Abstract: An IoT hub comprising one or more servers and databases is configured to automatically assign Internet of Things (IoT) enabled devices to IoT solutions based on a subnet to which the IoT devices are connected. A user interface is configured to enable a user to define subnets within the customer's network environment and assign each subnet to an IoT solution. Upon the user setting up an IoT device's network connection to a network device, such as a router, the IoT device transmits its network information to the IoT hub. The IoT hub can then automatically assign the IoT device to a specific IoT solution without further user input or predict which IoT solution to utilize for that IoT device based on known parameters.

Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.

Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.

Abstract: A method for an escrow computing service comprises maintaining ownership information for a network-configurable device having a unique digital device identifier, the ownership information indicating ownership of the device by a first online identity of a first owner, the ownership information granting access permission for the network-configurable device. The escrow computing service receives a request to transfer ownership of the network-configurable device to a second online identity of a second owner. The ownership information is updated to indicate ownership of the network-configurable device by the second online identity of the second owner. The escrow computing service receives an indication of a network-accessible device management platform to be used to manage the network-configurable device.

Abstract: Provisioning an on-premise device within an on-premise communications network includes connecting, via a network connection, an on-premise gateway system in the on-premise communications network with an off-premise device provisioning service system in an off-premise communications network. The network connection is disconnected between the on-premise communications network and the off-premise communications network. A discovery request response is received from the on-premise device via the on-premise communications network, while the network connection is disconnected. A provisioning request from the on-premise device is received at the on-premise device provisioning service of the on-premise gateway system via the on-premise communications network, while the network connection is disconnected. An on-premise device provisioning service of the on-premise gateway system provisions the on-premise device based on provisioning records, while the network connection is disconnected.

Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.

Abstract: A method for uniquely authenticating a device provides for receiving a scoping request, allocating a scope ID responsive to the request, and storing one or more device identification credentials in a database. Each device identification credential stored in the database includes the allocated scope ID and a device ID provided within the scoping request. The method further provides for receiving a registration request specifying a device identification credential and authenticating the specified device identification credential by confirming a match between the specified device identification credential and one of the device identification credentials stored in the database. The method further provides for provisioning the device with initial configuration information responsive to the authentication.

Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.

Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.

Abstract: An IoT hub comprising one or more servers and databases is configured to automatically assign Internet of Things (IoT) enabled devices to IoT solutions based on a subnet to which the IoT devices are connected. A user interface is configured to enable a user to define subnets within the customer's network environment and assign each subnet to an IoT solution. Upon the user setting up an IoT device's network connection to a network device, such as a router, the IoT device transmits its network information to the IoT hub. The IoT hub can then automatically assign the IoT device to a specific IoT solution without further user input or predict which IoT solution to utilize for that IoT device based on known parameters.

Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.

Abstract: A method for uniquely authenticating a device provides for receiving a scoping request, allocating a scope ID responsive to the request, and storing one or more device identification credentials in a database. Each device identification credential stored in the database includes the allocated scope ID and a device ID provided within the scoping request. The method further provides for receiving a registration request specifying a device identification credential and authenticating the specified device identification credential by confirming a match between the specified device identification credential and one of the device identification credentials stored in the database. The method further provides for provisioning the device with initial configuration information responsive to the authentication.