What is OSConfig for IoT?

IoT/Edge solution builders and operators often need to configure and observe device settings. Common examples include network settings, hostnames, time zones, security benchmarks, firewall rules, ssh users, and so on.

OSConfig for IoT is a compact (≈5MB) device side component which brings these configuration management capabilities directly into your Azure IoT workflows. Compared to alternative practices in the IoT/Edge space, using Azure IoT + OSConfig can:

  • Reduce the number of device images you need to maintain, by allowing at-scale dynamic configuration at deploy time
  • Reduce the frequency of full image updates, by allowing reconfiguration in the field for a specific device or devices at scale
  • Eliminate heavyweight data center server management tools from your IoT/Edge solution, by allowing for configuration management directly from Azure IoT

The Microsoft capability suite for IoT

OSConfig is part of the broader suite of device management and security capabilities from Microsoft.

Broad conceptual diagram showing workload management, update management, configuration management, hardening, and threat management as overlapping circles

To get the full suite of capabilities, ensure that your devices have:

  • The OSConfig for IoT client
  • The Device Update for IoT Hub client
  • The Defender for IoT client
  • (for larger devices) the IoT Edge runtime

How it works with Azure IoT

The compact and efficient OSConfig agent for Linux runs on each device. It projects the device's configurable and observable properties into your Azure IoT Hub. This enables twin-based workflows (for example: IoT Explorer, Azure IoT Device Management Configurations, and Azure IoT Device Management Queries) to observe and configure the devices.

overview diagram showing devices linked to IoT Hub Device Management features via OSConfig client and twins

What can I provision and manage?

OSConfig includes a standard library of built-in capabilities. It also has a plug-in model so you can add or modify functionality for your unique devices.

The following are examples of scenarios you can accomplish using the built-in capabilities.

Network adapter and IP information

For reference information and hands-on examples, see: Working with network adapter status, IP addresses, etc., using OSConfig and Azure IoT.

  • Inventory IP addresses for all devices
  • Get the IP address of a device for troubleshooting, to connect an IP camera, etc.
  • Get the DNS servers used by a device to investigate a name resolution issue
  • Audit that all devices are using approved network infrastructure, to catch devices accidentally left connected to test networks, or connecting from an unexpected coffee shop
  • Transition devices from static IP to DHCP as part of a deployment process
  • Adapt to network infrastructure changes

Package manager configuration

For reference information and hands-on examples, see: Manage the OS package manager using Azure IoT and OSConfig.

  • Ensure devices are using your private package repos for approved versions of libraries, etc.
  • Dynamically point devices to vendor/partner package repos for specific packages
  • Ensure that certain packages are installed
  • Compare installed packages state across a fleet of devices, and detect drift

Host name

For reference information and hands-on examples, see: Working with host names using Azure IoT and OSConfig.

  • Set OS level host names to comply with standards or to ensure data and logs coming from devices can be evaluated in context
  • Get OS level host names for inventory and audit

Hosts file

For reference information and hands-on examples, see: Working with /etc/hosts file using Azure IoT and OSConfig.

  • Add hosts file entries to enable communication with on-prem infrastructure
  • Dynamically provision specific entries based on device role or location
  • Audit that devices have the desired entries present

Firewall

For reference information and hands-on examples, see: Manage host firewall with Azure IoT and OSConfig.

  • Audit that host-based firewall is enabled across devices
  • Audit that the cumulative rule set across devices matches a known-good fingerprint
  • Ensure that environment specific rules like “deny all ssh inbound, except from my management subnet” are in place
  • Make temporary changes to allow for developer and diagnostic access
  • Adapt to changes in security landscape, such as blocking certain traffic based on a newly reported vulnerability
  • Adapt to changes in app/workload requirements and network infrastructure, such as enabling access to a new HTTP endpoint
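As an added illustration of the two audit scenarios above (package drift across a fleet, and a firewall rule set compared against a known-good fingerprint), the following Python runs over constructed device-twin reported-property snapshots. It is not code from the original page or from the OSConfig project, and the component and property names (`Firewall.Rules`, `PackageManager.Installed`) are assumptions, not OSConfig's actual twin schema.

```python
import hashlib
import json

# Constructed twin reported-property snapshots for three devices (illustrative only).
# The property paths below are assumptions, not OSConfig's real twin schema.
TWINS = {
    "edge-01": {"Firewall": {"Rules": ["-A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT",
                                       "-A INPUT -p tcp --dport 22 -j DROP"]},
                "PackageManager": {"Installed": {"openssl": "3.0.2", "curl": "7.81.0"}}},
    # Same two rules, but in the wrong order: DROP is hit first, so the allow rule is dead.
    "edge-02": {"Firewall": {"Rules": ["-A INPUT -p tcp --dport 22 -j DROP",
                                       "-A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT"]},
                "PackageManager": {"Installed": {"openssl": "3.0.2", "curl": "7.81.0"}}},
    # Permissive ssh rule and an out-of-date openssl.
    "edge-03": {"Firewall": {"Rules": ["-A INPUT -p tcp --dport 22 -j ACCEPT"]},
                "PackageManager": {"Installed": {"openssl": "1.1.1", "curl": "7.81.0"}}},
}

def fingerprint(rules):
    """SHA-256 over the rule list in its reported order. Rules are deliberately
    not sorted: in a firewall chain the order changes the effective policy."""
    return hashlib.sha256(json.dumps(rules).encode()).hexdigest()

def audit_firewall(twins, known_good):
    """Device ids whose reported rule-set fingerprint differs from the known-good one."""
    return sorted(dev for dev, twin in twins.items()
                  if fingerprint(twin["Firewall"]["Rules"]) != known_good)

def package_drift(twins, baseline):
    """Map each drifting device to the packages whose installed version differs
    from the baseline (None means the package is missing)."""
    drift = {}
    for dev, twin in twins.items():
        installed = twin["PackageManager"]["Installed"]
        diffs = {pkg: installed.get(pkg) for pkg, ver in baseline.items()
                 if installed.get(pkg) != ver}
        if diffs:
            drift[dev] = diffs
    return drift

# Known-good values taken from the reference device edge-01 (constructed).
KNOWN_GOOD = fingerprint(TWINS["edge-01"]["Firewall"]["Rules"])
BASELINE = {"openssl": "3.0.2", "curl": "7.81.0"}

if __name__ == "__main__":
    print("firewall drift:", audit_firewall(TWINS, KNOWN_GOOD))
    print("package drift:", package_drift(TWINS, BASELINE))
```

Against a real hub the snapshots would come from an IoT Hub twin query rather than the inline dictionary; the comparison logic is unchanged.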

Device information including CPU, OS, TPM, device vendor, and more

For reference information and hands-on examples, see: Report hardware and OS information with Azure IoT and OSConfig.

  • Report on OS distros and versions across your fleet
  • Target IoT Hub Configurations by reported properties for CPU architecture, OS, etc.
  • For heterogeneous fleets, discover which devices have TPM capabilities
  • For devices with a TPM, audit that the TPM is active and interfacing with the OS as expected

Reboot and Shutdown

For reference information and hands-on examples, see: Reboot or shut down devices with Azure IoT and OSConfig.

  • Reboot or shut down a misbehaving device
  • Coordinate maintenance reboots across many devices

Azure Device Health Service (ADHS) governance

  • Set and audit the opt-in level for the ADHS diagnostic data service

Delivery Optimization governance

  • Set and audit Delivery Optimization parameters such as Microsoft Connected Cache URLs, throttling, and so on

Custom configuration at scale

For reference information and hands-on examples, see: Custom configuration and reporting with Azure IoT and OSConfig and How to interact with the CommandRunner feature of OSConfig and Azure IoT.

  • Run a custom script to configure workloads, OS components, files, etc.
  • Configure OS time zones across all devices, for example to ensure that data and logs coming from the device are stamped with organization standard timestamps
  • Configure network time source across all devices, to ensure that devices stay in sync with organization standard timekeeping, and don’t use rogue time sources
  • Configure package manager settings, such as adding trusted package repositories as sources
  • Your imagination is the limit; custom configurations are based on shell commands

Custom reporting at scale, and remote diagnostics

For reference information and hands-on examples, see: Custom configuration and reporting with Azure IoT and OSConfig and How to interact with the CommandRunner feature of OSConfig and Azure IoT.

  • Run a custom command to get any information from the devices
  • Audit that a certain daemon is running on all devices
  • Audit that devices can regularly ping a certain endpoint which is important to your solution
  • Your imagination is the limit; custom reporting is based on shell commands
  • Verify that a device is alive
  • Run diagnostic and developer commands on a device

Next steps