Patents by Inventor Rajeev Mandayam Vokkarne

Rajeev Mandayam Vokkarne has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11843600
    Abstract: An IoT hub comprising one or more servers and databases is configured to automatically assign Internet of Things (IoT) enabled devices to IoT solutions based on a subnet to which the IoT devices are connected. A user interface is configured to enable a user to define subnets within the customer's network environment and assign each subnet to an IoT solution. Upon the user setting up an IoT device's network connection to a network device, such as a router, the IoT device transmits its network information to the IoT hub. The IoT hub can then automatically assign the IoT device to a specific IoT solution without further user input or predict which IoT solution to utilize for that IoT device based on known parameters.
    Type: Grant
    Filed: November 5, 2018
    Date of Patent: December 12, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nicole Elaine Berdy, Jelani Zukar Brandon, Timothy James Larden, Alexander I. Tolpin, SachinKumar Chandramohan, Tamer Awad, Mounica Arroju, Rajeev Mandayam Vokkarne, Puneet Gupta
  • Patent number: 11496356
    Abstract: Managing devices in an IoT environment. A method includes, as a result of a device being provisioned by a special-purpose solution, storing at a central unified registry a correlation of the device and the given special-purpose solution. The method further includes correlating the device to a different special-purpose solution at the unified registry. As a result, the method further includes causing subsequent configuration of the device to be performed by the different special-purpose solution.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: November 8, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alexander I. Tolpin, Tamer Awad, Timothy James Larden, Puneet Gupta, Rajeev Mandayam Vokkarne, Jelani Z. Brandon, SachinKumar ChandraMohan, Mounica Arroju, Nicole Berdy
  • Publication number: 20220263712
    Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
    Type: Application
    Filed: April 25, 2022
    Publication date: August 18, 2022
    Inventors: Mounica ARROJU, Alexander I. TOLPIN, Nicole Elaine BERDY, Anush Prabhu RAMACHANDRAN, Timothy James LARDEN, Mengxi CHI, Mahesh Sham ROHERA, Rajeev Mandayam VOKKARNE
  • Patent number: 11392702
    Abstract: Described herein is a device (e.g., IoT device) having bootstrap code that communicates with a secure global registry (e.g., private distributed shared blockchain database). The bootstrap code of the device uses a globally unique device identifier of the device to the secure global registry. The bootstrap code receives information from the secure global registry which the bootstrap code uses to obtain information to connect to a cloud-based endpoint. The bootstrap code can download an appropriate software development kit (SDK) associated with the particular cloud based, at least in part, upon the received information. The device can be registered in the secure global registry by creating a globally unique identifier for the device. An initial entry can be created in the secure global registry comprising the globally unique identifier, with the secure global registry storing current cloud-based endpoint information, if any, for the device.
    Type: Grant
    Filed: March 17, 2019
    Date of Patent: July 19, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Balendran Mugundan, Affan Arshad Dar, Anush Prabhu Ramachandran, Raimundo Robledo Pontes Filho, Rajeev Mandayam Vokkarne
  • Patent number: 11381404
    Abstract: An existing Simple Authentication and Security Layer (SASL) framework is modified to overcome message size limitations by implementing a control byte that enables segmentation of SASL messages. In implementations in which client computing devices utilize a trusted platform module (TPM) for enhanced security, the client computing device can transmit multiple public keys and other information to a provisioning service during an attestation process. This information can be segmented across multiple messages while leveraging the SASL framework. A control byte may be utilized in each message and define attributes about the respective messages, such as whether a current message is an interim or final message segment. Likewise, the provisioning service can divide a challenge key into multiple segments and include a control byte for each segment. The control byte within segmented messages enables utilization of the TPM public keys and thereby can leverage the heightened security provided by the TPM.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: July 5, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rajeev Mandayam Vokkarne, Jelani Zukar Brandon, Simon Porter
  • Patent number: 11343139
    Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
    Type: Grant
    Filed: March 23, 2020
    Date of Patent: May 24, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mounica Arroju, Alexander I. Tolpin, Nicole Elaine Berdy, Anush Prabhu Ramachandran, Timothy James Larden, Mengxi Chi, Mahesh Sham Rohera, Rajeev Mandayam Vokkarne
  • Patent number: 11201923
    Abstract: Transferring control over a device. A method includes receiving a first indication, including a first verifiable token, from a first entity that at least a portion of control of a device should be relinquished by the first entity. A second indication is received from the second entity, including a second verifiable token, that the at least a portion of control should be transferred to the second entity. The first token and the second token are verified. As a result of verifying the first token and the second token, the at least a portion of control of the device is transferred from the first entity to the second entity. Transferring the at least a portion of control of the device from the first entity to the second entity includes updating the device with configuration applicable to the second entity.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: December 14, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alexander I. Tolpin, Rajeev Mandayam Vokkarne, Puneet Gupta, Timothy James Larden, Jelani Z. Brandon, SachinKumar ChandraMohan, Mounica Arroju, Tamer Awad, Nicole Berdy
  • Publication number: 20210328865
    Abstract: Provisioning an on-premise device within an on-premise communications network includes connecting, via a network connection, an on-premise gateway system in the on-premise communications network with an off-premise device provisioning service system in an off-premise communications network. The network connection is disconnected between the on-premise communications network and the off-premise communications network. A discovery request response is received from the on-premise device via the on-premise communications network, while the network connection is disconnected. A provisioning request from the on-premise device is received at the on-premise device provisioning service of the on-premise gateway system via the on-premise communications network, while the network connection is disconnected. An on-premise device provisioning service of the on-premise gateway system provisions the on-premise device based on provisioning records, while the network connection is disconnected.
