Zero Touch Enrollment & Deployment

Written by Kelsey Kinzer on July 14, 2021


Remember when you had to maintain an up-to-date master disk image (often called a ‘gold image’) for your fleet?

Then manually install that image on every new device along with your organization’s software, complete the directory bind, and configure every new user, all before a new employee could even touch the machine?

Remember the hours it took to manually provision a new employee with everything they needed?

Fortunately, employee IT onboarding has moved past imaging, and that saves IT teams time and frustration. The newer approach borrows from infrastructure as code (IaC): instead of building and configuring a system through hands-on, interactive steps, the desired state is written down in machine-readable policy that the device applies itself. Zero-Touch enrollment applies that idea to endpoints and provides a hands-off, scalable model for streamlining device and user onboarding.

Back in the days of imaging, device deployment was a one-time action. The new paradigm of Zero-Touch, however, approaches device deployment as a modular process that develops over time with your business.

The best part? This process can be automated and managed remotely. This article explores the limitations of the traditional model of IT onboarding (provisioning / deprovisioning) as well as the future of device deployment and user onboarding with Zero-Touch.

The Limitations of Traditional IT Device Deployment

In a traditional IT onboarding scenario, device deployment is centralized. Devices, whether new or redeployed, must funnel through the IT team on the way to a new user. Hardware is typically acquired by purchasing new machines or pulling existing machines from storage.

In both cases, IT is the initial recipient because each device needs hands-on work: a new machine must be configured, and a redeployed machine must be wiped and then configured. IT must then deliver the device to the user. This takes significant time, especially when remote employees are involved.

Additionally, the configuration process itself is time-consuming. Not only do IT staff need to check every box on the device setup list, they also need to validate each step, record what was done, and keep that record for audit and security purposes.

The role of incoming employees further complicates these onboarding tasks because different teams need access to different resources, applications, and software. There may also be unique device configurations required for, say, employees with higher levels of security clearance or employees using devices out in the field.

IT’s typical onboarding task list includes:

  1. Obtain employee information – name, department, title, ID, start date, apps and access needs, equipment needs
  2. Order machine or pull from storage, then set up manually – OS, budget, accounts, policies, connectivity, software, etc.
  3. Install software and create accounts for each application – Office, Slack, AWS, Atlassian, Salesforce, Adobe, GitHub, Dropbox, Google, etc.
  4. Configure licenses and/or authentication for each app
  5. Deliver the machine to its new user, whether working globally, remotely, or in-office
  6. Confirm the device boots and the user can sign in securely (above all, that any temporary password has been changed)
  7. Train users on accessing work apps and troubleshoot issues
  8. Adjust roles, permissions and access

What happens when the onboarding cycle is disrupted? How are roadblocks managed in a timely manner with a distributed workforce or a hybrid workplace? How do you address changes in IT personnel? Or the inevitable changes to user or system requirements?

Yes, documentation can help standardize a manual configuration process, but onboarding still ultimately relies on IT staff involvement. Plus, additional effort is required to keep documentation up-to-date and relevant, especially as an organization scales and evolves. 

If users are completely reliant on IT to configure devices, what happens when IT is unavailable due to time off or other competing priorities? Work doesn’t happen. The traditional IT onboarding model can produce a bottleneck that inhibits employee productivity, and places undue strain on already understaffed and overutilized IT teams.

In contrast, the Zero-Touch model for IT onboarding eliminates this bottleneck by moving from centralized deployment to user-led deployment. It is a form of process automation that benefits IT teams, employees, decision makers, and the business as a whole.

The Future of Device Deployment: Zero-Touch Workflows

Take a moment to think about your current IT onboarding process. What does it look like? Are new users imported from an HR system or entered manually? Do new employees on the accounting team receive the same onboarding process as new employees on the engineering team? As your company grows, will those manual processes scale? It’s important to design workflows for the future of your business and potential growth.

The ultimate goal in implementing a Zero-Touch model for device deployment is to architect an automated process that provisions new users with the settings and applications they need, without direct involvement from IT staff on day one. There is upfront time required to set this up, but once the preconfigured settings are in place and working properly, the IT onboarding task list is simplified down to just two items for every new hire:

  1. Purchase a new device, or wipe an existing one, and ship it directly to the new employee
  2. Associate user and device information with a robust device management system

That’s it! The rest of the process is completed automatically when the user boots up and connects to the internet for the first time. There is no longer human action required from IT staff for every new configuration because the device is executing what the MDM system is telling it to do, including configurations, software installation, security settings, and more.

A new device deployment that used to take hours or even days of IT time can now be completed in 10 to 15 minutes of a user’s time. Of course, the IT team configures this process one time and periodically updates it as needed, but you can see the benefits. This frees up a significant amount of time and energy for IT teams to focus on more strategic priorities.

Some other important things to consider when developing your own Zero-Touch workflow:

  • What is your device management system capable of? Can it manage multiple operating systems, or are you dealing with multiple point solutions? Can you deploy software, updates, policies, and security commands across your fleet? Does it provide continuous device telemetry?
  • How will you manage employee identities? Are you using a directory? Is your directory integrated with your device management system? Can you group users based on access privileges to various applications and IT resources, or enforce policies such as multi-factor authentication? Locking down identities may be one of the most critical steps you take as an IT organization.
  • What will the user experience look like at boot up? Are the enrollment prompts clear and welcoming? Does software installation happen efficiently in the background? Would you like to deploy a custom experience to better guide the user’s onboarding?

Once you have a solid device management system in place with a good single sign-on (SSO) tool, and you have your Zero-Touch strategy solved, it is entirely possible that IT no longer needs to be directly involved in device deployment. You could engineer a system in which HR is initiating the new identity process, Purchasing is ordering devices and having them drop shipped to end users, and everything else is happening in the background.

IT of course builds and monitors the system, but hands-on time is not required to get a new employee’s machine up and running. This is the potential future of device deployment.

Zero-Touch Deployment With JumpCloud

The JumpCloud Directory Platform is designed specifically to help streamline IT workflows and simplify both user and device onboarding. By combining a powerful, cloud-based device management system with both identity management and SSO, IT teams can manage the entirety of their onboarding process from a single, cloud-based console. Windows, Mac, and Linux machines can all be deployed, configured, and managed everywhere they exist, from anywhere.

A great way to start implementing a Zero-Touch model for onboarding is to leverage JumpCloud’s MDM feature. Our cloud directory platform has a built-in workflow that enables Zero-Touch enrollment for macOS in three steps:

  1. Purchase a Mac from Apple or an Apple-authorized reseller so that it is assigned to your organization in Apple Business Manager, assign it to the JumpCloud MDM server there, and ship the device directly to the new employee.
  2. Input both user and device info into JumpCloud, adding each to the right configuration group(s).
  3. At first boot the Mac retrieves its enrollment profile from Apple, the user logs in with JumpCloud credentials, and the identity and device bind.

Because the enrollment arrives through Apple’s Automated Device Enrollment rather than a manually installed profile, the Mac is supervised and the MDM profile can be made non-removable, which is what makes the security policies you push later actually stick.

For Windows and Linux machines, IT admins can implement Zero-Touch principles to automate user and device configuration settings. Users can be grouped by the team they are joining to ensure the correct permissions are granted and access is provided to the applications they need to Make Work Happen©.

Devices can be grouped by OS or by job function to ensure the relevant security policies are applied and the right software is installed. The ability to preconfigure settings for both user and device provisioning saves IT teams significant time during the device deployment process.
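The HR-initiated flow described earlier (HR creates the identity, everything else happens in the background) and the user/device grouping described just above can be written down as a single reconciliation step. The following is an added example, not JumpCloud’s code or API: it takes a constructed HR roster, a constructed snapshot of directory state, and a constructed set of serials assigned in Apple Business Manager (ABM), and produces an onboarding plan that grants group membership by department, binds each pre-registered device to its user and device group, suspends anyone HR says is gone (or whom HR has never heard of), and flags anything it cannot decide safely. The department policy, group names, CSV columns and the `baseline-laptops` fallback group are all hypothetical placeholders for whatever your own directory and HR export use.

```python
"""Added example (not JumpCloud's code): build an onboarding/offboarding plan
from an HR roster, the current directory state, and the set of device serials
assigned to the organization in Apple Business Manager (ABM).

All inputs below are constructed sample data; the group names, department
policy and CSV columns are hypothetical.
"""
import csv
import io
from dataclasses import dataclass, field

# Hypothetical department policy: user groups that grant app access, plus the
# device group whose MDM policies the employee's machine should receive.
DEPARTMENT_POLICY = {
    "Engineering": {"user_groups": {"eng-users", "github-users"},
                    "device_group": "eng-laptops"},
    "Accounting":  {"user_groups": {"finance-users", "erp-users"},
                    "device_group": "finance-laptops"},
}
# Every active employee gets these, and nothing else unless a policy says so.
BASELINE_GROUPS = {"all-employees", "mfa-required"}
DEFAULT_DEVICE_GROUP = "baseline-laptops"  # hypothetical fallback device group

# Constructed HR export (the source of truth for who should have access).
HR_ROSTER_CSV = """employee_id,name,email,department,status,device_serial
1001,Ada,ada@example.com,Engineering,active,C02ABC0001
1002,Grace,grace@example.com,Accounting,active,C02ABC0002
1003,Linus,linus@example.com,Marketing,active,C02ABC0003
1004,Ken,ken@example.com,Engineering,terminated,C02ABC0004
"""

# Constructed directory state: email -> current groups and suspension flag.
DIRECTORY_STATE = {
    "grace@example.com":   {"groups": {"all-employees"}, "suspended": False},
    "ken@example.com":     {"groups": {"all-employees", "eng-users"}, "suspended": False},
    "mallory@example.com": {"groups": {"all-employees"}, "suspended": False},
}

# Constructed: serials ABM reports as assigned to this organization's MDM server.
ABM_ASSIGNED_SERIALS = {"C02ABC0001", "C02ABC0002", "C02ABC0004"}


@dataclass
class Plan:
    create: dict = field(default_factory=dict)         # email -> groups to grant
    group_changes: dict = field(default_factory=dict)  # email -> {"add", "remove"}
    suspend: list = field(default_factory=list)        # emails to disable
    device_bind: dict = field(default_factory=dict)    # serial -> (email, device group)
    review: list = field(default_factory=list)         # items needing a human


def desired_groups(department):
    """Groups an active employee in this department should hold, or None when
    the department has no policy (then nothing beyond the baseline is granted)."""
    policy = DEPARTMENT_POLICY.get(department)
    return None if policy is None else BASELINE_GROUPS | policy["user_groups"]


def build_plan(roster_csv, directory, abm_serials):
    plan = Plan()
    seen = set()
    for row in csv.DictReader(io.StringIO(roster_csv)):
        email = row["email"]
        seen.add(email)
        if row["status"] != "active":
            # Deprovisioning is HR-driven too: a terminated employee who is
            # still enabled in the directory gets suspended.
            if email in directory and not directory[email]["suspended"]:
                plan.suspend.append(email)
            continue
        groups = desired_groups(row["department"])
        if groups is None:
            # Unknown department: least privilege (baseline only) and flag it
            # rather than guessing which apps the person needs.
            groups = set(BASELINE_GROUPS)
            plan.review.append(f"{email}: no policy for department {row['department']!r}, baseline only")
        if email not in directory:
            plan.create[email] = groups
        else:
            current = directory[email]["groups"]
            add, remove = groups - current, current - groups
            if add or remove:
                plan.group_changes[email] = {"add": add, "remove": remove}
        serial = row["device_serial"]
        policy = DEPARTMENT_POLICY.get(row["department"])
        device_group = policy["device_group"] if policy else DEFAULT_DEVICE_GROUP
        if serial not in abm_serials:
            # A Mac not assigned in ABM will not auto-enroll at first boot, and a
            # manual enrollment would be unsupervised and user-removable.
            plan.review.append(f"{email}: serial {serial} is not assigned to this org in ABM")
        elif serial in plan.device_bind:
            plan.review.append(f"{email}: serial {serial} already planned for {plan.device_bind[serial][0]}")
        else:
            plan.device_bind[serial] = (email, device_group)
    # Directory accounts HR does not know about are suspended and flagged; an
    # orphaned account is how stale access survives offboarding.
    for email, state in directory.items():
        if email not in seen and not state["suspended"]:
            plan.suspend.append(email)
            plan.review.append(f"{email}: in directory but not in HR roster")
    return plan


if __name__ == "__main__":
    plan = build_plan(HR_ROSTER_CSV, DIRECTORY_STATE, ABM_ASSIGNED_SERIALS)
    for label in ("create", "group_changes", "suspend", "device_bind", "review"):
        print(f"{label}: {getattr(plan, label)}")
```

On the sample data the plan creates Ada (full Engineering groups) and Linus (baseline only, flagged), adds Grace’s missing finance and MFA groups, suspends Ken and the orphaned Mallory, binds only the two serials ABM actually knows about, and leaves three items for a human. The two deliberate design choices are that the HR export, not the directory, is the source of truth, and that anything the policy cannot resolve falls back to the least-privilege baseline instead of a guess.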

If you’d like to learn more about JumpCloud’s device management philosophy, and why we think it’s crucial to include identity management in the conversation around deployment, check out our whitepaper: The Five Key Components of Modern Device Management.

Kelsey Kinzer

Kelsey is a passionate storyteller and Content Writer at JumpCloud. She is particularly inspired by the people who drive innovation in B2B tech. When away from her screen, you can find her climbing mountains and (unsuccessfully) trying to quit cold brew coffee.
