Pelion Device Management Provision

During manufacturing, you can use Device Management Provision to configure millions of devices with unique cryptographic identities and the correct server parameters. Device Management Provision is a flexible and extensible SDK that helps to configure this information on devices in multiple manufacturing workflows. The SDK enables you to create, inject and securely store the keys and certificates necessary to connect to the Device Management service, such as the:

• Private keys.
• Certificates.
• Server URL.
• Server certificate.
• Connection parameters.
• Firmware update keys.

To connect to the Device Management service, you must provision each IoT device so that it:

1. Has a unique cryptographic credential, that the Device Management service can use to:
   • Authenticate the device.
   • Generate session encryption keys.
   • Authorize the device to use the Device Management system services.
2. Is configured with information describing the device to the server, keys for verifying software updates, and the correct server and connection parameters to identify, connect to and authenticate the Device Management server.

Device Management Provisioning supports industry-standard X.509 device certificates. These certificates are used to authenticate the device and establish encrypted DTLS sessions with the Device Management server.

The device's cryptographic credential must be kept safe on the device, as it protects:

• Data sent between the device and the server.
• The device management service itself from unauthorized access.

Provisioning SDK

The Provisioning SDK reduces the development time to prepare the manufacturing processes for mass production of devices. It comprises the following software components:

• Key and Configuration Manager (KCM) is part of the Device Management Client software running on the device. It securely stores sensitive information in the device's nonvolatile memory.
• Factory Configurator Client (FCC) is part of the Device Management Client software running on the device. It ingests, validates and saves the identity certificate to the device.
• (Optional) Factory Configurator Utility (FCU) can be integrated into manufacturing testing and provisioning equipment running on the factory floor, to generate and package the device identity certificate.

You can use the Mbed Provision SDK in the following ways:

• (Recommended) Use Factory Configurator Utility (FCU) and Factory Configurator Client (FCC) to implement provisioning in your factory flow. The FCU and FCC work together to inject, validate and securely store device credentials and configuration in protected storage on the device, saving you the need to develop this functionality. For information and access to FCU, please contact us.
• Work with Key and Configuration Manager (KCM) directly, and optionally use FCC, to validate the provisioned information. In this case you are responsible for generating all the provisioning information and storing it in KCM.

Factory workflow

The Provisioning SDK saves you having to develop manufacturing line software to implement provisioning. A typical factory provisioning workflow includes the following steps:

1. Installing the firmware image on the device. The image must include the Key and Configuration Manager module (KCM) and the Factory Configurator Client (FCC).
2. Generating unique device keys, signing them and creating a device certificate.
3. Injecting a configuration bundle into the device. The configuration bundle includes information unique to the device (such as the device keys and endpoint name), as well as information shared by groups of devices (such as the model number, server certificate and firmware validation keys).
4. Accepting the device response to verify all the information is configured correctly.

See the Provisioning Guide for more details on what provisioning information needs to be stored in the device and how to use KCM and FCC to provision devices.