user_standard Log on
Log on to rate and give feedback 1 2 3 4 5 Log on to rate


Products: Commission, IP-IO , MP-C, MP-V, RP-C
Functionalities: Engineering, BACnet/IP devices
Product version: 2022, 2023, 2024

Cybersecurity and the Commission Mobile Application

arrow1_rotationConnectivity arrow1_rotationSecurity Features arrow1_rotationConfiguration arrow1_rotationOperation arrow1_rotationMaintenance arrow1_rotationDecommissioning arrow1_rotationResetting arrow1_rotationLimitations

The Commission mobile application is a powerful and convenient tool for use with BACnet/IP Controller devices. However, as with any application, security considerations and appropriate actions must be taken to guard against unauthorized access.

For more information, see Commission Mobile Application Overview .


The Commission mobile application uses a wired Ethernet, WiFi connection, or Bluetooth Low Energy (BLE) to communicate with BACnet/IP controllers. If you are connecting to BLE, do not use the default password after the first use.

You configure the password for BLE access in the RP controller. For more information, see Changing the RP Controller Bluetooth 6-Digit PIN .



Change default passwords at first use to help prevent unauthorized access to device settings, controls, and information.

Failure to follow these instructions can result in loss of data or equipment damage.

Security Features

The Commission mobile application comes with the following security features:

  • The Commission mobile application runs on Android and iOS (Apple) phones and tablets, as well as laptops and other devices using Microsoft Windows 10. These devices have built-in security designed to prevent unauthorized use of the device, which in turn should provide secure access to the Commission mobile application installed on the device. In addition, the mobile application features user and password authentication to further prevent its unauthorized use.

  • Normal operations of the Commission mobile application use BACnet protocol, which is not secure. Therefore, HTTPS is used when the mobile application is downloaded prior to installation, and again during its activation.

  • Usage of the Commission mobile application is tracked and reported by Visual Studio App Center Analytics, using the account’s tracking ID. However, no personal information is recorded during this transaction.

  • The Commission mobile application uses signing certificates for the application stores from which the mobile application is downloaded: Google Play, the Apple App Store, and the Microsoft Store.

  • Usernames and passwords are stored on the mobile device only, and are not shared. They are encrypted and decrypted using the Advanced Encryption Standard (AES).


Installation of the Commission mobile application is performed by the user of the mobile device. The installer obtains an activation code from a Schneider Electric representative and then enters it during the activation process.

The Commission mobile application has no default password. Once the application is installed, the user is prompted, at the time of activation, to create a user name and password. The user may change the password at any time, following the application’s activation.


Several options are available for connecting the Commission mobile application to BACnet/IP controllers.

For more information, see Connection and Architecture Options .

Settings for BACnet/IP controller network communications are configured as part of the device settings.

For more information, see BACnet/IP Controller Device Settings .

Password requirements are in effect for use with the Commission mobile application:

  • Contains at least 8 characters in total

  • Contains at least 1 number

  • Contains at least 1 special character

  • Contains at least 1 upper-case character

  • Contains at least 1 lower-case character

  • Contains no more than 3 repeating identical characters

If you encounter cybersecurity incidents or vulnerabilities while using the Commission mobile application, report it to the following website:


Once installed and activated, the Commission mobile application routinely checks the respective application store, namely Android Play, the Apple App Store, or the Microsoft Store, for updates. The mobile application is maintained through the update process, which is followed by the user when the mobile application indicates that a new build is available.


When the Commission mobile application is no longer needed, the application should be decommissioned. To do this, use the appropriate functions provided on the device and operating system to uninstall the application and remove all related data from the device.


Loss of data

If the Commission mobile application is allowed to remain on the device, an unauthorized person may use the application to access certain vulnerable items, including the following:

  • Controller lists created by the Controller List Creator

  • Diagnostic reports

  • Flow balance reports

Failure to follow these instructions can result in loss of data.


To reset the Commission mobile application, for example to provide the application to a different user, use the appropriate functions provided on the device and operating system to uninstall and then reinstall the application.


The BACnet protocol is generally known to be a non-secure protocol. When using BACnet on a network, you must take precautions to prevent unauthorized access.

  • Commission Mobile Application Overview
  • Connection and Architecture Options
  • BACnet/IP Controller Device Settings
  • Changing the RP Controller Bluetooth 6-Digit PIN