Linux device readiness for the Microsoft security and management suite
Through a combination of rich cloud services and compact, efficient device-side components, Microsoft provides fundamental security and management capabilities for Azure-IoT-connected devices. These capabilities include threat management, workload management, configuration management, and update management.
Enterprises and solution builders consistently want to focus at the top of the stack: for example, differentiated value through AI, operational insights, and customer experiences. Microsoft provides off-the-shelf security and management services so that you or your customers can focus on differentiation rather than re-inventing fundamentals.
When you include Microsoft's free-to-install components in your devices, you or your customers will be ready to activate and use Azure management and security features at any time. Adding device-side components later in the design or deployment lifecycle can be slow and costly, so we encourage builders to include these device-side components early in the lifecycle.
Azure IoT Edge is Microsoft's tool for remotely and securely deploying and managing cloud-native workloads on IoT devices. By using IoT Edge, you can:
Deploy Azure IoT Edge on premises to break up data silos and consolidate operational data at scale in the Azure cloud.
Remotely and securely deploy and manage cloud-native workloads, such as AI, Azure services, or your own business logic, to run directly on your IoT devices.
Optimize cloud spend and enable your devices to react faster to local changes and operate reliably even during extended offline periods.
Defender for IoT provides a comprehensive set of security features and capabilities that device builders can integrate into their products during the development process. This helps to secure devices from the ground up and reduces the risk of vulnerabilities and attacks. The solution can be customized to meet the specific security needs of different IoT devices and can be integrated with the device builder's existing development tools and processes. With Defender for IoT, you can:
Comply with industry regulations and standards: Defender for IoT helps device builders to comply with relevant security regulations and standards, such as the NIST Cybersecurity Framework, by providing a comprehensive set of security controls.
Proactively monitor the security posture of an IoT device: Defender for IoT provides security posture recommendations based on the CIS benchmark, along with device-specific recommendations. With the micro-agent, users can also get visibility into operating system security, including OS configuration, firewall settings, and permissions.
Secure your products against cyber threats: The solution provides real-time monitoring and protection (EDR - Endpoint Detection and Response) against malware, hacking, unauthorized access, and other security threats, helping to ensure the security of IoT devices throughout their lifecycle.
Ensure interoperability with Microsoft SIEM/SOAR and XDR to stop attacks with automated, cross-domain security and built-in AI.
In summary, Defender for IoT provides device builders with a comprehensive set of security features and capabilities that help to secure IoT devices from the ground up and reduce the risk of vulnerabilities and attacks. It enables device builders to deliver secure, compliant, and trustworthy IoT products to their customers.
Device Update for Azure IoT Hub is a service that enables you to deploy over-the-air updates for your IoT devices.
As Internet of Things (IoT) solutions continue to be adopted at increasing rates, it's essential that the devices forming these solutions are easy to connect and manage at scale. Device Update for IoT Hub is an end-to-end platform that customers can use to publish, distribute, and manage over-the-air updates for everything from tiny sensors to gateway-level devices.
To realize the full benefits of IoT-enabled digital transformation, customers need the ability to operate, maintain, and update devices at scale. Device Update for IoT Hub unlocks capabilities like:
Rapidly responding to security threats
Deploying new features to obtain business objectives
Avoiding the extra development and maintenance costs of building your own update platforms.
IoT Hub's Automatic Device Management and twin-based workflows link with Microsoft's OSConfig component on devices to deliver end-to-end configuration management. For example:
Automatically provision firewall rules to devices, at deployment time, based on the device's site or role
Audit network configuration on individual devices or at-scale
Troubleshoot and diagnose devices
Automatically configure package manager sources, so devices pull packages from your approved repositories
Get and set host names, hosts files, etc.
Get device information including hardware properties, OS version properties, or security processor status
Remotely reboot a problematic device, or many devices on a schedule
The remainder of this document focuses on how to prepare devices by installing the requisite device-side components. For more information on the cloud services and operational usage scenarios, see Next steps.
Which device-side components to install, and how to install them
List of device-side components

Component: Azure IoT Edge runtime, or for smaller devices the Azure IoT Identity Service
Notes: The Edge runtime is best known for container management, but it also provides several additional services on the device. The Identity Service sub-component enables all the components on the device to work seamlessly with your IoT Hub. For full functionality, install the IoT Edge runtime (package aziot-edge), which includes the Identity Service. For smaller devices that will not run containers, you can install just the Identity Service (package aziot-identity-service) to save space. For installation details, see the following section of this article.

Component: Microsoft Defender for IoT
Notes: For installation details, see the following section of this article.

Component: Device Update for IoT Hub
Notes: For installation details, see the following section of this article.

Component: Microsoft OSConfig
Notes: For installation details, see the following section of this article.
At this time, the Edge Config Tool v2 does not install a Device Update client.
Installation packages for each component of the suite are available on packages.microsoft.com.
At this time, package availability varies by distro and CPU architecture. For example, all components have packages published for Ubuntu Server 18.04 (x86_64 and AArch64), and some components have packages available for many additional Linux environments. If you are using a distro or CPU architecture where no package is available for a given component, consider the build-from-source path.
Create device identity in the cloud
In IoT Hub, establish an identity for the device as in this example: Register your device
Note
Skip the above step if you are only pre-installing software at this time (not connecting to Azure)
For simplicity this example uses a manually provisioned symmetric key. For production scale and security, rich options are available such as x.509-based authentication, and at-scale identity provisioning through the Device Provisioning Service.
Install first package
Add packages.microsoft.com as a package source on the device, and install IoT Edge (or just the Identity Service for smaller devices), as in this example: Install IoT Edge
Note
For smaller devices which will not run containers, modify the above step as follows:
Do not install a container engine
Install the aziot-identity-service package instead of aziot-edge
Skip the device-identity provisioning in the above step if you are only pre-installing software at this time (not connecting to Azure).
For smaller devices with just the Identity Service rather than the full IoT Edge runtime, use the command-line tool aziotctl rather than iotedge in the above step. Although the tools have different names, they take the same arguments for setting up the device identity.
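The steps of this section (register the identity, add packages.microsoft.com as a package source, install either the IoT Edge runtime or only the Identity Service, provision with a symmetric-key connection string, and verify) collected into one script. This is an added example, not a script from the article or from the IoT Edge project. It assumes an apt-based distro (Debian or Ubuntu); that the packages-microsoft-prod.deb for your distro is published under config/<ID>/<VERSION_ID>/ (some combinations, such as Ubuntu 18.04 on AArch64, use a multiarch/ sub-path, so confirm the path in the install instructions for your distro); that the Azure CLI with the azure-iot extension is available on an operator workstation for register_device; and that the device connection string is supplied in the IOTHUB_DEVICE_CONNECTION_STRING environment variable. The function names and the RUN_DEVICE_PREP switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: prepare a Debian/Ubuntu device with the
# Azure IoT Edge runtime (mode "edge") or only the Azure IoT Identity Service
# (mode "small"), then provision it with a manually created symmetric-key identity.
# Assumptions: apt-based distro; packages-microsoft-prod.deb lives under
# config/<ID>/<VERSION_ID>/ (verify for your distro/arch); the Azure CLI with the
# azure-iot extension is present on the operator workstation for register_device.
set -eu

# Packages for each mode. aziot-edge depends on aziot-identity-service, so the
# "edge" mode needs only the runtime plus a container engine; "small" skips both.
pick_packages() {
    case "$1" in
        edge)  echo "moby-engine aziot-edge" ;;
        small) echo "aziot-identity-service" ;;
        *)     echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# CLI that writes and applies /etc/aziot/config.toml. Both tools accept the same
# "config mp" / "config apply" / "check" arguments.
pick_tool() {
    case "$1" in
        edge)  echo iotedge ;;
        small) echo aziotctl ;;
        *)     return 1 ;;
    esac
}

# Parse ID and VERSION_ID from an os-release file (path is a parameter so it can be tested).
distro_from_os_release() {
    os_id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
    os_ver=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"')
    echo "$os_id $os_ver"
}

# URL of the .deb that registers packages.microsoft.com and installs the Microsoft
# signing key, so apt verifies every later package. The path layout is an assumption.
repo_config_url() {
    echo "https://packages.microsoft.com/config/$1/$2/packages-microsoft-prod.deb"
}

add_package_source() {
    set -- $(distro_from_os_release /etc/os-release)
    tmp=$(mktemp)
    curl -fsSL "$(repo_config_url "$1" "$2")" -o "$tmp"
    dpkg -i "$tmp"
    rm -f "$tmp"
    apt-get update
}

install_components() {
    # shellcheck disable=SC2046  (word splitting of the package list is intended)
    DEBIAN_FRONTEND=noninteractive apt-get install -y $(pick_packages "$1")
}

# Operator-side step (Azure CLI): create the identity and print its connection string.
# Pass "--edge-enabled" as the third argument for a device that will run IoT Edge.
# The string carries the device's shared access key, so feed it straight into the
# provisioning step or a secrets store rather than leaving it in shell history.
register_device() {
    hub=$1; device=$2; edge_flag=${3:-}
    az iot hub device-identity create --hub-name "$hub" --device-id "$device" $edge_flag
    az iot hub device-identity connection-string show \
        --hub-name "$hub" --device-id "$device" --output tsv
}

# Device-side step: the connection string comes from the environment, not argv,
# so it does not end up in the shell history of whoever ran the script.
provision() {
    tool=$(pick_tool "$1")
    : "${IOTHUB_DEVICE_CONNECTION_STRING:?export the device connection string first}"
    "$tool" config mp --connection-string "$IOTHUB_DEVICE_CONNECTION_STRING"
    "$tool" config apply
    "$tool" check        # non-zero if the identity service cannot reach the hub
}

main() {
    add_package_source
    install_components "$1"
    provision "$1"
}

# Only act when explicitly asked, so the functions can be sourced or tested safely:
#   IOTHUB_DEVICE_CONNECTION_STRING='HostName=...' RUN_DEVICE_PREP=1 sudo -E sh prep.sh small
if [ "${RUN_DEVICE_PREP:-0}" = "1" ]; then
    main "${1:-edge}"
fi
```

For a pre-install-only build (no Azure connection yet), run add_package_source and install_components and leave provision for the field; the `check` subcommand is the first thing to run once a connection string is available, because it reports whether the daemon can actually reach the hub with the identity it was given.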
Building from source is the most flexible approach when you need to adapt the device-side components to your unique devices, distros, or CPU architectures.
Microsoft is working with partners to enable the ecosystem to buy devices with the components already installed. For example, the Edge Secured-core (Preview) program requires that devices implement a hardware-backed security posture (Secure Boot and related protections) and include these components for Azure security and management.
In the meantime, some devices are already reaching the catalog with a subset of the suite included. For example, the following devices already include the IoT Edge runtime, the Defender for IoT component, and the OSConfig component: