diff --git a/src/adaptations/device-layer/ESP32/BLEManagerImpl.cpp b/src/adaptations/device-layer/ESP32/BLEManagerImpl.cpp
index 9107270c1e..8a0b1d181e 100644
--- a/src/adaptations/device-layer/ESP32/BLEManagerImpl.cpp
+++ b/src/adaptations/device-layer/ESP32/BLEManagerImpl.cpp
@@ -1,5 +1,6 @@
 /*
  *
+ *    Copyright (c) 2020 Google LLC.
  *    Copyright (c) 2018 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -245,6 +246,7 @@ void BLEManagerImpl::_OnPlatformEvent(const WeaveDeviceEvent * event)
     case DeviceEventType::kFabricMembershipChange:
     case DeviceEventType::kServiceProvisioningChange:
     case DeviceEventType::kAccountPairingChange:
+    case DeviceEventType::kOpDeviceCredentialsChange:
 
         // If WOBLE_DISABLE_ADVERTISING_WHEN_PROVISIONED is enabled, and there is a change to the
         // device's provisioning state, then automatically disable WoBLE advertising if the device
@@ -1302,4 +1304,3 @@ void BLEManagerImpl::DriveBLEState(intptr_t arg)
 } // namespace nl
 
 #endif // WEAVE_DEVICE_CONFIG_ENABLE_WOBLE
-
diff --git a/src/adaptations/device-layer/ESP32/ConnectivityManagerImpl.cpp b/src/adaptations/device-layer/ESP32/ConnectivityManagerImpl.cpp
index 93e26bda40..12fb016d42 100644
--- a/src/adaptations/device-layer/ESP32/ConnectivityManagerImpl.cpp
+++ b/src/adaptations/device-layer/ESP32/ConnectivityManagerImpl.cpp
@@ -1,5 +1,6 @@
 /*
  *
+ *    Copyright (c) 2020 Google LLC.
  *    Copyright (c) 2018 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -525,18 +526,19 @@ void ConnectivityManagerImpl::_OnPlatformEvent(const WeaveDeviceEvent * event)
         DriveServiceTunnelState();
     }
 
-#if !WEAVE_DEVICE_CONFIG_DISABLE_ACCOUNT_PAIRING
+#if !WEAVE_DEVICE_CONFIG_DISABLE_ACCOUNT_PAIRING || WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
 
-    // Handle account pairing changes.
-    else if (event->Type == DeviceEventType::kAccountPairingChange)
-    {
-        // When account pairing successfully completes, if the tunnel to the
-        // service is subject to routing restrictions (imposed because at the time
-        // the tunnel was established the device was not paired to an account)
+    // Handle account pairing and device credentials changes.
+    else if (((event->Type == DeviceEventType::kAccountPairingChange) && event->AccountPairingChange.IsPairedToAccount) ||
+             ((event->Type == DeviceEventType::kOpDeviceCredentialsChange) && event->OpDeviceCredentialsChange.AreCredentialsProvisioned))
+        {
+        // When account pairing successfully completes or new device credentials
+        // provisioned, if the tunnel to the service is subject to routing restrictions
+        // (imposed because at the time the tunnel was established the device was
+        // not paired to an account or the device only had initial self-signed certificate)
         // then force the tunnel to close.  This will result in the tunnel being
         // re-established, which should lift the service-side restrictions.
-        if (event->AccountPairingChange.IsPairedToAccount &&
-            GetFlag(mFlags, kFlag_ServiceTunnelStarted) &&
+        if (GetFlag(mFlags, kFlag_ServiceTunnelStarted) &&
             ServiceTunnelAgent.IsTunnelRoutingRestricted())
         {
             WeaveLogProgress(DeviceLayer, "Restarting service tunnel to lift routing restrictions");
@@ -546,7 +548,7 @@ void ConnectivityManagerImpl::_OnPlatformEvent(const WeaveDeviceEvent * event)
         }
     }
 
-#endif // !WEAVE_DEVICE_CONFIG_DISABLE_ACCOUNT_PAIRING
+#endif // !WEAVE_DEVICE_CONFIG_DISABLE_ACCOUNT_PAIRING || WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
 }
 
 void ConnectivityManagerImpl::_OnWiFiScanDone()
diff --git a/src/adaptations/device-layer/include/Weave/DeviceLayer/WeaveDeviceEvent.h b/src/adaptations/device-layer/include/Weave/DeviceLayer/WeaveDeviceEvent.h
index 194204c6e7..0f8d515e83 100644
--- a/src/adaptations/device-layer/include/Weave/DeviceLayer/WeaveDeviceEvent.h
+++ b/src/adaptations/device-layer/include/Weave/DeviceLayer/WeaveDeviceEvent.h
@@ -1,5 +1,6 @@
 /*
  *
+ *    Copyright (c) 2020 Google LLC.
  *    Copyright (c) 2018 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -196,6 +197,13 @@ enum PublicEventTypes
      * Signals that the state of WoBLE advertising has changed.
      */
     kWoBLEAdvertisingChange,
+
+    /**
+     * Operational Device Credentials Change
+     *
+     * Signals that the operational device's credentials have changed.
+     */
+    kOpDeviceCredentialsChange,
 };
 
 /**
@@ -397,6 +405,10 @@ struct WeaveDeviceEvent final
         {
             ActivityChange Result;
         } WoBLEAdvertisingChange;
+        struct
+        {
+            bool AreCredentialsProvisioned;
+        } OpDeviceCredentialsChange;
     };
 
     void Clear() { memset(this, 0, sizeof(*this)); }
diff --git a/src/adaptations/device-layer/nRF5/BLEManagerImpl.cpp b/src/adaptations/device-layer/nRF5/BLEManagerImpl.cpp
index 2ed18c680e..88525b9a4b 100644
--- a/src/adaptations/device-layer/nRF5/BLEManagerImpl.cpp
+++ b/src/adaptations/device-layer/nRF5/BLEManagerImpl.cpp
@@ -1,5 +1,6 @@
 /*
  *
+ *    Copyright (c) 2020 Google LLC.
  *    Copyright (c) 2018 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -282,6 +283,7 @@ void BLEManagerImpl::_OnPlatformEvent(const WeaveDeviceEvent * event)
     case DeviceEventType::kFabricMembershipChange:
     case DeviceEventType::kServiceProvisioningChange:
     case DeviceEventType::kAccountPairingChange:
+    case DeviceEventType::kOpDeviceCredentialsChange:
 
         // If WOBLE_DISABLE_ADVERTISING_WHEN_PROVISIONED is enabled, and there is a change to the
         // device's provisioning state, then automatically disable WoBLE advertising if the device