Deploying and managing devices in a remote-work world

Building and rebuilding devices has always occupied too much time for IT teams.

This has traditionally caused headaches for both the user—who has to wait to receive their device before they can begin working—as well as the IT teams who lose precious hours to manual device builds and resets.

Modern working requires IT teams to deliver devices and support to their users whenever they need it, wherever they are located. With the transition to a world of remote work, the need to implement a solution to these challenges has become even more pressing for organisations.

Thankfully, the cloud is transforming how we deploy, manage and reset our corporate devices – allowing organisations to thrive wherever their workforce is based.

Provisioning new devices

The traditional approach

The traditional manual approach to provisioning new devices always required a lot of time and resources.

If a user was without a device, the IT team had to place an order for the new hardware. The order then had to be processed and would usually be shipped to the IT department, which would take days or even weeks.

Once the hardware had arrived, IT would need to build the new device, using an image that they had maintained, to ensure all new devices were configured with the correct apps, policies and settings etc. IT admins would need to maintain one or more ‘golden images’ to do this. With bi-annual Windows 10 feature updates, this would often result in an IT Admin spending much of their time simply updating and testing the latest feature updates and then creating new golden images.

Once this process had been completed, the device would need to be shipped to the employee if they were working remotely — who would often be frustrated with the lengthy setup experience. It’s also worth noting that with Covid-19, the extra ‘touchpoints’ which require physical intervention from an IT Admin are particularly undesirable for everyone involved in the process.

For organisations rolling out multiple new devices simultaneously (possibly tens or hundreds of devices) this traditional approach to device deployment can become hugely expensive just in terms of lost time and productivity, let alone the cost of the new hardware and courier costs.

The modern approach

Thankfully, there is now a modern way to deploy new devices — a solution which uses a zero-touch deployment model to ensure that IT don’t even have to lay a finger on the device to get it business-ready. Windows Autopilot and Microsoft Intune make this possible for Windows 10 devices.

Windows Autopilot & Intune

Autopilot is a cloud service which allows users to simply self-service provision a new Windows 10 off-the-shelf device into a business-ready state without IT having to maintain or install custom Windows images – whilst Intune is Microsoft’s device management cloud service.

If a user needs a new Windows device, IT can simply place an order (with their preferred OEM or reseller) and have the device shipped straight to the employee at their home.

All the employee needs to do is unbox the device, switch it on and connect to the internet. At this point, Autopilot will automatically install all the apps and settings — pulling all the relevant information from the cloud (leveraging Azure Active Directory) to set the device up.

Rather than IT having to physically handle the devices and maintain golden images, all IT need to do is connect the device to Azure Active Directory (for identity) and set up the devices in Microsoft Intune (for mobile device management) — adding apps, user policies, app policies and choosing a setup experience for users. So when the user receives their device and connects to the internet, the rest is done automatically in front of them.

IT can also remotely pre-provision autopilot devices before users get them, so the users don’t even need to wait for the apps and settings to download – with everything already loaded onto the machine.

Rebuilding existing devices

Rebuilding existing Windows devices traditionally required an IT Admin to attend to devices locally. For obvious reasons, the pandemic has posed serious challenges for organisations still using this approach with remote workforces. Shipping devices between users’ homes and the IT department certainly isn’t an efficient strategy when the user could be left without a device to work on.

However, the modern approach of Autopilot and Intune can solve this issue once again.

If a user has a problem with their existing Autopilot device while working from home, as long as the device has been enrolled for mobile device management with Intune and connected to Azure Active Directory, IT can reset the device remotely.

Windows Autopilot Reset takes the device back to a business-ready state, removing some information such as personal files, settings and apps – and keeping other important information such as the device’s connections to Azure AD (identity) and Intune (device management) and any provisioning packages already applied to the device.

Once the device has been reset, the user (or a new user) can sign in and use the device again.

Device Management

The traditional approach

There are some key benefits that these cloud-based solutions provide over the traditional approaches to device provisioning and management that we have already discussed.

Traditional approaches resulted in devices being joined to on-premise Active Directory (AD) and managed by Group Policy Objects (GPO) which are a virtual collection of policy settings. The issue with these ageing technologies is that they were developed before remote working and devices being used outside the corporate network were widely permitted by organisations.

The problem with remote working was that changes to GPOs could often only be applied to devices when the device was connected to the corporate network — meaning any IT-mandated changes wouldn’t be enforced while the user was working from home. Not an ideal situation during a pandemic when your employees may be working remotely for months on end.

Similarly, another issue which arises from extended periods outside the corporate network is the ‘trust’ formed when the on-premise Active Directory computer object synchronizes a password with the device. Put simply, users can be locked out of their device if they don’t log on frequently enough using the corporate network.

Of course, Virtual Private Networks (VPNs) have traditionally been the solution to this — allowing remote workers to securely connect to the corporate network from home. However, many organisations don’t support a ‘network logon’ or for the user to connect to the VPN until they’ve logged into the device. Even if these aren’t issues for some organisations, many VPN services ‘force tunnel’ all network traffic from the device through the corporate network, contributing to ‘bottlenecks’ which negatively impact important high-bandwidth services such video conferencing apps like Microsoft Teams.

The modern approach

With Windows Autopilot, you can resolve these issues by joining your devices to Azure AD and Intune for device management. In this scenario, GPOs are replaced by device configuration profiles which allow you to create profiles for different devices and platforms, with the ability to push them out via Intune. Because you have registered the device in Azure AD (as opposed to on-premise Active Directory), there aren’t any computer object passwords to synchronize which solves that issue.

With Autopilot and Intune, you can perform all of your device management over the internet without any VPN and GPO requirements — making remote worker device management simple and effective.

Security & Compliance

Many organisations have internal policies which mandate compliance and security requirements for employee devices. For example, ensuring devices have BitLocker device encryption is a common requirement.

However, the IT teams still using traditional on-premise technologies often have no way of knowing which remote workers’ devices are compliant with organisational requirements and those which aren’t. When IT teams are building new devices manually, a surprising number of steps in the build process can be missed — and if the end user is working remotely and outside the corporate network, they won’t receive the GPO to update the device with whatever was missed during the build.

The cloud is transforming the way we secure and manage devices for remote workers. Microsoft Intune allows you to assign compliance policies to your devices. The device will be marked as either compliant or non-compliant depending on whether the device meets your minimum compliance requirements. Using Azure AD Conditional Access, you can create access policies which leverage the device compliance state to block access where a device isn’t determined to be compliant or secure enough.

This can also be extended to in-app controls. For example, access could be granted from non-compliant devices but Conditional Access would force the app to be accessed through Microsoft Cloud App Security (MCAS). This would apply an MCAS access policy to prevent the user from being able to use certain features such as downloads, printing, copy and pasting etc. These granular controls allow you to find the optimal balance of users being able to work easily on a range of devices, whilst also ensuring your data is secured and only available locally on compliant, managed devices.

Next steps

If you’d like to find out more about the capabilities of Microsoft Autopilot and Intune, or if you’d like some support with your device provisioning and management processes, get in touch with us today and we can help.