Manage accounts, groups and users

Device Management supports the following users:

  • Developers:

    • Embedded developers create the software that runs on IoT devices. They use the cloud to collect information those devices generate.
    • Application developers, or cloud system integrators, create applications that communicate with and control IoT devices with Device Management. These applications can run on a server, a mobile phone and so on. They use Device Management to access device information and potentially to send commands and new information to the device.
  • Manufacturers and operators who need to produce, deploy and update large numbers of IoT devices and want to automate as much of the process as possible.

Teams

To use Device Management, you need an organization account. This is called a Team in Device Management Portal. A Team contains your users and API keys. If you are using the free tier account, you can create a team directly in the portal, and do not need Arm to create a Team on your behalf.

Note: The first user added to a Team has administrator rights.

There are several types of Team account, each with a different usage limit. The account types and their limits are documented separately.

Groups and users

As the Team administrator, the first thing to do is add users so that your team can start working.

You can also choose to enhance the level of security for all portal user accounts in your team by enforcing two-factor authentication. Refer to Maintaining account security for instructions on how to do this.

User groups

With both free and commercial accounts, you can add users to one or more user groups. By default, the available groups are Developers and Administrators:

  • A developer cannot control other users and groups, or access the manufacturing workflow. Users in this group can manage their own API keys.
  • An administrator can perform all actions, such as:
    • Invite users.
    • Remove users.
    • Reset passwords.
    • Manage API keys.
    • Create new groups.

Creating a new group

If you are using Secure Device Access, you may want to create a new group for a different type of user, such as service technicians. For more details, refer to the documentation about creating groups for Secure Device Access.

Creating new identity providers

If you are an administrator, you can create new IdPs as follows:

  1. Navigate to Team configuration.
  2. Select Identity and security.
  3. Click New ID provider.
  4. Enter your IdP details:
    • Name of your IdP, max 100 characters.
    • Description for the IdP (optional).
    • IdP entity ID. It must match the actual entity ID provided by the IdP.
    • SSO URL for the IdP's Single Sign On action.
    • SLO URL for the IdP's Single Log Out action.
    • Service Provider entity ID (optional). We recommend you leave it unspecified here, as it will be generated. It is always specific to the IdP/SP relation.
    • Signing certificate for the Identity Provider in PEM format (optional).
      • To add multiple signing certificates, click Add another certificate.
  5. Click Save.
  6. Invite new users with your new IdP.

Note: When you have saved your settings, you can fetch the SP metadata as an XML file from the metadata endpoint once the IdP ID is known (https://api.us-east-1.mbedcloud.com/auth/saml2/{identity_provider_id}/metadata).

In addition, you must set the following in the IdP, not in the portal:

  • Name ID format of your IdP as "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
  • IdP's AudienceRestriction with the SP entity ID, for example <saml:Audience>https://sp.example.com/SAML2</saml:Audience>.
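As an added pre-flight check (not part of the Device Management product or its documentation), the following Python parses a constructed sample SAML response and verifies that the two IdP-side settings above (the emailAddress Name ID format and an AudienceRestriction carrying the SP entity ID) plus the IdP entity ID entered in the portal all line up; the entity IDs, email address and sample assertion are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REQUIRED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # required by the portal

# Constructed sample response; entity IDs and the email address are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_idp_settings(response_xml, expected_idp_entity_id, expected_sp_entity_id):
    """Return a list of mismatches against the IdP-side settings the portal requires.

    An empty list means Issuer, NameID format and AudienceRestriction all match
    what was entered in the New ID provider form. This is a configuration check
    only; it does not verify the XML signature on the assertion.
    """
    problems = []
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if not assertions:
        return ["response contains no saml:Assertion"]
    for assertion in assertions:
        issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != expected_idp_entity_id:
            problems.append(f"Issuer {issuer!r} does not match the IdP entity ID")
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        fmt = name_id.get("Format", "") if name_id is not None else ""
        if fmt != REQUIRED_NAMEID_FORMAT:
            problems.append(f"NameID format {fmt!r} is not emailAddress")
        audiences = [a.text.strip() for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_sp_entity_id not in audiences:
            problems.append(f"AudienceRestriction {audiences} lacks the SP entity ID")
    return problems
```

Run it against a test response captured from your IdP (with the SP entity ID taken from the generated metadata) before inviting users, so a misconfigured Name ID format or audience is caught before the first login fails.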

Creating additional users

You can invite users to the Team through the portal:

  1. Log in to your administrator account.
  2. Go to Access management > Users.
  3. Click Invite new user. A form opens.
  4. Specify an email address and group.
  5. Specify the identity provider used to authenticate the user:
    • Native means that the user has to log in with a Pelion account.
    • Mbed.com (OIDC) means that the user has to log in with an Mbed.com account.
    • Additional identity providers may be available depending on your account.
  6. An invitation email is sent to the address you specified in the form. The email includes an activation link.
  7. When the user clicks the link, they can complete the registration process. This gives them a Device Management account.
  8. The account administrator receives an email saying that the invitation has been accepted.
  9. The user also gets a 'welcome to the team' mail.

Tip: You can add an existing user to other team accounts. The user won't have to complete a second registration process. An email notification to the user tells them you have added them to another team.

For commercial accounts, the account management API allows the direct creation of additional users. In this case, you have to communicate the login credentials (email address and password) to each user yourself. This feature is not visible in the Portal.

Editing user information

For an existing user, you (as an administrator of the team) can do the following:

Change the group association:

  1. Navigate to Access management.
  2. Select Groups. The groups are listed.
  3. Click the desired group.
  4. Click Add users to the group. The users are listed.
  5. Select the desired users.
  6. Click Add users to the group.
  7. Enter your password to confirm the change.

Reset a user's password:

This feature is useful if, for example, a user's account is compromised.

  1. Log in to your administrator account.
  2. Go to Access management > Users.
  3. The table lists all users in your team. Select the user whose password you want to reset by clicking the user's name. The User details view opens.
  4. Click the Security tab.
  5. Click the Reset password button.
  6. Device Management generates a single-use password that you need to give to the user.
  7. When the user logs in with the single-use password, the user must create a new password. If the user fails to complete the process, you need to generate another single-use password.

Revoking a user's access rights

If you are suspicious of a user's actions, you may delete their profile. You will be able to recreate the user later if you need to.

Resetting your own password

You can reset your own password from the login page by clicking the "Forgot your password?" link and entering the email address associated with your account. You receive a link in your email, which lets you set a new password. All users have this privilege for their own accounts.