Before a device can receive updates, it must enroll with Thistle’s backend. Two provisioning flows are supported: group enrollment and pre-enrollment. Once a device has been enrolled with Thistle, it has a unique device_id and device_token, which are used in all subsequent communications with Thistle’s backend to identify and authenticate the fielded device.

Group Enrollment

Group enrollment allows any device to enroll with Thistle’s backend using a group-shared device enrollment token upon the first invocation of Thistle Update Client. A device enrollment token is uniquely associated with a Thistle project. It allows the Thistle Update Client to enroll a device and obtain a unique (device_id, device_token, device_certificate_pem, device_private_key_pem) quadruple, if such a quadruple does not already exist. After a successful enrollment, subsequent client-initiated requests include the device-unique device_id and device_token values for device authentication and authorization. The Thistle Release Helper v1.6.0 (or above) can be used to create a configuration file (template) for a group of devices, which can then be put on devices during device manufacturing.
$ ./trh --signing-method="remote" gen-device-config \
    --device-name="my_device_name" \
    --enrollment-type="group-enroll" \
    --persist="/path/to/persist/dir/on/device"
In this flavor of device provisioning, the Thistle Update Client requires an internet connection upon the first boot to enroll the device with Thistle’s backend.

Device Pre-enrollment

A pre-enrolled device has a unique device_id, device_token, device_certificate_pem and device_private_key_pem that must be loaded onto the device before the Thistle Update Client is first run. The Thistle Release Helper v1.6.0 (or above) can be used to create a unique configuration for each device, which can then be flashed during device manufacturing.
$ ./trh --signing-method="remote" gen-device-config \
    --device-name="my_device_name" \
    --enrollment-type="pre-enroll" \
    --persist="/path/to/persist/dir/on/device"
The identity file can also be used to pre-enroll devices; see the Identity File section for more information.