The Commission mobile application is a powerful and convenient tool for use with BACnet/IP Controller devices. However, as with any application, security must be considered and appropriate actions taken to guard against unauthorized access.
For more information, see Commission Mobile Application Overview.
The Commission mobile application uses a wired Ethernet connection, a WiFi connection, or Bluetooth Low Energy (BLE) to communicate with BACnet/IP controllers. If you are connecting over BLE, do not use the default password after the first use.
You configure the password for BLE access in the RP controller. For more information, see Changing the RP Controller Bluetooth 6-Digit PIN.
The Commission mobile application comes with the following security features:
The Commission mobile application runs on Android and iOS (Apple) phones and tablets, as well as laptops and other devices using Microsoft Windows 10. These devices have built-in security designed to prevent unauthorized use of the device, which in turn should provide secure access to the Commission mobile application installed on the device. In addition, the mobile application features user and password authentication to further prevent its unauthorized use.
Normal operations of the Commission mobile application use the BACnet protocol, which is not secure. Therefore, HTTPS is used when the mobile application is downloaded prior to installation, and again during its activation.
Usage of the Commission mobile application is tracked and reported by Visual Studio App Center Analytics, using the account’s tracking ID. However, no personal information is recorded during this transaction.
The Commission mobile application uses signing certificates for the application stores from which the mobile application is downloaded: Google Play, the Apple App Store, and the Microsoft Store.
Usernames and passwords are stored on the mobile device only, and are not shared. They are encrypted and decrypted using the Advanced Encryption Standard (AES).
Installation of the Commission mobile application is performed by the user of the mobile device. The installer obtains an activation code from a Schneider Electric representative and then enters it during the activation process.
The Commission mobile application has no default password. Once the application is installed, the user is prompted, at the time of activation, to create a user name and password. The user may change the password at any time, following the application’s activation.
Several options are available for connecting the Commission mobile application to BACnet/IP controllers.
For more information, see Connection and Architecture Options.
Settings for BACnet/IP controller network communications are configured as part of the device settings.
For more information, see BACnet/IP Controller Device Settings.
Password requirements are in effect for use with the Commission mobile application:
Contains at least 8 characters in total
Contains at least 1 number
Contains at least 1 special character
Contains at least 1 upper-case character
Contains at least 1 lower-case character
Contains no more than 3 repeating identical characters
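The requirements above, written as a checker that reports which rule a candidate password fails. This is an added example, not code from the Commission mobile application. It assumes that "special character" means ASCII punctuation and that the last rule rejects a run of four or more identical consecutive characters (case-sensitive), since the page defines neither.

```python
import string

# Assumption: the page does not define "special character"; ASCII punctuation is used here.
SPECIALS = set(string.punctuation)
# Assumption: "no more than 3 repeating identical characters" is read as
# "the longest run of the same consecutive character is at most 3".
MAX_RUN = 3


def longest_run(password):
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1  # comparison is case-sensitive
        best = max(best, run)
        prev = ch
    return best


def policy_violations(password):
    """Return the rules the candidate fails, in page order (empty list = compliant)."""
    checks = [
        ("at least 8 characters", len(password) >= 8),
        ("at least 1 number", any(c.isdigit() for c in password)),
        ("at least 1 special character", any(c in SPECIALS for c in password)),
        ("at least 1 upper-case character", any(c.isupper() for c in password)),
        ("at least 1 lower-case character", any(c.islower() for c in password)),
        ("no more than 3 repeating identical characters",
         longest_run(password) <= MAX_RUN),
    ]
    return [rule for rule, ok in checks if not ok]


# Constructed sample candidates, not real credentials.
SAMPLES = ["Bacnet#2024", "Aaaa#1234", "Aaaaa#123", "shrt1!A", "password"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        failed = policy_violations(candidate)
        print(f"{candidate!r}: {'OK' if not failed else '; '.join(failed)}")
```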
If you encounter cybersecurity incidents or vulnerabilities while using the Commission mobile application, report them through the following website: http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/contact-form.page
Once installed and activated, the Commission mobile application routinely checks the respective application store, namely Android Play, the Apple App Store, or the Microsoft Store, for updates. The mobile application is maintained through the update process, which is followed by the user when the mobile application indicates that a new build is available.
When the Commission mobile application is no longer needed, the application should be decommissioned. To do this, use the appropriate functions provided on the device and operating system to uninstall the application and remove all related data from the device.
To reset the Commission mobile application, for example to provide the application to a different user, use the appropriate functions provided on the device and operating system to uninstall and then reinstall the application.
The BACnet protocol is generally known to be a non-secure protocol. When using BACnet on a network, you must take precautions to prevent unauthorized access.