Manage device provisioning

You can manage device provisioning in the Devices page of Guardian, as well as export your device provisioning report. You can begin the provisioning process from the Provisioning page.

Disconnected provisioning

For disconnected provisioning, users can use the command line or the Provisioning page to submit PRs and download certified profiles (CPs). They can then manage device provisioning and export the device provisioning report from the Devices page. This is an interim solution while we add full provisioning lifecycle support to the Devices page. For the full workflow walkthrough, refer to Understand device provisioning.

Connected provisioning

For connected provisioning, devices automatically submit requests to the Devices page.

Select system

1. In the breadcrumb trail in the main navigation bar, click the Select system name drop-down. You can also select this in the quick filter drop-downs on the page. You can only select one system name, also known as your system definition.

2. Click the Filters drop-down to filter on system instance, component, and other criteria.

Understanding approval workflows

Automatic approval type

In this approval workflow type, provisioning requests (PRs) will automatically be verified, approved, and provisioned. You cannot manually approve or reject PRs for this approval type. This approval workflow has the following steps:

Verifying → Auto-approved → Provisioning → Provisioned

• Verifying...: PR has just come in and the system has not yet auto-approved it.

• Auto-approved: PR has been auto-approved by the system and will soon move to Provisioning.

• Provisioning: PR is either in the process of provisioning or is queued to provision soon.

• Provisioned: PR has completed provisioning

• Various error codes: See Troubleshooting for more information.

Manual approval type

Provisioning requests require manual approval before processing.

This approval workflow has the following steps:

Verifying → Needs approval → Approving → Complete provisioning → Provisioning → Provisioned

• Verifying...: PR has just come in and the system has not yet moved it to Needs approval status.

• Needs approval: PR needs to be manually approved by a user.

• Approving...: PR approval is in progress

• Complete provisioning: PR needs to be manually provisioned by a user

• Provisioning: PR is either in the process of provisioning or is queued to provision soon.

• Provisioned: PR has completed provisioning

• Rejecting...: PR rejection is in progress

• Rejected by user: PR was manually rejected by a user.

• Various error codes: See Troubleshooting for more information.

Approve individual PR

For the Manual approval type, you can approve PRs for one or more devices. Approved PRs will move to Approved status.

1. For any PR in the Needs approval status, you will see an Approve and Reject button in the Actions column.

2. Click Approve. This will display the confirmation panel.

3. Click Approve PR in the panel. The PR status will move to Approving..., then to Complete provisioning. You will see a success message.

4. If you choose to reject the PR at this point, click Reject PR. This will change its status to Rejected by user. You will see a success message.

5. You can view Approved on and Approved by information. Click the Columns link at the top of the table to customize your display.

Bulk approve PRs

For the Manual approval type, you can approve or reject PRs for one or more devices. Approved PRs will move to Approved status.

1. For any PR in the Needs approval status, you will see an Approve and Reject button in the Actions column. You will also see the total number of PRs in this status in the bulk Approve X PRs action link in the toolbar (where X is this number).

2. Click Approve X PRs in the toolbar. This will display the confirmation panel.

3. Click Approve X PRs in the panel. The PR status will move to Approving..., then to Complete provisioning. You will see a success message.

4. If you choose to reject the PR at this point, click Reject X PRs. This will change their status to Rejected by user. You will see a success message.

Reject individual PR

For the Manual approval type, you can reject PRs for one or more devices. Rejected PRs will show a Rejected by user status.

1. For any PR in the Needs approval status, you will see an Approve and Reject button in the Actions column.

2. Click Reject. This will display the confirmation panel.

3. Click Reject PR in the panel. The Provisioning status will move to the Rejected by user status. You will see a success message.

4. You can view Rejected on and Rejected by information. Click the Columns link at the top of the table to customize your display.

Bulk reject PRs

For the Manual approval type, you can bulk reject PRs for one or more devices. Rejected PRs will move to Rejected by user status.

1. For any PR in the Needs approval status, you will see an Approve and Reject button in the Actions column. You will also see the total number of PRs in this status in the bulk Reject X PRs action link in the toolbar (where X is this number).

2. Click Reject X PRs in the toolbar. You'll have the opportunity to review the summary of the PRs you are rejecting.

3. Confirm your rejection. The Provisioning status will move to Rejecting..., then Rejected by user status. You will see a success message.

4. You can view Rejected on and Rejected by information. Click the Columns link at the top of the table to customize your display.

Provision individual device

For the Manual approval type, after approving device PRs, you can provision those devices individually or in bulk.

1. For any PR in the Complete provisioning status, you will see a Provision button in the Actions column.

2. Click Provision. This will display the confirmation panel.

3. Click Provision device in the panel. The Provisioning status will move to Provisioning..., then Provisioned status. You will see a success message.

4. You can view Rejected on and Rejected by information. Click the Columns link at the top of the table to customize your display. You will see a success message.

Bulk provision devices

For the Manual approval type, after approving device PRs, you can provision those devices individually or in bulk.

1. For any PR in the Complete provisioning status, you will see that device reflected in the Provision X devices action link in the toolbar. You will also see a Provision button in the Actions column.

2. Click Provision. This will display the confirmation panel.

3. Click Provision X devices in the panel. The Provisioning status will move to Provisioning..., then Provisioned status. You will see a success message.

4. You can view Rejected on and Rejected by information. Click the Columns link at the top of the table to customize your display. You will see a success message.

