Skip to content

Getting Started with XoT Technology™

This guide provides the essential steps to get your first secure connection established using the XoT Management System (XMS), an XoT-Lock, and the XoT-Desktop client. It assumes you have the necessary components ready and focuses on the core workflow.

1. Prerequisites

Before you begin, ensure you have the following components installed and accessible:

  • XoT Management System (XMS): To use XoT Technology, you must have access to a running XMS. This is where you'll manage devices, users, and policies. If you do not have an XMS installation, Xertified can provide one for you, or you can install one yourself: consult the XMS Installation Manual.
  • XoT-Lock(s): At least one XoT-Lock needs to be ready. This can be the software installed on a compatible Linux system or the XoT-S1 hardware appliance. This component protects the asset(s) you want to access.
  • See: Software XoT Installation Guide
  • Client Machine: A computer (Windows or macOS) where you intend to install the XoT-Desktop client. You will need administrator privileges on this machine to perform the installation. This is the machine you will connect from.
  • See: XoT-Desktop Client Installation Guide

2. Preparation

Log in to your XMS web interface. Before enrolling devices or creating policies, it's helpful to define organizational structures. These help categorize your devices and target policies effectively. Create some basic categories that can later be targeted by policies:

  • Device Locations: Hierarchical structure of geographical locations: Country, City, Address, Room
  • Device Types: High level device category.
  • Device Groups: Sub-category of device types.

These attributes will be assigned during XoT-Lock enrollment or from the device page afterwards, and will then be targeted by access policies. You can always add more of these later, but keep in mind that you can only target policies as narrowly as the categorization you have created.

3. Enroll Your XoT-Lock

Enrollment is the process of registering your XoT-Lock with the XMS. This establishes a secure management connection and allows the XMS to configure the XoT-Lock.

The process generally involves:

  1. Obtaining an enrollment URL from the XoT-Lock (either via QR code on XoT-S1 or a command on Software XoT).

  2. Navigating to this URL in a browser connected to the XMS.

  3. Logging into XMS and following the Enrollment Wizard, where you will name the device and assign the Location, Group, and Type you prepared earlier.

  4. For detailed steps, see: Enrolling XoTs Guide

4. Create Client Configuration for XoT-Desktop

To allow a user (and their XoT-Desktop client) to authenticate and connect, you need to generate a client configuration package from the XMS.

  1. Ensure the user exists in XMS (either via Keycloak or synced from Entra ID) and has appropriate XMS Access rights assigned. See: Adding Users Guide
  2. Navigate to "Create Client Configuration" in the XMS.
  3. Specify the user (by their Common Name, usually their email) and choose the token type (Soft-token for file-based).
  4. Set a strong password for the configuration package. The end-user will need this password during the XoT-Desktop client setup.
  5. Download the generated .zip package.
  6. Distribute this .zip package and the password securely to the end-user.

5. Install and Configure XoT-Desktop

Now, on the client machine identified in the prerequisites:

  1. Obtain the XoT-Desktop client installer (.msi for Windows, .pkg for macOS).

  2. Run the installer with administrator privileges.

  3. After installation, run the XoT Client Config application (Windows) or the config-setup.sh script (macOS).

  4. Use the tool/script to import the .zip client configuration package you created and distributed in the previous step. You will be prompted for the package password.

  5. Once configured, start the XoT-Desktop client application. It should attempt to connect to the XMS.

  6. For detailed installation steps, see: XoT-Desktop Client Installation Guide

6. Create an Access Policy

Even with the client connected and the XoT-Lock enrolled, no traffic will flow until an access policy permits it.

  1. Go back to the XMS web interface and navigate to the Policies section.
  2. Click "Create" to start building a new policy.
  3. Define the policy using the "Who, What, Where, How, When" model:

  4. Source (Who): Select the User Group the user belongs to.

  5. Destination (What/Where): Select the Device Type, Group, and Location that matches the XoT-Lock you enrolled earlier.
  6. How: Add specific services/rules. Start simply, perhaps allowing ICMP (ping) or specific TCP ports like 443 (HTTPS) or 22 (SSH), depending on what you need to access on the protected device. By default, access is Deny-All.
  7. When: Leave as default (Always) for initial setup.

  8. Give the policy a name and save it.

The XMS will automatically push the policy update. The XoT-Desktop client should now be able to establish a secure tunnel to the protected asset(s) behind the enrolled XoT-Lock, according to the rules you defined. You can test this by trying to ping or connect to the service you allowed on the protected device's IP address.

7. Verify Your Setup

  1. Access the “Devices” menu, click your XoT-Lock, and select “Access Control”

  2. At the bottom, you should see your policy listed if you have a policy match.

  3. Open your Desktop client and click the grid icon. You should see a connection here.

  4. Test connectivity from the PC to your protected device


Congratulations! You have completed the basic setup for a secure connection using XoT Technology™. From here, you can explore more advanced configurations like machine-to-machine policies, using XoT-Bridges, or setting up XoT-WebAccess. Refer to the relevant sections in the documentation for further details.