How to de-provision a single device enrolled from an Enrollment group using X.509?

Kong Stony 26 Reputation points
2021-03-13T01:48:26.107+00:00

Below is the guideline from Azure Learning: To deprovision a single device from an enrollment group: Create a disabled individual enrollment for its leaf (device) certificate. This revokes access to the provisioning service for that device while still permitting access for other devices that have the enrollment group's signing certificate in their chain. Do not delete the disabled individual enrollment for the device. Doing so will allow the device to re-enroll through the enrollment group. However, in the Azure DPS service portal, I can only find "Delete Registration" for that device. But apparently deleting the registration does not do the work of disabling that particular device certificate, as I can still use the same certificate to re-provision the same device. What is the proper way to "create a disabled individual enrollment"?

Azure IoT Hub

Accepted answer
    QuantumCache 20,261 Reputation points
    2021-03-16T04:51:31.587+00:00

    Hello @Kong Stony

    Thanks for this great helpful query on this forum.

    When we talk about X.509 attestation: since every device has its own leaf certificate, we have to create a disabled individual enrollment for that leaf (device) certificate in DPS in order to de-provision it. Then we can delete its entry from the IoT Hub's identity registry.

    If we go this route, we will have a record of all disabled devices, and it will make sure a particular device is de-provisioned and not in use. By doing this we make sure the device can never make use of the existing leaf certificate in the future. (And of course, this is the best approach when we are dealing with millions of devices, where manual management is very tough.)

    If we just delete the device registration, then the device may get registered with the DPS service again in the future (because it still holds the leaf certificate, with a valid expiration date), which is not desirable.

    To de-provision a single device from an enrollment group:

    • Create a disabled individual enrollment for its leaf (device) certificate. This revokes access to the provisioning service for that device while still permitting access for other devices that have the enrollment group's signing certificate in their chain. Do not delete the disabled individual enrollment for the device. Doing so will allow the device to re-enroll through the enrollment group.
    • Use the list of provisioned devices for that enrollment group to find the IoT hub that the device was provisioned to and disable or delete it from that hub's identity registry.

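The two steps in the accepted answer, as one runnable sequence. This is an added example, not code from the original page, from the answerer or from Microsoft. It drives the Azure CLI with the azure-iot extension (`az iot dps enrollment create`, `az iot dps enrollment-group registration list`, `az iot hub device-identity update`); the DPS, resource group, enrollment group and hub names are placeholders, and `DRY_RUN=1` (the default) only prints the `az` commands so the sequence can be reviewed without an Azure subscription. The script also does the two checks a practitioner wants before touching DPS: it refuses a CA certificate (an individual enrollment on the signing certificate would not single out one device), and it derives the enrollment ID from the leaf certificate's CN, because an X.509 device's registration ID is its certificate CN and the disabled individual enrollment only takes precedence over the group if the IDs match.

```shell
#!/bin/sh
# Hypothetical helper for this answer (not part of the page or of Azure tooling):
# deprovision ONE X.509 device that was enrolled through a DPS enrollment group,
# leaving its sibling devices untouched.  DRY_RUN=1 only prints the az commands.
set -eu

DPS_NAME="${DPS_NAME:-my-dps}"                      # assumed resource names
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"
ENROLLMENT_GROUP="${ENROLLMENT_GROUP:-floor-devices}"
DRY_RUN="${DRY_RUN:-1}"

run() {            # print the command in dry-run mode, execute it otherwise
  if [ "$DRY_RUN" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# An X.509 device's DPS registration ID is the CN of its leaf certificate.  The
# disabled individual enrollment must carry exactly that ID; otherwise DPS does
# not match it ahead of the enrollment group and the device keeps provisioning.
registration_id_from_cert() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Guard against passing the group's signing (CA) certificate by mistake.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

deprovision_device() {
  cert="$1"
  if is_ca_cert "$cert"; then
    echo "refusing: $cert is a CA certificate, not a device leaf certificate" >&2
    return 1
  fi
  reg_id="$(registration_id_from_cert "$cert")"
  [ -n "$reg_id" ] || { echo "no CN found in $cert" >&2; return 1; }

  # Step 1 (DPS): a DISABLED individual enrollment keyed on the leaf certificate.
  # Individual enrollments take precedence over group enrollments, so only this
  # device is blocked.  Never delete this enrollment later: deleting it re-opens
  # the enrollment-group path for the same certificate.
  run az iot dps enrollment create \
    --dps-name "$DPS_NAME" --resource-group "$RESOURCE_GROUP" \
    --enrollment-id "$reg_id" --attestation-type x509 \
    --certificate-path "$cert" --provisioning-status disabled

  # Step 2 (IoT Hub): DPS only gates provisioning.  The device already holds a
  # hub identity, so find the hub the group registration assigned it to ...
  if [ "$DRY_RUN" = "1" ]; then
    run az iot dps enrollment-group registration list \
      --dps-name "$DPS_NAME" --resource-group "$RESOURCE_GROUP" \
      --enrollment-id "$ENROLLMENT_GROUP" \
      --query "[?registrationId=='$reg_id'].[assignedHub,deviceId]" -o tsv
    hub="${ASSIGNED_HUB:-assigned-hub}"   # placeholder; a live run reads it from the query above
    device_id="$reg_id"
  else
    set -- $(az iot dps enrollment-group registration list \
      --dps-name "$DPS_NAME" --resource-group "$RESOURCE_GROUP" \
      --enrollment-id "$ENROLLMENT_GROUP" \
      --query "[?registrationId=='$reg_id'].[assignedHub,deviceId]" -o tsv)
    [ "$#" -ge 2 ] || { echo "no registration for $reg_id in $ENROLLMENT_GROUP" >&2; return 1; }
    hub="$1"; device_id="$2"
  fi
  # ... and disable (or delete) the identity there, so the credentials the
  # device already holds stop working as well.
  run az iot hub device-identity update \
    --hub-name "$hub" --device-id "$device_id" --set status=disabled
}

if [ -n "${1:-}" ]; then deprovision_device "$1"; fi
```

Usage: `DRY_RUN=1 ./deprovision_x509_device.sh device-001.pem` prints the three commands; `DRY_RUN=0` runs them after `az login`. The first command is the same object the question asks about: in the portal it is created under Manage enrollments as an individual enrollment with X.509 attestation, uploading the leaf certificate and setting the entry to disabled. The second-stage hub lookup matters because "Delete Registration" in DPS and a disabled enrollment both leave the device's existing hub identity alive; only the hub-side disable or delete cuts off a device that has already provisioned.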
