Have you guys considered making it possible to restrict the provisioning of new devices?
Specifically I was thinking an IP address based restriction, or requiring a key to be available.
This is a tie in to our secure boot work where we would love to be able to restrict provisioning to the IP address of the factory, or require a key (which could be provided via USB for example).
Once provisioned of course the device key is all that is required. No changes there.