    Type: Application
    Filed: April 20, 2020
    Publication date: October 21, 2021
    Inventors: Morgan Westlee LUNT, Alexander I. TOLPIN, Mengxi CHI, Balendran MUGUNDAN, Rajeev Mandayam VOKKARNE, Nikhil VITHLANI, Nicole Elaine BERDY, Mahesh Sham ROHERA
  • Publication number: 20210297311
    Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
    Type: Application
    Filed: March 23, 2020
    Publication date: September 23, 2021
    Inventors: Mounica ARROJU, Alexander I. TOLPIN, Nicole Elaine BERDY, Anush Prabhu RAMACHANDRAN, Timothy James LARDEN, Mengxi CHI, Mahesh Sham ROHERA, Rajeev Mandayam VOKKARNE
  • Patent number: 11070421
    Abstract: Examples are disclosed that relate to using a multiplexed transmission to register a telemetry device with a telemetry system and report telemetry data to the telemetry system on behalf of a telemetry device. One disclosed example provides a method comprising receiving a multiplexed transmission from a telemetry device, the multiplexed transmission comprising a registration message and telemetry data, demultiplexing the multiplexed transmission to obtain the registration message and the telemetry data, registering the telemetry device with a telemetry system based upon the registration message, sending the telemetry data to the telemetry system, and sending a registration response to the telemetry device, the registration response confirming registration of the telemetry device with the telemetry system.
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: July 20, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nicole E. Berdy, Alexander I. Tolpin, Tamer A. Awad, Rajeev Mandayam Vokkarne, Puneet Gupta, Timothy James Larden, Mounica Arroju, Jelani Z. Brandon, SachinKumar Chandramohan
  • Patent number: 11026093
    Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: June 1, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nicole Elaine Berdy, Alexander Tolpin, Tamer Awad, Rajeev Mandayam Vokkarne, Puneet Gupta, Timothy James Larden, Jelani Z. Brandon, SachinKumar Chandramohan, Mounica Arroju
  • Publication number: 20200304367
    Abstract: Examples are disclosed that relate to using a multiplexed transmission to register a telemetry device with a telemetry system and report telemetry data to the telemetry system on behalf of a telemetry device. One disclosed example provides a method comprising receiving a multiplexed transmission from a telemetry device, the multiplexed transmission comprising a registration message and telemetry data, demultiplexing the multiplexed transmission to obtain the registration message and the telemetry data, registering the telemetry device with a telemetry system based upon the registration message, sending the telemetry data to the telemetry system, and sending a registration response to the telemetry device, the registration response confirming registration of the telemetry device with the telemetry system.
    Type: Application
    Filed: March 19, 2019
    Publication date: September 24, 2020
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Nicole E. BERDY, Alexander I. TOLPIN, Tamer A. AWAD, Rajeev Mandayam VOKKARNE, Puneet GUPTA, Timothy James LARDEN, Mounica ARROJU, Jelani Z. BRANDON, SachinKumar CHANDRAMOHAN
  • Publication number: 20200293663
    Abstract: Described herein is a device (e.g., IoT device) having bootstrap code that communicates with a secure global registry (e.g., private distributed shared blockchain database). The bootstrap code of the device uses a globally unique device identifier of the device to the secure global registry. The bootstrap code receives information from the secure global registry which the bootstrap code uses to obtain information to connect to a cloud-based endpoint. The bootstrap code can download an appropriate software development kit (SDK) associated with the particular cloud based, at least in part, upon the received information. The device can be registered in the secure global registry by creating a globally unique identifier for the device. An initial entry can be created in the secure global registry comprising the globally unique identifier, with the secure global registry storing current cloud-based endpoint information, if any, for the device.
