US-12627664-B2 - Offline device provisioning
Abstract
Provisioning an on-premise device within an on-premise communications network includes connecting, via a network connection, an on-premise gateway system in the on-premise communications network with an off-premise device provisioning service system in an off-premise communications network. The network connection is disconnected between the on-premise communications network and the off-premise communications network. A discovery request is received from the on-premise device via the on-premise communications network and responded to, while the network connection is disconnected. A provisioning request from the on-premise device is received at the on-premise device provisioning service of the on-premise gateway system via the on-premise communications network, while the network connection is disconnected. The on-premise device provisioning service of the on-premise gateway system provisions the on-premise device based on provisioning records, while the network connection is disconnected.
Inventors
- Morgan Westlee LUNT
- Alexander I. Tolpin
- Mengxi CHI
- Balendran Mugundan
- Rajeev Mandayam Vokkarne
- Nikhil Vithlani
- Nicole Elaine BERDY
- Mahesh Sham ROHERA
Assignees
- MICROSOFT TECHNOLOGY LICENSING, LLC
Dates
- Publication Date: 2026-05-12
- Application Date: 2020-04-20
Claims (20)
- 1 . A method of provisioning an on-premise device within an on-premise communications network, the method comprising: connecting, via a network connection, an on-premise gateway system in the on-premise communications network with an off-premise device provisioning service system in an off-premise communications network, wherein the off-premise device provisioning service system is configured to register the on-premise device for use with off-premise solutions inaccessible by the on-premise device via the off-premise communications network while the network connection is disconnected; communicating one or more device provisioning records between the off-premise device provisioning service system and an on-premise device provisioning service of the on-premise gateway system via the network connection; disconnecting the network connection between the on-premise communications network and the off-premise communications network; responding to a discovery request received from the on-premise device via the on-premise communications network, while the network connection is disconnected; receiving, at the on-premise device provisioning service of the on-premise gateway system, a provisioning request from the on-premise device via the on-premise communications network, while the network connection is disconnected, responsive to the responding operation; and provisioning, by the on-premise device provisioning service of the on-premise gateway system, the on-premise device based on the one or more device provisioning records, while the network connection is disconnected, responsive to receiving the provisioning request, wherein the provisioning operation includes registering the on-premise device for use with on-premise solutions accessible to the on-premise device via the on-premise communications network while the network connection is disconnected.
- 2 . The method of claim 1 , wherein the operations of responding to the discovery request, receiving the provisioning request, and provisioning the on-premise device occur before the communicating operation and the disconnecting operation.
- 3 . The method of claim 1 , wherein the operations of responding to the discovery request, receiving the provisioning request, and provisioning the on-premise device occur after the communicating operation and the disconnecting operation.
- 4 . The method of claim 1 , wherein the provisioning operation comprises: authenticating the on-premise device using the one or more device provisioning records via the on-premise communications network.
- 5 . The method of claim 1 , wherein the one or more provisioning records are sourced from a gateway identity brokering system of the on-premise gateway system, and the provisioning operation comprises: registering a cryptographic identity of the on-premise device to access one or more in-gateway solutions.
- 6 . The method of claim 1 , wherein the one or more provisioning records are sourced from an on-premise identity system communicatively coupled to the on-premise gateway system by the on-premise communications network, and the provisioning operation comprises: registering a cryptographic identity of the on-premise device to access one or more on-premise solutions external to the on-premise gateway system, wherein the one or more on-premise solutions are communicatively coupled to the on-premise gateway system by the on-premise communications network.
- 7 . The method of claim 1 , wherein the off-premise device provisioning service system registers a cryptographic identity of the on-premise device to access one or more off-premise solutions, after the communicating operation.
- 8 . An on-premise gateway system for provisioning an on-premise device within an on-premise communications network, the on-premise gateway system comprising: one or more hardware processors; an off-premise network interface configured to communicate one or more provisioning records via a network connection with an off-premise device provisioning service system in an off-premise communications network, wherein the off-premise device provisioning service system is configured to register the on-premise device for use with off-premise solutions inaccessible by the on-premise device via the off-premise communications network while the network connection is disconnected; an on-premise network interface configured to communicate with an on-premise communications network; a discovery endpoint executed by the one or more hardware processors and configured to respond to a discovery request received from the on-premise device via the on-premise communications network, while the network connection is disconnected; and an on-premise device provisioning service executed by the one or more hardware processors, wherein the off-premise network interface is configured to communicate one or more device provisioning records between the off-premise device provisioning service system and the on-premise device provisioning service via the network connection, while the network connection is connected, and the on-premise device provisioning service is configured to receive a provisioning request from the on-premise device via the on-premise communications network, while the network connection is disconnected, and to provision the on-premise device based on the one or more provisioning records, while the network connection is disconnected, wherein the provisioning by the on-premise device provisioning service of the on-premise device includes registering the on-premise device for use with on-premise solutions accessible to the on-premise device via the on-premise communications network while the network connection is disconnected.
- 9 . The on-premise gateway system of claim 8 , wherein the discovery endpoint is configured to respond to the discovery request, and the on-premise device provisioning service is configured to receive the provisioning request and provision the on-premise device, before the off-premise network interface communicates the one or more provisioning records with the off-premise device provisioning service system and before the network connection is disconnected.
- 10 . The on-premise gateway system of claim 8 , wherein the discovery endpoint is configured to respond to the discovery request, and the on-premise device provisioning service is configured to receive the provisioning request and provision the on-premise device, after the off-premise network interface communicates the one or more provisioning records with the off-premise device provisioning service system and after the network connection is disconnected.
- 11 . The on-premise gateway system of claim 8 , wherein the on-premise device provisioning service is configured to authenticate the on-premise device using the one or more device provisioning records via the on-premise communications network.
- 12 . The on-premise gateway system of claim 8 , wherein the one or more provisioning records are sourced from a gateway identity brokering system of the on-premise gateway system, and the on-premise device provisioning service is configured to register a cryptographic identity of the on-premise device to access one or more in-gateway solutions.
- 13 . The on-premise gateway system of claim 8 , wherein the one or more provisioning records are sourced from an on-premise identity system communicatively coupled to the on-premise gateway system by the on-premise communications network, and the on-premise device provisioning service is configured to register a cryptographic identity of the on-premise device to access one or more on-premise solutions external to the on-premise gateway system, wherein the one or more on-premise solutions are communicatively coupled to the on-premise gateway system by the on-premise communications network.
- 14 . The on-premise gateway system of claim 8 , wherein the off-premise device provisioning service system is further configured to register a cryptographic identity of the on-premise device to access one or more off-premise solutions after the one or more provisioning records are communicated to the off-premise device provisioning service system via the off-premise network interface.
- 15 . One or more tangible processor-readable storage media of a tangible article of manufacture encoding processor-executable instructions for executing on an electronic computing device a process of provisioning an on-premise device within an on-premise communications network, the process comprising: connecting, via a network connection, an on-premise gateway system in the on-premise communications network with an off-premise device provisioning service system in an off-premise communications network, wherein the off-premise device provisioning service system is configured to register the on-premise device for use with off-premise solutions inaccessible by the on-premise device via the off-premise communications network while the network connection is disconnected; communicating one or more device provisioning records between the off-premise device provisioning service system and an on-premise device provisioning service of the on-premise gateway system via the network connection; disconnecting the network connection between the on-premise communications network and the off-premise communications network; responding to a discovery request received from the on-premise device via the on-premise communications network, while the network connection is disconnected; receiving, at the on-premise device provisioning service of the on-premise gateway system, a provisioning request from the on-premise device via the on-premise communications network, while the network connection is disconnected, responsive to the responding operation; and provisioning, by the on-premise device provisioning service of the on-premise gateway system, the on-premise device based on the one or more device provisioning records, while the network connection is disconnected, responsive to receiving the provisioning request, wherein the provisioning operation includes registering the on-premise device for use with on-premise solutions accessible to the on-premise device via the on-premise communications network while the network connection is disconnected.
- 16 . The one or more tangible processor-readable storage media of claim 15 , wherein the operations of responding to the discovery request, receiving the provisioning request, and provisioning the on-premise device occur before the communicating operation and the disconnecting operation.
- 17 . The one or more tangible processor-readable storage media of claim 15 , wherein the operations of responding to the discovery request, receiving the provisioning request, and provisioning the on-premise device occur after the communicating operation and the disconnecting operation.
- 18 . The one or more tangible processor-readable storage media of claim 15 , wherein the one or more device provisioning records are sourced from a gateway identity brokering system of the on-premise gateway system, and the provisioning operation comprises: registering a cryptographic identity of the on-premise device to access one or more in-gateway solutions.
- 19 . The one or more tangible processor-readable storage media of claim 15 , wherein the one or more device provisioning records are sourced from an on-premise identity system communicatively coupled to the on-premise gateway system by the on-premise communications network, and the provisioning operation comprises: registering a cryptographic identity of the on-premise device to access one or more on-premise solutions external to the on-premise gateway system, wherein the one or more on-premise solutions are communicatively coupled to the on-premise gateway system by the on-premise communications network.
- 20 . The one or more tangible processor-readable storage media of claim 15 , wherein the off-premise device provisioning service system registers a cryptographic identity of the on-premise device to access one or more off-premise solutions, after the communicating operation.
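The exchange the claims describe, modelled end to end as an added example (this is illustrative code written for this page, not the patent's or Microsoft's implementation). It assumes a symmetric per-device enrollment key stands in for the device's cryptographic identity, proven with an HMAC over a gateway-issued nonce; the class names, the `dps.gateway.local` endpoint, the device identifiers and the solution names are all constructed for the example. Both claimed orderings are exercised: records pulled from the off-premise DPS before the link drops (claim 3), and a device provisioned offline from a gateway-sourced record that is pushed to the off-premise DPS only after the link returns (claims 2 and 7).

```python
# Illustrative model of offline device provisioning through an on-premise gateway.
# Not the patent's code: symmetric enrollment keys and HMAC proof are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class EnrollmentRecord:
    """Device provisioning record: enrollment key (the device's identity here)
    plus the on-premise solutions the device may be registered for."""
    device_id: str
    key: bytes
    solutions: tuple


def device_mac(key: bytes, device_id: str, nonce: bytes) -> bytes:
    # Proof of possession of the enrollment key, bound to the gateway's nonce.
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


class OffPremiseDPS:
    """Cloud DPS: authoritative enrollment store, reachable only while connected."""

    def __init__(self):
        self.enrollments = {}          # device_id -> EnrollmentRecord (operator-created)
        self.cloud_registered = set()  # identities registered for off-premise solutions

    def exchange_records(self, gateway_records: dict) -> dict:
        """Two-way sync: cloud enrollments flow down to the gateway; gateway-sourced
        records flow up and get registered for off-premise solutions (claim 7)."""
        for device_id, rec in gateway_records.items():
            self.enrollments.setdefault(device_id, rec)
            self.cloud_registered.add(device_id)
        return dict(self.enrollments)


class OnPremiseGateway:
    def __init__(self):
        self.connected = False
        self.records = {}     # cached provisioning records (cloud- or gateway-sourced)
        self.registered = {}  # device_id -> solutions granted on-premise
        self.challenges = {}  # device_id -> outstanding nonce from discovery

    def connect(self, dps: OffPremiseDPS):
        self.connected = True
        self.sync_records(dps)

    def disconnect(self):
        self.connected = False

    def sync_records(self, dps: OffPremiseDPS):
        if not self.connected:
            raise ConnectionError("off-premise DPS unreachable while disconnected")
        self.records.update(dps.exchange_records(self.records))

    def local_enroll(self, rec: EnrollmentRecord):
        """Gateway identity broker: record created on-premise, before any cloud sync."""
        self.records[rec.device_id] = rec

    def handle_discovery(self, device_id: str) -> dict:
        # Discovery endpoint: answers the same way whether the WAN link is up or down.
        nonce = secrets.token_bytes(16)
        self.challenges[device_id] = nonce
        return {"endpoint": "dps.gateway.local", "nonce": nonce}

    def handle_provisioning(self, device_id: str, proof: bytes) -> dict:
        rec = self.records.get(device_id)
        nonce = self.challenges.pop(device_id, None)  # one nonce, one attempt
        if rec is None or nonce is None:
            return {"status": "rejected", "reason": "no provisioning record"}
        if not hmac.compare_digest(proof, device_mac(rec.key, device_id, nonce)):
            return {"status": "rejected", "reason": "bad proof"}
        self.registered[device_id] = rec.solutions
        return {"status": "assigned", "solutions": rec.solutions}


class OnPremiseDevice:
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def provision(self, gateway: OnPremiseGateway) -> dict:
        reply = gateway.handle_discovery(self.device_id)          # discovery request
        proof = device_mac(self.key, self.device_id, reply["nonce"])
        return gateway.handle_provisioning(self.device_id, proof)  # provisioning request


def run_pre_enrollment_scenario():
    """Claim 3 ordering: sync from cloud, drop the link, then provision offline."""
    dps, gw = OffPremiseDPS(), OnPremiseGateway()
    dps.enrollments["sensor-01"] = EnrollmentRecord("sensor-01", b"k1", ("site-historian",))
    gw.connect(dps)
    gw.disconnect()
    good = OnPremiseDevice("sensor-01", b"k1").provision(gw)
    wrong_key = OnPremiseDevice("sensor-01", b"k2").provision(gw)
    unknown = OnPremiseDevice("sensor-99", b"k1").provision(gw)
    return good, wrong_key, unknown


def run_post_enrollment_scenario():
    """Claim 2 ordering: provision offline from a gateway-sourced record, then the
    record reaches the cloud DPS (and off-premise registration) on reconnect."""
    dps, gw = OffPremiseDPS(), OnPremiseGateway()
    gw.local_enroll(EnrollmentRecord("plc-07", b"k7", ("site-scada",)))
    local = OnPremiseDevice("plc-07", b"k7").provision(gw)
    before = "plc-07" in dps.cloud_registered
    gw.connect(dps)
    after = "plc-07" in dps.cloud_registered
    return local, before, after


if __name__ == "__main__":
    print(run_pre_enrollment_scenario())
    print(run_post_enrollment_scenario())
```

Two details worth noting against the claims. The discovery endpoint never consults the WAN state, which is the whole point of claim 8: a device on the drill-site LAN gets the same answer either way. And the gateway consumes the nonce on the first provisioning attempt, so a captured proof cannot be replayed later; a real deployment would use the device's asymmetric identity (certificate or TPM-backed key) rather than the symmetric key assumed here, but the ordering of record sync, disconnect, discovery, proof and registration is unchanged.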
Description
BACKGROUND
A device provisioning service (DPS) can be used to authenticate and configure smart devices via an Internet network connection. Each smart device connects to a remote DPS via the Internet to request provisioning. When contacted by the smart device, the remote DPS challenges the smart device to prove its identity before securely configuring the smart device to work with other network-connected devices, service systems, and workloads (collectively, "solutions"). In this way, the smart device can securely communicate with solution systems in the cloud. For example, the smart device may be a smart sensor, plug, lightbulb, or another device (e.g., thermostat, doorbell, security camera) that is hardcoded to "wake up" and begin registering itself with one or more cloud-based DPSs, such as Nokia Smart Home, Google Home®, Samsung SmartThings, Nest, Philips Hue, Smart Life, Garmin Connect, etc. Each DPS then sets up the smart device to work securely with other network-connected solutions. Unfortunately, without Internet connectivity to a DPS, smart devices are unable to receive secure provisioning. Therefore, at an on-premise location with an intermittent or nonexistent Internet connection (e.g., a remote drill site), installing and configuring a new smart device at that location is problematic. Accordingly, provisioning such devices without a reliable Internet connection presents unsolved challenges.

SUMMARY
The described technology provides a system and method of provisioning an on-premise device within an on-premise communications network. The method connects, via a network connection, an on-premise gateway system in the on-premise communications network with an off-premise device provisioning service system in an off-premise communications network. One or more device provisioning records are communicated between the off-premise device provisioning service system and an on-premise device provisioning service of the on-premise gateway system via the network connection. The network connection is disconnected between the on-premise communications network and the off-premise communications network. The method responds to a discovery request received from the on-premise device via the on-premise communications network, while the network connection is disconnected. A provisioning request from the on-premise device is received at the on-premise device provisioning service of the on-premise gateway system via the on-premise communications network, while the network connection is disconnected. The on-premise device provisioning service of the on-premise gateway system provisions the on-premise device based on the one or more provisioning records, while the network connection is disconnected.

This summary is provided to introduce a selection of concepts in a simplified form that is further described below in the Detailed Description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Other implementations are also described and recited herein.

BRIEF DESCRIPTIONS OF THE DRAWINGS
FIG. 1 illustrates example offline device provisioning of a new on-premise device.
FIG. 2 illustrates an example offline device provisioning system for in-gateway solutions.
FIG. 3 illustrates an example offline device provisioning system for on-premise solutions.
FIG. 4 illustrates an example offline device provisioning system with pre-provisioning enrollment.
FIG. 5 illustrates example operations for offline provisioning with pre-provisioning enrollment.
FIG. 6 illustrates example operations for offline provisioning with post-provisioning enrollment.
FIG. 7 illustrates an example communication device for implementing the features and operations of the described technology.

DETAILED DESCRIPTIONS
In at least one implementation of the described technology, a network-connected device, such as an Internet-of-Things (IoT) device, a network-connected industrial asset, a mobile computing device, or another communications device, can be securely provisioned within an on-premise network that is offline (not contemporaneously connected to the Internet). As such, even when an on-premise network is not connected to the Internet, such devices can be configured within the on-premise network to work securely with other on-premise devices and services available via the on-premise network. In addition, offline device provisioning can support configuring such devices to securely work with devices and services outside the on-premise network after the on-premise network connects to the Internet.

FIG. 1 illustrates example offline device provisioning of a new on-premise device 100. In the illustrated example, assume that the on-premise location is a drill site with an unreliable Internet connection, although other on-premise locations are contemplated. As context, the drill site has control systems, sensors, monitoring serv