Provisioner

What Is a Provisioner?

A Provisioner is a device in a Bluetooth Mesh network that is authorized to add new, unprovisioned devices to the network through the provisioning procedure. It manages the initial key distribution, address assignment, and post-provisioning configuration that transforms a standalone BLE device into a functioning mesh node.

Typical Provisioner Implementations

The most common provisioner is a smartphone running a mesh commissioning app. The app scans for unprovisioned device beacons, guides the user through authentication (OOB code entry, QR scan), and distributes network credentials. Other provisioner form factors include dedicated gateways, industrial tablets, and cloud-connected commissioning stations.

Responsibilities

A provisioner handles several critical functions:

• Address allocation -- assigning unique unicast addresses from a managed address pool. Each node's elements receive consecutive addresses, and the provisioner must track which ranges are in use to avoid collisions.
• Key management -- generating and distributing Network Keys (NetKeys) and Application Keys (AppKeys). A network may have multiple subnets with different NetKeys, and the provisioner decides which keys each node receives.
• Device database -- maintaining a composition data record for each provisioned node, including its elements, models, and capabilities. This database enables remote configuration after provisioning.
• Configuration -- using the Configuration Client model to set publication/subscription addresses, bind AppKeys to models, and enable features like relay or proxy.

Security Considerations

The provisioner is the most security-sensitive entity in the mesh network. Compromising the provisioner grants access to the NetKey and all AppKeys, effectively owning the network. Best practices include:

• Securing the provisioner app with device-level authentication (biometrics, PIN).
• Encrypting the device database at rest.
• Limiting provisioner authority to specific subnets in large networks.
• Revoking the provisioner's keys and re-provisioning if the device is lost or compromised.

Multiple Provisioners

The Bluetooth Mesh specification allows multiple provisioners in a single network, but they must coordinate to avoid address conflicts and key inconsistencies. The typical approach is to use a cloud-based backend that synchronizes the device database and address pool across provisioners. Without coordination, two provisioners might assign the same unicast address to different nodes, causing routing failures.

Provisioner vs. Configuration Client

While the provisioner performs the initial provisioning (key + address assignment), the Configuration Client model handles ongoing management. In practice, these roles are usually combined in the same device. However, some architectures separate them: a lightweight provisioner handles onboarding, while a dedicated management station (gateway) handles ongoing configuration changes. This separation improves scalability for large deployments with hundreds of nodes.