Proposed Pull Request Change

| ms.topic | ms.date | author | ms.author | ms.service | services |
|---|---|---|---|---|---|
| include | 06/10/2024 | sethmanheim | sethm | azure-iot-edge | iot-edge |

---
ms.topic: include
ms.date: 06/10/2024
author: sethmanheim
ms.author: sethm
ms.service: azure-iot-edge
services: iot-edge
---

## Create a DPS enrollment

Create an enrollment to provision one or more devices through DPS. If you are looking to provision a single IoT Edge device, create an **individual enrollment**. If you need multiple devices provisioned, follow the steps for creating a DPS **group enrollment**.

When you create an enrollment in DPS, you have the opportunity to declare an **initial device twin state**. In the device twin, you can set tags to group devices by any metric you need in your solution, like region, environment, location, or device type. These tags are used to create [automatic deployments](../how-to-deploy-at-scale.md).

For more information about enrollments in the device provisioning service, see [How to manage device enrollments](../../iot-dps/how-to-manage-enrollments.md).

# [Individual enrollment](#tab/individual-enrollment)

### Create a DPS individual enrollment

> [!TIP]
> The steps in this article are for the Azure portal, but you can also create individual enrollments using the Azure CLI. For more information, see [az iot dps enrollment](/cli/azure/iot/dps/enrollment). As part of the CLI command, use the **edge-enabled** flag to specify that the enrollment is for an IoT Edge device.

1. In the [Azure portal](https://portal.azure.com), navigate to your instance of IoT Hub device provisioning service.
1. Under **Settings**, select **Manage enrollments**.
1. Select **Add individual enrollment** then complete the following steps to configure the enrollment:
   1. For **Mechanism**, select **Symmetric Key**.
   1. Provide a unique **Registration ID** for your device.
   1. Optionally, provide an **IoT Hub Device ID** for your device. You can use device IDs to target an individual device for module deployment. If you don't provide a device ID, the registration ID is used.
   1. Select **True** to declare that the enrollment is for an IoT Edge device.
   1. Optionally, add a tag value to the **Initial Device Twin State**. You can use tags to target groups of devices for module deployment. For example:

      ```json
      {
        "tags": {
          "environment": "test"
        },
        "properties": {
          "desired": {}
        }
      }
      ```

   1. Select **Save**.
1. Copy the individual enrollment's **Primary Key** value to use when installing the IoT Edge runtime.

Now that an enrollment exists for this device, the IoT Edge runtime can automatically provision the device during installation.

# [Group enrollment](#tab/group-enrollment)

### Create a DPS group enrollment

> [!TIP]
> The steps in this article are for the Azure portal, but you can also create group enrollments using the Azure CLI. For more information, see [az iot dps enrollment-group](/cli/azure/iot/dps/enrollment-group). As part of the CLI command, use the **edge-enabled** flag to specify that the enrollment is for IoT Edge devices. For a group enrollment, all devices must be IoT Edge devices or none of them can be.

1. In the [Azure portal](https://portal.azure.com), navigate to your instance of IoT Hub device provisioning service.
1. Under **Settings**, select **Manage enrollments**.
1. Select **Add individual enrollment** then complete the following steps to configure the enrollment:
   1. Provide a **Group name**.
   1. Select **Symmetric Key** as the attestation type.
   1. Select **True** to declare that the enrollment is for an IoT Edge device. For a group enrollment, all devices must be IoT Edge devices or none of them can be.
   1. Optionally, add a tag value to the **Initial Device Twin State**. You can use tags to target groups of devices for module deployment. For example:

      ```json
      {
        "tags": {
          "environment": "test"
        },
        "properties": {
          "desired": {}
        }
      }
      ```

   1. Select **Save**.
1. Copy your enrollment group's **Primary Key** value to use when creating device keys for use with a group enrollment.

Now that an enrollment group exists, the IoT Edge runtime can automatically provision devices during installation.

#### Derive a device key

Each device that is provisioned as part of a group enrollment needs a derived device key to perform symmetric key attestation with the enrollment during provisioning.

To generate a device key, use the key that you copied from your DPS enrollment group to compute an [HMAC-SHA256](https://wikipedia.org/wiki/HMAC) of the unique registration ID for the device and convert the result into Base64 format.

> [!IMPORTANT]
> Do not include your enrollment's primary or secondary key in your device code.

On Windows, you can use PowerShell to generate your derived device key as shown in the following example. Replace the value of **KEY** with the **Primary Key** you noted earlier. Replace the value of **REG_ID** with your device's registration ID.

```powershell
$KEY='PASTE_YOUR_ENROLLMENT_KEY_HERE'
$REG_ID='PASTE_YOUR_REGISTRATION_ID_HERE'

# The enrollment key is Base64; decode it to raw bytes before using it as the HMAC key.
$hmacsha256 = New-Object System.Security.Cryptography.HMACSHA256
$hmacsha256.Key = [Convert]::FromBase64String($KEY)

# HMAC-SHA256 over the ASCII registration ID, then Base64-encode the digest.
$sig = $hmacsha256.ComputeHash([Text.Encoding]::ASCII.GetBytes($REG_ID))
$derivedkey = [Convert]::ToBase64String($sig)
echo "`n$derivedkey`n"
```

Below is a sample output of a derived device key:

```powershell
Jsm0lyGpjaVYVP2g3FnmnmG9dI/9qU24wNoykUmermc=
```

---
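The key derivation described above, as an added Python example that is not from the original article or from the IoT Edge project: it implements the same construction as the PowerShell snippet (HMAC-SHA256 keyed with the Base64-decoded enrollment group key, over the ASCII registration ID, Base64-encoded output) and goes one step beyond it by deriving keys for a whole list of registration IDs in one run, so that the enrollment group key only ever exists on the operator's workstation and each device receives nothing but its own derived key. The function names, the constructed sample registration IDs and the use of RFC 4231 HMAC test vectors for verification are my own assumptions, not part of the documentation.

```python
import base64
import hashlib
import hmac


def derive_device_key(enrollment_key_b64: str, registration_id: str) -> str:
    """Derive the device key for one registration ID in a DPS group enrollment.

    The enrollment group key is Base64 text; it is decoded to raw bytes and
    used as the HMAC-SHA256 key over the ASCII registration ID. The digest is
    returned Base64-encoded, matching the format the PowerShell snippet prints.
    """
    if not registration_id:
        raise ValueError("registration ID must not be empty")
    try:
        # validate=True rejects characters outside the Base64 alphabet instead
        # of silently discarding them, which would produce a wrong key.
        key = base64.b64decode(enrollment_key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("enrollment key is not valid Base64") from exc
    digest = hmac.new(key, registration_id.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def derive_device_key_hex(enrollment_key_b64: str, registration_id: str) -> str:
    """Same derivation, returned as hex; convenient for comparing with published HMAC vectors."""
    return base64.b64decode(derive_device_key(enrollment_key_b64, registration_id)).hex()


def derive_fleet_keys(enrollment_key_b64: str, registration_ids) -> dict:
    """Derive one key per registration ID (hypothetical helper for batch provisioning).

    Run this where the enrollment group key is kept; copy only the resulting
    per-device value into each device's IoT Edge configuration.
    """
    return {reg_id: derive_device_key(enrollment_key_b64, reg_id) for reg_id in registration_ids}


if __name__ == "__main__":
    # Constructed sample values: this is RFC 4231 test case 2 ("Jefe" as the key,
    # Base64 "SmVmZQ=="), not a real enrollment group key, and the registration
    # IDs are made up.
    SAMPLE_GROUP_KEY_B64 = "SmVmZQ=="
    sample_registration_ids = ["edge-device-01", "edge-device-02", "edge-device-03"]
    for reg_id, device_key in derive_fleet_keys(SAMPLE_GROUP_KEY_B64, sample_registration_ids).items():
        print(f"{reg_id}: {device_key}")
```

Each derived key is 32 bytes, so the Base64 form is always 44 characters ending in `=`; a value of any other length means the group key was pasted with a copy error or the wrong encoding. Because HMAC is keyed, the derived key for one device does not reveal the group key or any other device's key, which is the reason the group key must stay off the devices.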