Arm Pelion Device Management Release

Enhanced flexibility, security and spectrum of supported device types

Our Pelion IoT Platform is a flexible, secure, and efficient foundation spanning connectivity, device, and data management. It accelerates the time to value of your IoT deployments by helping you easily connect trusted IoT devices on global networks, invisibly administer them, and extract real-time data from them to drive competitive advantage.

Pelion Device Management (formerly Mbed Cloud) is an integral part of the Pelion IoT Platform enabling secure and reliable onboarding, connection, updates, and lifecycle management of different types of connected devices deployed on premises or over cloud.

We are constantly updating and improving Pelion Device Management software putting security and customer feedback at the center of our development efforts.

In the latest version of Pelion Device Management, we are introducing several new features with continued focus on security and support for a wide range of devices, together with numerous enhancements of existing capabilities. This includes:

  • Pelion On Premises, allowing customers to deploy Pelion Device Managements in a customer data center or on private cloud infrastructure
  • Pelion Client Lite, enabling customers to manage constrained devices with limited memory and processing capabilities.
  • Enhanced Device Security, ensuring secure IoT deployments through the ability to generate keys in devices, renew device certificates and attest devices using multi-layer certificate chains.

Unprecedented flexibility and scalability in deployment options - Pelion On Premises

The modern cloud offerings have helped many companies to deploy their products faster, reduce data center costs, move CapEx to OpEx, and provide scalability around the different use cases. However, in a world of data breaches, strict regulations, security and data policies, we are seeing an increasing number of companies requiring the full control of their device management system and processes, in an isolated environment. Pelion On Premises is designed to satisfy these needs.

Pelion On Prem

Pelion On Premises provides identical features and capabilities to Pelion Device Management on a public cloud. This brings significant value to control the overall usage of devices, data, security aspects, and customization of the environment, with the customer-ready integration aspects. The use of commonly used cloud-based technologies, such as Kubernetes, load balancers, firewalls, root certificates/CAs and many others, running physical HW on top of OpenStack is a modern way to deploy software on-premises.

Pelion On Premises provides versatile integration and extension interfaces for external applications, vendors, platforms and solutions. For example, customer’s proprietary software, billing/payment solutions, additional dashboards, portals and administrative consoles can be easily integrated via REST API to Pelion On Premises services.

Pelion On Premises is deployable on physical HW, customer-operated datacenters, independent IaaS services or your main-stream public clouds, such as AWS, Azure or Google Cloud.

In this version Pelion On Premises is released as Limited Availability level and provided as managed services by Arm.

Widening the spectrum of supported devices - Pelion Client Lite

The IoT landscape spans a wide range of connected devices, from very constrained low-cost sensors to more expensive and complex devices.

Pelion IoT Platform provides powerful device management capabilities to handle this diverse landscape by supporting multiple Pelion Client profiles addressing requirements and constraints of a wide range of connected devices.

Customers can now use the Pelion Client Lite profile for ultra constrained devices - specifically, for cost-sensitive devices with limited memory and processing capabilities.

Although constrained, these devices can still communicate using IP protocol. To support the hardware constraints of these devices, Pelion Client Lite employs protocol stacks specifically designed for constrained nodes (such as CoAP over UDP/DTLS).

To minimize requirements for RAM and processing power, Pelion Client Lite profile establishes channel security over UDP using DTLS. To reduce memory footprint even further our Pelion Client Lite utilizes Pre-shared-key (PSK) instead of using public key cryptography.

Pelion Client Lite maintains many of the same benefits as our full Pelion Client, namely support for CoAP over UDP with compact encoding to reduce message size, and remote secure firmware update.

Pelion Client Lite is released at General Availability level and is available to all Pelion Device Management customers.

Enhanced device security

Device-generated keys

Pelion Device Management uses unique pairs of asymmetric keys to authenticate connected devices. There are 2 sets of keys: Bootstrap keys and LwM2M keys. Bootstrap keys are configured at the factory and are used to verify device identity and authenticity when a device first connects to the bootstrap server. LwM2M keys are configured during bootstrap process and are used for device authentication during normal operation.

Pelion Device Management now supports generation of keys in the device resulting in a much higher level of security. When enabled, the device is instructed to generate a new key pair of private and public keys. The public key is exported from the device and is signed by a certificate authority which creates a device certificate. Private keys never leave the device making it much more difficult for an attacker to get access to the key.

Customers can benefit from increased levels of security both when configuring keys at the time of manufacturing using factory provisioning tools, and when connecting devices using Pelion bootstrap service.

This feature is released at General Availability level available to all commercial customers.

Device Certificate Renewal

During normal operation devices are identified by means of LwM2M device certificate issued by Pelion bootstrap server. The certificate can be signed either by Pelion Device Management server or 3rd party certificate authority, such as GlobalSign.

Customers can now instruct Pelion Device Management service to renew device keys and certificate without resetting the device. When a customer application uses device management API to initiate this action, the server initiates certificate renewal handshake with the specified device. The device generates a new pair of asymmetric keys and uses Enrollment over Secure Transport (EST) protocol to deliver its new public key to the server. The server signs the keys engaging external certificate authority if configured to do so and creates a new device certificate that will be used in normal operation of the device.

The same procedure can be used to renew any custom certificates that can be configured in the device.

This feature is released at General Availability level available to all commercial customers.

Certificate chains in device identity

Pelion Device Management identifies and authenticates devices using bootstrap and LwM2M certificates. The certificate is signed by external or internal certificate authority attesting that device is authentic.

Pelion Device Management now supports attesting of devices using chains of certificates. In this case the device certificate is signed by an intermediate certificate authority, who’s certificate is signed by a higher order CA. There can be several levels in the chain with multiple intermediate CA.

Certificate chains are supported for both bootstrap certificates configured in the factory and LwM2M certificates configured during bootstrap process.

This feature is released at General Availability level available to all commercial customers.

Device enrollment enhancements

Assigning the device to the Pelion Device Management owner account is a key capability of IoT device management. Pelion Device Management now allows pre-assigning in advance during the production stage or a First-to-Claim by enrollment assigning the device at later stage. Additionally, in this release our First-to-Claim by enrollment is now enhanced with the ability to enroll devices in bulk.

Please feel free to ask any questions or provide feedback about this release on the forum or contact us at

Important Information for this Arm website

This site uses cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our Cookie Policy to learn how they can be disabled. By disabling cookies, some features of the site will not work.