Slide 1: Zero touch device registration with Azure IoT
BRK4026
Nicole Berdy, Senior Program Manager, Azure IoT
@nberdy | #azureiotdps
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 2: IoT Device Lifecycle
The lifecycle runs Plan -> Register -> Configure -> Monitor -> Retire:
- Plan: group devices and control access according to your organization's needs
- Register: securely authenticate devices, on-board for management and provision for service
- Configure: provide updates, configuration & applications to assign the purpose of each device
- Monitor: monitor device inventory, health & security while providing proactive remediation of issues
- Retire: replace or decommission devices after failure, upgrade cycle or service lifetime
Slide 4: Quick orientation: back end systems and processes
Architecture diagram of a typical Azure IoT solution, annotated "Provisioning happens here". Components shown: Devices; IoT Hub; Event Hub; Stream Analytics; Storage blobs; DocumentDB; Web Jobs; Logic Apps; Azure ML; Power BI; Web/Mobile App.
Slide 5: What is provisioning?
Diagram with three labels: Registration, Configuration, Provisioning.
Slide 6: Why provisioning is hard today
- Solutions must have per-device revocable access
- Provisioning is a manual process
- Initial configuration can become irrelevant between manufacturing and deployment
- Mergers, acquisitions, and bankruptcies can orphan devices
- Device supply chains are complex
Slide 7: Let's talk supply chain
- Building devices is complicated
- Most common supply chain: OEM -> ODM -> SI -> customer
- Updating the manufacturing process is hard, if not impossible
- Supply chain problems: producing certificates, injecting certificates, re-flashing devices, data ownership changes, etc.
- Example: cars
Slide 8: Azure IoT Hub Device Provisioning Service
- Simplify with zero touch provisioning
- Easiest way to mass-provision devices
- Enhanced security through HSM
- Remove human error
- Minimize manual connection requirements
- Supports multiple locations
- URL stability
- For any device compatible with IoT Hub
- Multitenancy support
Diagram: one DPS linked to IoT Hub US, IoT Hub Japan and IoT Hub India; DPS knows exactly which IoT hub to connect and provision.
Slide 9: Goals for device provisioning with Azure IoT
- Securely automate the provisioning process: devices are automatically and securely connected to the IoT Hub service and provisioned with an initial configuration
- Multitenancy support: a single DPS can provide service for multiple IoT hubs (in multiple regions)
- Flexible device assignment: customers provide rules and logic to assure the right device is attached to the right IoT solution (and associated IoT Hub)
Slide 10: A selection of scenarios
- Initial connection: zero-touch provisioning to a single IoT solution
- Load balancing: across multiple hubs
- Ownership based: connecting devices to their owner's IoT solution based on sales transaction data
- Location based: connecting a device to the IoT hub with the lowest latency
- Re-provisioning: based on a change in the device, e.g. change of ownership
Slide 11: An IoT device's relationship to DPS
- Initial setup: getting the device ready for the first time
- Retrieving a key: for devices with limited or no key storage capabilities
- Rolling a key: applicable only for devices which connect via a SAS token
- Hard reset: when the device needs to be treated as new in-box
Slide 12: How it works
Slide 13: Setup: devices know how to phone home
- Enrollment list has been populated
- IoT hubs have been linked to DPS
- Device allocation policy has been set
Slide 14: Enrollment list
One-stop shop for everything needed to provision a device:
- Attestation information
- Initial configuration
- Additional device info
Support for:
- Individual enrollments: good for devices with individual configuration needs
- Enrollment groups: good for lots of devices with the same initial configuration
Updatable throughout the supply chain.
Slide 15: Linked IoT hubs
- Linking an IoT hub to DPS gives DPS permissions to register devices to the hub
- Links can be cross-region or cross-subscription
Slide 16: Allocation policies
Determines how DPS assigns devices to linked hubs:
- Evenly weighted distribution
- Lowest latency
- Static configuration via the enrollment list
The allocation policy can be overridden per enrollment entry.
Slide 17: Let's see it in action (demo)
Slide 18: High level provisioning
Diagram with three actors (device, DPS, IoT hub):
1. Device asks DPS for a hub
2. DPS creates the device ID in the IoT hub
3. IoT hub returns the ID to DPS
4. DPS returns the hub to the device
5. Device connects to the IoT hub
Slide 19: Provisioning with DPS
Diagram of business logic, the IoT Hub Device Provisioning Service, IoT Hub and the device:
- Business logic -> DPS: device enrollment info
- DPS -> IoT Hub: register new device, populate initial config
- IoT Hub -> business logic: registered device info
- Device -> DPS: identity attestation ("where's my home?")
- DPS -> device: initial configuration
- Device -> IoT Hub: establish connection, device telemetry, ...etc.
- IoT Hub -> business logic: device telemetry, insights
Slide 20: Using a global device endpoint
Diagram: Device A and Device B both reach the IoT Hub Device Provisioning Service, which holds Device A information and Device B information; Device A is provisioned to IoT Hub 1 and Device B to IoT Hub 2.
Slide 21: Using a global device endpoint (continued)
Diagram: both devices call the global endpoint global.azure-devices-provisioning.net and present their ID scope plus registration ID; a mapping DB resolves ID scope + RegID to the DPS name.
- DPS contosoDPS: ID scope xyz
- DPS relecloudDPS: ID scope abc
- device1: ID scope xyz, RegistrationID rai212, secret: <X.509 cert>
- device2: ID scope abc, RegistrationID fkb674, secret: <X.509 cert>
Slide 22: SDK support in public preview
- DPS device SDK composes easily with the IoT Hub device SDK: C, HTTPS; full language/protocol support to come in GA
- Service SDK for easy management of the service: C#, HTTPS; full language support to come in GA
- The goal is for the same device support that IoT Hub offers
Slide 23: Details on the security flow
Slide 24: Verifying a device's identity
Two types of device attestation supported:
- X.509: following the standard X.509 authentication flow
- Trusted Platform Module: following the TPM standard for verifying possession of the TPM's private endorsement key
Four ways to store keys:
- HSM using X.509 certificates
- Trusted Platform Module (a type of HSM)
- Emulated X.509 certificates
- Emulated TPM
Slide 25: Provisioning process
There are two distinct steps with security flows:
- The manufacture step, in which the enrollment information is harvested and placed in the enrollment list
- The registration step, in which the device phones home to the DPS
Slide 26: Manufacture flow for TPM
Sequence diagram with participants Device, Factory, DPS and DPS ID lookup:
1. Factory provisioning: the factory gets EKPublic from the device, harvesting the TPM for RegistrationId + EKPublic
2. The factory calls DPS to enroll the device with RegId + EK
3. DPS pushes the enrollment to storage
Slide 27: Registration flow for TPM
Sequence diagram with participants Device, Factory, Device Registration Service (DPS), DPS ID lookup and IoT hub:
1. Device opens a TLS connection to DPS (device trust to server using standard SSL cert trust)
2. Device authenticates with DPS: it gets EKPublic + SRKPublic from its TPM, and the request sends RegId and EK + StorageRootKey (SRKPublic)
3. DPS sends 401 with a session key (encrypted with EK + SRK)
4. Device decrypts the key in the TPM and stores it in slot 0
5. Device creates a SAS token by signing with the key in the TPM (slot 0) and remakes the request with SAS auth
6. DPS validates the SAS token and validates the device in the enrollment list, then responds with an operationId for the long-running registration operation
7. Hub registration: DPS registers the device in the IoT hub and pushes the initial twin state; the device polls with the operationId until the registration completes
8. DPS responds with hub info (device ID + hub URL + encrypted key); the device decrypts the key and stores it in slot 1
9. Device to IoT hub (day-to-day comms): generate a SAS token using the key in slot 1, connect to the IoT hub using that SAS token, receive twin desired properties, send telemetry
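The SAS exchange of steps 5 and 6 above, as an added example in Go (not code from the deck or from the Azure SDKs): the device signs the DPS resource URI `<idScope>/registrations/<registrationId>` with the session key, and the service recomputes the signature with the key it holds for that enrollment, compares in constant time and enforces expiry. The TPM wrapping and unwrapping of the session key is out of scope here, so the key is plain bytes; the ID scope and key in the test are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"strconv"
	"strings"
)

// HMAC-SHA256 over "<URL-encoded resource>\n<expiry>", base64, as in Azure SAS tokens.
func sasSignature(resource string, key []byte, expiry int64) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(resource + "\n" + strconv.FormatInt(expiry, 10)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Device side (step 5): key stands in for the session key the TPM unwrapped into slot 0.
// Resource is "<idScope>/registrations/<registrationId>"; skn is always "registration".
func signSAS(idScope, regID string, key []byte, expiry int64) string {
	res := url.QueryEscape(idScope + "/registrations/" + regID)
	sig := url.QueryEscape(sasSignature(res, key, expiry))
	return "SharedAccessSignature sr=" + res + "&sig=" + sig + "&se=" +
		strconv.FormatInt(expiry, 10) + "&skn=registration"
}

// Service side (step 6, "Validate SAS"): recompute with the key DPS holds for this
// enrollment, compare in constant time, then enforce expiry. nil means accepted.
func validateSAS(token, idScope, regID string, key []byte, now int64) error {
	fields, err := url.ParseQuery(strings.TrimPrefix(token, "SharedAccessSignature "))
	if err != nil {
		return err
	}
	if fields.Get("sr") != idScope+"/registrations/"+regID || fields.Get("skn") != "registration" {
		return errors.New("token is not for this registration")
	}
	// A missing or malformed se parses to 0, which fails the checks below.
	expiry, _ := strconv.ParseInt(fields.Get("se"), 10, 64)
	want := sasSignature(url.QueryEscape(idScope+"/registrations/"+regID), key, expiry)
	if !hmac.Equal([]byte(fields.Get("sig")), []byte(want)) {
		return errors.New("signature mismatch")
	}
	if now >= expiry {
		return errors.New("token expired")
	}
	return nil
}
```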
Slide 28: Manufacture flow for X.509
Sequence diagram with participants Secure Module, Device, Factory, DPS, DPS ID lookup and IoT hub:
1. The factory sends the factory signing cert public key to DPS
2. DPS validates the factory signing certificate: it returns a nonce for validation, the factory signs the signing certificate with the nonce and sends it to validate, and DPS validates the signing certificate
3. Enrollment group creation for the factory: call DPS to create an enrollment group with the factory signing certificate, and DPS pushes the enrollment group to storage
4. Factory provisioning: create the device cert and sign it with the factory signing certificate
Slide 29: Registration flow for X.509
Sequence diagram with participants Device, Factory, DPS, DPS ID lookup and IoT hub:
1. Device authenticates with DPS: the request sends the factory-signed leaf cert
2. DPS gets the enrollment group of the signing cert and validates the device cert against the enrollment group
3. DPS responds with an operationId for the long-running operation
4. Hub registration: DPS registers the device in the IoT hub and pushes the initial twin state; the device polls with the operationId until the registration completes
5. DPS responds with hub info (device ID + hub URL)
6. Device to IoT hub (day-to-day comms): connect to the IoT hub using the X.509 certificate, receive twin desired properties, send device telemetry
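The two certificate checks from the manufacture flow (slide 28) and the registration flow (slide 29), as an added example in Go with only the standard library (not code from the deck or the Azure SDKs): proof that the factory holds the signing CA's private key, and validation of a device leaf against the enrollment group's signing certificate. The slide says the factory "signs with the nonce"; a verification certificate whose CN is the DPS-issued nonce is one concrete form of that and is assumed here, and the factory CA, nonce and registration IDs in the test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a P-256 certificate with the given CN. With parent == nil it is
// self-signed (the factory signing CA); otherwise parent/parentKey sign it.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Manufacture step (slide 28): DPS hands the factory a nonce and accepts the signing
// certificate only if the factory returns a certificate with CN == nonce signed by it.
func proveCAPossession(ca, proof *x509.Certificate, nonce string) bool {
	return proof.Subject.CommonName == nonce && proof.CheckSignatureFrom(ca) == nil
}

// Registration step (slide 29): the leaf must be inside its validity period and signed
// by the enrollment group's CA (CheckSignatureFrom also demands the CA flag and certSign).
func validateLeaf(leaf, groupCA *x509.Certificate, now time.Time) bool {
	return !now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter) &&
		leaf.CheckSignatureFrom(groupCA) == nil
}
```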
Slide 30: Device Identifier Composition Engine (DICE)
Secure by design:
- Use silicon gates to create hardware-based device identities
- Security built into the DNA of the device
- Scalable security framework with minimal hardware requirements for device identification and attestation
- Trust anchor upon which various security solutions for authentication, secure boot, remote attestation, and more can be built
aka.ms/iotdice
Slide 31: Available: Azure IoT Hub Device Provisioning Service
- Simplify with "plug and play" provisioning
- Minimize manual connection requirements
- Enhanced security through HSM
- Removes manual errors
- Global availability
- Available in preview now
Slide 32: Your homework from this session
- Read more about the IoT Hub Device Provisioning Service
- Try the quickstarts and tutorials; an HSM simulator is provided with the SDK
- Check out the other Azure IoT sessions: security, IoT Edge, and more
Slide 33: IoT Sessions @ Ignite
Mon 25th:
- Introduction to Windows IoT (Adi Hariharan, 2:15 - 3:30 PM)
- Overview of how Azure can help with your IoT solution (Sam George, 4 - 5:15 PM)
Tues 26th:
- Microsoft IoT: When you connect your business with IoT, the opportunities are endless (9 - 10:15 AM)
- Cool Devices in Windows IoT (10: :10 AM)
- Zero touch device registration with Azure IoT (Nicole Berdy, 11:30 - 12:15 PM)
- Building Reliable IoT Solutions in the Cloud, Fast (Cory Newton-Smith, 12:30 - 1:45 PM)
- The future of IoT analytics: The Edge complementing the cloud (Santosh Balasubramanian)
Weds 27th:
- Enable Edge Computing with Azure IoT Edge (Olivier Bloch, 9 - 10:15 AM)
- Towards a trustworthy internet of things (Arjmand Samuel)
- Put your time series data to work for your business (OP Ravi, Jason Killeleagh, 3:15 - 4:00 PM)
Thurs 28th:
- Enable IoT Scenarios with Edge Computing
- Get started developing with Azure IoT (Olivier Bloch)
- Tips and tricks to help your IoT solution scale (2 - 2:45 PM)
Slide 34: Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!
Slide 35: Thanks for attending!
Continue the conversation on Twitter: @nberdy #azureiotdps