

How provisioning works in practice

The most popular provisioning methods in practice include zero-touch provisioning, provisioning via mobile app and with the help of engineering tools.

Zero-touch provisioning

Zero-touch provisioning is the holy grail of provisioning methods: plug in the device and everything happens automatically. To make this possible, the device is preconfigured as far as possible. However, zero-touch provisioning is only possible if certain conditions are met:

1. Automatic network configuration

Automatic network configuration is required so that the device can establish an upstream connection immediately after installation. If a device is connected directly via LAN, this is easily possible with DHCP, for example. If wireless protocols are used, user interaction is usually required for security reasons so that the device can join the network. This poses a particular challenge if the device has no direct display and input options. Zero-touch provisioning is therefore often not possible here. Scenarios in which the target environment is clearly defined and the network keys can be pre-provisioned are an exception.

2. Pre-provisioned device identity

In order to register with the upstream, the device must prove its identity. For zero-touch provisioning, the device identity must therefore be pre-provisioned by the manufacturer or solution provider. To prevent supply chain attacks such as device cloning, this proof of identity should ideally be carried out using a hardware security module.
The lack of a pre-provisioned device identity is a common problem, especially with legacy hardware, and it rules out zero-touch provisioning for such devices.
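The registration check described in this section, as an added example that is not code from the original post: the upstream only accepts devices whose identity was pre-provisioned by the manufacturer, and the device proves that identity with a key it can use but never export. A real deployment would use an asymmetric key inside a hardware security module; the `SecureElement` class, the `Upstream` registry, and all device ids and keys below are assumptions constructed for the example (an HMAC key stands in for the HSM-held key so the code runs with the standard library only). It also shows why a cloned flash image and a replayed answer both fail.

```python
"""Challenge-response registration against a pre-provisioned device identity.

Added example, not code from the original post. A real deployment would use an
asymmetric key inside a hardware security module; here an HMAC key held by a
small SecureElement class stands in for it so that the example runs with the
standard library only. All device ids and keys are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class SecureElement:
    # Stand-in for an HSM: the key is written once at manufacturing and the only
    # operation offered afterwards is sign(); application code never reads it back.
    def __init__(self, key: bytes):
        self._key = key

    def sign(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()


class Device:
    def __init__(self, device_id: str, element: SecureElement):
        self.device_id, self.element = device_id, element

    def answer(self, nonce: bytes) -> bytes:
        # Bind the response to the claimed identity and to the fresh nonce.
        return self.element.sign(self.device_id.encode() + nonce)


class Upstream:
    # Cloud or edge endpoint holding the manufacturer's registry of identities.
    def __init__(self, registry: Dict[str, bytes]):
        self.registry = registry                  # device id -> provisioned key
        self.registered: Set[str] = set()
        self._pending: Dict[str, bytes] = {}

    def challenge(self, device_id: str) -> Optional[bytes]:
        if device_id not in self.registry:
            return None                           # not pre-provisioned: no zero-touch path
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # single use: defeats replay
        if nonce is None:
            return False
        expected = hmac.new(self.registry[device_id], device_id.encode() + nonce,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.registered.add(device_id)
        return True


def provision(device: Device, upstream: Upstream) -> bool:
    # The zero-touch handshake: device boots, gets a challenge, answers, is registered.
    nonce = upstream.challenge(device.device_id)
    return nonce is not None and upstream.verify(device.device_id, device.answer(nonce))


def demo() -> Dict[str, bool]:
    factory_key = secrets.token_bytes(32)
    upstream = Upstream({"dev-0001": factory_key})         # constructed registry
    genuine = Device("dev-0001", SecureElement(factory_key))
    # A clone copies the flash image (device id, firmware) but not the key in the element.
    clone = Device("dev-0001", SecureElement(b"\x00" * 32))
    # Legacy hardware without a manufacturer-provisioned identity.
    legacy = Device("dev-legacy", SecureElement(secrets.token_bytes(32)))
    results = {"genuine": provision(genuine, upstream),
               "clone": provision(clone, upstream),
               "legacy": provision(legacy, upstream)}
    # A captured answer is useless afterwards because each challenge is consumed.
    nonce = upstream.challenge("dev-0001")
    answer = genuine.answer(nonce)
    upstream.verify("dev-0001", answer)
    results["replay"] = upstream.verify("dev-0001", answer)
    return results
```

The point of the `SecureElement` indirection is that `Device` and `Upstream` never touch the key material directly: the device can only ask for a signature, so copying its storage does not copy its identity, which is the property the text asks of a hardware security module.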

3. Presence of necessary context information

Not all contextual information is relevant for provisioning; much of it can be added even after the device has been registered. Nevertheless, the implementation of zero-touch provisioning often fails due to a few missing pieces of information.
A typical problem with upstream cloud systems is that there is no reliable information about where the devices will end up. Which customer bought the device? To which client or user account should it be assigned? If these questions are not clarified, zero-touch provisioning is not possible.
With edge systems as upstream, on the other hand, it often fails because the upstream endpoint is not known in advance and must first be selected by the user.

However, if one of the above conditions is not met or zero-touch provisioning is not possible for other reasons, this does not mean that user-friendly device configuration has to be dispensed with.

Provisioning via mobile app

A user-friendly alternative is usually provisioning via a mobile app. An app is particularly convenient because a lot of information about the identity and intention of the user is already implicitly available. In multi-client (tenant) systems, for example, as soon as the user logs into the app it is already clear which client the device being provisioned belongs to and which communication endpoint that client uses. Another advantage is that smartphones usually support a range of communication protocols such as Wi-Fi, Bluetooth or NFC, which can be used for local communication with the device even before provisioning has completed. It is also practical to be able to transfer data to the smartphone using QR codes.

A typical procedure for provisioning a device via mobile app could look like this:

  1. A user sets the device to provisioning mode at the touch of a button. In this mode, the device offers a provisioning service via Bluetooth.
  2. A user scans for devices in their app, finds the device to be provisioned and can start the provisioning process.
  3. The device automatically creates a new device identity with the corresponding login data.
  4. The device transmits the newly created device identity to the app.
  5. The app registers this device identity in the cloud. Here, the device is added to the user's account and the device is granted access to the communication endpoint.
  6. The app sends the device the connection details for the communication endpoint via Bluetooth and transmits the Wi-Fi login data via Wi-Fi Easy Connect.
  7. The device can now automatically log into the Wi-Fi and establish communication with the cloud. Provisioning is successfully completed.

Most of the steps take place in the background. The user performs just three simple actions: put the device into provisioning mode, scan for it, and start the provisioning with a single click.
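The seven-step flow above, simulated end to end as an added example that is not code from the original post. `Device`, `App` and `Cloud` are plain Python classes standing in for the real components, the Bluetooth and Wi-Fi Easy Connect transfers are ordinary method calls, and every device id, session token, endpoint URL and Wi-Fi credential is an assumption constructed for the example. It shows how the app supplies the context (user account, endpoint) that the device itself lacks, and what the cloud has to check in step 5 before it accepts a self-generated device identity.

```python
"""Simulation of the seven-step mobile-app provisioning flow from the list above.

Added example, not code from the original post. All device ids, tokens,
endpoint URLs and Wi-Fi credentials are constructed for the example.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DeviceIdentity:
    device_id: str
    secret: str


class Cloud:
    # Upstream: knows user accounts and the communication endpoint of each.
    def __init__(self):
        self.sessions = {"session-acme-1": "acme"}    # constructed: app token -> account
        self.endpoints = {"acme": "mqtts://acme.example:8883"}   # constructed
        self.devices: Dict[str, DeviceIdentity] = {}
        self.owner: Dict[str, str] = {}               # device id -> account

    def register_device(self, session: str, identity: DeviceIdentity) -> Optional[str]:
        # Step 5: only an authenticated app may claim a device, and only for its
        # own account; the endpoint for that account is returned.
        account = self.sessions.get(session)
        if account is None or identity.device_id in self.devices:
            return None                               # unknown session or already claimed
        self.devices[identity.device_id] = identity
        self.owner[identity.device_id] = account
        return self.endpoints[account]

    def device_connect(self, endpoint: str, device_id: str, secret: str) -> bool:
        # Step 7: the device logs in with the identity it created itself.
        known = self.devices.get(device_id)
        if known is None or not secrets.compare_digest(known.secret, secret):
            return False
        return self.endpoints[self.owner[device_id]] == endpoint   # granted endpoint only


class Device:
    def __init__(self, name: str):
        self.name = name
        self.provisioning_mode = False                # toggled by the button in step 1
        self.identity: Optional[DeviceIdentity] = None
        self.endpoint: Optional[str] = None
        self.wifi: Optional[str] = None

    def create_identity(self) -> DeviceIdentity:
        # Steps 3 and 4: generate a fresh identity and hand it to the app.
        if not self.provisioning_mode:
            raise RuntimeError("provisioning service is not active")
        self.identity = DeviceIdentity("dev-" + secrets.token_hex(4), secrets.token_hex(32))
        return self.identity

    def receive_config(self, endpoint: str, wifi: str) -> None:
        # Step 6: endpoint details via Bluetooth, Wi-Fi credentials via Easy Connect.
        self.endpoint, self.wifi = endpoint, wifi
        self.provisioning_mode = False                # stop offering the service once configured

    def connect(self, cloud: Cloud) -> bool:
        # Step 7: join Wi-Fi (simulated) and authenticate at the endpoint.
        if self.wifi is None or self.endpoint is None or self.identity is None:
            return False
        return cloud.device_connect(self.endpoint, self.identity.device_id, self.identity.secret)


class App:
    def __init__(self, cloud: Cloud, session: str):
        self.cloud, self.session = cloud, session

    def scan(self, nearby: List[Device]) -> List[Device]:
        # Step 2: only devices offering the provisioning service are listed.
        return [d for d in nearby if d.provisioning_mode]

    def provision(self, device: Device, wifi: str) -> bool:
        # Steps 3 to 6 from the app's side: the user's single click.
        identity = device.create_identity()
        endpoint = self.cloud.register_device(self.session, identity)
        if endpoint is None:
            return False
        device.receive_config(endpoint, wifi)
        return True


def demo() -> Dict[str, object]:
    cloud = Cloud()
    app = App(cloud, "session-acme-1")
    stale_app = App(cloud, "expired-session-token")   # constructed invalid session
    lamp, sensor = Device("lamp"), Device("sensor")
    lamp.provisioning_mode = True                     # step 1: button pressed on the lamp only
    found = [d.name for d in app.scan([lamp, sensor])]
    provisioned = app.provision(lamp, "wifi-credentials-via-easy-connect")
    online = lamp.connect(cloud)
    sensor.provisioning_mode = True
    rejected = not stale_app.provision(sensor, "wifi-credentials-via-easy-connect")
    return {"found": found, "provisioned": provisioned, "online": online,
            "owner": cloud.owner[lamp.identity.device_id],
            "stale_app_rejected": rejected, "sensor_online": sensor.connect(cloud)}
```

Two details carry the security of the flow: `register_device` derives the account from the app's session rather than trusting anything the device sends, and `device_connect` only admits the device at the endpoint that registration granted, so a device identity cannot be moved to another client's endpoint by replaying the registration.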

 

Provisioning through engineering tools

Especially in an industrial context, the use of mobile apps is not yet as widespread as in the consumer sector. Instead of provisioning via a mobile app, it makes more sense to integrate the provisioning process into an engineering tool or separate project planning software, depending on the scenario. Here too, it is possible to scan the network for devices to be provisioned and offer the user a corresponding list for selection.

We can help you select a suitable provisioning process and also support you during implementation. Just contact us.

About the author

 

Daniel Wiese is a technical computer scientist and Linux enthusiast. As part of the Competence Center IoT & Edge, he deals with the development and setup of industrial IoT systems. As an expert in cybersecurity, he supports our customers and project teams. 
