Automatic provisioning of IoT devices

Dec 2, 2021 | Blog

OpenRemote offers device manufacturers a smooth and secure method to create a digital twin of their products.

As a device manufacturer or an original equipment manufacturer (OEM) you require a secure and automated way to connect your devices to your IoT data platform. Once online, you want your (end) users to get access to these devices. This gives you the opportunity to collect data for R&D, monitor your devices to lower maintenance cost, and offer new services to your customers and end users. That’s what OpenRemote offers you as of today.

Prepare your IoT devices in the factory

When manufacturing your devices you want to prepare them in such a way that they automatically connect to your platform and present a certificate when powered on at the customer side. The certificate will be checked in OpenRemote when the device tries to register. This way only authorised devices can connect.

This secure auto provisioning flow (using X.509 or HMAC) allows the device to create and connect to a new asset in OpenRemote. You can define the asset type and roles, such that OpenRemote will reflect it as the correct type and enable secure two-way communication, over MQTT, with the respective attributes.  Most renown microcontroller brands, a.o. TI (MSP430), Espressif (ESP32 and ESP8266) and Nordic (nRF9160) support this auto provisioning flow.

Installers and users connect to their IoT device

Now that your devices automatically create their asset counterpart in the IoT platform, you also want to give your users access to the devices relevant to them. Typically we see four user levels here:

  • Admin: a user access to all assets in the system, with the ability to modify them
  • Installer/distributor/project manager: a user that is responsible for several devices in the field. They will want to monitor and maintain those devices and need write access to the attributes of the asset.
  • End user: a user that owns one or more devices and can read or write to (some) of its attributes. Either to control them for daily use or to view its live data.
  • Device: a service user created so that the device can securely communicate with its asset in the OpenRemote system.

To manage all four user levels, we have added the option of ‘restricted access’ to users. The Admin user can use this option to give Installer users and End users access to a limited number of assets. In addition roles can be added such that e.g. installers can write attributes while End users can only see and read a limited set of attributes. 

Installer users or End users can use the OpenRemote manager as they will only see their own device assets and, depending on their role, read or write to (some) asset attributes.


Don’t take our word for it

Try it for yourself, have a look at our wiki on ‘Auto provisioning devices’. But don’t take our word for it. Try it for yourself.

Header image created with vectors by pch.vector –