IPROTECT Access - DOMBox API-integration

By MB
28 min

 

Installation Manual | IM-202401XX

iProtect Access / Security | Functionalities

 

Table of contents

1. Introduction

The use of cards or tags with Mifare® DESFire® technology in combination with battery-powered locks, such as door handles or door cylinders, is already widely used. TKH-Security has a close collaboration with DOM and together we have developed a solution to gain access to both wired and battery-powered locks with a Mobile device.

This manual describes only the use of a network-connected DOM controller (Bridge). When using an XML import/export, based on OSS version A1 or B1, please refer to another user manual.
Available in iProtect as of version 10.4.xx

For setting up the system for using access control, in combination with a DESFire card and with mobile access, please refer to another user manual. This manual describes how to add DOM (OSS and Mobile Access) to a working system.

1.1 The Solution 

IPROTECT connects to the DOM controller(s) based on a REST API. The connection works in real time, so both systems are always fully synchronized and there is no need to use old-fashioned XML import and export files (although this option will of course still exist).

When using DOM ENIQ hardware, the system is already prepared as standard for the use of "data on card", but also for mobile access. Using a mobile key makes it very flexible and easy. This applies not only to the use, but also to the creation and assignment of rights to locks and persons.

1.2 Features and Benefits DOMBox API-integration

The iProtect - DOM REST API is a new way to connect that greatly improves the A1/B1 setup. It brings new features to help both users and administrators.

It's important to note that switching from A1/B1 to the API is not mandatory.

The A1/B1 setup will still work as it always has. However, the API setup provides many extra benefits and features that can make the overall experience better.

Below are the key benefits of the iProtect - DOM REST API:

  • Support for multiple DOM controllers: Users can manage several DOM controllers at the same time, making security management more flexible and scalable.

  • IPROTECT ACCESS (mobile access): Users can conveniently access the offline devices from their mobile phones, enabling them to utilize a single mobile identifier for both online and offline locks.

  • Compatibility with DOM RF-Netmanager: The API works well with the DOM RF-Netmanager, making it easy to update lock configurations and send door commands, which improves efficiency.

  • Real-time synchronization of OSS configuration data: Configuration data changes are instantly updated across all systems, minimizing errors and ensuring that everyone has the most current configuration status of the locks.

  • Real-time synchronization of OSS device status: Users can continuously monitor the status of their devices, allowing for quick responses to any problems.

  • Ability to add temporary DOM controller users (APP USERS): Administrators can easily add or remove users who need temporary access, like contractors who need to implement a new lock, improving security without losing convenience.

  • Automation of DOM controller backup and restore processes: Automating these processes helps prevent configuration data loss and ensures backups are regularly maintained.

  • Provisioning of AES DESFire keys to the DOM Controller: This feature allows for secure sharing of encryption keys. It sends the encryption keys and configurations from the iProtect system to the DOM Controller, with the key encrypted in a KTL file (keystore).

  • Installation of discovery function processes: The API can automatically find new devices from the DOM Controller and link those devices to the correct readers, making the setup process easier and faster.

In summary, the A1/B1 setup remains unchanged, but the iProtect - DOM REST API introduces key enhancements that improve functionality, security, and user experience.

2. Support

2.1 Hardware and licence

Below is an overview of support for both the hardware and the software, including the necessary license:

Support

Hardware

License number

Minimum version

Support

Hardware

License number

Minimum version

IPROTECT Access

 

IPS-ATL (Mobile access)

>= 10.4.xx

Pluto rootFS

 

>= 6.12.x

Reader manager (OSS Update/Enrollment reader)

 

>= 6.00.16

Orion (USB)

 

>= 1.5.34

Sirius iX (RS485)

IPS-ON - online card reader license (44)

>= 2.9.6

 

Access Keys

IPS-ACL - number of cards that can be created within the system

 

DOM

  • DOM ENiQ Pro v2

  • DOM ENiQ Guard

  • DOM ENiQ LoQ

  • ENiQ RF-NetManager V2

 IPS-OFF - ofline card reader license (48)

 >= v5.9

Controller

 

>= v24.07.31

The following cards will be included with the DOM system:

  • RF-Wake-up

  • RF-Online

  • Replace battery

  • Master card (system specific, and this included card should be stored with safe)

Software and firmware versions related to TKH Security controllers and readers are managed by iProtect.

2.2 RFID card type support

The supported NXP rfid cards and tags are listed below:

MIFARE DESFire

SUPPORT

PIC MASTERKEY

TYPE

CARDNUMER LENGTH

TAG

CARD

SIZE

MIFARE DESFire

SUPPORT

PIC MASTERKEY

TYPE

CARDNUMER LENGTH

TAG

CARD

SIZE

EV1

NO

 

 

 

 

 

 

EV2 / EV3

YES

3DES / AES

CARDNR

12 digits

70pF

17 / 70pf

4k / 8k

UID

7 byte

70pF

17 / 70pf

4k / 8k

2.3 Supported features

The following features are supported:

DESCRIPTION

COMMENT

DESCRIPTION

COMMENT

Offline access control support (data on card based on OSS)

 

Set unlock time in seconds

 

Set alternate unlock time in seconds

 

Office mode (Mobile access and data on card)

