Secure your SIMs by enabling IMEI lock

22.09.2020

When configuring an Endpoint (via the emnify user interface (EUI) or the RESTful API), emnify customers can activate the IMEI lock. The IMEI is a unique serial number that the manufacturer assigns to cellular devices to identify devices connected to a GSM network. The IMEI lock option allows emnify users to lock the use of a SIM to a specific device, identified by its IMEI number. That way, even if an attacker has gained access to your device, they cannot misuse your SIM by inserting it into another device.

You can enable the IMEI lock and provide the IMEI for each endpoint via the EUI or the API. In most cases, the number is printed on the packaging of your device or under the removable battery or cover. However, to use the IMEI lock, you do not need to know the IMEI of your device as it can be auto-discovered by the system.

In the EUI, you can enable the IMEI lock and optionally store the IMEI in the Endpoint's configuration section. A red lock marks endpoints that are locked to a SIM.


To simply enable or disable the IMEI lock, you can also use the 'More' button above the endpoint list.

When using the RESTful API, you can configure the IMEI lock during endpoint creation or through an endpoint update.


Auto-Discovery of the IMEI

Once the device establishes a PDP context, the system automatically retrieves the IMEI, stores it for the endpoint and fills it in the Endpoint's configuration section in the EUI. If no IMEI was stored so far, the IMEI received from the network is stored and used for comparisons in the future. You just need to enable IMEI lock without any entry and the device will be locked when the next PDP context is established. The IMEI is displayed in IMEISV (IMEI + Software Version) format (based on 3GPP TS 23.003). The system retrieves the IMEI from the next PDP context that is established, e.g. when the device tries to create an internet connection. If IMEI lock is disabled and the IMEI received from the network does not match the stored IMEI (or no IMEI is stored), the received IMEI will be stored but will not be used for comparison in further PDP context requests.

Effects of the IMEI lock

If IMEI lock is activated, the stored IMEI is compared to the IMEI received from the network. If they don't match, the PDP context is rejected and the device will not be able to consume data. The following error will be shown in the EUI:
“PDP Context Request rejected, because IMEI lock active, but IMEIs do not match, EP IMEI=3562580635695401, IMEI provided from network = 8628170310374321”.

Limitations of an IMEI lock

Because the IMEI of a device is only sent when a PDP context is established, an active IMEI lock only affects data connectivity; everything outside data connectivity will continue to work on other devices. For example, from another device it will be possible to attach to an operator and send/receive SMS and USSD messages.

Also, some network operators do not provide the IMEI, so the system cannot verify that the SIM is used within the device it was locked to. In the event that no IMEI is contained in the PDP context request, the system will skip the IMEI check and allow the SIM to connect to the network. That way, the SIM card will be able to use the data service even in networks which do not allow verification of the used device via the IMEI.
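
The rules from the auto-discovery, effects and limitations sections above can be read as one decision per PDP context request. The following Python model is an added example, not emnify code: the `Endpoint` class, the function name and the outcome strings are hypothetical, exact string comparison of the IMEISV values is an assumption, and the two sample IMEIs are the ones quoted in the error message above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    imei_lock: bool
    imei: Optional[str] = None  # stored IMEISV, None if nothing is stored yet


def evaluate_pdp_request(ep: Endpoint, network_imei: Optional[str]) -> str:
    """Decide one PDP context request and update the stored IMEI as described."""
    if network_imei is None:
        # Operator sent no IMEI: the check is skipped and the SIM connects.
        # With the lock enabled this session is unverified, worth flagging.
        return "accepted_unverified" if ep.imei_lock else "accepted"
    if not ep.imei_lock:
        # Lock disabled: the received IMEI is stored but never compared.
        ep.imei = network_imei
        return "accepted"
    if ep.imei is None:
        # Auto-discovery: the first IMEI seen becomes the locked value.
        ep.imei = network_imei
        return "accepted_locked_now"
    if ep.imei == network_imei:
        return "accepted"
    # Lock enabled and IMEIs differ: PDP context rejected, stored IMEI kept.
    return "rejected_imei_mismatch"


def replay(ep: Endpoint, requests: list) -> list:
    """Run a sequence of received IMEIs (None = not provided) through the model."""
    return [evaluate_pdp_request(ep, imei) for imei in requests]


if __name__ == "__main__":
    own, other = "3562580635695401", "8628170310374321"
    locked = Endpoint(imei_lock=True)  # lock enabled with no IMEI entered
    # Constructed sequence: own device, SIM moved, network without IMEI, own device.
    for outcome in replay(locked, [own, other, None, own]):
        print(outcome)
```

The `accepted_unverified` outcome marks the sessions where the lock is enabled but could not be enforced, which is the case to watch for on SIMs that roam into networks that do not provide the IMEI.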