    Type: Application
    Filed: March 17, 2019
    Publication date: September 17, 2020
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Balendran Mugundan, Affan Arshad Dar, Anush Prabhu Ramachandran, Raimundo Robledo Pontes Filho, Rajeev Mandayam Vokkarne
  • Publication number: 20200213841
    Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.
    Type: Application
    Filed: February 13, 2020
    Publication date: July 2, 2020
    Inventors: Nicole Elaine BERDY, Alexander TOLPIN, Tamer AWAD, Rajeev Mandayam VOKKARNE, Puneet GUPTA, Timothy James LARDEN, Jelani Z. BRANDON, SachinKumar CHANDRAMOHAN, Mounica ARROJU
  • Publication number: 20200153642
    Abstract: An existing Simple Authentication and Security Layer (SASL) framework is modified to overcome message size limitations by implementing a control byte that enables segmentation of SASL messages. In implementations in which client computing devices utilize a trusted platform module (TPM) for enhanced security, the client computing device can transmit multiple public keys and other information to a provisioning service during an attestation process. This information can be segmented across multiple messages while leveraging the SASL framework. A control byte may be utilized in each message and define attributes about the respective messages, such as whether a current message is an interim or final message segment. Likewise, the provisioning service can divide a challenge key into multiple segments and include a control byte for each segment. The control byte within segmented messages enables utilization of the TPM public keys and thereby can leverage the heightened security provided by the TPM.
    Type: Application
    Filed: November 9, 2018
    Publication date: May 14, 2020
    Inventors: Rajeev Mandayam VOKKARNE, Jelani Zukar BRANDON, Simon PORTER
  • Publication number: 20200145415
    Abstract: An IoT hub comprising one or more servers and databases is configured to automatically assign Internet of Things (IoT) enabled devices to IoT solutions based on a subnet to which the IoT devices are connected. A user interface is configured to enable a user to define subnets within the customer's network environment and assign each subnet to an IoT solution. Upon the user setting up an IoT device's network connection to a network device, such as a router, the IoT device transmits its network information to the IoT hub. The IoT hub can then automatically assign the IoT device to a specific IoT solution without further user input or predict which IoT solution to utilize for that IoT device based on known parameters.
    Type: Application
    Filed: November 5, 2018
    Publication date: May 7, 2020
    Inventors: Nicole Elaine BERDY, Jelani Zukar BRANDON, Timothy James LARDEN, Alexander I. TOLPIN, SachinKumar CHANDRAMOHAN, Tamer AWAD, Mounica ARROJU, Rajeev Mandayam VOKKARNE, Puneet GUPTA
  • Patent number: 10602353
    Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.
    Type: Grant
    Filed: December 31, 2018
    Date of Patent: March 24, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nicole Elaine Berdy, Alexander Tolpin, Tamer Awad, Rajeev Mandayam Vokkarne, Puneet Gupta, Timothy James Larden, Jelani Z. Brandon, SachinKumar Chandramohan, Mounica Arroju
  • Publication number: 20200052962
    Abstract: Managing devices in an IoT environment. A method includes, as a result of a device being provisioned by a special-purpose solution, storing at a central unified registry a correlation of the device and the given special-purpose solution. The method further includes correlating the device to a different special-purpose solution at the unified registry. As a result, the method further includes causing subsequent configuration of the device to be performed by the different special-purpose solution.
    Type: Application
    Filed: August 13, 2018
    Publication date: February 13, 2020
    Inventors: Alexander I. Tolpin, Tamer Awad, Timothy James Larden, Puneet Gupta, Rajeev Mandayam Vokkarne, Jelani Z. Brandon, SachinKumar ChandraMohan, Mounica Arroju, Nicole Berdy
  • Publication number: 20200053156
    Abstract: Transferring control over a device. A method includes receiving a first indication, including a first verifiable token, from a first entity that at least a portion of control of a device should be relinquished by the first entity. A second indication is received from the second entity, including a second verifiable token, that the at least a portion of control should be transferred to the second entity. The first token and the second token are verified. As a result of verifying the first token and the second token, the at least a portion of control of the device is transferred from the first entity to the second entity. Transferring the at least a portion of control of the device from the first entity to the second entity includes updating the device with configuration applicable to the second entity.
    Type: Application
    Filed: August 13, 2018
    Publication date: February 13, 2020
    Inventors: Alexander I. Tolpin, Rajeev Mandayam Vokkarne, Puneet Gupta, Timothy James Larden, Jelani Z. Brandon, SachinKumar ChandraMohan, Mounica Arroju, Tamer Awad, Nicole Berdy