 

Reader access rights: Determ access authorisation, based on reader group(s)

 

SideID dependency, adjustable per reader

Max 1000 locations

Semi online access control support based on mobile devices (BLE)

 

Physical Controllers linked to one IPROTECT system

Max. 32 controllers

Online and real-time synchronisation with the DOM Controller

 

Discover function of new devices

 

Automatically add new DOM devices to none existing readers

 

Automatically add new DOM devices existing readers

 

Provisioning DOM controller configuration

 

Provisioning of OSS manufacturer settings

 

General BLE transmit setting per DOM controller

 

Automatic backup of DOM controller into iProtect

 

Restore DOM controller configuration

 

Change default password after first loging from iProtect to the DOM controller

 

Determine for each reader whether it should also support IPROTECT Access

 

When a reader is assigned for IPROTECT Access, determine the interaction:

  • All in background

  • Scan & Go device unlocked

  • Scan & Go in background

2.4 Known not supported features

The following features are NOT supported (yet):

DESCRIPTION

STATUS

DESCRIPTION

STATUS

Card card group limitation

Not available

Holidays

Not available

Intervention card / Firefighter card

Not available for mobile device

Office mode (Mobile Access)

Using UTC time and not Local time.

Example:

Amsterdam = UTC +1

Daylight saving time = +1

Office timezone = UTC + 2

2.5 Data on card and Mobile access

2.5.1 MIFARE DESFire RFID

DESCRIPTION

COMMENT

DESCRIPTION

COMMENT

Supported OSS events (enable/disable per event type)

See chapter: 2.6-OSS-Events

Office mode support

 

Access card authorisation

Based on card group(s) and reader(s) with time zone

Supported OSS black list cards

 

Firefighter (intervention) option per card

  • A tag with intervention mode can successfully open a device with a battery warning level 3 (battery dead)

  • Blok list check: yes

  • Expire date check: No

  • Access right check: Yes

  • Event write back on card: No

Every customer has its own MIFARE DESFire KeyFile set. This file is supplied by TKH-Security.

 

2.5.1.1 Standard OSS Application

OSS TYPE

 NUMBER

DESCRIPTION

DATA

69

No. of door or door-group (69-255)

8

Number of DayTimeSchedules (8-15)

4

Number of DayID per DayTimeSchedule (4-4)

2

Number if TimePeriods per DayID (2-4)

EVENT

18

Number if Events (18-18)

BLOCKLIST

5

 Number if Blocklisted cards (5-5)

Total

1792kB

Written on the card incl. backup file, conform OSS standard

The card layout explained above can be modified but must be requested.

Please contact your account manager for this.

2.5.2 Mobile device

DESCRIPTION

COMMENT

DESCRIPTION

COMMENT

Per card an overview of assigned reader(s) with a Mobile key

 

Per reader an overview of assigned persons with a Mobile key

 

Office mode support

 

Offline access rights synchronized automatically with mobile device

 

Semi online: All events (types) will be sent from Mobile device to iProtect.

See chapter: 2.6-OSS-Events

Support IPROTECT Access app.

IOS and ANDROID support

2.6 OSS Events

Possible OSS events are described below:

EVENT TYPE

DESCRIPTION

EVENT TYPE

DESCRIPTION

Internal error

Lock has detected an internal error. Several internal event types (memory error, power on test failure etc.) could be represented by this event when written to credential. The EventInfo field is used to supply ock manufacturer specific event codes

Access granted

Access granted

Access denied

No access. Possibility may be that the card needs to be updated.

Blocked card list full

tbt

Battery replaced

The batteries are replaced.

Failed to unlock

tbt

Blocklist

tbt

Lock jammed

tbt

Replace battery

Battery low event with the info bit from 1 to 3 depending on the level of alert

System event

General placeholder for lock events not detected as errors by the lock Intended use is for troubleshooting. The EventInfo field is used to supply lock manufacturer specific event codes.

Tampering

tbt

2.7 System architecture

2.7.1 OSS data on card - XML Import/Export (A1/B1)

image-20241029-095843.png

 

2.7.2 OSS data on card & Mobile access with RF-NetManager

image-20241029-102245.png

2.7.2.1 Use of RF-NetManager

When using the RF-NetManager, The following features are supported:

  • Max. 8 devices (1-15m)

  • Update configurations (no DOM Service App is needed anymore)

  • Readermode change (Open, Closed, Normal)

  • Pulse lock (reaction time 2-8 Sec)

The following features are NOT supported:

  • online access

  • support online events.

3. DOM Service App

To use the DOM Service App, the configuration of the DOM controller must be synchronized with the DOM Service App.

The connection can be made via:

WIFI

For programming you can use a WIFI network. The DOM controller and the cell phone must be able to communicate with each other.

USB/Ethernet dongle

For programming you can use a USB/Ethernet dongle. The DOM controller and the cell phone must be able to communicate with each other.

4. IPROTECT

iProtect supports the OSS, standard offline access application by means that it can enroll or update
cards which are confirmed to the standard data on card solution. The OSS offline standard is a data on card
standard in which the access profiles are distributed via the access cards instead of online card readers. This
is also called: “native” or “offline”, because the access rights are defined in the iProtect database itself and are
distributed to the Sirius i-Serie update readers.

