> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thistle.tech/llms.txt
> Use this file to discover all available pages before exploring further.

# Device Provisioning

> How to provision devices for the Thistle OTA Update system

Before a device can receive updates, it must enroll with Thistle's backend.
There are two Provisioning flows supported: group-enrollment and pre-enrollment.

Once a device has been enrolled with Thistle, it will have a unique `device_id`
and `device_token` that are used for all subsequent communications with
Thistle's backend in order to identify and authenticate the fielded device.

## Group Enrollment

<img src="https://mintcdn.com/thistletechnologies/MrBm0BC7xpW_ySdM/images/tofu.png?fit=max&auto=format&n=MrBm0BC7xpW_ySdM&q=85&s=fb35058c3aa0fe11f412ab72d7c709e4" alt="Enrollment" width="1283" height="605" data-path="images/tofu.png" />

Group enrollment allows any device to enroll with Thistle's backend using a
group-shared [device enrollment
token](/update/configuration_file#enrollment-fields) upon the first invocation
of Thistle Update Client. A device enrollment token is uniquely associated with
a Thistle project. It allows the Thistle Update Client to enroll a device to
obtain a unique (`device_id`, `device_token`, `device_certificate_pem`,
`device_private_key_pem`) quadruple, if such a quadruple does not already exist.
After a successful enrollment, subsequent client-initiated requests will have
device-unique `device_id` and `device_token` values included for device
authentication and authorization.

The Thistle Release Helper v1.6.0 (or above) can be used to create a
configuration file (template) for a group of devices that can then be put on
devices during device manufacturing.

```bash theme={"dark"}
$ ./trh --signing-method="remote" gen-device-config \
--device-name="my_device_name" \
--enrollment-type="group-enroll" \
--persist="/path/to/persist/dir/on/device"
```

<Note>
  In this flavor of device provisioning, the Thistle Update Client will require an
  internet connection upon the first boot to enroll the device with Thistle's
  backend.
</Note>

## Device Pre-enrollment

<img src="https://mintcdn.com/thistletechnologies/MrBm0BC7xpW_ySdM/images/prepro.png?fit=max&auto=format&n=MrBm0BC7xpW_ySdM&q=85&s=a003efcc427cc9a8d8314e76a0d6b8be" alt="Device Pre-enrollment" width="1206" height="647" data-path="images/prepro.png" />

A pre-enrolled device has a unique `device_id`, `device_token`,
`device_certificate_pem` and `device_private_key_pem` that must be loaded onto
the device before the Thistle Update Client is first run.

The Thistle Release Helper v1.6.0 (or above) can be used to create a unique
configuration for each device, that can then be flashed during device
manufacturing.

```bash theme={"dark"}
$ ./trh --signing-method="remote" gen-device-config \
--device-name="my_device_name" \
--enrollment-type="pre-enroll" \
--persist="/path/to/persist/dir/on/device"
```

<Note>
  The identity file can also be used to pre-enroll devices, see the Identity File
  section for more information.
</Note>