Managing Device Access to the ENF


Zero Touch Provisioning allows the ENF to automatically and securely provision new devices. This guide describes how to manage and provision devices that use Xaptum’s zero-touch provisioning protocol, XTT.



A TPM (Trusted Platform Module) is a secure cryptography microprocessor that contains unique, secure credentials. The secure nature of the TPM allows the authentication of what would otherwise be an untrusted device.

In order to connect to the ENF, each device must contain a TPM. The IoT device may be designed and manufactured with an onboard TPM or it may make use of an expansion card such as an access card or router card that contains a TPM chip.


Devices are provisioned in batches of various sizes depending on individual need. These groups can be managed as a block.

Provisioning can be done in two ways:

  • By ordering router/access cards from Xaptum, who does the provisioning. Xaptum can provision cards in any group size required by the customer.
  • By the customer, who would provision their own, built-in TPMs.


Direct Anonymous Attestation (DAA) is the method by which the ENF remotely authenticates a device as a trusted computer.

DAA is made possible by the TPM, which supports and stores the secure DAA credentials.

Device Provisioning Overview

When a new group of devices/TPMs is created (either in the router cards, access cards, or pre-integrated into the devices), they are provisioned with DAA credentials that prove membership in the group. On first boot, the devices will use those credentials to prove validity to the ENF, and the ENF will assign an identity (IPv6 address) to the device. For the ENF to know the address ranges to assign, the network administrator must tell the ENF which /64 network to use for that group of devices.


  • enfcli needs to be installed. For help, see the Getting Started Tutorial.
  • User has a DOMAIN_ADMIN account.
  • Commands are issued from enfcli
    > enfcli --host <client-domain> --user <admin@account>

Create a Network

When devices are provisioned, they are assigned to a /64 network. If needed, create a new /64 network following the instructions in the How To Create a New Network article for guidance.

Assign a Default Network

The default network is the network to which a device will be assigned during the initial handshake. Once the device is assigned an IPv6 address, its identity and network cannot change.

The group ID can be entered directly into the enfcli command, or, with the aid of a barcode reader, can be scanned from the label provided when the router cards were shipped.

  1. List Current Groups
    > iam list-groups
    | DAA Group | Base Name | Provisioned | Onboarded | Default Network | Domain |
    0 rows in set
  2. List Available Networks
    > network list-networks
    | Name     | Cidr                  | Description             | Status |
    | scranton | fd00:8f80:81c0::/64   | Scranton, PA office     | ACTIVE |
    | akron    | fd00:8f80:81c0:1::/64 | Akron, OH branch office | ACTIVE |
  3. Assign Default Network
    This can be accomplished by either:

    1. Using Group ID
      > iam set-group-default-network --network=fd00:8f80:81c0::/64 --gid=8D5131E49A2BE9CA639035E3A2B9BACBDC003A328D0E3BBFB300D605E975BCFB
      Set fd00:8f80:81c0::/64 as default network for group 8D5131E49A2BE9CA639035E3A2B9BACBDC003A328D0E3BBFB300D605E975BCFB
    2. Scanning the barcode:
      > iam set-group-default-network --network=fd00:8f80:81c0:1::/64
      Scan DAA group information:

      Scan the barcode.

      Set fd00:8f80:81c0:1::/64 as default network for group 8D5131E49A2BE9CA639035E3A2B9BACBDC003A328D0E3BBFB300D605E975BCFB
  4. List the groups to check for the new group.
    > iam list-groups
    | DAA Group                                                        | Base Name                        | Provisioned | Onboarded | Default Network     | Domain              |
    | 8D5131E49A2BE9CA639035E3A2B9BACBDC003A328D0E3BBFB300D605E975BCFB | 58415054554D424153454E414D453031 | 50          | 0         | fd00:8f80:81c0::/64 | fd00:8f80:81c0::/48 |
    1 rows in set

Changing the Default Network

At any time, a domain administrator may change the default network by following the steps outlined above and selecting a different network. This will have the following effect:

  • Devices that have already been onboarded will not be affected - they will keep their existing network and identity.
  • Any devices that have not yet been onboarded, will be assigned to the new network upon their first boot.

Example Use Case

Acme Widget company manufactures 1000 IoT-Widgets in a single group. They initially deploy 700 IoT-Widgets to the scranton network and leave 300 on the warehouse shelves. The Acme Domain administrator takes the following steps:

  1. Sets the default network to the scranton network.
  2. Enables the 700 devices.

The selected 700 devices (which were chosen at random) will boot up, perform an XTT handshake with the ENF, and receive their identities (IPv6 addresses) from the ENF.

A few months later, Acme Widget wants to deploy the remaining IoT-Widgets in the akron network. The domain administrator proceeds as follows:

  1. Sets the default network to the akron network.
  2. Enables the remaining devices.

The newly activated devices will boot and be assigned identities on the akron network.

The end result is that there are 700 devices running on the scranton network and 300 running on the akron network.

Didn't find what you were looking for?

Contact us and we’ll get back to you as soon as possible.

Contact Us