Supporting OSS does not mean that every lock can be integrated effortless since this part is not standardized. This manual only describes the DOM OSS manufacturer.

4.1 Presets

To begin the installation, you must first have the correct key and configuration files.

The KEY set is customer-specific and must be supplied by TKH Security.

Items required before the steps below can be performed:

File type

Type

Comment

File type

Type

Comment

OSS update.xml

Reader provisioner

Card number based on AID or UID

OSS enroll.xml

Reader provisioner

PMK dependency (AES, 3DES) and card number based on AID or UID

OSS.xml

Node provisioner

Customer specific, supplied by TKH-Security B.V.

OSS.ktl

Node and reader provisioner

Customer specific, supplied by TKH-Security B.V.

4.1.1 Add OSS manufacturer

  • Browse to the menu: Installation | Hardware | OSS manufacturer.

Field

Content

Field

Content

Name

OSS manufacturer name

OSS Manufacturer type

DOM

OSS version

DOM API-implementation

Default

TRUE

  • Save.

 

4.1.2 Add media element

Customer-specific elements supplied by TKH-Security.

  • Browse to the menu: General | Settings | Media element.

  • Add three types of files:

Field

Content

Field

Content

Name

Name of the .KTL file (General key file)

Type

Provisioner

Upload

Select .KTL file

  • Save this record.

Field

Content

Field

Content

Name

Name of the OSS update file (.xml)

Type

Provisioner

Upload

Select .xml file

  • Save this record.

Field

Content

Field

Content

Name

Name of the OSS Enrollment file (.xml)

Type

Provisioner

Upload

Select .xml file

  • Save this record.

Field

Content

Field

Content

Name

Name of the DOM Controller file (.xml)

Type

Provisioner

Upload

Select .xml file

  • Save this record.

 

4.2 Provisioner

A provisioner group consists of one or more elements. These elements can be configurations, key files or firmware.
The sections below describe the required combinations.

4.2.1 Provisioner element

  • Browse to the menu: Installation | Settings | Provisioner | Provisioner element..

  • Add provisioner elements.

Field

Content

Name

Logical name, e.g DOM-IP-DOM Controller.xml

Type

Reader - Offline settings (OSS)

Provisioner file

select the file which is created and saved in chapter 4.1.2

Active

Yes

  • Save this record.

Field

Content

Name

Logical name, e.g Keyfile.ktl

Type

Reader - Keystore

Provisioner file

select the file which is created and saved in chapter 4.1.2

Active

Yes

  • Save this record.

Field

Content

Name

Logical name, e.g OSS Enrollment.xml

Type

Reader - Sirius iX config

Provisioner file

select the file which is created and saved in chapter 4.1.2

Active

Yes

  • Save this record

Field

Content

Name

Logical name, e.g OSS update.xml

Type

Reader - Sirius iX config

Provisioner file

select the file which is created and saved in chapter 4.1.2

Active

Yes

  • Save this record.

 

4.2.1 Add Provisioner group (DOM Controller) and select elements

  • Browse to the menu: Installation | Settings | Provisioner | Provisioner group.

  • Add provisioner group DOM-IP-DOM Controller.xml.

Field

Content

Name

Logical name, e.g DOM-IP-DOM Controller

Visible

Yes

Provisioner tyoe

Node

  • After saving this record, open the Treeview and go to Provisioner elementlist and select:

    • Element: OSS Enrollment.

    • Element: Keyfile.ktl.

    • Save this record.

 

4.2.2 Add Provisioner group (OSS Enrollment) and select elements

  • Browse to the menu: Installation | Settings | Provisioner | Provisioner group.

  • Add provisioner group OSS Enrollment.

Field

Content

Name

Logical name, e.g OSS Enrollment

Visible

Yes

Provisioner tyoe

Reader

  • After saving this record, open the Treeview and go to Provisioner elementlist and select:

    • Element: OSS Enrollment.xml.

    • Element: Keyfile.ktl.

    • Element: Reader - LED settings, Led_act-red_acc-green_alt-blue.xml.

    • Save this record.

 

4.2.3 Add Provisioner group (OSS Update) and select elements

  • Browse to the menu: Installation | Settings | Provisioner | Provisioner group.

  • Add provisioner group OSS Update.

Field

Content

Name

Logical name, e.g OSS Update

Visible

Yes

Provisioner tyoe

Reader

  • After saving this record, open the Treeview and go to Provisioner elementlist and select:

    • Element: OSS update.xml.

    • Element: Keyfile.ktl.

    • Element: Reader - LED settings, Led_act-red_acc-green_alt-blue.xml.

    • Save this record.

4.3 Card coding

Only fields with data, or fields that need to be specifically set are named in the table below.

4.3.1 Add Card number presentation

  • Browse to the menu: Access | Settings | Card coding | Card number presentation.

  • Add Default DESFire.

Field

Content

Name

Logical name, e.g TKH DESFire

Format

Decimal

Calculated length

6

Tab: Card

Start: 2

  • Save this record.

 

4.3.2 Add Card data interpretation group

  • Browse to the menu: Access | Settings | Card coding | Card data interpretation group

  • Add a group.

