After a lengthy chat it became clear that the Pi devices would need to be accessed by clients using a smartphone or a web browser.
Each Pi device would have a set of settings, and be able to read GPIO data. Each device would have to be secure (with authentication and authorization). There are several options to go about this, but using a central relay server offers a lot of advantages.
Basically, a relay server (remote, shared by everyone in the system) would maintain a list of Pi devices along with their UUIDs, owners, employees, and permissions. Once booted up, the device would make a persistent connection to the server using TCP, identify itself, and be able to send and receive data (configuration, sensor data). Look into Twisted, 0MQ (zeromq), and other TCP server/client stacks.
Clients would be able to use the relay server by logging in and reading/writing (depending on permissions) to their Pi devices. Registering devices would be simple: by adding their UUID, the relay server knows who each device belongs to. Discarding devices due to theft, etc. would be just as simple (by the way, since the Pi will contact the server, if it's reported as stolen, it can relay its IP and other data when it comes online again).
Use properly configured SSL to secure your connections.
Advantages of this approach:
- Works without a NAT, no need for unique IPs per device.
- Simple UUID-based configuration, without addresses, etc.
- Centralized data, secure (if properly configured)
Disadvantages:
- Internet connection is a must.
- More work required to implement than a simple decentralized stack
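
A sketch of the relay's bookkeeping described above (UUID registry, owner/employee permissions, the device's identify step, and the stolen flag), as an added example that is not code from the original answer. The class and method names, the `read`/`write` permission labels, and the per-device token are assumptions; the token is added because a UUID on its own identifies a device but does not authenticate it.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Device:
    owner: str
    token: str                                   # per-device secret (assumption, not in the post)
    grants: dict = field(default_factory=dict)   # user -> set of "read" / "write"
    stolen: bool = False
    last_seen_ip: str = ""

class Relay:
    def __init__(self):
        self.devices = {}                        # UUID string -> Device

    def register(self, device_uuid, owner):
        # The owner claims a UUID; the returned token is provisioned on the Pi.
        if device_uuid in self.devices:
            raise ValueError("device already registered")
        self.devices[device_uuid] = Device(owner, secrets.token_hex(16))
        return self.devices[device_uuid].token

    def _owned(self, actor, device_uuid):
        dev = self.devices[device_uuid]
        if actor != dev.owner:
            raise PermissionError("only the owner may do this")
        return dev

    def grant(self, actor, device_uuid, user, perms):
        self._owned(actor, device_uuid).grants[user] = set(perms) & {"read", "write"}

    def report_stolen(self, actor, device_uuid):
        self._owned(actor, device_uuid).stolen = True

    def allowed(self, user, device_uuid, action):
        # Deny by default: unknown devices and users without a grant get nothing.
        dev = self.devices.get(device_uuid)
        return dev is not None and (user == dev.owner or action in dev.grants.get(user, ()))

    def device_hello(self, device_uuid, token, peer_ip):
        # Identify message sent by the Pi once its TLS connection is up.
        dev = self.devices.get(device_uuid)
        if dev is None or not hmac.compare_digest(dev.token.encode(), token.encode()):
            return "rejected"
        dev.last_seen_ip = peer_ip               # a stolen device still reports its address
        return "quarantined" if dev.stolen else "accepted"
```

In a real relay, `device_hello` would be called from the TCP server's connection handler with the peer address of the socket, and `allowed` would gate every client read or write after login.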