Zero Touch Enrollment & Deployment

In 2020, remote work took us all by surprise.

Today, work-from-home and hybrid work environments are the norm, forcing IT teams to reinvent and reimagine their approach to device management. Without a physical office, device onboarding and offboarding can’t happen in person. Deployment and provisioning have to happen remotely, at scale.

That’s where zero-touch deployment comes into play, allowing IT teams and MSPs to leverage Infrastructure as Code (IaC) models and take a hands-off, efficient approach to device and user onboarding.

But what does “zero touch” really mean, and how does it work?

In this article, we explore the limitations of the traditional model of IT onboarding (provisioning and deprovisioning) and describe the future of device deployment and user onboarding with zero touch.

What Is Zero Touch Deployment?

Zero-touch deployment is a method of configuring employee devices with company-specific protocols, programs, and settings remotely. This hands-off approach is becoming more and more important as organizations’ cloud-based tech stacks and the volume of laptops, tablets, and mobile phones continue to sprawl.

Manually configuring devices with the right profile and application settings for every individual user takes significant time and effort that most IT and MSP teams don’t have and end users don’t have the patience for. However, ensuring proper configuration and employee offboarding procedures is critical to the safety and security of company and customer data.
Zero-touch deployment tools enable IT and MSP professionals to schedule and automate the tedious, rote tasks on their behalf, speeding up the onboarding and offboarding process tremendously.

The Five Key Components of Modern Device Management

Read the Whitepaper

The Limitations of Traditional IT Device Deployment

In a traditional IT onboarding scenario, device deployment is centralized. Devices, whether new or redeployed, must funnel through the IT team on the way to a new user. Hardware is typically acquired by purchasing new machines or pulling existing machines from storage.

In both cases, IT is the initial recipient because the devices need human interaction to be configured, or wiped, and then configured. IT must then deliver the device to the user. There is significant time required for this, especially when remote employees are involved. 

Additionally, the configuration process followed by IT is time-consuming in and of itself. Not only do IT staff need to check all of the required boxes on the device setup list, they need to validate, return, and store that information for security purposes.

The role of incoming employees further complicates these onboarding tasks because different teams need access to different resources, applications, and software. There may also be unique device configurations required for, say, employees with higher levels of security clearance or employees using devices out in the field.

IT’s typical onboarding task list includes:

1. Obtain employee information – name, department, title, ID, start date, apps and access needs, equipment needs
2. Order machine or pull from storage, then set up manually – OS, budget, accounts, policies, connectivity, software, etc.
3. Install software and create accounts for each application – Office, Slack, AWS, Atlassian, Salesforce, Adobe, GitHub, Dropbox, Google, etc.
4. Configure licenses and/or authentication for each app
5. Deliver the machine to its new user, whether working globally, remotely, or in the office
6. Ensure device is securely accessed and booted (with the temporary password changed, most importantly)
7. Train users on accessing work apps and troubleshoot issues
8. Adjust roles, permissions, and access

What happens when the onboarding cycle is disrupted? How are roadblocks managed in a timely manner with a distributed workforce or a hybrid workplace? How do you address changes in IT personnel? Or the inevitable changes to user or system requirements?

Yes, documentation can help standardize a manual configuration process, but onboarding still ultimately relies on IT staff involvement. Plus, additional effort is required to keep documentation up to date and relevant, especially as an organization scales and evolves. 

If users are completely reliant on IT to configure devices, what happens when IT is unavailable due to time off or other competing priorities? Work doesn’t happen. The traditional IT onboarding model can produce a bottleneck that inhibits employee productivity, and places undue strain on already understaffed and overutilized IT teams.

In contrast, the zero-touch model for IT onboarding eliminates this bottleneck by moving from centralized deployment to user-led deployment. It is a form of process automation that benefits IT teams, employees, decision makers, and the business as a whole.

Benefits of Zero-Touch Deployment

Zero-touch, automated endpoint management is beneficial to IT and MSP admins in myriad ways, including:

• Time savings: By eliminating manual device setup and configuration, zero-touch enrollment gives IT admins and MSPs substantial time back to focus on pressing helpdesk tickets and other strategic activities.
• Resource efficiency: Centralized device and user management enables IT and MSP teams to standardize configuration across the enterprise, ultimately reducing human error, the quantity of IT support tickets, and admins’ overall workload.
• Seamless employee onboarding experience: New employee laptops, tablets, and mobile devices are ready to use out of the box without any additional setup or IT support required. Departing employees no longer have to drop off their devices at the office. IT or MSPs can revoke access and wipe devices from anywhere — ex-employees simply ship the device back to HQ.
• Enhanced security: Devices are automatically enrolled in a predefined set of rules, network settings, and security policies, safeguarding the data on and transmitted between them.

How Does Zero-Touch Deployment Work?

