line Interface.
Step 2 Run the utils sipOAuth-mode enable CLI command.
       From Release 14 onwards, the system updates the read-only Cluster SIPOAuth Mode enterprise parameter to Enabled.

Restart Cisco CallManager Service

After enabling SIP OAuth through the CLI, restart the Cisco CallManager service on all nodes where endpoints register through SIP OAuth.

Procedure

Step 1 From Cisco Unified Serviceability, choose Tools > Control Center > Feature Services.
Step 2 From the Server drop-down list, select the server.
Step 3 Check the Cisco CallManager service and click Restart.

Configure Device Security Mode in Phone Security Profile

Use this procedure to configure the device security mode in the phone security profile. It is required only if you have set the Device Security Mode within that phone's Phone Security Profile to Encrypted.

Procedure

Step 1 From Cisco Unified CM Administration, choose System > Security > Phone Security Profile.
Step 2 Perform either of the following:
       • Search for an existing phone security profile
       • Click Add New
Step 3 In the Phone Security Profile Information section, from the Device Security Mode drop-down list, choose Encrypted.
Step 4 From the Transport Type drop-down list, choose TLS.
Step 5 Check the Enable OAuth Authentication check box.
Step 6 Click Save.
Step 7 Associate the Phone Security Profile to the phone.
       For more information on how to apply phone security profiles to phones, see the "Apply Security Profiles to Phone" section in Security Guide for Cisco Unified Communications Manager.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs
Basic System Security