Field

Content

Name

Logical name, e.g Access group

  • Save this record.

 

4.3.3 Add DESFire Card data interpretation

  • Browse to the menu: Access | Settings | Card coding | Card data interpretation.

  • Add Default DESFire:

Field

Content

Name

Logical name, e.g TKH DESFire

Card number presentation

Select, see chapter 4.3.1 ( e.g TKH DESFire)

Default card data interpretation

TKH DESFire

Card data interpretation group

Select, see chapter 4.3.2 (e.g. Access group)

Format

Reader communication protocol

ABA

Card type

None

Data length

12

System code

Start

1

Code

Supplied by TKH-Security (6 digits)

Demo code is 002974

Card number

Start

7

Length

6

  • Save this record.

 

4.3.4 Add OSS Enrollment card data interpretation

  • Browse to the menu: Access | Settings | Card coding | Card data interpretation.

  • Add OSS Enrollment.

Field

Content

Name

Logical name, e.g OSS Enrollment

Card number presentation

Select, see chapter 4.3.1 ( e.g TKH DESFire)

Default card data interpretation

OSS TKH DESFire access (enroll)

Card data interpretation group

Select, see chapter 4.3.2 (e.g. Access group)

Format

Reader communication protocol

ABA

Card type

None

Data length

14

System code

Start

1

Code

Supplied by TKH-Security (6 digits)

Demo code is 002974

Card number

Start

7

Length

6

Interpretation selection

Start

13

Length

2

Code

1

Offline validity

Validity period (hh:mm)

12:00

Validity update after (hh:mm)

08:00

  • Save this record.

4.3.5 Add OSS Update card data interpretation

  • Browse to the menu: Access | Settings | Card coding | Card data interpretation.

  • Add OSS Update.

Field

Content

Name

Logical name, e.g OSS Update

Card number presentation

Select, see chapter 4.3.1 ( e.g TKH DESFire)

Default card data interpretation

OSS TKH DESFire Update/Enroll

Card data interpretation group

Select, see chapter 4.3.2 (e.g. Access group)

Format

Reader communication protocol

Hexadecimal

Card type

None

Data length

26

System code

Start

5

Length

6

Code

Supplied by TKH-Security (Hexadecimal)

Demo code is 000B9E

Facility

Start

21

Length

4

Code

0001 (Site code)* (Decimal)

Card number

Start

15

Length

6

Interpretation selection

Start

25

Length

2

Code

1

Offline validity

Validity period (hh:mm)

12:00

Validity update after (hh:mm)

08:00

  • Save this record

When using multiple locations, each location should get there own site code (and own card data interpretation).

When using multiple locations, please take in to account that when physically moving from one location to another, as well as going back to the first location, that the update time is calculated accordingly.

4.4 Hardware used for update and enrollment of OSS cards

This chapter describes both DOM OSS data on card and mobile access. A physical controller line is created for using DOM OSS data on card that can also be used for normal access or mobile access The hardware which is used are:

  • Pluto network device.

  • Orion door controller.

  • Sirius iX card reader which supports BLE.

The on-line hardware is needed to profide the RFID card of a OSS application or to update these cards.

 

4.4.1 Add Network device for update- and enrollment function

Create a Pluto Network device. The readers connected to this line are used to write (add) an OSS application to the card and to update the cards when a card is presented on the reader before access is granted.

In iProtect, browse to menu: Installation | Hardware | Line.

  • Right click in the Treeview and click on the icon “Add Line”:

Field

Content

Field

Content

Name

Logical name for the Line

Features

Type

Network device.

Host type

Pluto

Communication

Active

Activated

Active (with Nodes)

Activated

Status

Function of the line

Physical line

Address

IP Address

IP address of the relevant pluto

  • Save this record.

 

4.4.2 Add Orion door controller (Node)

In iProtect, browse to menu: Installation | Hardware | Line.

  • Select the Pluto line to which the Orion door controller is to be connected. Press right mouse-button: “Add Node”:

Field

Content

 

Field

Content

 

Name

Logical name of the Node

Status

Node online

Active

When activating the Node, the Orion will be detected automatically.

When the line is active and the Orion is already connected to the Pluto, Press the button “Discover”. The Orion (with connected card readers) are created automatically.

  • Save this record.

 

4.4.3 Add online (Sirius) reader

4.4.3.1 Update reader

An update reader is required (per location) to read/write:

  • the events (e.g. access granted, no access).

  • the battery statuses of offline locks.

  • update access rights .

  • update the block list.

When using multiple locations, each location should get there own site code. Select the corresponding Card data interpretation with the correct site code.

Browse to the menu: Installation | Hardware | Node.

  • Select the Orion door controller Node and open this in the Treeview (+).

  • Select in the Treeview Orion #1-4, prt 1 or prt2. Press right mouse-click, “Add Reader”

  • Fill in a logical name for the reader.

  • Select the OSS update card data interpretation at the tab “general”.

  • Select the correct provisioner group with the OSS update files.

  • See for more settings and setting details chapter “Reader dialog details”.

  • Save this record.

 

4.4.3.2 Enrollment reader

An enrollment reader is necessary to provide existing cards with an OSS application.

Browse to the menu: Installation | Hardware | Node.

