“Apple innovated, Samsung followed, Google copied, then Microsoft reinvented. This is the story of ‘zero-touch’ provisioning which is a BIG deal for IT admins all over the world.”

Why can’t my laptop experience be like my smartphone? Why doesn’t my laptop start up immediately, why doesn’t the battery last all day and why does it crash? Why does it need hands-on IT support and why do I have to bring it to the office for an update?

There is clearly a stark difference between the laptop and smartphone experience. Both are mobile devices, both run similar chipsets and similar software like Office 365, and both require frequent updates and good security. So why the difference?

Why do companies have a team of skilled IT people to physically provision laptops but not mobile devices? Why do they require employees to bring laptops to the office for software updates, but not their smartphones? Why do laptops need to be sent back to the office to be reconfigured when an employee leaves? Why do employees need to remember a myriad of passwords for the laptop but enjoy biometrics on their smartphone?


Smartphone management was evolving

The story starts in April 2015 when Apple launched a new service called the Device Enrolment Program (DEP). This was a game changer for companies and millions of users who previously had to manually enrol their mobile devices in MDM (mobile device management) systems. The old process typically took 15 minutes and was notoriously painful for the end-user.

Thanks to Apple, from 2015 enterprises could register in the Device Enrolment Program by connecting their MDM system to Apple. Companies could then order iPhones or iPads and have the devices shipped pre-enrolled in their MDM. That saved at least 15 minutes for each device, so it was a huge hit with enterprises.

Samsung followed with a zero-touch enrolment process called Knox Mobile Enrolment (KME). Since Samsung are part of the open source Android movement, this idea was incorporated into Google’s Android Enterprise ecosystem and is called Zero Touch. By now, it was clear that the mobile industry had achieved something the 30-year-old desktop industry never did – provisioning and securing new devices remotely so the user had a great out-of-box experience.

Meanwhile, IT admins were setting up laptops the old way…

Creating a gold image, adding drivers, deploying packages. Whew. Every desktop and laptop required hours of work.

Then Microsoft came to the party. They were toiling hard in the background and soon brought out a slew of innovations that forever changed the way desktops and laptops would be provisioned and managed. The result of these innovations is that Windows 10 devices can now be managed like a smartphone! They called it Autopilot. By enrolling in the Autopilot program, a company can order Windows devices and have them shipped pre-enrolled to the company’s device management system – just like a smartphone.

The employee has the pleasure of opening the box and being the first person to touch this shiny new machine. The employee enters their Active Directory credentials and then auto-magically, a management profile is downloaded, WiFi is configured, security is applied, folders and files appear, and applications are installed. The device is configured for an individual user without needing hours of work from IT.
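Devices bought through an Autopilot-registered OEM or reseller arrive already registered, but an existing Windows 10 machine can be registered the same way by uploading its hardware hash. The script below is an added example (not Mobile Mentor’s code or Microsoft’s Get-WindowsAutopilotInfo script, though it reads the same WMI class that script uses) and assumes an elevated PowerShell session on the device and an output path of your choosing:

```powershell
# Added example (not Mobile Mentor's code): collect the identifiers that
# Windows Autopilot uses to recognise a device and write them in the CSV
# layout that the Intune / Endpoint Manager Autopilot import expects.
# Run in an elevated PowerShell on the Windows 10 device. Assumes the
# root/cimv2/mdm/dmmap namespace is present (Windows 10 1703 or later).

param(
    # Assumed output location; change to suit your environment.
    [string]$OutputFile = "$env:USERPROFILE\AutopilotHWID.csv"
)

# Serial number from the firmware; this is what appears in the Autopilot portal.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed through the DevDetail CSP's extension node.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
    throw "Hardware hash not available; run elevated on a supported Windows 10 build."
}
$hash = $devDetail.DeviceHardwareData

# The Windows Product ID column is optional in the import and left empty here.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
}

# Export without the type-information header, which the import does not accept.
$row | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding ASCII

# Report what was captured without echoing the full hash (it is a long blob).
Write-Output ("Serial: {0}  Hash length: {1}  Written to: {2}" -f $serial, $hash.Length, $OutputFile)
```

Treat the exported file as sensitive: a hash uploaded to a tenant binds that device to the tenant’s Autopilot profile at first boot, so it should only travel to the admin doing the import.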

Manage Windows 10 like a smartphone

Well, the good news, great news in fact, is that you can now manage your Windows machines just like you manage your smartphones. Let’s look at the device lifecycle, consider the 4 phases from order to EOL, and see how each part of the laptop experience now mimics the smartphone experience.

[Figure: Windows vs iOS device lifecycle comparison]

The concept of managing Windows like a smartphone is liberating, exciting, ground-breaking and a little bit scary. The net impact is that the IT team will no longer have to be hands-on with Windows machines. Windows devices can be ordered online, shipped to users, provisioned out of the box, managed with a device profile, secured with a set of policies, unlocked with a face, updated over-the-air, monitored with a set of compliance rules, supported remotely, reconfigured at end-of-life and re-assigned to the next user.

Whew, that is a long sentence! It means that every aspect of the device lifecycle has changed, forever. There is no going back. IT teams have been liberated, golf handicaps will improve, gaming scores will skyrocket …yeah right! In reality, skilled IT people will always be busy as there will always be complex problems to solve, new projects to tackle and processes to automate. But those are privileges for the companies who embrace Modern Management and manage all their endpoints from a single pane of glass.

Three Enabling Factors to modern Windows management

This is all possible for 3 reasons:

Profile-Based Management

First, Microsoft moved to a profile-based management model for Windows 10 – just like a smartphone. The Windows OS is standard and not modified by each company. Instead, an XML profile is downloaded over the air and this profile defines the device configuration and security settings. One of the great benefits of this profile-based management is that when the profile is removed, the device reverts to its original state. This is very powerful for consultants and contractors who have BYO laptops that can be treated as zero-trust and configured with a profile to connect securely to a corporate network.

Extended Line-of-Sight

Second, Microsoft extended “Line-of-Sight” to devices outside your network. Previously SCCM could only update machines inside the network and remote machines were excluded. This made it extremely difficult to perform updates and implement Single Sign-On for people who worked out of the office. Now it is possible to have Line-of-Sight to any device outside the network perimeter – to the extent that the concept of a network perimeter is becoming irrelevant.

Single Pane of Glass

Third is the ability to manage Windows 10 devices with the same UEM (Unified Endpoint Management) tools that are used to manage smartphones and tablets. The leading tool-sets can do this well so that IT Admins can manage desktops, laptops, tablets and smartphones using a single pane of glass. For reference, the leading vendors are Microsoft Endpoint Manager (formerly Intune and EM+S), VMware Workspace ONE (formerly AirWatch) and MobileIron UEM. Single pane management facilitates a much simpler model than the traditional process, which requires different tools and processes for each device category.

There are significant benefits for IT and for businesses

We live in exciting times and these innovations bring enormous benefits to IT teams and to employees who generally have 2 or even 3 devices.

For us, the really big benefits are:

  1. All endpoints can be managed from a single pane of glass. IT admins can see the compliance status of all devices and restrict access to company data based on a consistent set of policies deployed to all devices. This results in reduced management overhead and increased transparency.

  2. Zero-touch provisioning for all devices means that it is possible to get a new employee up and running with a laptop, tablet or smartphone in minutes rather than hours. Not only are the devices configured and secure, but employees are immediately productive with the apps and services needed for their role.

  3. BYO laptops and smartphones can be secured just like a company-owned laptop with no additional work for IT and no burden on the user. Policies and application updates are applied over the air, and OS updates are handled by Microsoft / Apple / Google. Companies can stop managing images and shut down SCCM, WSUS, and other related infrastructure.

The cost savings appear to be really significant. The TCO of a desktop / laptop is well documented and likewise, the TCO of a smartphone is well understood. It is too early for us to have a large body of empirical evidence for the savings, but industry studies show a 50% savings in the TCO of a Windows 10 machine that is managed like a smartphone. We will update this blog when we have enough data to qualify that estimate more accurately.

Our mission is to empower people to achieve more

For years we focused on smartphones, then we added tablets and now we can finally include laptops under the same umbrella. This means we can secure and manage all these devices using the same tools and processes to provide a seamless user experience.

Most importantly, we can manage all these endpoints at a fraction of the cost of the legacy management model, which is highly fragmented and requires manual work. Mobile Mentor is a Microsoft Gold partner, certified on ‘Windows and Devices.’

If you’re interested in learning how you can manage Windows like a smartphone then take a look at our services, or contact us.
