Identity

The identity of a device

Internally the Mender Server assigns a unique, unchangeable identifier to each Device called the Device ID. The Device ID does not have a directly visible relation to any Device attributes.

To ensure devices can also be uniquely recognized by humans, there is also a set of key-value pairs called Device identity. The MAC address of a network interface controller, a serial number, or the eMMC CID are all pieces of data that:

  • do not change over the lifetime of a device
  • are human-readable
  • form a 1:1 relationship with the device
  • can be stored as key-value pairs

The Mender Client uses the MAC address as the default Identity attribute. Once you have accepted the device, you can see it in the UI.

The Mender Client allows you to define the identity attributes, which means that Mender can adapt to the identity scheme of any environment. However, Mender imposes the following requirements for device identities:

  • The combination of the attribute values must be unique to each device, so that identities are not ambiguous when deploying software.
  • Identity attributes must never change for the lifetime of a device, so that the Mender Server can recognize them reliably.

It is important to have the ability to regenerate keys if a device gets compromised, or as a recurring proactive security measure. Therefore, we do not recommend using device keys as part of an identity, because rotating or regenerating keys over the lifetime of the device would in effect change the identity and so make rotation difficult.

When a device requests authentication, it includes the identity attributes. The Mender Server computes the persistent identity of the device based on these attributes.
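The two identity requirements above (unique attribute combination, no key material) and the server-side derivation of a persistent identity can be checked with a small helper. This is an added example, not Mender's own code; the attribute names, the SHA-256 derivation and the sample fleet are constructed for illustration.

```python
"""Added example: check a fleet's identity attribute sets against the
requirements of the page. Hypothetical helper code, not the Mender Server."""
import hashlib
import json

# Attribute names that carry key material. Keys must stay rotatable, so they
# must never be part of an identity (constructed list for this example).
KEY_MATERIAL_ATTRS = {"public_key", "private_key", "device_key"}


def canonical_identity(attrs: dict) -> str:
    """Return an order-independent digest of an identity attribute set.

    Sorting the keys makes {"mac": .., "serial": ..} and {"serial": .., "mac": ..}
    identical, so the same device always maps to the same persistent value.
    """
    if not attrs:
        raise ValueError("identity needs at least one attribute")
    for name, value in attrs.items():
        if name in KEY_MATERIAL_ATTRS:
            raise ValueError(f"attribute {name!r} is key material, not identity")
        if not isinstance(value, str) or not value:
            raise ValueError(f"attribute {name!r} must be a non-empty string")
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def find_duplicate_identities(fleet: list) -> list:
    """Return attribute sets whose value combination repeats an earlier device.

    Such devices are ambiguous to the server: a deployment targeted at one
    of them cannot be distinguished from a deployment targeted at the other.
    """
    seen = set()
    duplicates = []
    for attrs in fleet:
        digest = canonical_identity(attrs)
        if digest in seen:
            duplicates.append(attrs)
        seen.add(digest)
    return duplicates


# Constructed sample fleet: the first two devices share a MAC but differ in
# serial (still unique), while the third repeats the first device's values.
SAMPLE_FLEET = [
    {"mac": "02:00:00:00:00:01", "serial": "SN-0001"},
    {"mac": "02:00:00:00:00:01", "serial": "SN-0002"},
    {"serial": "SN-0001", "mac": "02:00:00:00:00:01"},
]

if __name__ == "__main__":
    print(find_duplicate_identities(SAMPLE_FLEET))
```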

Please refer to the client installation section for a detailed tutorial on managing Device identities.

Identity in the context of a System

When orchestrating updates across a System (see Orchestrate updates) it is important to distinguish between two distinct layers of identity. The first is the System device identity, which is what is described above. The second is the Component identity, which identifies the specific peripherals managed by the System device. Unlike the System device identity, a Component's identity is defined within the scope of the System: it only needs to be unique within that System, and it can change when a Component is replaced.

All Component identities are provided by the Components themselves using the Identity call in the corresponding Interface, described in Interface Protocol. The Component identities are reported to the Mender Server by the System device as part of its inventory.