  • Select the Orion door controller Node and open this in the Treeview (+).

  • Select in the Treeview Orion #1-4, prt 1 or prt2. Press right mouse-click, “add Reader”

  • Select the correct OSS update card data interpretation at the tab “general”.

  • Select the correct provisioner group with the OSS Enrollment files.

  • See for more settings and setting details chapter “Reader dialog details”.

  • Save this record.

The reader is also created automatically by pressing the discover button on the pluto line

For both the update reader and the enrollment reader, the update card data interpretation must be selected, the provisioner files determine whether a reader is an update or enrollment reader.

4.5 Add the DOM controller

 

4.5.1 Add Virtual line (DOM)

Create a Virtual line. This line is needed to connect DOM controllers.

In iProtect, browse to menu: Installation | Hardware | Line.

  • Right click in the Treeview and click on the icon “Add Line”:

Field

Content

Field

Content

Name

Logical name for the Line

Features

Type

Server

Host type

Server

Status

Virtual

  • Save this record.

 

4.5.2 Add DOM controller (Node)

In iProtect, browse to menu: Installation | Hardware | Line.

  • Select the virtual line to which the DOM Controller is to be connected. Press right mouse-button: “Add Node”: image-20240806-084437.png

Field

Content

Description

Field

Content

Description

Name

Logical name of the Node

Features

Node type

OSS

 

Network

HTTP port

443

Port number of the connection to the DOM controller

IP address

e.g. 192.168.1.120

Unique IP address of the DOM controller

Password

 

Password of the DOM Controller (only visible for system users with Installer rights)

Set keys (SC)

 

Once the connection is established, you can modify the password to a unique one by clicking on the "Set Keys (SC)" button.

General image-20240806-084544.png

Provisioner group

Customer specific

Customer specific, supplied by TKH-Security B.V.

Other image-20240806-084622.png

Offline

OSS manufacturer

DOM API-implementation, see chapter 4.1.1

Bluetooth

Default TX power (iBeacon)

Transmit power 0 dBm

Logging

Log minutes

 

Installation option

  • Link to existing reader

  • Link to new reader

Chapter 4.6.1.2 and 4.6.1.3

Temparary login image-20240806-085557.png (root or installer only)

Button

Fetch

Retrieve the temporary users from the DOM controller.

After updating iProtect or a restart of the system, the temporally users will be deleted.

Button

Add

You can utilize this button to create a temporary user, such as a user for the mobile app or a system user requiring temporary access to the DOMPloy application.

After updating iProtect or a restart of the system, the temporally users will be deleted.

Select user

Delete button

Delete selected user

 

Edit button

Edit selected user

Global settings (root or installer only)

Button

Fetch

  • Mobile

  • Card

Get detailed system information

Field

Description

Discover

When a new device is added to the system (e.g. NetManager, lock or door handle), it can be discovered in iProtect by pressing this button. image-20240806-141349.png

Backup

Pressing the button will back up the configuration of the DOM controller. The backup is saved with the date/time of the moment of creation.

  • Activate the check mark behind "Node online.

  • Save this record.

When the connection is successful, the status check mark behind "connected" will turn black.

Temporary users will be automatically deleted when the OSS service restarts.

 

4.5.2.1 Node tree-view items image-20240806-091211.png

After creating a DOM controller (Node), multiple items are displayed under the Node in the Treeview.

Tree-view item

Description

Tree-view item

Description

Node backup

Whenever something is changed in the configuration of the DOM controller, iProtect backs it up. The backup is kept for a maximum of 3 months.

Device manager: No

All offline devices associated with a door/reader.

Device manager: Yes

Devices which are associated to a RF-NetManager (on-line)

Device manager

Connected RF-NetManager, interfaced with the DOM Controller

Devices unbound

All offline devices, not linked to a door/reader.

4.6 Add offline device

Using DOM OSS, the device is always linked to a door (a card reader in iProtect). Access rights are then associated with the card reader.

DOM devices such as ENIQPro or ENIQGuard, for example, are added to the system using the DOM Service App.

4.6.1 Add device

Although there are several methods to create the hardware, two methods will be described in this chapter.

  • The readers with access rights are prepared in iProtect and linked to the device in the Service app.

  • The reader and device are created in the DOM Service App.

 

4.6.1.2 Link to existing reader by manually adding readers within iProtect.

Navigate to the menu: Installation | Hardware | Node.

  1. To add a reader, right-click on the DOM node.

  2. Select the “add reader” icon.

  3. Enter the logical name of the reader and choose the appropriate card data interpretation.

  4. If needed, adjust the door open time in the "door behavior" tab.

  5. After completing the necessary fields, click the save button.

  6. To grant access rights to the reader, add it to the desired reader groups, which can be done in the reader group list associated with the newly created reader.

Next, you can add the new devices using the DOM Service App and couple them to the appropriate reader.

 

4.6.1.2.1 DOM Service App

Use the DOM Service App to add the devices. During this process you can directly link the newly created readers to the correct devices in the DOM Service App.

  • Synchronize the DOM Service App with the DOM controller.

  • Add a device by clicking the Devices button and then clicking the + sign in the DOM Service App.

  • Apply the mobile phone (Android) to the device (NFC) or present de RF Wake-up card to the device (IOS).

