This is kind of a general question since I have not found it anywhere online. We use the endpoint manager inside our office. We have phones that leave the office and are able to connect to the system through a NAT’ed IP. Is it also safe to open the TFTP port and allow them to download config files? Or is that not safe?
It is not very safe. The cfg files are unencrypted and contain all the credentials to make a connection to the server.
The one bit of good news is that a TFTP server doesn’t have a directory listing command (at least it never used to)… so someone would have to know the filename, which is made up of the MAC address of the phone, to grab the credentials. But - with proxies and firewalls or Wireshark that filename could be discovered, I would bet.
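A TFTP read request carries the filename in clear text, so anyone on the path can see it, and the server side can use the same property to watch who asks for MAC-named files. The following is an added example, not part of the thread: it parses read requests as laid out in RFC 1350 and flags config reads from outside the office network and sources that request several different MAC-named files. The office range, the 12-hex-digit filename pattern, the threshold and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import re
import struct
from collections import defaultdict

# Assumption: config filenames embed the phone MAC as 12 hex digits.
MAC_NAME = re.compile(r"(?i)(?<![0-9a-f])[0-9a-f]{12}(?![0-9a-f])")
OFFICE_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # hypothetical office LAN
ENUM_THRESHOLD = 3  # distinct MAC-named files requested by one source

def parse_rrq(payload: bytes):
    """Return (filename, mode) for a TFTP read request (opcode 1), else None."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != 1:
        return None
    parts = payload[2:].split(b"\x00")  # filename NUL mode NUL [options...]
    if len(parts) < 3 or not parts[0]:
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace").lower()

def review_requests(packets):
    """packets: iterable of (src_ip, udp_payload). Returns a list of findings."""
    findings, seen = [], defaultdict(set)
    for src, payload in packets:
        req = parse_rrq(payload)
        if req is None or not MAC_NAME.search(req[0]):
            continue  # not a read request for a MAC-named file
        name = req[0].lower()
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in OFFICE_NETS):
            findings.append(("external-config-read", src, name))
        seen[src].add(name)
        if len(seen[src]) == ENUM_THRESHOLD:  # report once, when threshold is hit
            findings.append(("mac-enumeration", src, str(ENUM_THRESHOLD)))
    return findings

def build_rrq(name: str) -> bytes:
    """Build a constructed read request for the sample data below."""
    return b"\x00\x01" + name.encode("ascii") + b"\x00octet\x00"

# Constructed sample traffic: one office phone, one outside source, one ACK.
SAMPLE = [
    ("192.168.10.21", build_rrq("aabbcc000010.cfg")),
    ("203.0.113.50", build_rrq("aabbcc000001.cfg")),
    ("203.0.113.50", build_rrq("aabbcc000002.cfg")),
    ("203.0.113.50", build_rrq("aabbcc000003.cfg")),
    ("192.168.10.22", b"\x00\x04\x00\x01"),  # ACK packet, ignored
]

if __name__ == "__main__":
    for finding in review_requests(SAMPLE):
        print(finding)
```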
Geez, I never even thought of that, that those passwords are right out there.
So is there any good way to do provisioning for WAN devices?
Most devices support FTP provisioning. This would provide reasonable security.
I really don’t know - I am just the paranoid type - I can only come up with bad things that happen when putting info on the internet.
Ideal solution would be to require the external clients to access through a VPN.