.png?version=1&modificationDate=1724241437279&cacheVersion=1&api=v2&width=758&height=272)
Installation Manual | IM-202401XX iProtect Access / Security | Functionalities  |
Table of contents
1. Introduction
The use of cards or tags with Mifare® DESFire® technology in combination with battery-powered locks, such as door handles or door cylinders, is already widely used. TKH-Security has a close collaboration with DOM and together we have developed a solution to gain access to both wired and battery-powered locks with a Mobile device.
This manual describes only the use of a network-connected DOM controller (Bridge). When using an XML import/export, based on OSS version A1 or B1, please refer to another user manual.
Available in iProtect as of version 10.4.xx
For setting up the system for using access control, in combination with a desfire card and with mobile access, please refer to another user manual. This manual describes how to add DOM (OSS and Mobile Access) to a working system.
1.1 The Solution
IPROTECT connects to the DOM controller(s) based on a REST API. The connection works in real time, so both systems are always fully synchronized and there is no need to use old-fashioned XML import and export files (although this option will of course still exist).
When using DOM ENIQ hardware, the system is already prepared as standard for the use of "data on card", but also for mobile access. Using a mobile key makes it very flexible and easy. This applies not only to the use, but also to the creation and assignment of rights to locks and persons.
1.2 Features and Benefits DOMBox API-integration
The iProtect - DOM REST API is a new way to connect that greatly improves the A1/B1 setup. It brings new features to help both users and administrators.
It's important to note that switching from A1/B1 to the API is not mandatory.
The A1/B1 setup will still work as it always has. However, the API setup provides many extra benefits and features that can make the overall experience better.
Below are the key benefits of the iProtect - DOM REST API:
Support for multiple DOM controllers: Users can manage several DOM controllers at the same time, making security management more flexible and scalable.
IPROTECT ACCESS (mobile access): Users can conveniently access the offline devices from their mobile phones, enabling them to utilize a single mobile identifier for both online and offline locks.
Compatibility with DOM RF Netmanager: The API works well with the DOM RF Netmanager, making it easy to update lock configurations and send door commands, which improves efficiency.
Real-time synchronization of OSS configuration data: Configuration data changes are instantly updated across all systems, minimizing errors and ensuring that everyone has the most current configuration status of the locks.
Real-time synchronization of OSS device status: Users can continuously monitor the status of their devices, allowing for quick responses to any problems.
Ability to add temporary DOM controller users (APP USERS): Administrators can easily add or remove users who need temporary access, like contractors who need to implement a new lock, improving security without losing convenience.
Automation of DOM controller backup and restore processes: Automating these processes helps prevent configuration data loss and ensures backups are regularly maintained.
Provisioning of AES DESFire keys to the Bridge: This feature allows for secure sharing of encryption keys. It sends the encryption keys and configurations from the iProtect system to the bridge, with the key encrypted in a KTL file (keystore).
Installation of discovery function processes: The API can automatically find new devices from the bridge and link those devices to the correct readers, making the setup process easier and faster.
In summary, the A1/B1 setup remains unchanged, but the iProtect - DOM REST API introduces key enhancements that improve functionality, security, and user experience.
2. Support
2.1 Hardware and licence
2.2 RFID card type support
2.3 Supported features
2.5 Data on card and Mobile access
2.6 OSS Events
2.7 System architecture
2.7.1 OSS data on card - XML Import/Export (A1/B1)
2.7.2 OSS data on card & Mobile access with RF-NetManager
2.7.2.1 Use of RF-NetManager
When using the RF-NetManager, The following features are supported:
Max. 8 devices (1-15m)
Update configurations (no DOM service app is needed anymore)
Readermode change (Open, Closed, Normal)
Pulse lock (reaction time 2-8 Sec)
The following features are NOT supported:
online access
support online events.
3. DOM Service app
4. IPROTECT
iProtect supports the OSS, standard offline access application by means that it can enroll or update
cards which are confirmed to the standard data on card solution. The OSS offline standard is a data on card
standard in which the access profiles are distributed via the access cards instead of online card readers. This
is also called: “native” or “offline”, because the access rights are defined in the iProtect database itself and are
distributed to the Sirius i-Serie update readers.
Supporting OSS does not mean that every lock can be integrated effortless since this part is not standardized. This manual only describes the DOM OSS manufacturer.
4.1 Presets
To begin the installation, you must first have the correct key and configuration files.
The KEY set is customer-specific and must be supplied by TKH Security.
Items required before the steps below can be performed:
File type | Type | Comment |
|---|---|---|
OSS update.xml | Reader provisioner | Card number based on AID or UID |
OSS enroll.xml | Reader provisioner | PMK dependency (AES, 3DES) and card number based on AID or UID |
OSS.xml | Node provisioner | Customer specific, supplied by TKH-Security B.V. |
OSS.ktl | Node and reader provisioner | Customer specific, supplied by TKH-Security B.V. |
4.2 Provisioner
A provisioner group consists of one or more elements. These elements can be configurations, key files or firmware.
The sections below describe the required combinations.