  • Click on the OSS-SO-configuration button to link the device to the door (iProtect reader).

  • Press on the couple button.

  • Follow the instructions in the DOM Service App.

  • Sync the data back from the DOM Service App to the DOM controller.

Devices integrated via the DOM Service App and paired with an iProtect reader will be automatically added to iProtect and linked to the appropriate reader without any manual intervention..

  • Within approximately one minute, the device should be enrolled and linked to the reader, which you can verify on the detail page of the readers.
    image-20241203-162634.png

  • The offline sync status will be displayed, and if everything is functioning correctly, the status will change to “The configuration is synchronized” within a minute.

If the status is different, you should check this within the DOM Service App by first synchronizing the DOM Service App with the DOM controller and then synchronizing the locks.

If you change access rights or other reader settings after this step, synchronization must take place again for the device in question.

Once the new devices have been assigned from the DOM Service App and the app has been synchronized with the DOM controller, the devices will be enrolled and automatically linked to the correct reader in iProtect. After it has been linked automatically, when using mobile access, enable the checkbox “IPROTECT Access”.

 

4.6.1.3 Link to a new reader

This setup can be done automatically by the system by enabling the auto discovery function.
When a new device is assigned from the DOM Service App, and the app is synchronized with the DOM controller, iProtect will automatically recognize it and assign the preset settings to the device.

By using this way of configuration, multiple synchronizations with the device are needed!

The mobile phone used to program the locks must have a stable and direct online connection with the DOM controller. If this is not possible, we recommend using the manual method.

Browse to the menu: Installation | Hardware | Node.

  • Select the DOM Controller Node.

  • Open the tab: Other and enable by Installation option the checkbox “Add automatically”.

  • Select the below option

    • DOM Service App (Offline) 4.6.1.3.1 DOM Service App

  • Select “Link to new reader' at the New device (app) option.

  • Select the correct Card data interpretation.

  • When using mobile access, enable the checkbox “IPROTECT Access”.

  • Select a Reader group which can be used during testing the system.

  • Start the auto discovery process by pressing on the start button.

When the auto-discovery process is started, assigning of new device and readers will be activated for 4 hours. After this time this process will stop automatically.

 

4.6.1.3.1 DOM Service App

Use the DOM Service App to add a new device.

  • Synchronize the DOM Service App with the DOM controller.

  • Add a device by clicking the Devices button and then clicking the + sign in the DOM Service App.

  • Apply the mobile phone (Android) to the device (NFC) or present de RF Wake-up card to the device (IOS).

  • Change the name of the device (this will be the reader name in iProtect).

  • Press on the couple button.

  • Follow the instructions in the DOM Service App (sometimes multiple synchronizations are necessary).

When the reader is synchronized, the following is displayed:

image-20240219-145840.png

4.7 Lock sensor

After connecting a DOM device to a card reader, after synchronizing the device, a sensor will automatically be created containing the battery status of the device.

Battery status

Discovery

Battery status

Discovery

No status available

No status available

Replace battery

Battery is almost empty

Battery replaced

Battery is replaced

Full

Battery is full

4.8 Add online device

To change the offline device into an online device, a RF-NetManager is required.

The RF-NetManager needs to be configured using the DOMPloy software, please consult the DOMConnect manual and go to next chapter "Configure and deploy a RFNM".

4.8.1 Discover a new RF-NetManager

Ones the RF-NetManager is configured in DOMPloy, follow the steps below.

Browse to the menu: Installation | Hardware | Node.

  • Open the tab: Other.

  • Press on the Discover button. image-20240806-105940.png

  • Add the RF-NetManager by selecting the checkbox and press the button Add.

  • In the Treeview, below the DOM Node, go to RF-NetManager, the device will be displayed.

  • Click on the RF-Netmanager device to display the details page.

  • Click on the “couple” button to program the RF-Netmanager.

The linking process may take a few minutes. In some cases, it may be necessary to present the RF Wake-up card. see to the DOMConnect manual for guidance.

 

4.8.2 Add New Online Device Link to a New Reader

This setup can be done automatically by the system by enabling the auto-discovery function.
When a new device is in range of the RF-Netmanager, iProtect will automatically link the device to a new reader and send the preset settings to the device.

By using this way of configuration, multiple synchronizations with the device are needed!

Browse to the menu: Installation | Hardware | Node.

  • Select the DOM Controller Node.

  • Open the tab: Other and enable by Installation option the checkbox “Add automatically”.

  • Select the below option

  • Select “Link to new reader” at the New device (app) option.

  • Select the correct Card data interpretation.

  • When using mobile access, enable the checkbox “IPROTECT Access”.

  • Select a Reader group which can be used during testing the system.

  • Start the auto-discovery process by pressing the start button.

The message “Wizard running” will be shown in the iProtect GUI when the auto discovery process is started.

 

4.8.2.1 RF-NetManager (Online)

Add new devices by discovering and linking them to the RF-Netmanager, follow these steps:

  • Ensure that the devices are in range of the RF-Netmanager. You can check their status on the detail page of the RF-Netmanager in iProtect.

  • Click the wake-up button located on the detail form of the RF-Netmanager to activate it.

