Skip to content

Device onboarding to nRF Cloud

This page explains the different methods of device onboarding, meaning connecting a device to nRF Cloud and registering its device certificate. This allows the device to use the nRF Cloud MQTT APIs through the IoT broker, or to connect to nRF Cloud through CoAP. As such, onboarding applies only to IP devices.

Note

The process of connecting a device to nRF Cloud is referred to here as onboarding to separate it from secure provisioning through nRF Cloud Security Services. The APIs, portal, and some scripts may refer to the entire process as provisioning.

For nRF91x1 devices, you can auto-onboard a device when you claim it. For other devices, including the nRF9160, you can onboard to nRF Cloud using one of two provisioning methods, preconnect and Just-in-Time provisioning (JITP).

Auto-onboarding

For nRF91x1 devices that are compatible with nRF Cloud Security Services, you can choose to auto-onboard individual devices during the claiming process. This means that the necessary credentials are provisioned to the device remotely, and you do not need to manually onboard each device to nRF Cloud as a separate step.

Auto-onboarding uses the secure identity of a device and the Provisioning Service to create a separate cloud access key on the device. Auto-onboarding during device claiming is currently supported for individual claimed devices in the nRF Cloud portal.

To claim and onboard multiple devices, you can create a provisioning rule first that includes a cloudAccessKeyGeneration command, then bulk claim devices either through the nRF Cloud portal or APIs. Add these devices to a provisioning group targeted by the provisioning rule.

See the guide to claiming devices.

Preconnect provisioning

One way to onboard devices on nRF Cloud is using the ProvisionDevices endpoint. This onboards your devices in bulk and adds them to your account before they connect for the first time.

Device certificates are created using your own CA certificate. See Securely generating credentials for nRF91 Series devices for more information on creating and injecting device certificates.

Just-in-Time provisioning

Using JITP, a device is onboarded when it first tries to connect to the IoT broker and presents its device certificate. Before the first communication, the device is not known to the broker and is not stored in the fleet registry.

The JITP process requires that device certificates are created using a Nordic Semiconductor CA certificate managed in the cloud. You can obtain a JITP device certificate using the CreateDeviceCertificate endpoint.

nRF91 Series devices are onboarded through JITP if you use the preprogrammed certificate on the device as shipped. You can also generate and inject new device certificates. See Securely generating credentials for nRF91 Series devices for more information.

The disadvantage of JITP is that it can be resource intensive and time consuming, taking up to thirty seconds after it makes its first connection. You must also explicitly add a JITP device to your account after onboarding, proving ownership (the right to claim) with a hardware ID or PIN. For Nordic Semiconductor products, this is provided on the product label. When using a JITP certificate for a custom device, you must choose and provide an ownership code.