Skip to content

Provisioning Service

The Provisioning Service allows you to provision your Nordic Semiconductor devices in a secure way to nRF Cloud, your own cloud, or another service.

Using the Provisioning Service, you can claim a device as your own. Once you have claimed this device, only authorized members of your team can change its configuration or securely provision it.

Note

The Provisioning Service is in beta and under continuing development.

Secure provisioning

Secure provisioning allows you to claim a device as your own and do some parts of the provisioning process remotely. It allows you to define a device's provisioning configuration, control who within your team can provision the device, and block or unclaim the device.

Note

Secure provisioning is separate from cloud provisioning, which onboards the device to nRF Cloud services. The Secure Provisioning service can be used to onboard a device to any cloud service, including nRF Cloud.

Process

The follow diagram shows the identity and secure provisioning process:

Identity and provisioning process overview

The process to claim devices and configure them for provisioning is as follows:

  1. (Optional) Create a provisioning group if you want to organize your claimed devices.
  2. Claim your device or devices as a single or bulk operation.
  3. Add a provisioning configuration for each claimed device.
  4. Monitor the device's progress during secure provisioning and address any errors.

Requirements

To use the Provisioning Service, you need the following:

  • An nRF Cloud account.
  • nRF9161 device v0.10.0 or later. Contact Support to ask about compatibility with the nRF9160.
  • Modem firmware v2.0.0 or later.

Claimed devices

To claim a device, you must provide a claim token. You can get a claim token by fetching an identity attestation token through the Identity Service.

Claiming a device means that only you and select users on your team can define the device's provisioning configuration, and later securely provision it.

Access

Access

The Provisioning Service is available to Editor, Admin, and Owner roles.

All users on a team may claim devices. Admins and owners can view and edit configurations for devices claimed by editors.

Devices claimed by an admin or owner are not visible to editors.

Provisioning groups

Provisioning groups work the same as other device groups, but are specific to the Provisioning Service. You can use them to organize your claimed devices for secure provisioning. When you claim your devices, you can optionally include a provisioning group.

Provisioning groups are separate from other device groups in nRF Cloud.

Provisioning configuration

A claimed device can have a provisioning configuration, which is a sequence of commands to execute upon provisioning. These commands define which types of tokens and other authorization mechanisms the device generates and uses to connect to the service.

With a provisioning configuration in place, the device executes the commands when it attempts to connect to the Provisioning Service. The device executes commands according to its configuration until there is an error or all commands are executed. If the device encounters an error, you must decide whether to attempt the command again, ignore the error, or change the provisioning configuration.

You can define the provisioning configuration through the nRF Cloud portal or APIs.

Blocking and unblocking devices

You can block or unblock a claimed device. This does not delete the device or forfeit your device claim, but prevents the device from receiving additional commands in its provisioning configuration.

If the device is running commands in its configuration at the time of blocking, it will report the results of those commands when they finish executing. Commands already received by the device will continue to run.

Unblocking a claimed device allows it to process commands in its provisioning configuration again. Any pending commands in the configuration run the next time the device connects to the service.

See next

See more on how to securely provision Nordic Semiconductor devices: