Our mission is to empower people to achieve more.
For years we focused on smartphones, then we added tablets and now we can finally include laptops under the same umbrella.
This means we can secure and manage all these devices using the same tools and processes to provide a seamless user experience.
Most importantly, we can manage all these endpoints at a fraction of the cost of the legacy management model, which is highly fragmented and requires manual work on every machine.
Apple innovated, Samsung followed, Google copied, then Microsoft reinvented. This is the story of ‘zero-touch’ provisioning which is a BIG deal for IT admins all over the world.
The story starts in early 2014 when Apple launched a new service called the Device Enrolment Program (DEP). This was a game changer for companies and millions of users who previously had to manually enrol their mobile devices in MDM (mobile device management) systems. The old process typically took 15 minutes per device and was notoriously painful for the end-user.
Thanks to Apple, from 2014 enterprises could register in the Device Enrolment Program by connecting their MDM system to Apple. Companies could then order iPhones or iPads and have the devices shipped already assigned to their MDM, so that the device enrolled itself during first setup. That saved at least 15 minutes for each device, so it was a huge hit with enterprises.
Samsung followed with a zero-touch enrolment process called Knox Mobile Enrolment (KME). Since Samsung are part of the Android ecosystem, the same idea was incorporated into Google's Android Enterprise programme as Android zero-touch enrolment. By now, it was clear that the mobile industry had achieved something the 30-year-old desktop industry never did: provisioning and securing new devices remotely so the user had a great out-of-box experience.
Meanwhile, IT admins were setting up laptops the old way: creating a gold image, adding drivers, deploying packages. Whew. Every desktop and laptop required hours of work.
Then Microsoft came to the party. They were toiling hard in the background and soon brought out a slew of innovations that forever changed the way desktops and laptops would be provisioned and managed. The result of these innovations is that Windows 10 devices can now be managed like a smartphone! They called it Autopilot. By enrolling in the Autopilot program, a company can order Windows devices and have the OEM or reseller register each device's hardware identity (its hardware hash) to the company's tenant before shipping, so the device enrols in the company's device management system automatically at first sign-in, just like a smartphone.
The employee has the pleasure of opening the box and being the first person to touch this shiny new machine. The employee enters their Azure AD (now Microsoft Entra ID) credentials and then, auto-magically, a management profile is downloaded, WiFi is configured, security policy is applied, folders and files appear, and applications are installed. The device is configured for an individual user without needing hours of work from IT.
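The step that makes this work is the hardware hash registration: the hash is the identity Autopilot uses to recognise the device at first boot, so whoever can register hashes to your tenant can pre-commit devices to your deployment profile. As an added example (not code from the original post or from Microsoft), the script below reads that identity from the same WMI source Microsoft's published Get-WindowsAutopilotInfo script uses and writes the CSV that the Intune Autopilot import expects. It assumes Windows 10/11 with a TPM, an elevated PowerShell session, and the MDM bridge WMI namespace (root/cimv2/mdm/dmmap); the function names, the group tag value and the output path are this example's own.

```powershell
# Added example: collect a device's Autopilot identity and write the import CSV.
# Run elevated on the device being registered.

function Get-AutopilotRegistrationRecord {
    [CmdletBinding()]
    param(
        # Optional Autopilot group tag, used to route the device to a deployment profile.
        [string]$GroupTag = "",
        # Optional UPN to pre-assign the device to a user (an assumption of this example).
        [string]$AssignedUser = ""
    )

    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # The hardware hash is exposed through the MDM bridge WMI provider.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

    # Fail loudly rather than emit a row Intune will reject: an empty hash usually
    # means the session is not elevated, the TPM is missing, or the bridge is absent.
    if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
        throw "No hardware hash available for serial '$serial'. Run elevated and check TPM / MDM WMI bridge."
    }

    # Column names are the ones the Intune Autopilot CSV import expects.
    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''                 # optional column, left blank here
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $GroupTag
        'Assigned User'        = $AssignedUser
    }
}

function Export-AutopilotCsv {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][string]$Path
    )
    # ConvertTo-Csv quotes every field; strip the quotes so the file contains
    # bare values (the hash is base64, so it contains no commas or quotes).
    $Records |
        ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $Path -Encoding ascii
    Write-Host "Wrote $($Records.Count) record(s) to $Path"
}

# Usage: one device, tagged for a hypothetical 'Finance-Laptops' profile.
$record = Get-AutopilotRegistrationRecord -GroupTag 'Finance-Laptops'
Export-AutopilotCsv -Records @($record) -Path "$env:USERPROFILE\Desktop\AutopilotHash.csv"

# Equivalent using Microsoft's published script from the PowerShell Gallery:
#   Install-Script -Name Get-WindowsAutopilotInfo -Force
#   Get-WindowsAutopilotInfo -GroupTag 'Finance-Laptops' -OutputFile .\AutopilotHash.csv
```

Treat the resulting CSV and the Intune role that can import it as sensitive: a registered hash binds the device to your tenant's profile before any user has touched it. After the employee completes the out-of-box experience, running `dsregcmd /status` on the device should report AzureAdJoined : YES and a populated MDM URL, which is the quick check that enrolment actually happened rather than the device simply joining the tenant.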
Three Enabling Factors
This is all possible for 3 reasons:
- Profile-Based Management
First, Microsoft moved to a profile-based management model for Windows 10, just like a smartphone. The Windows OS image is standard and not modified by each company. Instead, configuration is delivered over the air through the MDM channel (an XML-based SyncML exchange against Windows configuration service providers), and this profile defines the device configuration and security settings. One of the great benefits of profile-based management is that when the device is unenrolled the managed settings are removed and the device returns close to its original state; note that applications and data installed under management are not necessarily rolled back, so check what your UEM actually removes on unenrolment before relying on this. This is very powerful for consultants and contractors with BYO laptops: such a device can be treated as untrusted by default and granted access to corporate resources only once it carries a profile and reports a compliant state.
- Extended Line-of-Sight
Second, Microsoft extended "Line-of-Sight" to devices outside your network. Previously SCCM (Configuration Manager) could only reliably update machines on the corporate network or connected to it by VPN, and remote machines were effectively excluded. This made it extremely difficult to perform updates and implement Single Sign-On for people who worked out of the office. Now it is possible to have Line-of-Sight to any device outside the network perimeter, to the extent that the network perimeter stops being the control point: the device's identity and compliance state take its place.
- Single Pane of Glass
Third is the ability to manage Windows 10 devices with the same UEM (Unified Endpoint Management) tools that are used to manage smartphones and tablets. The leading tool-sets can do this well, so IT admins can manage desktops, laptops, tablets and smartphones using a single pane of glass. For reference, the leading vendors are Microsoft Endpoint Manager (formerly Intune and EM+S, now branded Microsoft Intune), VMware Workspace ONE (formerly AirWatch) and MobileIron UEM. Single-pane management facilitates a much simpler model than the traditional process, which requires different tools and processes for each device category.
We live in exciting times and these innovations bring enormous benefits to IT teams and to employees who generally have 2 or even 3 devices.
For us, the really big benefits are:
- All endpoints can be managed from a single pane of glass. IT admins can see the compliance status of all devices and restrict access to company data based on a consistent set of policies deployed to all devices. This results in reduced management overhead and increased transparency.
- Zero-touch provisioning for all devices means that it is possible to get a new employee up and running with a laptop, tablet or smartphone in minutes rather than hours. Not only are the devices configured and secure, but employees are immediately productive with the apps and services needed for their role.
- BYO laptops and smartphones can be secured with the same policy engine as a company-owned device, usually through a lighter-touch enrolment or app-level protection so that IT does little extra work and the user keeps control of their personal data. Policies and application updates are applied over the air, and OS updates are delivered by Microsoft / Apple / Google, with the UEM controlling the deferral and compliance rules. Companies can stop managing images and, once every workload has been moved to the cloud tooling, shut down SCCM, WSUS and other related infrastructure.
The cost savings appear to be really significant. The TCO of a desktop / laptop is well documented and likewise, the TCO of a smartphone is well understood. It is too early for us to have a large body of empirical evidence for the savings, but industry studies show a saving of about 50% in the TCO of a Windows 10 machine that is managed like a smartphone. We will update this blog when we have enough data to quantify that estimate more accurately.