  • Use the RF-Online Card to enable the Bluetooth beacon of the devices.
    New devices found

  • Wait until the devices appears in the Child Device list of the RF-Netmanager.
    image-20241205-110039.png

  • The reader is created in iProtect, and the device will be automatically coupled.

  • To verify if the devices are ready, check the status field of the reader. The reader is fully programmed when the status changes to “The configuration is synchronized.”

By following these steps, you can successfully add new devices to your RF-Netmanager system.

It is sometimes necessary to wake-up the RF-NetManager to speed-up (couple process) the discovery of the new device.

 

4.8.3 Change a Device from Offline to Online

  • In the Treeview, below the DOM Node, go to RF-NetManager: No, open this tree.

    • A list of devices is shown. Select the offline device that must be connected to the RF-NetManager.

    • Select by Network manager: the desired RF-NetManager.
      image-20241205-135811.png

    • Save this record.

  • In the Treeview, the device will be moved to RF-NetManager: Yes.

Use the DOM Service App:

  • Synchronize the DOM Service App with the DOM controller.

  • Apply the mobile phone (Android) to the device (NFC) or present de RF Wake-up card to the device (IOS).

  • Synchronize the DOM Service App with the DOM controller.

  • To verify if the devices are ready and online, check the status field of the reader. The reader is fully online when the status changes to “The configuration is synchronized.” and the communication status: Connected.
    image-20241205-140344.png

  • After the device is synchronized, the paired reader is given the following options:

    • Reader | General

      • Reader mode: Open, Close and Normal.

    • Reader | Door behavior

      • Button option, Open ones.

When using the RF-NetManager, The following features are supported:

  • Max. 8 devices (1-15m)

  • update configurations (no DOM Service App is needed anymore)

  • Readermode change (Open, Closed, Normal)

  • Pulse lock (reaction time 2-8 Sec)

The following features are NOT supported:

  • online access

  • support online events.

5. Configuration management

5.1 Offline devices

The following section uses the DOM Service App

5.1.1 Access rights management

If you want to add or remove access rights to an offline lock, you can do this using the steps below.

Browse to the menu: Installation | Hardware | Reader.

  1. Find the desired reader and unfold the reader with the + sign.

  2. Click on the reader group list, here you can add or remove the desired reader groups.

  3. After +- one minute the offline synchronization status of the lock will change to "the configuration is not in sync"

  4. Get the configuration with the DOM Service App by syncing the app with the DOM controller.

  5. Sync the offline device with the DOM Service App.

  6. Sync the DOM controller with the DOM Service App.

  7. After +- one minute the offline synchronization status of the lock will change to "the configuration is synchronized".

For more information about Access Rights see this *Access rights in iProtect™ - Knowledge Base - Confluence (atlassian.net) article on our knowledge base.

 

5.1.2 Remove a device

Browse to the menu: Installation | Hardware | Node

  • Double click on the DOM controller node.

  • Right-click on the reader in the tree-view to be deleted.

  • Press on the button Delete.

  • Open the Device unbound section below the DOM controller node.

  • Select the device and click on the button “Uncouple”.

  • Sync the DOM Service App with the DOM controller.

  • Sync the offline device with the DOM Service App.

  • Sync the DOM controller with the DOM Service App.

  • Please wait a moment and verify whether the device has been removed from iProtect.

When a device has been successfully removed and properly uncoupled, the device is in freewheel mode.

Be aware! When removing a device without proper disconnection, the device may enter a state that it can only be disconnected using the master card. In the worst case, the lock must be returned to the supplier.

 

5.2 Online devices

The following section uses the RF-NetManager. The DOM Service App is not needed.

5.2.1 Access rights management

If you want to add or remove access rights to an offline lock, you can do this using the steps below.

Browse to the menu: Installation | Hardware | Reader.

  1. Find the desired reader and unfold the reader with the + sign.

  2. Click on the reader group list, here you can add or remove the desired reader groups.

  3. The device and the RF-NetManager start communication and synchronize the changes automatically.The offline synchronization status of the reader will display “The configuration is not in sync” when it is busy with the program task. Once the reader is updated, the status will revert to “The configuration is synchronized.”

The update process may take a few minutes. In some cases, it may be necessary to wake-up the Device and the RF-Netmanager, or you can refer to the DOMConnect manual for guidance.

 

5.2.2 Remove a device

Browse to the menu: Installation | Hardware | Node

  • Double click on the DOM controller node.

  • Right-click on the reader to be deleted.

  • Press on the button Delete.

  • Open the Device unbound section below the DOM controller node.

  • Select the device and click on the button “Uncouple”.

  • The device and the RF-NetManager will start communication and the device will be uncoupled automatically.

 

5.2.2 Remove a RF-Netmanager

Browse to the menu: Installation | Hardware | Node

  • Double click on the DOM controller node.

  • Unlink all the linked devices (Chiled devices) from the RF-Netmanager.

  • Click on the Uncouple button at the RF-Netmanager detail page.

  • The device will be removed from the configuration and can be used on another installation.

6. Migrating from A1/B1 to DOM API-implementation

To take advantage of the new API-implementation and hereby the benefits (see Chapter 1.2), the OSS configuration in IPROTECT must be changed.