Change date formatting

By default, device provisioning data is displayed in UTC time and in dd mmm yyyy format. You can change this to display ISO format and/or to show dates in your local time.

1. To change the date formatting, click the Settings drop-down in the toolbar.

2. Toggle the respective date settings, which will automatically apply.

Columns

Not all columns are shown by default. Click the Columns link at the top of the table to customize your display.

• System name: This is the system definition. It will also be referred to as system.

• System instance name: This is a particular instance of the system name.

• System instance ID: This is the unique ID for a system instance.

• Component name: This is a component in the system instance.

• Component instance ID: This is the unique ID for a component.

• Component instance created on: This is when the component instance was created.

• Device HW ID: This is the unique ID for a device.

• Approval type: This is either Manual or Automatic, as defined by your organization in your system definition.

• Provisioning status: This shows the provisioning status of the PR. Statuses will depend on your system's defined approval type.

• Request ID: This is the unique provisioning request ID.

• Request created on: This is the date the provisioning request was created.

• Response ID: This is the unique provisioning response ID.

• Response created on: This is the date the provisioning response was created.

• Provision source: This is either Appliance or Cloud, as defined by your organization in your system definition.

• Approved on: This is the date the provisioning request was approved.

• Approved by: This is either System or a user name. If you are using the Automatic approval type, it will be set to System. The PR will also

• Rejected on: This is the date the provisioning request was rejected.

• Rejected by: This is either System or a user name. If you are using the Automatic approval type, it will be set to System if the PR was rejected by our system. It will also have a Rejected by system provisioning status.

• Provisioned on: This is the date the provisioning request was provisioned.

• Provisioned by: This is either System or a user name. If you are using the Automatic approval type, it will be set to System when the PR is automatically provisioned by our system. It will also have a Provisioned provisioning status.

• Actions: If a PR needs to be approved, this will show Approve and Reject buttons. If there are additional actions that can be performed, you will see a ... action overflow button.

Troubleshooting

If a PR encounters an error during the provisioning process, its Provisioning status will indicate the problem.

• Rejected by user: PR was manually rejected by a user. This will only display for the Manual approval type.

• Rejected by system: PR was automatically rejected by our system. This should be very rare.

• Must be provisioned by appliance: The device can only be initially provisioned against an appliance. Error code: APPLIANCE_ONLY

• Duplicate HW ID: The hardware ID provided in the PR matches an existing device's hardware ID, and does not meet your organization's PR approval policy. Error code: DUPLICATE_HW_ID_FAILURE

• Missing PR signer key: The key used to sign the PR either does not exist or is not yet available to verify the PR. Error code: MISSING_PR_SIGNER_KEY

• Malformed PR signature: The signature of the PR did not meet expectations and could not be verified. Error code: PR_SIGNATURE_MALFORMED

• Max instances exceeded: The maximum number of this device (component) has already been reached, as defined in your system definition. Error code: MAX_INSTANCE_FAILURE

Vault errors

• Vault could not sign certificates: Vault was unable to sign device certificates. Error code: FAIL_SIGN_DEVICE_CERTIFICATES

• Vault could not sign profile: Vault was unable to sign a device certified profile. Error code: FAIL_SIGN_DEVICE_CERTIFIED_PROFILE

• Vault request timed out: Our service that drives provisioning timed out making a request to Vault. Error code: VAULT_REQUEST_TIMEOUT

• Vault could not find PR signer: Vault could not find the device identity of the device that signed the PR. Error code: UNABLE_LOOKUP_PROVISION_REQUEST_SIGNER

• Vault could not find device leaf certificates: Vault could not find device leaf certificates for a device. Error code: UNABLE_LOOKUP_DEVICE_CERTIFICATES

• Vault could not find vault signer certificate: Vault was unable to find the certificate of a vault signer. Error code: FAIL_SIGN_MISSING_SIGNER_CERTIFICATE

Reprovisioning errors

Some errors can only occur when reprovisioning a device.

• Component mismatch: The PR contains a different component name than the component that signed the PR. Error code: REPROVISIONING_MISMATCH_COMPONENT

• HW ID mismatch: The PR has a different hardware ID than the device that signed the PR. Error code: REPROVISIONING_MISMATCH_HARDWARE_IDENTIFIER

• Instance mismatch: The PR is for a device in a different system instance than the device that signed the PR. Error code: REPROVISIONING_MISMATCH_INSTANCE

• Device is already provisioning: The PR is a re-provision request for a device that is in the process of provisioning. Error code: Error code: REPROVISIONING_PROVISIONING_COMPONENT

Filter devices

You can filter on system, device, and provisioning information.

General section

• System name: Select the main system to view. This is also known as the system definition.

• System instance: Select one or more system instances to view.

• Component name: Select one or more components to view.

• Device hardware ID: Specify a particular device hardware ID to filter on.

Provisioning details section

• Toggle to view current provisioning status for all devices or all statuses the devices have moved through.

• Provisioning status: Select one or more provisioning status(es). The available statuses will depend on the approval type of the system you are currently viewing.

• Provisioned on: Select a date range to view devices that moved to the Provisioned status during that time.

Export provisioning report

You can either export the current provisioning status for all devices or select the devices you want to export the latest provisioning status for.

1. To export all devices, select Export drop-down in the toolbar. In the All devices group, select Device provisioning report.

2. To export selected devices, select the devices you want to export the status for, then select Export drop-down in the toolbar. In the Selected devices group, select Device provisioning report. This will export the device provisioning report in CSV format.