As the number of devices in organizations increases, device enrollment becomes more cumbersome, time-consuming and frustrating. Automation can help alleviate many of those pain points.
Without automation, IT might need to manually track and configure devices while also carrying out multiple hands-on, resource-intensive tasks. IT may require users to download mobile device management (MDM) client software, perhaps by navigating to a website or scanning a QR code. From there, users must follow a series of prescribed steps to connect to and register with the MDM service. Even the simplest process can result in an influx of IT support calls.
An automated device enrollment process eliminates many of the manual configuration steps that go into device enrollment and ensures that each device is set up with the policies necessary to properly manage and secure it. In most cases, users must perform only a few basic steps to self-activate their devices, which makes enrollment simple and fast and reduces administrative overhead.
The ability to automate enrollment depends on several core services available to mobile device platforms, including the Apple Device Enrollment Program (DEP), Android Zero-Touch Enrollment (ZTE) and Samsung Knox Mobile Enrollment (KME) for Android devices. Microsoft also offers a few of its own services to simplify Windows 10 device enrollment.
Apple Device Enrollment Program
Apple has led the way with automated device enrollment through DEP, which streamlines the process of deploying corporate-owned macOS, Apple TV and iOS devices purchased directly through Apple or through an authorized reseller. The service automates MDM enrollment for large-scale deployments and enables zero-touch provisioning, which removes the need for administrators to physically access each device.
To set up Apple devices for automatic device enrollment, IT can use any MDM product that supports DEP integration, which includes all the major players, even Microsoft Intune. Administrators should use Apple's DEP website to specify which MDM platform they will use to manage the devices.
The DEP service works in conjunction with the platform to enroll the devices and uses the MDM capabilities built into the devices' operating systems. Administrators need only provide the device serial numbers or order numbers to include them in the DEP provisioning process.
When users start their DEP-enabled devices, the device launches the Setup Assistant, which guides them through the steps necessary to configure and activate their devices. To help streamline this process, administrators can specify that users skip certain steps, such as signing into iCloud, acknowledging terms and conditions, and setting up Apple Pay. After users activate and register the device with the MDM service, they can access the necessary apps, account settings and permissions.
Android Zero-Touch Enrollment
Android recently introduced its ZTE service as a way to make Android rollouts more seamless and secure. The new service allows organizations to purchase preconfigured devices that have the management settings necessary for end users. Users need only sign into their devices to get the resources they need.
To take advantage of Android's ZTE service, an organization must purchase the devices from an approved Android vendor or carrier that supports the ZTE program, such as Samsung, Sony, LG Electronics, Motorola or Huawei. The organization cannot purchase the devices from a consumer store.
Once the organization places the order, the reseller can set up a ZTE account for the organization. The account enables the organization's administrators to access the ZTE portal where IT must define the devices' configuration policies.
Administrators can also use the portal to specify the MDM platform that will manage the devices. Several MDM vendors have integrated ZTE with their products, including VMware, BlackBerry, MobileIron and Soti.
The Android reseller uses the configuration settings from the ZTE portal to set up the mobile devices before shipping them to the customer. For each device, the reseller also assigns a unique ID, which the employee must use to sign into the device for the first time. This will kick off a self-provisioning process that automatically enrolls the device in the designated MDM service.
Samsung Knox Mobile Enrollment
Samsung was the first Android vendor to get serious about automatic device enrollment. The Samsung KME service makes it possible to enroll thousands of devices at one time, and it doesn't require IT to touch the devices.
An organization can use any MDM system that supports KME provisioning as long as the MDM server can connect to the KME server. The KME service is flexible enough to support multiple MDM platforms and multiple enrollment configurations at the same time. Administrators should also use the KME server to create a profile for each applicable MDM platform.
To use the KME service, an organization must purchase the devices from an approved reseller or distributor. Along with the devices, the seller provides the customer with the devices' serial numbers and International Mobile Equipment Identity numbers. An administrator can upload either type of number to the KME server to register a device for KME provisioning.
When a user starts a device for the first time, the KME setup wizard launches an MDM agent and then configures it to enroll the device with the MDM service. The user does not have to do anything but start the device.
Microsoft Azure AD and Windows AutoPilot
Although the number of Windows 10 mobile devices in the enterprise is at an all-time low, organizations continue to use Windows 10 desktops and laptops and Microsoft continues to move customers toward modern mobile management products that can help streamline device enrollment and administration.
One way that Microsoft supports modern management is through Azure Active Directory (AD) Join, an Azure AD service that enables administrators to automatically enroll and manage corporate-owned Windows 10 devices using an MDM system, including Intune.
To carry out the enrollment, Azure AD Join authenticates the user and device and then provides the MDM service with the identification information necessary to automatically enroll the device, a process that helps simplify enrollment for both administrators and end users. To use Azure AD Join for automatic enrollment, an organization must license it through Azure AD Premium.
Starting with Windows 10, version 1709, organizations can also use Group Policy settings to configure Windows devices to automatically enroll with an MDM product, but this approach comes with a number of restrictions. For example, the devices must already be joined in AD, and a running MDM service must be registered with Azure AD. In addition, users must be licensed through Azure AD Premium.
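As an added example that is not part of the article, the following PowerShell script performs a read-only check of a Windows 10 device against the prerequisites the paragraph lists: on-premises AD join, Azure AD registration, an MDM service registered with the tenant and the Group Policy automatic enrollment setting. It assumes the policy writes the AutoEnrollMDM value under the MDM policy key shown and that the enrollment client's scheduled task lives under \Microsoft\Windows\EnterpriseMgmt\; the Azure AD Premium license requirement cannot be verified from the device.

```powershell
# Added example (not from the original article): read-only readiness check for
# Group Policy-based automatic MDM enrollment on Windows 10, version 1709 or later.
# Run in an elevated PowerShell session on the device being checked.

# dsregcmd /status reports the device's join state and the tenant's MDM settings.
$dsreg = & dsregcmd.exe /status 2>$null

function Get-DsregField {
    param([string]$Name)
    # Return the value of a "Name : Value" line from dsregcmd output, or $null.
    $line = $dsreg | Where-Object { $_ -match "^\s*$Name\s*:" } | Select-Object -First 1
    if (-not $line) { return $null }
    return ($line -split ':', 2)[1].Trim()
}

# Assumption: the policy "Enable automatic MDM enrollment using default Azure AD
# credentials" stores its state as the AutoEnrollMDM DWORD under this key.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$autoEnroll = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).AutoEnrollMDM

# Assumption: the enrollment client registers its task under this folder.
$taskPath = '\Microsoft\Windows\EnterpriseMgmt\'
$enrollTask = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue

$checks = [ordered]@{
    'Joined to on-premises AD (DomainJoined)'         = (Get-DsregField 'DomainJoined') -eq 'YES'
    'Registered with Azure AD (AzureAdJoined)'        = (Get-DsregField 'AzureAdJoined') -eq 'YES'
    'MDM service registered with tenant (MdmUrl set)' = -not [string]::IsNullOrEmpty((Get-DsregField 'MdmUrl'))
    'Group Policy AutoEnrollMDM = 1'                  = ($autoEnroll -eq 1)
    'Enrollment scheduled task present'               = [bool]$enrollTask
}

foreach ($check in $checks.GetEnumerator()) {
    $mark = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('[{0}] {1}' -f $mark, $check.Key)
}

if ($checks.Values -contains $false) {
    Write-Warning 'One or more prerequisites for automatic MDM enrollment are missing.'
} else {
    Write-Output 'Device-side prerequisites met; confirm the user holds an Azure AD Premium license.'
}
```

A FAIL on the MdmUrl line usually means the MDM application has not been configured for the tenant in Azure AD, which no device-side policy can fix.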
More recently, Microsoft introduced its Windows AutoPilot service, a set of technologies used to preconfigure and automatically provision new Windows 10 devices. When users first turn on their devices, they need only connect to a network and verify their credentials. The AutoPilot features take care of everything else, which includes enrolling them in the target MDM service. Administrators can then use the service to manage policies, profiles, apps and other components.