Devices & lifecycle
A device is the unit of the fleet. Each one runs a small agent — a single static binary — that proves the device's identity, reports what hardware it is, keeps a live connection to the platform, and applies updates with verification and rollback. Nothing about a device is taken on trust from the request it sends; its identity comes from the certificate it presents on every connection.
Enrollment and registration
A device joins by enrolling with a short-lived token and a key it generates locally, receiving back a signed certificate. From then on it registers over mutual TLS. Registration is idempotent: the same device certificate always maps to the same device record, so re-registering simply refreshes the device's reported hardware profile, agent version, and tags rather than creating a duplicate.
See Enroll a device for the operator flow and Device identity for why the key never leaves the box.
The hardware profile
On registration the agent reports what the device actually is, detected from the running system rather than declared by hand:
| Field | Example |
|---|---|
| Model | NVIDIA Jetson Xavier NX Developer Kit |
| SoC | nvidia-jetson-xavier-nx |
| Architecture | arm64, amd64 |
| RAM / CPU cores | physical memory and core count |
| Accelerators | nvidia-gpu, google-edgetpu |
| OS / kernel | OS pretty-name and kernel version |
This profile is what later lets a heterogeneous fleet be targeted by what devices
can run, not by a single golden image. Free-form tags (for example
site=plant-7) can also be set to carry your own grouping dimensions.
Heartbeats and liveness
The agent heartbeats on an interval the server sets (and can widen to back off large fleets). Each heartbeat returns the device's desired state — the artifact assignments it should converge on — and the agent reconciles against what is installed. A device whose last heartbeat is older than three times its interval is shown as offline; it is still enrolled, just not currently reachable.
Status and reporting
As a device applies an assignment it reports progress through distinct states — downloading, verifying, applying, healthy, rolled back, or failed — so an operator watches real convergence, not a fire-and-forget push. Only metadata flows back; the platform never inspects the contents of your payloads.
When deeper diagnosis is needed, an operator can request a log bundle. The agent collects only from an allowlisted source — its own service journal — gzips it, and uploads it. There is no arbitrary-path read and no remote shell.
Retirement
A retired device is decommissioned, not merely deleted. The platform refuses its identity going forward, and the next time the device learns it has been offboarded it wipes its own key material and exits permanently. The device's record and its history remain in the audit trail; a decommissioned device is excluded from new rollout targeting so it can never leave a wave stuck waiting on a box that will never report again. A decommissioned device can be reactivated if it returns to service.