Zero-touch deployment procedures differ from organization to organization, but the main steps remain fairly consistent across companies:

1. Device preparation. For zero-touch deployment to work, company devices must be enabled with zero-touch provisioning (ZTP) capabilities. Purchasing devices through Apple and Windows enterprise programs ensures devices are ZTP-enabled before they ship to employees. 
2. Enrollment profiles. Different employees use different devices and applications in their day-to-day work. Establishing clear, templated role-based profiles can help IT and MSPs deploy the right systems and permissions to the right devices from the moment employees power on their devices for the first time.
3. Connection to MDM or EMM. Mobile device management (MDM) and Enterprise Mobility Management (EMM) solutions configure device settings without end-user interaction. Connecting to a stable Wi-Fi network triggers ZTP-enabled devices to send requests to MDMs and EMMs through Dynamic Host Configuration Protocol (DHCP) or Trivial File Transfer Protocol (TFTP). In a DHCP setup, end users connect their laptop to an internal network, and the MDM or EMM automatically assigns IP addresses and parameters to the device. With TFTP, a new device sends and receives files from MDMs or EMMs via a remote host.
4. Configuration. After a device has established a connection with a company’s MDM or EMM solution, the corresponding image data, applications, and security features download and run, getting employees up and running with their new device in a few minutes.
5. Follow-up. Post-setup, IT and MSP admins can use device management tools like JumpCloud to automatically prompt app updates, monitor usage, and troubleshoot throughout the device’s lifecycle.

The Future of Device Deployment: Zero-Touch Workflows

Take a moment to think about your current IT onboarding process. What does it look like? Are new users imported using an HR source or inputted manually? Do new employees on the accounting team receive the same onboarding process as new employees on the engineering team? As your company grows, will those manual processes scale? It’s important to design workflows for the future of your business and potential growth.

The ultimate goal in implementing a zero-touch model for unified device deployment and management is to architect an automated process that provisions new users with the settings and applications they need, without direct involvement from IT staff on day one. There is upfront time required to set this up, but once the preconfigured settings are in place and working properly, the IT onboarding task list is simplified down to just two items for every new hire:

1. Purchase a new device, or wipe an existing one, and ship it directly to the new employee
2. Associate user and device information with a robust device management system

That’s it! The rest of the process is completed automatically when the user boots up and connects to the internet for the first time. There is no longer human action required from IT staff for every new configuration because the device is executing what the MDM system is telling it to do, including configurations, software installation, security settings, and more.

A new device deployment that used to take hours or even days of IT time can now be completed in 10 to 15 minutes of a user’s time. Of course, the IT team configures this process one time and periodically updates it as needed, but you can see the benefits. This frees up a significant amount of time and energy for IT teams to focus on more strategic priorities.

Some other important things to consider when developing your own zero-touch workflow:

• What is your device management system capable of? Can it manage multiple OSs or are you dealing with multiple point solutions? Can you deploy software, updates, policies, and security commands across your fleet? Does it provide continuous device telemetry?
• How will you manage employee identities? Are you using a directory? Is your directory integrated with your device management system? Can you group users based on access privileges to various applications and IT resources, or enforce policies such as multi-factor authentication (MFA)? Locking down identities may be one of the most critical steps you take as an IT organization.
• What will the user experience look like at boot up? Are the enrollment prompts clear and welcoming? Does software installation happen efficiently in the background? Would you like to deploy a custom experience to better guide the user’s onboarding?

Once you have a solid device management system in place with a good single sign-on (SSO) tool, and you have your zero-touch strategy solved, it is entirely possible that IT no longer needs to be directly involved in device deployment. You could engineer a system in which HR initiates the new identity process, Purchasing orders devices and has them drop-shipped to end users, and everything else happens in the background.

IT, of course, builds and monitors the system, but hands-on time is not required to get a new employee’s machine up and running. This is the potential future of device deployment.

Zero-Touch Deployment With JumpCloud

The JumpCloud Directory Platform is designed specifically to help streamline IT workflows and simplify both user and device onboarding. By combining a powerful, cloud-based device management system with both identity management and SSO, IT teams can manage the entirety of their onboarding process from a single, cloud-based console. Windows, Mac, and Linux machines can all be deployed, configured, and managed everywhere they exist, from anywhere.

A great way to start your implementation of a zero-touch model for onboarding is to leverage JumpCloud’s MDM capabilities. Our cloud directory platform has a built in workflow that enables zero-touch enrollment for macOS in three easy steps:

1. Purchase a Mac using Apple Business Manager and ship the device directly to the new employee.
2. Input both user and device info into JumpCloud, adding each to the right configuration group(s).
3. The user logs in with JumpCloud credentials, and the identity and device bind at boot up.

And that’s just one example. Android EMM is included in the JumpCloud Platform as well, at no additional cost for existing customers. For Windows and Linux machines, IT admins can implement zero-touch principles to automate user and device configuration settings. Users can be grouped by the team they are joining to ensure the correct permissions are granted, and access is provided to the applications they need to Make Work Happen^®.

Devices can be grouped by OS or by job function to ensure the relevant security policies are applied, and the right software is installed. The ability to preconfigure settings for both user and device provisioning saves IT teams significant time during the device deployment process.

If you’d like to learn more about JumpCloud’s device management philosophy, and why we think it’s crucial to include identity management in the conversation around deployment, check out our whitepaper:

Or, if you’re ready to start benefiting from a more streamlined employee onboarding and offboarding experience, sign up for a free trial of JumpCloud or check out our favorable pricing.