Device & player security

Digital signage means hardware on your network, in your building — so device security isn't a footnote for us, it's a product requirement. OptiSigns first-party devices are purpose-built signage players running OptiSigns-signed software, not generic consumer TV boxes. They ship with storage encryption and boot-integrity protection, receive automatic signed updates, and communicate outbound-only over TLS.

First-party players (Pro Player & OptiStick)

On customer-supplied hardware — Android and Fire TV devices, Windows/Mac via our desktop player, or the browser-based WebPlayer — the OptiSigns player runs as an application, and device-level security inherits the host operating system's posture (its encryption, boot integrity, and OS updates).

The OptiStick runs the OptiSigns player as a signed system app on a device with a locked bootloader, Android verified boot, and file-based encryption, with recurring vendor security updates. It is not a generic AOSP TV box — the class of device targeted by supply-chain malware campaigns like Badbox.

  • Enterprise Wi-Fi (802.1X EAP, certificate-based) is supported on OptiStick and Pro Player; player Wi-Fi supports WPA2 and WPA3.
  • Enterprise Network compatibility depends on your network configuration.
  • Wi-Fi credentials on the OptiStick are stored encrypted — OptiSigns staff cannot view them.
  • Content preconfiguration uses an AES-encrypted boot configuration file.
  • Kiosk/lockdown mode on first-party devices prevents users from leaving the signage experience.

Network behavior

All player traffic is outbound-only over HTTPS on port 443. Players never require inbound firewall rules, port-forwarding, or a VPN to operate — there is no listening surface to expose on your network.

Allow OptiSigns through your firewall by domain name (FQDN) rather than IP where possible; the full whitelist of domains, ports, and published fixed IPs is maintained in our support knowledge base:

Firewall whitelist article →
  • Enterprise Wi-Fi (802.1X EAP, certificate-based) is supported on OptiStick and Pro Player; player Wi-Fi supports WPA2 and WPA3.
  • Wi-Fi credentials on the OptiStick are stored encrypted — OptiSigns staff cannot view them.
  • Content preconfiguration uses an AES-encrypted boot configuration file.
  • Kiosk/lockdown mode on first-party devices prevents users from leaving the signage experience.

Bring-your-own-device players

The Pro Player runs OptiSigns' own hardened Linux with TPM2-backed full-disk encryption, a sealed read-only root filesystem, and A/B over-the-air updates that roll back automatically if an update fails.

  • BYOD Android (10+) defaults to file-based encryption; kiosk lockdown requires Device Owner enrollment.
  • Fire TV inherits Fire OS security — file-based encryption, Amazon-managed bootloader and OS updates.
  • Windows/Mac desktop players rely on host encryption (BitLocker / FileVault); the browser WebPlayer runs in the browser sandbox, always fresh from the CDN.

Remote access & fleet management

Remote support access to first-party players goes through OptiSigns SecureLink, an outbound-initiated secure channel from the device — no inbound firewall holes are ever required. On the Pro Player, all remote diagnostic and support access in production is gated behind this secured channel.

What staff can't reach matters as much as what they can: OptiSigns staff cannot view stored Wi-Fi credentials on devices, and the AI camera add-on (if used) processes anonymized detection counts locally, storing no images or facial identifiers on the device or our servers.

Questions about a specific device model?
Our engineering team can confirm per-model encryption and boot posture during your security review.