How to set up a device to automatically connect to mDash without using the mos tool

Hello.

Is it possible to do automatic authentication from mOS to mDash without copying the token one by one and assigning it in mos.yml?

I ask because I have a lot of devices and manual configuration might be very difficult.

Can this be done with my Enterprise License, so that a device token is no longer needed?

Yes, this is possible. We have automatic device registration for our fleet and it works well. We are on a paid plan.

You’ll want to engage with Cesanta directly on this topic so they can discuss the implementation details with you.

-AD

Really? Can you tell me how? This is very painful to build and flash one by one if we have a local software update.
What I do know is that it will work for OTA only.

Please contact support@cesanta.com and they can discuss this in more detail with you.

-AD

Can anyone elaborate on this a little more?
Is there a standard pattern being used here or is it a custom roll your own per use case?

I understand the specifics might need to be discussed with Cesanta but it would be great to get an idea of the requirements/complexity before diving in.

As noted earlier, mDash does support an “auto-registration” feature. We’ve been using it on our fleet for well over a year now and it works very well.

A special key is provisioned in flash at the time of manufacture which triggers an auto-registration sequence when the device first connects to mDash.

All of the hard work is done on the backend, so as the fleet owner it’s very easy to implement for high-volume manufacturing. I will need to defer to Cesanta on the implementation specifics.

-AD

Wow that sounds great. I’ve often wondered how we would manage keys with offshore manufacture.

If I’m understanding correctly, a single firmware is built that includes this special provisioning key, and on first connection to mDash with the special provisioning key, the mDash backend automatically adds another entry to my device list.

Can someone from Cesanta please tell me:

  • at what license level this feature can be enabled?
  • does this functionality add cost to the licensing model?

@Autodog I’d really appreciate any feedback you have on doing this securely.
I’m imagining some kind of key rotation or a maximum number of devices provisioned with one key, or something similar. I’d think that this could be dangerous otherwise; anyone with a copy of the firmware could provision themselves more devices.

@klimbot - Yes, your understanding of the procedure is correct. Once a new device connects the special provisioning key is replaced with a key unique to the device.

As for security, yes you need to protect your special manufacturing image - but I will defer to Cesanta on the finer points here.

-AD

@Autodog can you tell me at which part of the process the public key gets pushed to the device? Is it during flashing, or does the magic mDash provisioning process take care of it?

Based on our conversations on other threads, it sounds like the device already has its unique public key before the provisioning starts.

I imagine you could probably generate the public key on the device itself on boot using some deterministic process to avoid duplicate registrations, but then

@klimbot

As noted above, if you use the magic auto-registration method you must first flash your device with a special provision key that is unique to you (the fleet owner) but is not unique per device. In fact, it is identical (by design) on all of your devices after they come off the factory line.

Once you have WiFi credentials configured and the device can connect to the web, a POST to the mDash /customer endpoint must be made with this special provisioning key.

Once this happens, then mDash automagically replaces this special key with a unique pub key on the device and in your customer object. This pub key will be associated with your device from that point forward.

I may not have this 100% accurate (as it’s not publicly documented), but you should get the gist.

Hope this helps,
-AD
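To make the flow described in this thread concrete, here is an added simulation of a fleet auto-registration exchange. It is not mDash's code or API (the thread notes the real mechanism is not publicly documented): the `Backend`, `Device`, `post_customer` call, per-key quota, revocation and token rotation are all assumptions chosen to show the controls klimbot asked about. Both sides of the exchange run in-process, so the example works offline with the constructed fleet below.

```python
"""Simulation of fleet auto-registration: a shared per-fleet provisioning key,
burned into every unit at the factory, is exchanged on first connection for a
per-device credential. Everything here (Backend, Device, the post_customer
stand-in, quota, revocation and rotation) is a hypothetical sketch, not mDash."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class FleetKey:
    fleet: str
    quota: int            # max devices this provisioning key may register
    used: int = 0
    revoked: bool = False


@dataclass
class Backend:
    """Hypothetical fleet backend: per-fleet provisioning keys plus the
    per-device tokens it has issued."""
    fleet_keys: dict = field(default_factory=dict)  # prov key -> FleetKey
    devices: dict = field(default_factory=dict)     # device id -> (fleet, token)

    def issue_provisioning_key(self, fleet: str, quota: int) -> str:
        key = "prov-" + secrets.token_hex(16)
        self.fleet_keys[key] = FleetKey(fleet, quota)
        return key

    def revoke_provisioning_key(self, key: str) -> None:
        # Limits the blast radius of a leaked factory image: new units can no
        # longer register, but already-provisioned devices keep working.
        if key in self.fleet_keys:
            self.fleet_keys[key].revoked = True

    def post_customer(self, provisioning_key: str, device_id: str) -> dict:
        """Stand-in for the first-connection POST: trades the shared key for a
        unique device token. Returns a JSON-like dict."""
        fk = self.fleet_keys.get(provisioning_key)
        if fk is None or fk.revoked:
            return {"ok": False, "error": "unknown or revoked provisioning key"}
        if device_id not in self.devices:
            if fk.used >= fk.quota:
                return {"ok": False, "error": "provisioning quota exhausted"}
            fk.used += 1
        # A device id already on file (e.g. the unit rebooted before persisting
        # its token) gets a fresh token and the old one is invalidated; this
        # never creates a duplicate entry and never consumes extra quota.
        token = secrets.token_hex(32)
        self.devices[device_id] = (fk.fleet, token)
        return {"ok": True, "fleet": fk.fleet, "device_token": token}

    def authenticate(self, device_id: str, token: str) -> bool:
        """Normal (post-provisioning) connection: per-device token only."""
        rec = self.devices.get(device_id)
        return rec is not None and hmac.compare_digest(rec[1], token)


@dataclass
class Device:
    """Hypothetical unit. `flash` is its persistent config; the factory image
    carries only the fleet-wide provisioning key."""
    device_id: str
    flash: dict

    def connect(self, backend: Backend) -> bool:
        if "device_token" not in self.flash:
            resp = backend.post_customer(self.flash["provisioning_key"], self.device_id)
            if not resp["ok"]:
                return False
            # Persist the per-device credential and drop the shared key so the
            # unit no longer carries the fleet-wide secret.
            self.flash["device_token"] = resp["device_token"]
            self.flash.pop("provisioning_key", None)
        return backend.authenticate(self.device_id, self.flash["device_token"])


def factory_image(provisioning_key: str) -> dict:
    """Constructed stand-in for the config every unit ships with."""
    return {"provisioning_key": provisioning_key}


def run_demo() -> dict:
    """Provision a constructed fleet of three units against a quota of two,
    then revoke the key and check old and new units."""
    backend = Backend()
    key = backend.issue_provisioning_key("acme-sensors", quota=2)
    d1 = Device("esp32-0001", factory_image(key))
    d2 = Device("esp32-0002", factory_image(key))
    d3 = Device("esp32-0003", factory_image(key))
    results = {
        "d1_first": d1.connect(backend),
        "d2_first": d2.connect(backend),
        "d3_over_quota": d3.connect(backend),
        "d1_still_has_prov_key": "provisioning_key" in d1.flash,
        "d1_reconnect": d1.connect(backend),
    }
    backend.revoke_provisioning_key(key)
    d4 = Device("esp32-0004", factory_image(key))
    results["d4_after_revoke"] = d4.connect(backend)
    results["d1_after_revoke"] = d1.connect(backend)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two controls worth copying are the per-key quota (a leaked factory image can enrol at most `quota` units) and revocation (registration stops, provisioned devices keep their per-device tokens). The provisioning key is still a bearer secret, so a party holding it together with a known device id can rotate that device's token out from under it; that is the reason the thread stresses protecting the manufacturing image.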
