As currently implemented, anyone with an email address can create an InControl2 (IC2) account. If a person has the serial numbers of Peplink devices, they can enter them into any IC2 account to which they have access as their devices. Currently there is no verification of device ownership in IC2.
If a person has malicious intent, they can cause havoc for legitimate IC2 users. For example, if an Enterprise Customer (EC) that purchases devices in bulk for later installation has a disgruntled employee, the employee can record inventoried device serial numbers. The employee can then enter them into their own, not the EC’s IC2 account. When the legitimate owner of the devices (the EC) then tries to enter the devices into IC2 they are told the devices are already in IC2 and belong to someone else. When they ask Peplink who the owner is Peplink won’t say due to legitimate legal and privacy concerns. The EC then calls their supplying VAR and accuses the VAR of having sold them used devices. As I said, havoc, all because there is no control in IC2 governing new device additions.
I am a VAR with multiple ECs as customers. Several have almost a thousand Peplink devices each. One of them is dealing with this exact situation. In their case it was caused by their poor internal training and lack of controls, not a malicious employee, but it’s the same exact situation.
Peplink needs to implement an enhancement to the current device sale registration system that requires VARs to supply an initial authorized user and email address for a device as part of sales registration. This info needs to flow to IC2 immediately. IC2 needs to be enhanced so that only someone with those credentials can add the device to IC2 and then reassign the device as required. Each VAR should have a default person and email that is entered by the system automatically should a unique customer specific authorized user and email not be available. In this way the VAR can initially access IC2 on behalf of their customer. Operationally however, it is in the best interest of the VAR to collect and input the customer specific authorized username and email address for sales registration.
This is one way of addressing the issue. I’m sure there are others. This needs to be addressed for very large multi-location enterprise customers. It is also necessary to protect Peplink legally. This is not rocket science. It is also not unique. A similar methodology is used by a nameless Peplink competitor (whose devices I also grudgingly supply) to lock down access to their equivalent to IC2.
Every Peplink serial number also contains a checksum. I.e. serial numbers are actually not in serial. So it is very hard to formulate a valid serial number.
InControl has also implemented a protection mechanism. If a user adds a number of invalid s/ns or s/ns that belong to organizations the user does not belong to, the user will be blocked from adding more devices afterward. This will effectively avoid any brute-force s/n addition attacks.
Hope the above explanations can address your concerns.
As a reseller we add the devices sold to our IC2 and invite the customer to their own group to join if they wish. At a later date if requested by the end user we remove from our IC2 and then the user can add the devices to their own IC2 org. This prevents any rouge registrations and assists both small customers and enterprise customers. If we have access to the Enterprise customers IC2, we have also added the devices they bought to an inventory group. This process has worked well for us.
I think a simple option to allow VARs / resellers to have devices automatically registered to an end users IC2 account would certainly be helpful.
As an end customer we just get the serial numbers from the invoices for anything we buy and add them straight into our account into a holding group, if that could be done automatically as part of the sales process that would be helpful for sure and also mitigate the concerns that @lenl has I think.
However, any kind of hard locking so only a singular email or Ic2 account is permitted to claim devices though I can see just leading to pain and I would be strongly against this if it was forced on us.
Consider the scenario of what happens if you sell someone a few hundred devices and only Fred is allowed to register them but Fred is on vacation when they come to claim them, or they leave the company or is run over by a bus and then Jane tries to register them instead - same position you are in now isn’t it - a device that cannot be claimed without faff.
I think the only thing you should need as the seller is the end customers Ic2 ORG-ID and a simple tick box that says “end customer would like these devices adding to this account” when you register the sale and part of the sales process for new customers should probably include getting them setup with an Ic2 account to facilitate this.
A further enhancement Ic2 may be needed here too, the concept of an inventory where we can have devices not in a group but owned by an organisation - Meraki does exactly this, I can have any quantity of devices claimed at the organisational level without them being part of any specific group or network, but it prevents anyone being able to claim those devices into another organisation.
Now, that doesn’t stop someone malicious with the right access removing them and claiming them elsewhere but quite honestly if you’re dealing with that level of malice or incompetence you have other problems and getting the devices back to the right place should be easily resolvable between customer, vendor and seller with some simple paperwork for proof of sale and ownership and physical possession.
Unfortunately, your points, while helpful, do not address the substantive issue that I raised. It is what legally is called a chain of custody. Currently the chain can easily be broken. We need to ensure that that can not happen. The cause can be malicious or lack of proper owner organization execution. It doesn’t matter. The point is that Peplink should not allow anyone who happens to know a valid serial number from “claiming” a device as their own and then preventing the rightful owner from claiming it in IC2.