Yealink autoprovisioning — DHCP option 66, AutoP URL, encrypted configs

Yealink's "AutoP" provisioning is similar in shape to Polycom's but differs in three important ways: the config file format, the encryption mechanism, and the phone's DHCP discovery behaviour. This article covers the end-to-end setup for a typical deployment.

The two files

Yealink phones look for two config files:

  1. y000000000000.cfg — common configuration for all phones of this model. Note the model-specific "y" filename varies by phone family (y000000000099.cfg for T46, etc. — check the admin guide for your model).
  2. <MAC>.cfg — per-phone overrides. MAC in lowercase with no separators.

Per-phone config wins over common config, same as Polycom.

Config file format

Yealink uses plain key=value, not XML. Easier to script and version-control:

y000000000099.cfg (common):

# Server
account.1.sip_server.1.address = pbx.example.com
account.1.sip_server.1.port = 5060
account.1.sip_server.1.transport_type = 0
account.1.outbound_proxy_enable = 1

# Dial plan
dialplan.area_code.code = 1
dialplan.replace.prefix.1 = "x911"
dialplan.replace.replace.1 = "1911"

# NAT keepalive
account.1.nat.nat_traversal = 1
account.1.nat.keep_alive_interval = 30

805e0c012345.cfg (per-phone):

account.1.enable = 1
account.1.label = Front Desk
account.1.display_name = Front Desk
account.1.auth_name = 1001
account.1.user_name = 1001
account.1.password = strong-secret-here
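
Because the format is plain key=value, a pre-publish check is easy to script. The Python below is an added example, not part of the original article or of any Yealink tooling: it derives the <MAC>.cfg filename, merges the common and per-phone files with per-phone precedence, and flags two settings worth reviewing (static.security.cn_validation is the key used in the HTTPS section of this article). The sample files are constructed and the function names are hypothetical.

```python
import re

# Constructed sample files modelled on the article's examples (not a real deployment).
COMMON = """\
# Server
account.1.sip_server.1.address = pbx.example.com
account.1.label = Unassigned
static.security.cn_validation = 0
"""
PER_PHONE = """\
account.1.label = Front Desk
account.1.auth_name = 1001
account.1.password = strong-secret-here
"""

def mac_filename(mac):
    """Normalise a MAC in any common notation to the '<mac>.cfg' name the phone requests."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits + ".cfg"

def parse_cfg(text):
    """Parse 'key = value' lines; skip blanks and '#' comment lines; strip surrounding quotes."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key = value, got {raw!r}")
        settings[key.strip()] = value.strip().strip('"')
    return settings

def effective(common, per_phone):
    """Return the merged view of both files: a per-phone setting overrides the common one."""
    return {**common, **per_phone}

def lint(settings):
    """Flag settings that deserve a second look before the files are published."""
    findings = []
    if settings.get("static.security.cn_validation") == "0":
        findings.append("static.security.cn_validation = 0: certificate name check is off")
    for key in settings:
        if re.fullmatch(r"account\.\d+\.password", key):
            findings.append(f"{key} is a cleartext SIP secret: serve this file over HTTPS only")
    return findings
```

Run lint(effective(parse_cfg(common_text), parse_cfg(per_phone_text))) in the job that publishes the files, and fail the job on any finding you have not explicitly accepted.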

DHCP option 66

Yealink reads DHCP option 66 by default and uses it as the provisioning URL. Hand out the URL to the config directory (not to a specific file):

# dnsmasq
dhcp-option=66,"https://provision.example.com/yealink/"

The phone fetches y000000000099.cfg first, then <MAC>.cfg from the same directory.

If DHCP option 66 isn't usable

Set the AutoP URL manually:

  • Phone web UI → Settings → Auto Provision.
  • Set Server URL to the provisioning directory.
  • Save and reboot the phone.

Yealink also offers RPS (Redirection Provisioning Service) for zero-touch provisioning. You register the phone's MAC with Yealink and they redirect the phone to your provisioning URL on first boot, regardless of DHCP. Worth setting up if you ship phones direct to customer sites.

HTTPS provisioning

Yealink phones support HTTPS for provisioning. Self-signed certs require uploading the CA cert to the phone manually; use a publicly-trusted cert (Let's Encrypt) to avoid that step.

Configure the provisioning URL with https:// and the phone validates the cert. If you must use self-signed:

# In the common config
static.security.trust_certificates = 1
static.security.cn_validation = 0
static.security.ca_cert = "your-ca.pem"

Better: just use a real cert.

Config file encryption

Yealink supports AES encryption of config files using per-MAC keys. The flow:

  1. Generate a 16-byte AES key (random).
  2. Encrypt <MAC>.cfg with that key.
  3. Serve the encrypted file. The phone fetches it, decrypts with the key it already has, applies the config.

The phone learns the key one of two ways:

  • Pre-loaded at the factory via Yealink's provisioning portal if you bought from a Yealink partner program.
  • Initial unencrypted bootstrap over HTTPS that sets the key, then subsequent provisioning uses the key.

For most deployments, HTTPS-only provisioning without file encryption is sufficient. Encryption matters mainly if you're serving configs over an untrusted CDN or you have compliance requirements.

Per-model differences

The common-config filename and the supported keys differ by model family:

  • T-series desk phones: y000000000099.cfg for T46/T48, y000000000088.cfg for T29, etc.
  • W-series DECT (W60B/W70B): different provisioning model. Configure the base station, and the handsets pull from it.
  • CP conference phones: similar to T-series but more limited feature set.

Yealink publishes per-model "configuration template" files that show all available keys. Download one for your model and use it as a reference when writing your common config.

Verifying provisioning

Boot a phone with a known-bad SIP password in its <MAC>.cfg and watch the boot logs:

  • Phone web UI → Status → Information shows the provisioning server URL fetched.
  • Phone web UI → Status → System Log shows the HTTP/HTTPS fetch attempts and results.
  • The PBX log shows a REGISTER attempt with the configured extension and rejected credentials.

Then fix the password and trigger re-provisioning from the phone UI (Settings → Auto Provision → Auto Provision Now).

Polling for changes

Default polling interval is once a week. Lower it for active deployments:

# In y000000000099.cfg
static.auto_provision.mode = 1  # Repeatedly check
static.auto_provision.schedule.periodic_minute = 1440  # daily

Or push a change by rebooting the phone. For an emergency config push to a specific phone without rebooting, use the SIP NOTIFY check-sync mechanism if your PBX supports it.
