Install the device agent
One command takes a device from factory-fresh to enrolled in your fleet. The device generates its private key locally — it never leaves the device — and exchanges an enrollment token for a signed identity and the root of update trust.
- 1
Create an enrollment token
In the console, open Devices → Add device. Choose how many devices the token may enroll and how long it stays valid. The token is shown once and stored only as a hash.
- 2
Run the install command on the device
The console gives you the exact command, including your token:
curl -fsSL https://meshanics.com/install.sh | sudo bash -s -- --token <TOKEN>
Add --name line7-cam-03 to override the device name (default: the device hostname). Prefer to read before you run? Download install.sh and inspect it — it is ~120 lines of plain bash.
- 3
Watch it appear
The agent starts as a hardened systemd service, connects over mutual TLS and shows up in the console within seconds — hardware profile, heartbeat and OTA readiness included.
What the installer does
- · Downloads the static agent binary for the device architecture (arm64 or amd64) — a single file, no runtime dependencies.
- · Generates an ECDSA P-256 key on the device and sends a certificate signing request; the control plane signs it only if the enrollment token is valid, unexpired and within its use budget.
- · Installs the fleet CA and the TUF trusted root — the device verifies full signature chains on every future update. There is no unsigned path.
- · Configures the container runtime (podman or docker, if present) to pull application images through the Meshanics facade with the device certificate.
- · Enables skyforge-agent.service with systemd hardening (NoNewPrivileges, ProtectSystem, PrivateTmp).
Requirements
- · Linux on arm64 or amd64 (Jetson, Raspberry Pi, industrial PC…)
- · systemd, plus curl, tar and openssl — present on virtually every distribution
- · Root privileges for the install step
- · Outbound reach to your control plane (ports 443, 9443, 9444); devices never need inbound connectivity
Revoking access
Enrollment tokens can be revoked at any time from the same panel; expiry and use budgets bound the blast radius of a leaked token. Every token creation, enrollment and revocation lands in the append-only audit log that backs your CRA evidence reports.
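The token checks listed under "What the installer does" and the revocation behaviour above, sketched as an added example that is not Meshanics code: a minimal model of a control plane that keeps only a token hash and refuses to sign a CSR for an unknown, revoked, expired or exhausted token. The class, method names, token ID scheme and reason strings are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass


def _digest(token: str) -> str:
    # A fast hash is adequate because the token is 256 bits of randomness.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenRecord:
    expires_at: float   # Unix time after which the token is dead
    uses_left: int      # remaining enrollments (the use budget)
    revoked: bool = False


class EnrollmentTokens:
    """Hypothetical control-plane token store (all names are assumptions)."""

    def __init__(self):
        self._by_digest = {}  # only digests are kept, never the plaintext token

    def issue(self, max_devices: int, ttl_seconds: float, now: float):
        token = secrets.token_urlsafe(32)  # returned once, to show the operator
        token_id = _digest(token)          # what the panel can list and revoke
        self._by_digest[token_id] = TokenRecord(now + ttl_seconds, max_devices)
        return token_id, token

    def revoke(self, token_id: str) -> None:
        rec = self._by_digest.get(token_id)
        if rec is not None:
            rec.revoked = True

    def authorize_csr(self, token: str, now: float):
        """Return (ok, reason). A use is spent only when every check passes."""
        rec = self._by_digest.get(_digest(token))
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "revoked"
        if now >= rec.expires_at:
            return False, "expired"
        if rec.uses_left <= 0:
            return False, "use budget exhausted"
        rec.uses_left -= 1
        return True, "sign CSR"
```

Rejected attempts do not consume the budget in this model, so a leaked token can enroll at most the number of devices chosen at creation, and none once it is revoked or expired.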