4.3 Card coding
4.4 Hardware used for update and enrollment of OSS cards
4.5 Add the DOM controller
4.5.1 Add Virtual line (DOM)
Create a Virtual line. This line is needed to connect DOM controllers.
In iProtect, browse to menu: Installation | Hardware | Line.
Right click in the tree view and click on the icon “Add Line”:
Field | Content | |
|---|---|---|
Name | Logical name for the Line | |
Features | Type | Server |
Host type | Server | |
Status | Virtual | |
Save this record.
4.5.2 Add DOM controller (Node)
In iProtect, browse to menu: Installation | Hardware | Line.
Select the virtual line to which the DOM Controller is to be connected. Press right mouse-button: “Add Node”:
Field | Content | Description |
|---|---|---|
Name | Logical name of the Node | |
Features | ||
Node type | OSS |
|
Network | ||
HTTP port | 443 | Port number of the connection to the DOM controller |
IP address | e.g. 192.168.1.120 | Unique IP address of the DOM controller |
Password |
| Password of the DOM Controller (only visible for system users with Installer rights) |
Set keys (SC) |
| Once the connection is established, you can modify the password to a unique one by clicking on the "Set Keys (SC)" button. |
General | ||
Provisioner group | Customer specific | Customer specific, supplied by TKH-Security B.V. |
Other | ||
Offline | OSS manufacturer | DOM API-implementation, see chapter 4.1.1 |
Bluetooth | Default TX power (iBeacon) | Transmit power 0 dBm |
Logging | Log minutes |
|
Installation option |
| |
Temparary login | ||
Button | Fetch | Retrieve the temporary users from the DOM controller. After updating iProtect or a restart of the system, the temporally users will be deleted. |
Button | Add | You can utilize this button to create a temporary user, such as a user for the mobile app or a system user requiring temporary access to the DOMPloy application. After updating iProtect or a restart of the system, the temporally users will be deleted. |
Select user | Delete button | Delete selected user |
| Edit button | Edit selected user |
Global settings (root or installer only) | ||
Button | Fetch
| Get detailed system information |
Field | Description | |
Discover | When a new device is added to the system (e.g. NetManager, lock or door handle), it can be discovered in iProtect by pressing this button. | |
Backup | Pressing the button will back up the configuration of the DOM controller. The backup is saved with the date/time of the moment of creation. | |
Activate the check mark behind "Node online.
Save this record.
When the connection is successful, the status check mark behind "connected" will turn black.
Temporary users will be automatically deleted when the OSS service restarts.
4.5.2.1 Node tree-view items 
After creating a DOM controller (Node), multiple items are displayed under the Node in the treeview.
Tree-view item | Description |
|---|---|
Node backup | Whenever something is changed in the configuration of the DOM controller, iProtect backs it up. The backup is kept for a maximum of 3 months. |
Device manager: No | All offline devices associated with a door/reader. |
Device manager: Yes | Devices which are associated to a RF-NetManager (on-line) |
Device manager | Connected RF-NetManager, interfaced with the DOM Controller |
Devices unbound | All offline devices, not linked to a door/reader. |
4.6 Add offline device
Using DOM OSS, the device is always linked to a door (a card reader in iProtect). Access rights are then associated with the card reader.
DOM devices such as ENIQPro or ENIQGuard, for example, are added to the system using the DOM Service app.
4.6.1 Add device
Although there are several methods to create the hardware, two methods will be described in this chapter.
The readers with access rights are prepared in iProtect and linked to the device in the Service app.
Method 1: Link to existing reader <Prefered>.
The reader and device are created in the DOM service app.
Method 2: Link to a new reader.
4.6.1.2 Link to existing reader 
Start by adding manually readers within iProtect.
Browse to the menu: Installation | Hardware | Node.
Add a reader by clicking with the right-mouse button on the DOM node.
Click on the icon “add reader”.
Fill in the logical name of the reader and select the correct card data interpretation.
If desired, you can adjust the door open time in the "door behavior" tab.
Once everything has been filled in, you can press the save button.
You can grant access rights to the reader by adding the reader to the desired reader groups, you can do this in the reader group list under the created reader.
Browse back to the menu: Installation | Hardware | Node.
Select the DOM Controller Node.
Open the tab: Other and enable by Installation option the checkbox “Add automatically”.
Select “Link to existing reader' at the New device (app) option.
When the auto-discovery process is started, assigning of new device and readers will be activated for 4 hours. After this time this process will stop automatically.
All newly added devices with the dom service app are automatically added to iProtect and linked to the correct reader.
After about a minute the device should been enrolled and linked to the reader, and you can also see this on the detail page of the readers.
The offline sync status will be visible and if everything is correct the status should be changed in a minute to the status “The configuration is synchronized”.
If the status is different, you should check this within the DOM service app by first synchronizing the DOM service app with the DOM controller and then synchronizing the locks.
4.6.1.2.1 DOM Service app
Use the DOM service app to add the devices. During this process you can directly link the newly created readers to the correct devices in the DOM service app.
Synchronize the DOM service app with the DOM controller.
Add a device by clicking the Devices button and then clicking the + sign in the DOM service app.
