Abstract: An IoT hub comprising one or more servers and databases is configured to automatically assign Internet of Things (IoT) enabled devices to IoT solutions based on a subnet to which the IoT devices are connected. A user interface is configured to enable a user to define subnets within the customer's network environment and assign each subnet to an IoT solution. Upon the user setting up an IoT device's network connection to a network device, such as a router, the IoT device transmits its network information to the IoT hub. The IoT hub can then automatically assign the IoT device to a specific IoT solution without further user input or predict which IoT solution to utilize for that IoT device based on known parameters.

Abstract: Managing devices in an IoT environment. A method includes, as a result of a device being provisioned by a special-purpose solution, storing at a central unified registry a correlation of the device and the given special purpose solution. The method further includes correlating the device to a different special-purpose solution at the unified registry. As a result, the method further includes causing subsequent configuration of the device to be performed by the different special-purpose solution.

Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.

Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.

Abstract: Transferring control over a device. A method includes, receiving a first indication, including a first verifiable token, from a first entity that at least a portion of control of a device should be relinquished by the first entity. A second indication is received from the second entity, including a second verifiable token, that the at least a portion of control should be transferred to the second entity. The first token and the second token are verified. As a result of verifying the first token and the second token, the at least a portion of control of the device is transferred from the first entity to the second entity. Transferring the at least a portion of control of the device from the first entity to the second entity includes updating the device with configuration applicable to the second entity.

Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.

Abstract: Examples are disclosed that relate to using a multiplexed transmission to register a telemetry device with a telemetry system and report telemetry data to the telemetry system on behalf of a telemetry device. One disclosed example provides a method comprising receiving a multiplexed transmission from a telemetry device, the multiplexed transmission comprising a registration message and telemetry data, demultiplexing the multiplexed transmission to obtain the registration message and the telemetry data, registering the telemetry device with a telemetry system based upon the registration message, sending the telemetry data to the telemetry system, and sending a registration response to the telemetry device, the registration response confirming registration of the telemetry device with the telemetry system.

Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.

Abstract: Examples are disclosed that relate to using a multiplexed transmission to register a telemetry device with a telemetry system and report telemetry data to the telemetry system on behalf of a telemetry device. One disclosed example provides a method comprising receiving a multiplexed transmission from a telemetry device, the multiplexed transmission comprising a registration message and telemetry data, demultiplexing the multiplexed transmission to obtain the registration message and the telemetry data, registering the telemetry device with a telemetry system based upon the registration message, sending the telemetry data to the telemetry system, and sending a registration response to the telemetry device, the registration response confirming registration of the telemetry device with the telemetry system.

Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.

Abstract: An IoT hub comprising one or more servers and databases is configured to automatically assign Internet of Things (IoT) enabled devices to IoT solutions based on a subnet to which the IoT devices are connected. A user interface is configured to enable a user to define subnets within the customer's network environment and assign each subnet to an IoT solution. Upon the user setting up an IoT device's network connection to a network device, such as a router, the IoT device transmits its network information to the IoT hub. The IoT hub can then automatically assign the IoT device to a specific IoT solution without further user input or predict which IoT solution to utilize for that IoT device based on known parameters.

Abstract: Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.

Abstract: Transferring control over a device. A method includes, receiving a first indication, including a first verifiable token, from a first entity that at least a portion of control of a device should be relinquished by the first entity. A second indication is received from the second entity, including a second verifiable token, that the at least a portion of control should be transferred to the second entity. The first token and the second token are verified. As a result of verifying the first token and the second token, the at least a portion of control of the device is transferred from the first entity to the second entity. Transferring the at least a portion of control of the device from the first entity to the second entity includes updating the device with configuration applicable to the second entity.

Abstract: Managing devices in an IoT environment. A method includes, as a result of a device being provisioned by a special-purpose solution, storing at a central unified registry a correlation of the device and the given special purpose solution. The method further includes correlating the device to a different special-purpose solution at the unified registry. As a result, the method further includes causing subsequent configuration of the device to be performed by the different special-purpose solution.