Pelion Device Management: August 2020 Release
During the summer of 2020, despite the challenges of adapting to a new world of working remotely, the Pelion Device Management engineering teams have been steadily building a number of features that enhance our products.
In general, these features have been focused on handling particular real-world challenges – including device production, network connectivity, robustness and end to end security – which some of our customers face when they take their IoT deployments from the whiteboard, and start to deploy them into the field.
These real-world challenges run throughout the IoT lifecycle, and what we find is that each customer has a unique environment, a unique challenge, and a unique solution that they require. As a result, we have built a number of features that span the full lifecycle and can be used to fit their unique needs.
Key features in each of those areas are highlighted below, but for more in-depth descriptions and additional features that have been delivered, please see the Release Notes.
At the Factory: Production and Deployment
Features that enable our customers to manage the production of devices at subcontractor factories include:
The Pelion Edge Provisioning Tool is designed to help automate the customer's factory flow. It enables certificates to be injected into the device from the gateway, rather than from the Factory Configuration Utility. It also enables the enrolment IDs of all the dispatched gateways to be collated and saved into a log file, which can then be used later on to complete the first-to-claim process.
Factory Production Audit Service is part of the Secure Provisioning Workstation feature (available to selected customers). The service captures statistics on how many devices are provisioned, and the provisioning time for each device in the production line. A Factory production manager can then use the Pelion Device Management Portal to fetch the statistics, display them in a table for a specific time period, and match them with those from the device manufacturer’s production report.
Over the Air: Constrained Networks
Features that unlock the potential of managing devices and gateways over constrained networks in different use cases, addressing specific issues with limited bandwidth and high latency mesh networks include:
Wi-SUN Synchronized Multicast Firmware Update enables a firmware image to be broadcast to all devices, such that one copy of the data is passed across the nodes of the network in turn, enabling improved performance in a constrained mesh network. Once the firmware has been received and passed on by each node in the mesh, the entire network can be rebooted in a synchronized manner, reducing network downtime which would otherwise be prolonged by multiple reboots.
Wi-SUN FAN protocol stacks support up to 5000 routers, and the reliability and recovery of devices within the network have been enhanced. The reconnection timer seed can now be configured to match network characteristics, and client recovery behavior can be optimized based on expected network performance (this feature will be available in the next release of Pelion Device Management Client).
Optimized data usage of the kubelet/KaaS control plane enables data usage to be measured and optimized, helping to limit cellular data costs when connecting to gateways using Pelion Device Management Edge. This also means that deployments can tolerate device down-time with less impact to the overall service.
In the Field: Updates
A number of additions to the capabilities of firmware updates will prove to be extremely useful in environments with unreliable power and many Edge gateways, including:
Component Update enables an IT operator to independently update not only the main component of the device (main MCU) but also any additional modules on the same device. Firmware update campaigns can be configured in order to ensure that a sequence of updates is performed to the relevant components in a class of devices in the correct order, respecting dependencies between the firmware images on each component.
Resume Firmware Update allows constrained devices to resume a firmware update operation in the case where the download is interrupted for some reason, such as a failure in connectivity or a loss of power. This feature is critical for example in the case of consumer device IoT deployments where power may be disconnected by the user at any time, ensuring that each device can complete the process.
Defer Firmware Update enables the firmware installation to be deferred to a later time. The device firmware application must respond to the firmware update initiation in order to invoke the defer API when required. The firmware update campaign will retry the update at a later time, providing convenience and control to the devices' end users, or enabling the device to wait until it has sufficient battery power to complete the update.
Managed Updates for Edge Gateways are supported by Pelion Device Management Edge running on Ubuntu Core, which provides additional information and controls to enable the Snap installation process to be managed using firmware update campaigns. Channels for each package will be established to make a number of versions of a given package available. Pelion Edge reports the software inventory version number to the service as an attribute to ensure that the correct update is applied based on the current version of the installation. This feature is available to selected customers.
Under the Hood: Robustness and Security
A number of new features take core products such as Pelion Device Management Edge gateways and enable them to address specific requirements around robustness and security, including:
TPM based Security for Edge Gateways has been enabled through support for PARSEC (Platform AbstRaction for SECurity), an open-source project which provides a common API for hardware security and cryptographic services (access to the Trusted Platform Module) in a platform-agnostic way. By enabling support for the PARSEC API, the availability of drivers through third party providers will be significantly increased. Arbitration by the microservice enables multiple applications to use the security capabilities of the device, while ensuring that the secrets for each application are isolated.
Application Access Keys have been enabled for Pelion Device Management REST APIs, replacing the previous Bearer token (referred to as an “API Key”) approach. Developers can now create separate “application” objects using the Portal interface, which correspond to their middleware applications. Each of these applications can be configured with a number of separate access keys, each with their own expiry times.
Cypress PSoC 64 chipset will be supported by the next release of Pelion Device Management Client, enabling end to end Arm Platform Security Architecture (PSA) support with a PSA-capable MCU, Mbed OS and Pelion Device Management Client. The platform is a dual-core MCU with Arm Cortex-M4 and Arm Cortex-M0+ cores, and the solution enables a high level of security by utilizing the Trusted Firmware Module (TF-M).
For more information, and a complete list of features, please see the Release Notes.