Apply the mobile phone (Android) to the device or present de RF Wake-up card to the device (IOS).
Click on the OSS-SO-configuration button to link the device to the door (iProtect reader).
Press on the couple button.
Follow the instructions in the DOM service app.
By using this way of configuration, only one synchronization with the device is needed
If you change access rights or other reader settings after this step, synchronization must take place again for the device in question.
Once the new devices have been assigned from the DOM Service app and the app has been synchronized with the DOM controller, the devices will be enrolled and automatically linked to the correct reader in iProtect. After it has been linked automatically, when using mobile access, enable the checkbox “IPROTECT Access”.
4.6.1.3 Link to a new reader
This setup can be done automatically by the system by enabling the auto discovery function.
When a new device is assigned from the DOM Service app, and the app is synchronized with the DOM controller, iProtect will automatically recognize it and assign the preset settings to the device.
By using this way of configuration, multiple synchronizations with the device are needed!
The mobile phone used to program the locks must have a stable and direct online connection with the DOM controller. If this is not possible, we recommend using the manual method.
Browse to the menu: Installation | Hardware | Node.
Select the DOM Controller Node.
Open the tab: Other and enable by Installation option the checkbox “Add automatically”.
Select “Link to new reader' at the New device (app) option.
Select the correct Card data interpretation.
When using mobile access, enable the checkbox “IPROTECT Access”.
Select a Reader group which can be used during testing the system.
Start the auto discovery process by pressing on the start button.
When the auto-discovery process is started, assigning of new device and readers will be activated for 4 hours. After this time this process will stop automatically.
4.6.1.3.1 DOM Service app
Use the DOM service app to add a new device.
Synchornize the DOM service app with the DOM controller.
Add a device by clicking the Devices button and then clicking the + sign in the DOM service app.
Apply the mobile phone (Android) to the device or present de RF Wake-up card to the device (IOS).
Change the name of the device (this will be the reader name in iProtect).
Press on the couple button.
Follow the instructions in the DOM service app (sometimes multiple synchronizations are necessary).
When the reader is synchronized, the following is displayed:
4.7 Lock sensor
4.8 Add online device
To change the offline device into an online device, a RF-NetManager is required.
The RF-NetManager needs to be configured using the DOMPloy software, please consult the DOMConnect manual and go to next chapter "Configure and deploy a RFNM".
4.8.1 Discover a new RF-NetManager
Ones the RF-NetManager is configured in DOMPloy, follow the steps below.
Browse to the menu: Installation | Hardware | Node.
Open the tab: Other.
Press on the Discover button.
Add the RF-NetManager by selecting the checkbox and press the button Add.
In the treeview, below the DOM Node, go to RF-NetManager, the device will be displayed
In the treeview, below the DOM Node, go to RF-NetManager: No, open this tree.
A list of devices are shown. Select the offline device which must be connected to the RF-NetManager.
Enter by Network-manager the RF-NetManager
Save this record.
In the treeview, the device will be moved to RF-NetManager: Yes.
Now the RF Wake-up card needs to be presented to the device (lock). After presenting, the leds of the device should blink blue.
This linking process can take a view minutes. Sometimes a second time of presenting the RF Wake-up card is needed, or consult the DOMConnect manual.
After the device is synchronized, the paired reader is given the following options:
Reader | General
Reader mode: Open, Close and Normal.
Reader | Door behavior
Button option, Open ones.
When using the RF-NetManager, The following features are supported:
Max. 8 devices (1-15m)
update configurations (no DOM service app is needed anymore)
Readermode change (Open, Closed, Normal)
Pulse lock (reaction time 2-8 Sec)
The following features are NOT supported:
online access
support online events.
5. Configuration management
5.1 Offline devices
The following section uses the DOM Service App
5.2 Online devices
The following section uses the RF-NetManager. The DOM service app is not needed.
6. Migrating from A1/B1 to DOM API-implementation
To take advantage of the new API-implementation and hereby the benefits (see Chapter 1.2), the setting in IPROTECT must be changed.
If you want to convert A1/B1 configuration to API-implementation, the system must meet the minimum requirements, see Chapter 2.1.
Browse to the menu: Installation | Hardware | Oss manufacturer.
Select the used OSS element in the tree-view.
Change the OSS Version from “A1” or “B1” to “DOM API-implementation“ .
Browse to menu: Installation | Hardware | Node.
Select the DOM OSS Node in the tree-view.
Set the correct settings for the DOM controller see Chapter 4.5.2 .
It is essential to configure the correct provisioner group at the DOM OSS node, as this will transmit the configuration and keys to the Bridge.
If an incorrect provisioner is selected, the locks may be programmed with the wrong keys, rendering them incompatible with the existing cards.
Discover the devices by using the wizard or manually see chapter 4.6.1.2.
Set the correct unbound “device address/PHI” to the reader .
Synchronize the locks by using the DOM service app see Chapter 3 .
The configuration file and the keys for the bridge are sent via the provisioner in version =>10.04. This is different from older iProtect versions. To set this up correctly, it is necessary to request a key set from TKH.
When migrating a system from A1/B1 to API, all locks must be re-synchronized.