Secure Device Onboard

Secure Device Onboard (SDO) is an LF Edge project that provides a secure, automated mechanism for onboarding Internet of Things (IoT) and edge devices to target cloud or on-premises (on-prem) platforms.

  • Automated late-binding onboarding of IoT and edge devices to chosen device management or cloud platforms (device onboarding).
  • Cryptographic device identity and ownership transfer during onboarding (device identity and security).
  • Protocol and reference implementation for secure enrollment workflows between device manufacturers, owners, and service providers (onboarding protocol).
  • Support for onboarding devices to multiple supported clouds or management backends via pluggable service info modules (platform integration).
  • Open-source codebase hosted under the LF Edge umbrella for integration into enterprise edge and IoT deployments (edge/IoT infrastructure).

More About Secure Device Onboard

Secure Device Onboard (SDO) targets the problem of securely and efficiently onboarding large numbers of IoT and edge devices to enterprise backends (device onboarding, edge/IoT infrastructure). Traditional provisioning workflows often require manual configuration, pre-binding to a specific cloud, or per-device handling at installation time. SDO introduces a protocol and reference implementation that separates device manufacturing from final ownership and cloud selection, which enables “late binding” of devices to their ultimate destination platform at or after installation.

At its core, SDO defines a secure onboarding protocol (onboarding protocol) that uses cryptographic identities embedded in devices during manufacturing and ownership vouchers that can be transferred along the supply chain. Device manufacturers register device credentials and issue vouchers that represent ownership rights. When a device is deployed in the field, the onboarding service uses these vouchers to verify legitimate ownership and to direct the device to the appropriate owner-controlled rendezvous and service endpoints. The system uses public key cryptography (security) to protect device identity, integrity of vouchers, and the onboarding message flows.

The project provides reference implementations of core SDO components (reference implementation), including device-side client software that runs on supported hardware platforms, a rendezvous service that helps devices discover their final onboarding service, and owner onboarding services that integrate with device management or cloud platforms (platform integration). Through these components, SDO automates transfer of control from manufacturer to owner and then to the selected service platform, without requiring that devices be hard-coded for a specific cloud at build time.

In enterprise and institutional environments, SDO can be used to onboard edge gateways, sensors, and other IoT devices into chosen management systems or cloud services (enterprise IoT deployment). Operators can integrate SDO with existing device lifecycle management workflows and public or private cloud endpoints, using configurable service information payloads to install agents, configure network parameters, or apply initial policies during onboarding (configuration management). This reduces per-device manual intervention and supports more repeatable provisioning processes for distributed edge deployments.

From an architecture perspective, SDO aligns with secure device identity and attestation patterns (security architecture). It introduces roles such as manufacturer, device owner, rendezvous server, and owner onboarding service, with defined message exchanges between them. The protocol supports extensible service information, so integrators can define custom payloads that run during onboarding while still relying on the standardized security and ownership-transfer mechanism. Because SDO is developed under LF Edge, it fits into broader edge computing ecosystems and can be combined with other LF Edge projects for device management or edge application orchestration (edge ecosystem integration).

For directory and taxonomy purposes, Secure Device Onboard is best categorized under device onboarding and provisioning, IoT and edge security, and edge infrastructure integration. It addresses secure initial enrollment and ownership transfer for connected devices, provides an open protocol and reference implementation for automated onboarding workflows, and integrates with multiple backend platforms via pluggable modules.