diff --git a/scripts/remote-provision.sh b/scripts/remote-provision.sh
new file mode 100644
index 00000000..f0c5cac2
--- /dev/null
+++ b/scripts/remote-provision.sh
@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+
+set -o errexit   # abort on nonzero exit status
+set -o errtrace  # pass ERR trap down to functions, substitutions, etc
+set -o nounset   # abort on unbound variable
+set -o pipefail  # don’t hide errors within pipes
+
+[[ "${BASH_VERSINFO:-0}" -ge 4 ]] || { echo "Bash version 4 or higher is required."; exit 1; }
+
+usage() {
+    echo "Usage $0 [OPTIONS] <teleport-tunnel|ipv4>
+
+    Options:
+        -r, --reprovision   Re-provisioning the device and skips fetching of attestation certificate
+        -t, --plug-trust    Path for plug_and_trust.tar.gz on the host (required for prod images)
+        -p, --passphrase    Expected to be used with IPv4 (required for dev images with ssh access)"
+}
+
+setup_plug_and_trust() {
+    local remote="${1}"
+    local plug_trust="${2}"
+    local ssh_prefix="${3}"
+
+    if ${ssh_prefix} ssh "worldcoin@${remote}" '! [[ -d /service_mode ]]'; then
+        # NOTE: The following case, should only be met in production images, where tsh
+        # is the only available option for remote access. SOON will be deprecated
+        if [[ -n "${plug_trust}" ]]; then
+            ${ssh_prefix} scp "${plug_trust}" "root@${remote}:/tmp/plug_and_trust.tar.gz"
+            ${ssh_prefix} ssh "root@${remote}" <<EOF
+                set -euo
+                tar -xzf /tmp/plug_and_trust.tar.gz -C /tmp/plug_and_trust
+                mount --bind /tmp/plug_and_trust /service_mode
+EOF
+        else
+            echo "Error: --plug-trust option is required"
+            usage; exit 1
+        fi
+    fi
+}
+
+provision_device() {
+    local remote="${1}"
+    local short="${2}"
+    local ssh_prefix="${3}"
+
+    local user="worldcoin"
+    local prov_dir="/usr/persistent/se"
+    if [[ "${ssh_prefix}" == "tsh" ]]; then
+        user="root"
+    fi
+
+    # If /se/keystore is not present, provisioning process was never executed, or the folder was deleted by the user
+    # In this case, reprovisioniong (--short flag) is not allowed for fear of wiping the attestation certificate
+    if [[ ${short} ]]; then
+        ${ssh_prefix} ssh "worldcoin@${remote}" << EOF
+        set -euo
+        mkdir -p ${prov_dir}
+        cd -- ${prov_dir}
+        /service_mode/provision.sh
+EOF
+    else
+        ${ssh_prefix} ssh "${user}@${remote}" <<EOF
+            set -euo
+            sudo su || true
+            [[ -d ${prov_dir}/keystore ]] || echo "${prov_dir}/keystore: does not exist, re-provisioning not allowed" && exit 1
+            mount -o remount,exec /tmp
+            systemctl stop nv-tee-supplicant.service
+            cp /usr/persistent/se/keystore/f0000013.cert /usr/persistent/ || true
+            rm -rf /usr/persistent/tee/ /usr/persistent/se/keystore
+            systemctl start nv-tee-supplicant.service
+            /service_mode/delete-all.sh
+            su worldcoin -c "cd -- ${prov_dir}; /service_mode/provision.sh --short"
+            cp /usr/persistent/f0000013.cert /usr/persistent/se/keystore/ || true
+EOF
+    fi
+}
+
+main() {
+    local arg
+    local remote
+    local plug_trust=""
+    local short=false
+    local passphrase=""
+    local ssh_prefix="tsh"
+    local positional_args=()
+
+    while [[ $# -gt 0 ]]; do
+        arg="${1}"; shift
+        case ${arg} in
+            -h | --help)
+                usage; exit 0 ;;
+            -r | --reprovision)
+                short=true ;;
+            -p | --passphrase)
+                passphrase="${1}"; shift ;;
+            -t | --plug-trust)
+                plug_trust="${1}"; shift ;;
+            -*)
+                echo "Invalid argument: ${arg}"
+                usage; exit 1 ;;
+            *)
+                positional_args+=( "${arg}" ) ;;
+        esac
+    done
+    set -- "${positional_args[@]}"
+
+    if [[ "$#" -ne 1 ]]; then
+        echo "Error: teleport-tunnel or IPv4 is required"
+        usage; exit 1
+    fi
+
+    remote="${1}"
+    if [[ "${remote}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        if [[ -z "${passphrase}" ]]; then
+            echo "Error: Passphrase is missing for IPv4 connection"
+            usage; exit 1
+        fi
+        ssh_prefix="sshpass -p "${passphrase}" ssh"
+    fi
+
+    setup_plug_and_trust "${remote}" "${plug_trust}" "${ssh_prefix}"
+    provision_device "${remote}" "${short}" "${ssh_prefix}"
+}
+
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main "$@"
+fi