If you want to convert A1/B1 configuration to API-implementation, the system must meet the minimum requirements, see Chapter 2.1.

  1. Browse to the menu: Installation | Hardware | Oss manufacturer.

  2. Select the used OSS element in the tree-view.

  3. Change the OSS Version from “A1” or “B1” to “DOM API-implementation“ .

  4. Browse to menu: Installation | Hardware | Node.

  5. Select the DOM OSS Node in the tree-view.

  6. Set the correct settings for the DOM controller see Chapter 4.5.2 .

It is essential to configure the correct provisioner group at the DOM OSS node, as this will transmit the configuration and keys to the DOM controller.

If an incorrect provisioner is selected, the locks may be programmed with the wrong keys, rendering them incompatible with the existing cards.

  1. Discover the devices by using the wizard or manually see chapter 4.6.1.2.

  2. Set the correct unbound “device address/PHI” to the reader .

  3. image-20241026-124444.png

  4. Synchronize the locks by using the DOM Service App see Chapter 3 .

The configuration file and the keys for the DOM Controller are sent via the provisioner in version =>10.04. This is different from older iProtect versions. To set this up correctly, it is necessary to request a key set from TKH.

When migrating a system from A1/B1 to API, all locks must be re-synchronized.

7. Extensive information

7.1 Reader dialog details

Below is a detailed description of the reader settings:

Field

State/Status

DOM ONLY or DOM & ORION

ORION ONLY

Field

State/Status

DOM ONLY or DOM & ORION

ORION ONLY

Name

Logical name for the Reader or same as DOM Device name

Hardware

ORION ONLY

Offline reader

Unique DOM reader ID

Automatically generated unique readerID which can be changed manually.

not available

Sub number

Unique IPROTECT sub number

Automatically generated unique Sub number which can be changed manually.

Read only field when the on-line card reader is connected the Pluto.

Status

ORION ONLY

Offline synchronization status

Not coupled

Not coupled

The coupling has been started

The coupling has been started

The configuration is not in sync

The configuration is not in sync.

The configuration is being synchronized

The configuration is being synchronized

The configuration is synchronized

The configuration is synchronized

Connection is lost

Connection is lost

Decoupling process has been started

Decoupling process has been started

Device address / PHI

Select the correct DOM Device

not available

Cosmos Access

ORION ONLY

Enable Cosmos Access

By enabling Cosmos Access on a reader, a new type of identification is activated.

By enabling Cosmos Access on a reader, a new type of identification is activated.

Only available when using SIRIUS IX card readers

Force remove button

When reader cannot be unassigned (broken), it will remove the reader from the Token Autority.

Be aware! When doing this action and the reader will be re-used again for Cosmos Access, the reader must be sent back to TKH-Security.

Synchronization status

Undefined

No status

Reader sent

Reader is signed up with the TokenAuthority

Reader assigned and tokens sent

Intermediate stage in assigning a reader

Reader assigned

Reader is assigned and can be used with Cosmos access

Interaction

All - In background

The mobile device does not need to be unlocked before it is presented to the reader. When opening the app nearby readers can be selected and opened in the app at the touch of a button

Scan & Go - Device unlocked

The mobile device does not need to be unlocked before it is presented to the reader

Scan & Go - In background

Nearby readers can be selected and opened in the app at the touch of a button

 

Scan & Go - and Select & Go

not available

Mobile device needs to be unlocked before presenting it to the reader. Select & Go can also be used for this reader.

Select & Go only supported when using SIRIUS IX card readers

 

Select & Go

not available

Nearby readers can be selected and opened in the app at the touch of a button

Select & Go only supported when using SIRIUS IX card readers

Entity state

Unknown

Unknown

To be assigned

Reader needs to be assigned

To be unassigned

Reader needs to be unassigned

Assigned

Reader is assigned

The table below describes the other reader settings:

Field

State/Status

DOM ONLY or DOM & ORION

ORION ONLY

Field

State/Status

DOM ONLY or DOM & ORION

ORION ONLY

General / General

Card data interpretation

Select the correct Card data interpretation

(Card data interpretation: update)

Per reader:

  • 1x OSS update per location

  • 1x OSS enroll

Provisioner group

NA for DOM

Per reader:

  • 1x OSS update

  • 1x OSS enroll

Reader mode (only available when reader is in connected to Device manager, when reader is on-line)

Locked

The door is closed. Access not granted.

Normal

Access granted.

Open

The door is open.

Door behavior / Door control

ORION ONLY

Unlock time (1/10 sec)

Default unlock time (3 sec - Default)

Alternate Unlock time (1/10 sec)

Default unlock time (3 sec - Default)

Device info

ORION ONLY

Public key for Cosmos

Public key is shown when the DOM controller and Mobile access are configured correctly

not available

Bluetooth / TX power (iBeacon)

Transmit power 0 dBm

Strength of the bluetooth signal can be adjusted. Do not adjust this at random! (0 dBm - Default)

not available

Fetch

Show all data from the device (registered at the DOM controller)

not available

IPROTECT ACCESS

ORION

Person

The person to check if it has a Mobile key (token) for the specific door/reader

Fetch

Shows which person(s) has a Mobile key (token) for the reader

7.2 DOMConnect Manual

Related content