Getting Started with XoT Technology™
This guide provides the essential steps to get your first secure connection established using the XoT Management System (XMS), an XoT-Lock, and the XoT-Desktop client. It assumes you have the necessary components ready and focuses on the core workflow.
Prerequisites
Before you begin, ensure you have the following components installed and accessible:
- XoT Management System (XMS): To use XoT Technology, you must have access to a running XMS. This is where you'll manage devices, users, and policies. If you do not have an XMS installation, Xertified can provide one for you, or you can install one yourself: consult the XMS Installation Manual.
- XoT-Lock(s): At least one XoT-Lock needs to be ready. This can be the software installed on a compatible Linux system or the XoT-S1 hardware appliance. This component protects the asset(s) you want to access.
- See: Software XoT Installation Guide
- Client Machine: A computer (Windows or macOS) where you intend to install the XoT-Desktop client. You will need administrator privileges on this machine to perform the installation. This is the machine you will connect from.
- See: XoT-Desktop Client Installation Guide
Preparation
Log in to your XMS web interface. Before enrolling devices or creating policies, it's helpful to define organizational structures. These help categorize your devices and target policies effectively. Create some basic categories that can later be targeted by policies:
- Device Locations: Hierarchical structure of geographical locations: Country, City, Address, Room
- Device Types: High level device category.
- Device Groups: Sub-category of device types.
These attributes will be assigned during XoT-Lock enrollment or from the device page afterward, and will then be targeted by access policies. You can always add more of these later, but keep in mind that you can only target policies as narrowly as the categorization you have created.
Enroll Your XoT-Lock
Enrollment is the process of registering your XoT-Lock with the XMS. This establishes a secure management connection and allows the XMS to configure the XoT-Lock.
The process generally involves:
-
Obtaining an enrollment URL from the XoT-Lock (either via QR code on XoT-S1 or a command on Software XoT).
-
Navigating to this URL in a browser connected to the XMS.
-
Logging into XMS and following the enrollment instructions, where you will name the device and assign the Location, Group, and Type you prepared earlier.
-
For detailed steps, see: Enrolling XoTs Guide
Create Client Configuration for XoT-Desktop
To allow a user (and their XoT-Desktop client) to authenticate and connect, you need to generate a client configuration package from the XMS.
- Ensure the user exists in XMS (either via Keycloak or synced from Entra ID) and has appropriate XMS Access rights assigned. See: User Management Guide.
- Navigate to "Create Client Configuration" in the XMS.
- Specify the user (by their Common Name, usually their email) and choose the token type (Soft-token for file-based).
- Set a strong password for the configuration package. The end-user will need this password during the XoT-Desktop client setup.
- Download the generated
.zippackage. - Distribute this
.zippackage and the password securely to the end-user.
Install and Configure XoT-Desktop
Now, on the client machine identified in the prerequisites:
-
Obtain the XoT-Desktop client installer (
.msifor Windows,.pkgfor macOS,.deb/.rpmfor Linux). -
Run the installer with administrator privileges.
-
After installation:
-
For Windows, run the XoT Client Config application.
-
For macOS or Linux, run the
config-setup.shscript. -
Use the tool or script to import the
.zipclient configuration package that was created and distributed in the previous step. You will be prompted for the package password. -
Once configured, start the XoT-Desktop client application. It will attempt to connect to the XMS.
-
Having troubles, see the detailed configuration or installation guides.
Create an Access Policy
Even with the client connected and the XoT-Lock enrolled, no traffic will flow until an access policy permits it.
- Go back to the XMS web interface and navigate to the Policies section.
- Click "Create" to start building a new policy.
-
Define the policy using the "Who, What, Where, How, When" model:
-
Source (Who): Select the User Group the user belongs to.
- Destination (What/Where): Select the Device Type, Group, and Location that matches the XoT-Lock you enrolled earlier.
- How: Add specific services/rules. Start simply, perhaps allowing
ICMP(ping) or specific TCP ports like443(HTTPS) or22(SSH), depending on what you need to access on the protected device. By default, access is Deny-All. -
When: Leave as default (Always) for initial setup.
-
Give the policy a name and save it.
The XMS will automatically push the policy update. The XoT-Desktop client should now be able to establish a secure tunnel to the protected asset(s) behind the enrolled XoT-Lock, according to the rules you defined. You can test this by trying to ping or connect to the service you allowed on the protected device's IP address.
- For detailed policy creation, see: Policies and Access Control Guide
Verify Your Setup
-
Access the “Devices” menu, click your XoT-Lock, and select “Access Control”
-
At the bottom, you should see your policy listed if you have a policy match.
-
Open your Desktop client and click the grid icon. You should see a connection here.
-
Test connectivity from the PC to your protected device


Congratulations! You have completed the basic setup for a secure connection using XoT Technology™. From here, you can explore more advanced configurations like machine-to-machine policies, using XoT-Bridges, or setting up XoT-WebAccess. Refer to the relevant sections in the documentation for further details.