Enroll a device

Onboarding a device is one command. By the end of it the device has its own identity, the trust anchor it needs to verify updates, and a running agent that is already heartbeating into the fleet.

1. Mint an enrollment token

In the console, open Devices → Add device. This creates a short-lived enrollment token, bounded by an expiry and a use budget and revocable at any time. The console then renders the exact one-line install command with the token and URLs already filled in.

A token is a bootstrap credential, not a long-term secret: it authorizes a device to enroll once, and is consumed even if signing fails — so a stolen token cannot be used to probe the endpoint for free.
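The consume-before-sign behaviour described above, modelled as an added example (not Meshanics code): the use budget is spent before the signer runs and is not refunded when signing fails. The TokenStore class, the toy_sign stand-in, the token format and hashing the token at rest are all assumptions of this sketch.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

class EnrollmentError(Exception):
    """Raised when a token is rejected or signing fails."""

@dataclass
class TokenRecord:
    expires_at: float       # absolute expiry, epoch seconds
    uses_left: int          # remaining use budget
    revoked: bool = False

def _key(token):
    # Assumption: the store keeps only a hash of the token, never the plaintext.
    return hashlib.sha256(token.encode()).hexdigest()

class TokenStore:
    def __init__(self):
        self._records = {}

    def mint(self, ttl_seconds, uses, now=None):
        now = time.time() if now is None else now
        token = "mesh_" + secrets.token_hex(10)   # constructed format
        self._records[_key(token)] = TokenRecord(now + ttl_seconds, uses)
        return token

    def revoke(self, token):
        self._records[_key(token)].revoked = True

    def uses_left(self, token):
        return self._records[_key(token)].uses_left

    def redeem(self, token, csr, sign, now=None):
        """Spend one use, then attempt signing. No refund on failure."""
        now = time.time() if now is None else now
        rec = self._records.get(_key(token))
        if rec is None or rec.revoked or now >= rec.expires_at or rec.uses_left <= 0:
            raise EnrollmentError("token rejected")
        rec.uses_left -= 1      # consumed BEFORE the signer is called
        return sign(csr)        # may raise; the budget stays spent

def toy_sign(csr):
    # Stand-in for the real CA: accepts only a constructed "CSR:<name>" string.
    if not csr.startswith("CSR:"):
        raise EnrollmentError("signing failed")
    return "CERT-FOR:" + csr[4:]
```

Because the decrement happens before sign() is called, a malformed request costs the caller a use, so each probe of the endpoint spends budget.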

2. Run the installer on the device

Copy the rendered command and run it on the device:

curl -fsSL https://<your-domain>/install.sh | sudo sh -s -- \
  --token mesh_xxxxxxxxxxxxxxxxxxxx \
  --name jetson-line7-01

The installer:

  • downloads the agent binary that matches the deployed control plane,
  • generates the device's private key locally and builds a certificate signing request from it,
  • enrolls with the token and receives back its signed certificate, the trust anchor, and its configuration,
  • installs a hardened service unit and starts the agent.

The private key never leaves the device. Re-running the installer on the same device re-enrolls it with a fresh key and certificate.

3. Confirm it appears

Within a heartbeat the device shows up in Devices, live, with its detected hardware profile (SoC, architecture, memory, accelerators). Its enrollment is recorded in the audit trail.

Air-gapped devices

Where a device has no path to the internet, the same identity can be provisioned from removable media instead of an online token exchange. The agent verifies every update the same way regardless of how it was enrolled.
