WISE-DeviceOn

@WISE-DeviceOn

DeviceOn Technical Documentation


Joined on Oct 19, 2022

  • FR1 Identification and authentication control :heavy_check_mark: CR 1.1 Human user identification and authentication (==SL4==) Components shall provide the capability to identify and authenticate all human users according to IEC 62443‑3‑3 SR 1.1 on all interfaces capable of human user access. This capability shall enforce such identification and authentication on all interfaces that provide human user access to the component to support segregation of duties and least privilege in accordance with applicable security policies and procedures. This capability may be provided locally by the component or by integration into a system level identification and authentication system. :::info The DeviceOn system is equipped with Role-Based Access Control (RBAC) and supports the use of multiple authentication factors. ::: :heavy_check_mark: CR 1.2 Software process and device identification and authentication (==SL4==) Components shall provide the capability to identify itself and authenticate to any other component (software application, embedded devices, host devices and network devices), according to IEC 62443‑3‑3 SR 1.2.
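  • New Power Suite Plugin. Server supports both EMBIPC & PowerSuite. When DeviceOn Agent detects PowerSuite on the system, it automatically stops loading EMBIPC. Two-way synchronization issue: after settings are changed in the local Power Suite, the state is synchronized to DeviceOn Server (and vice versa). DeviceOn UI for Power Suite (new page?). DeviceOn Agent -> Launcher service (backend + Plugin) (installed as a Service when PowerSuite is installed). PowerSuite is packaged as an OTA package; the ISO is pulled out and stored separately.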
  • DeviceOn Overview What’s DeviceOn? Feature Highlight DeviceOn Cloud Version Standalone (VM) DeviceOn for Azure (Enterprise) - Kubernetes DeviceOn Agent Version DeviceOn Agent Architecture DeviceOn Agent Supported Operating Systems
  • General How to Get DeviceOn Product and News? You are welcome to visit the following pages for more information and experience on DeviceOn. DeviceOn Product Page News & Solution Package How to Get DeviceOn Server and DeviceOn Agent Installer? Please get the installer package from the download link below.
  • Prerequisite A running DeviceOn server. To acquire the install program and make sure to have the latest version, please go to the landing page or download from the link below. DeviceOn Server Installer Option 1 (Upgraded by the Installer) Typically, the installation file of the new version can be used to upgrade the server. The service will be briefly suspended during the update process to allow for data backup and restore. As a result, the device will be offline for a brief period of time, and service will be unavailable. Step-by-Step Step 1: Launch the new installation and run as administrator
  • DeviceOn Server Installation Setup Standalone Version on Windows (On-premises) Step 1: Install the DeviceOn Package on Your System Copy the installation file (DeviceOn_Server_Setup_4.7.x.exe) to your target system and run it as administrator. Click “Next” to start the installation process. Select “I Accept the terms in the License Agreement” and click “Next” Select the “Installation Folder” for DeviceOn Server and click “Next”
  • :::spoiler Role Permission Role Permission Table Item Action Description Super Admin Admin Device Admin Account Management
  • DeviceOn Server (Standalone) The standalone version provides all packages of the DeviceOn software in one installer package, including RabbitMQ as a message broker, MongoDB and PostgreSQL as databases, Grafana for visualization, Tomcat for web services, Apache FTP as the FTP server, and a watchdog service that protects DeviceOn core components from crashing or becoming unresponsive. Server Management Tools 1. Service Management After the DeviceOn standalone version has been installed, a “Server Control” icon should show up in the system tray. If it does not show up for some reason, please go to the installation path and launch the program (ServerControl.exe) manually as shown here: C:\Program Files\Advantech\DeviceOn Server\Tools\Server Management
  • This capability enables automated scheduled backups of the DeviceOn server configuration and relational databases, excluding MongoDB sensor data repositories, with configurable backup retention policies. The integrated migration utility facilitates restore operations in failure scenarios, restoring the system to previous known working states. :::info Note that backup archives created with TPM encryption enabled during initial server deployment can only be restored to identical TPM hardware modules. Additionally, restore operations are constrained to the same DeviceOn server version as the backup origination instance. ::: Enable System Schedule Backups Login to DeviceOn portal.
  • What's DeviceOn? A surge in market demand for Industrial IoT products has rapidly increased the number of connected devices that are currently deployed and managed across different locations. It is essential to effectively manage, monitor, and control thousands of connected devices while ensuring uninterrupted service. Devices must work properly and securely after they have been deployed - without requiring frequent visits from service technicians. Customers require secure access to their devices in order to detect, troubleshoot, and undertake time-critical actions. With Advantech’s DeviceOn, users can swiftly utilize onboard devices, efficiently monitor device health status, and securely send software and firmware updates over-the-air (OTA) on-site and remotely at scale. Advantech’s brand-new designed IoT device operations and management App solution gives users a transformational plug-and-play experience. Beginning with onboarding devices, DeviceOn’s zero-touch IoT tech seamlessly registers Advantech hardware systems with identity security and field site settings. A fast and simple setup helps provide instant intelligent edge onboarding, data acquisition, and status visualization at the device operations center. Power on/off, troubleshooting, and mission-critical actions are available at the tap of a button for quick and easy access. OTA software updates itself securely by sending software patch, firmware, software, and configuration updates through batch provisioning. The App is designed to ensure maximum efficiency in IoT device operations and management. Power up your IoT devices with this hardware and software integrated solution. Get the most out of the DeviceOn’s features with predictive device maintenance like IPC HDD lifecycle prediction, analytics-based dashboard and automated event alerts. 
In bringing artificial intelligence to your IoT needs, Advantech delivers improved risk management, faster daily operations, and better device performance while improving business value and intelligence through the extraction of big data. DeviceOn is compatible with all Advantech hardware systems and works on popular platforms and services like the WISE-PaaS public/private cloud, Microsoft Azure, VM on-premises, and Kubernetes. Get your DeviceOn version on the WISE-PaaS Marketplace and kick-start your new and improved device operations and management experience.
  • What's IEC 62443 The International Electrotechnical Commission (IEC) 62443 comprises a collection of cybersecurity standards specifically designed for safeguarding industrial automation and control systems (IACS). This comprehensive framework encompasses various sections that address the critical aspects of securing automation and control systems in terms of processes and technological considerations. Within the IEC 62443 standard, security topics are categorized based on the stakeholders and their respective roles, which include IACS product manufacturers, service providers, and operators. It is imperative for individuals and organizations fulfilling these roles to adhere to the recommended risk-based approach in order to effectively prevent and mitigate security risks. A Breakdown of the IEC 62443 Standards There are four parts to the IEC 62443 standards. The first part covers common topics for the whole standards series. The second part covers IACS security processes and techniques. The third part defines system-level requirements, while the fourth part details IACS product and component requirements. The standards propose a cybersecurity management system (CSMS) with the following elements:
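  • The following experiments were carried out under the settings below: :::info RabbitMQ Server: fail_if_no_peer_cert = false RabbitMQ Client: verification server certificates=false and verify_none ::: Experiment: test whether the server certificate and the client certificate must match, and how the verify setting in the server configuration (verify_peer/verify_none) affects the connection. Based on the experiment results: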
  • :::info :bulb: DeviceOn's license management system allows you to manage your own licenses. These licenses are used to activate and bind the number of devices that can be managed by the DeviceOn server. In this system, you can transfer licenses to other users. You can also freely split a single license into multiple licenses. For example, if you have 1 license for 100 devices, you can split this into 10 licenses for 10 devices each. The minimum unit is 1 device. Additionally, you can bind multiple licenses to a single DeviceOn server. The license system lets you manage licenses. Licenses activate and limit device connections. You can transfer licenses between users. You can split a license into smaller licenses. Smallest license is for 1 device.
  • After installing DeviceOn, there will be an icon in the lower right corner of the screen. Right clicking on the icon will show you the status of each 3rd-party service. If one of the services is not green, you can try to repair it with the following section. Normally, the status of all 3rd-party services should show a green light, as shown above. :::warning If there is no icon at the bottom right corner, please click -> DeviceOn Server -> ServerControl to execute it. ::: Steps to Repair Integrations with External Services for DeviceOn PostgreSQL
  • Before you access your AMT devices through the DeviceOn server, you should connect your AMT devices to the OpenAMT server and complete the related OpenAMT configuration. This document shows you how to configure it. There are two topics we will cover in this document. The first part will show you how to get the GUID of your AMT devices. The other part will show you how to configure it in the portal of the DeviceOn server. Environment Checking Before working through the SOP, you must meet the following prerequisites: Completed the setup of the OpenAMT portal and checked that it is available. Hardware A development system At least one Intel vPro® Platform
  • App Store is another powerful feature DeviceOn provides. Users can install software applications onto a device remotely, or onto many devices at once. This lab guides you through uploading and wrapping your application for the on-premises App Store. After this lab, you should: Learn how to wrap your software for remote provisioning. Have Notepad++, a popular text editor, populated within the target device. Prerequisite A running DeviceOn server.
  • This section shows you how to connect to the DeviceOn server through x509. There are two topics we will cover in this document. The first part will show you how to get the credential files from the DeviceOn server. The other part will show you how to configure WISE-Agent and make it connect to the DeviceOn server through x509. Prerequisite Your operating system should have the following software installed. DeviceOn Server of a version greater than 4.4.2 WISEAgent OpenSSL
  • WISE-Agent connects to the DeviceOn server using the Credential URL and IoT Key, which are set in agent_config.xml. If you have many devices (each with WISE-Agent installed) that need to connect to the server, it takes time to modify agent_config.xml on each device. For this reason, we built in the “Local Provision” plugin to speed up the process. You will learn how to trigger all local devices to connect to the server with the same Credential URL and IoT Key. The WISE-Agent local provision plugin sends the Credential URL and IoT Key to other local agent devices so that they can connect to the server successfully. In the following figure, you can send a trigger command with a Windows GUI tool to make devices A and B connect to a server. Prerequisite All devices must have WISE-Agent installed. All devices and the control PC must be in the same local network (the multicast packets will not be filtered)
  • For device protection, Windows has many useful features built in natively. For instance, function key protection disables Ctrl, Alt, and WinKey. UWF protection guarantees that your disk C (System Partition) rolls back to the original state after you reboot the Windows operating system. This lab guides you through enabling Windows lockdown features and activating/deactivating them via the DeviceOn portal. After this lab, you should: Learn how to enable “Keyboard Filter” and “Unified Write Filter” (a.k.a. UWF) in Windows lockdown features. Know what lockdown features can be controlled via the DeviceOn portal. Prerequisite A running DeviceOn server.
  • Grafana is open-source software for monitoring and analysis. One of its major characteristics is that it supports many different data sources, from the popular CloudWatch, Elasticsearch, Graphite, and InfluxDB, to OpenStack Gnocchi or Google Calendar. Its range is very extensive. However, other data sources require implementing SimpleJson to access your data. DeviceOn natively supports SimpleJson APIs and a data source plugin for Grafana. This lab guides you through visualizing device data via a Grafana dashboard. Prerequisite A running DeviceOn server. A running Grafana service with the DeviceOn data source plugin. A device with WISE-Agent installed that connects to the DeviceOn server.