A method and apparatus for distributing authorization to provision devices on a wireless network are described. A primary trusted provisioning domain (TPD) operating within a trusted environment established by the wireless carrier's firewall can provision the mobile devices. The primary TPD may distribute the authorization to provision one or more of the mobile devices to one or more secondary TPDs operating outside the trusted environment. Digital signatures may be used to authenticate provisioning requests from TPDs.