Bulk device deployment: How UEM can help

Alie Ashryver

Oct 5, 2022

The amount of work done to get ONE device work-ready is enough to make even the most patient person pull out his hair. Let alone the sleep-deprived, highly caffeinated IT guy trying to set up hundreds of thousands of those devices! Add to it the fact that each device is different. They need to be handled according to their framework and architecture. Yup! All the patience in the world wouldn’t be enough.

The different types of devices may be a problem that we can’t do away with. After all, variety is the spice of life. But what if there was a way to set up all devices of a particular type together? Say, with a click! Just a click might be a stretch, but you get the point. Configurations, profiles, and policies on the one hand and a list or a CSV file of devices on the other. A few keystrokes and a suitable platform to bring the two hands together and, lo and behold, all the devices have been provisioned!
Welcome to the wonders of bulk deployment!

Why bulk device deployment?

Manually configuring each device one after the other is not efficient in a world where every second counts. After all, manual efforts can’t beat the accuracy and efficiency of an automated system. In addition, there is extra pressure as the team has to be extra cautious. Adding on to that, the massive number of devices makes the entire process cumbersome.
Bulk enrollment processes provide for quickly configuring network and security services on the devices. It allows easy visibility of the hardware, software, and security status to authorized personnel within an organization. Furthermore, the organization can reassign licenses and perform remote actions like locking or wiping devices. Automating configuration tasks decreases employees’ hours, thus ensuring more time to focus on other high-priority tasks and reducing operational costs.

Bulk deployment methods:

Apple Device Enrollment Program:

Apple has always prided itself on the security and privacy that it offers to its users. So much so that it becomes a hassle when it comes to managing the devices using third-party software. This particular problem, however, has been addressed by the company. Apple Device Enrollment Program (DEP), recently renamed Automated Device Enrollment, helps provide the necessary control over the devices used in a corporate setting. Accordingly, it is an efficient bulk enrollment platform for corporate Apple devices.

Features:

  • Automated enrollment and management of corporate owned Apple devices
  • Seamless integration with most UEM solutions
  • Apple DEP portal enables IT admins to enroll devices into their favored UEM solutions without physically touching the devices
  • Portal also provides for configuring and managing initial setup of the device – allows skipping several setup steps
  • Automated bulk enrollment and configuration of Apple devices

Why Apple DEP?

Apple DEP is popular because of its functional utilities like mandatory irreversible UEM enrollment, wireless supervision, and customizable streamlined setup assistant. To enroll in DEP, purchase your devices directly from Apple or authorized participating resellers. In case you didn’t purchase your devices from an Apple-authorized reseller, fret not! Apple allows the use of Apple Configurator to add them to DEP. Moreover, mandatory irreversible enrollment ensures that all the corporate Apple devices enroll in the UEM solution adopted by the organization. In addition, the administrators do not have to set the configurations for the customized setup assistant separately for each device, making it easier to configure many devices at once.

Setup flow:

The setup flow essentially involves:

  • Enrolling and getting a DEP ID
  • Purchase of devices from authorized resellers against DEP ID
  • Log into DEP portal and create a UEM server
  • Assign the devices to the UEM server
  • Define DEP policy in the UEM console
  • Lastly, unbox the device and connect the device to Wi-Fi

Connecting the device to the Wi-Fi ensures that the device is locked into the UEM solution, thus allowing remote management.

Zero-touch enrollment – Bulk deployment for Android devices:

Android’s Zero-Touch Enrollment program is yet another bulk deployment method that caters to the provisioning of Android devices. A large chunk of the working population is comfortable with Android devices. Undeniably, the necessary provisioning of these devices to protect the organization from corporate data leakage is a must in the modern digital market. Android’s Zero Touch enrollment helps fix the issues of corporate data leakage by managing Android devices using an appropriate UEM solution.

Features:

  • Enables bulk device deployment for Android devices
  • Fast, easy and efficient
  • Allows for pre-configuring devices with all the necessary work apps installed even before the device is unboxed
  • Locks the device into the organization’s chosen UEM solution
  • Enables remote management

Why Android Zero-touch?

Android Zero Touch promises a better user experience through faster device delivery and uncomplicated activation processes. It also alleviates the demands on the IT team by automating the deployment process. In addition, Android Zero Touch offers control, choice, and productivity. It helps manage any number of devices by enforcing management to protect the organization’s data. Moreover, the program ensures that remote management is intact even after the device is factory reset. Maximizing Android device deployment and productivity gain is an added perk of the program.

Setup flow:

The flow for Android Zero-Touch Enrollment includes:

  • Purchase of devices from an authorized reseller
  • Creation of the Zero-Touch Enrollment accounts
  • Assignment of devices to the customers (organization)
  • Creation of UEM profiles by the customers
  • Mapping the purchased devices to the configured UEM profile
  • End-user (employees) powering on the device.

Samsung Knox Mobile Enrollment:

Samsung Knox Mobile Enrollment (KME) is another bulk enrollment program that works to achieve automated and seamless setup configurations for Samsung devices in a corporate scenario. KME is a not-so-complicated enrollment program that equips organizations with the means to control and manage the Samsung devices deployed in their work environment. Accordingly, it prevents the devices from becoming unsuspecting entry points for security risks. In addition, it automates the process to help organizations save time and money on manual labor.

Features:

  • Bulk Enrollment of Samsung devices running Knox version 2.6 or higher with an appropriate UEM solution that supports the Knox Mobile Enrollment program.
  • Cloud-based APIs allow businesses to include essential Knox Mobile Enrollment features into their unique interface, giving them a centralized location to manage profiles and resellers.
  • Easy management of Samsung devices
  • Lost/stolen devices when factory reset will be re-enrolled into the UEM solution
  • Restricts enabling/disabling NFC and configuring VPN
  • Additionally, it enables deploying a specific firmware version, which is not always the most recent version, thanks to Knox E-FOTA operating on top of KME.

Why Samsung Knox Mobile Enrollment?

Some key features of KME include automated configurations that help streamline the device deployment process in bulk and easy UEM enrollment. And thus, Samsung KME does away with the need to manually enroll devices. The automated process is quick and easy to implement and provides for the automatic re-configuring of devices in case of a factory reset or hard reset.

KME makes the management of Samsung devices a whole lot easier. As soon as the devices are powered up and set up with the network, the UEM configurations are applied. If factory reset, lost or stolen devices will be re-enrolled with the UEM, thus safeguarding the organization against data leak and theft and helping locate and secure lost or stolen devices. Multiple UEM configurations per account can be managed using KME, thus enabling organizations with a complex UEM environment to manage their large fleet of devices with the proper UEM configurations. Depending on its integration with a UEM solution, KME provides various advanced restrictions and functionalities. These include restrictions on Bluetooth, camera, Wi-Fi, and data roaming.

Setup flow:

The entire process for bulk device deployment can be chalked up to a few simple steps:

  • Create a Samsung account and a Knox portal account
  • Create a UEM profile from the KME portal
  • Add the devices to the portal
  • Lastly, configure and assign the devices to the UEM profile

Windows Autopilot:

Windows Autopilot is a collection of tools and technologies employed to configure devices for productive use. It predominantly configures Windows PCs or HoloLens 2 devices.

Features:

The features of this bulk deployment method include:

  • Operates in cloud-driven, IT-driven, and teacher-driven scenarios
  • Additionally, it supports the pre-registration of devices through the program with no extra intervention from the user’s side
  • Provides a higher degree of control to the team monitoring the different devices
  • IT team can reset, repurpose, and recover the devices with little to no infrastructure
  • A steep drop in the time spent by IT admins trying to deploy, manage or retire devices
  • Ease of use for all types of end-users

Why Windows Autopilot?

Windows Autopilot has managed to automate the process of adding devices to Azure Active Directory using the Hybrid Azure AD join feature. Furthermore, it provides for the automated enrolling of devices into UEM solutions without much user interference. In addition, it provides for the configuration of the BitLocker encryption settings. Thus the applied configurations guide the automated encryption process.

Windows Autopilot markets itself on features that include skipping the setup wizard, restricting admin account creation and remote reset. Windows Autopilot takes advantage of the OEM-optimized Windows client when initially deploying new Windows devices. There is no need to keep up with maintaining custom images and drivers for every device model because this version is preinstalled on the device. It can change the edition of Windows being used to support advanced features. Stolen/lost devices can be reset remotely by the IT team using Windows Autopilot. Additionally, Windows Autopilot allows remotely redeploying the device to some other user.

Setup flow:

  • The organization can purchase devices from vendors
  • Each device has a device ID
  • Upload IDs to the Windows Autopilot Deployment services.
  • Create deployment profiles and assign them to the devices.
  • Ship the devices to the users
  • Power the device and connect to the network
  • Finally, the device is locked into the UEM
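
The "upload IDs" step is where a wrong or unexpected device can slip into the tenant, so it is worth checking the list before it is submitted. The following is an added example, not code from Hexnode or Microsoft: it assumes the device IDs arrive as a CSV with the columns named in `REQUIRED` and that a set of purchased serial numbers is available; the function names, serials and hashes are constructed for illustration.

```python
import base64
import csv
import io

# Assumed column names for the device-ID CSV; match them to your actual export.
REQUIRED = ("Device Serial Number", "Windows Product ID", "Hardware Hash")

def _is_base64(value):
    """True if value is a non-empty, strictly valid base64 string."""
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

def validate_device_csv(text, purchased_serials):
    """Return (serials safe to upload, list of problems found)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"header: missing column(s) {missing}"]
    accepted, problems, seen = [], [], set()
    for row in reader:
        line = reader.line_num
        serial = (row["Device Serial Number"] or "").strip()
        hw_hash = (row["Hardware Hash"] or "").strip()
        if not serial:
            problems.append(f"line {line}: empty serial number")
        elif serial in seen:
            problems.append(f"line {line}: duplicate serial {serial}")
        elif serial not in purchased_serials:
            problems.append(f"line {line}: {serial} is not in the purchase inventory")
        elif not _is_base64(hw_hash):
            problems.append(f"line {line}: hardware hash for {serial} is not valid base64")
        else:
            accepted.append(serial)
        seen.add(serial)
    return accepted, problems

def _h(label):
    """Build a stand-in hash value for the constructed sample rows."""
    return base64.b64encode(label.encode()).decode()

# Constructed sample data: serials and hashes are made up, not real devices.
SAMPLE_CSV = (
    "Device Serial Number,Windows Product ID,Hardware Hash\n"
    f"SN-0001,,{_h('constructed-hash-1')}\n"
    f"SN-0002,,{_h('constructed-hash-2')}\n"
    f"SN-0002,,{_h('constructed-hash-2')}\n"
    "SN-0003,,%%%not-base64%%%\n"
    f"SN-9999,,{_h('constructed-hash-3')}\n"
)
PURCHASED = {"SN-0001", "SN-0002", "SN-0003"}
```

Only the serials returned in the first list should go into the file that is uploaded; each entry in the second list names the line to investigate first.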

Many UEM solutions have Windows Autopilot on their roadmaps due to the extensive set of features that it offers with a sense of flexibility.

PPKG enrollment – Another bulk deployment method for Windows:

Windows package provisioning is yet another bulk enrollment method. The provisioning package file is essentially just a bunch of configuration settings grouped in a container-like structure, with the file extension “.ppkg.” Any Windows 10 device can create the provisioning package file. The IT admins can then use this file to deploy devices in bulk.

Features:

  • One time setup – create a “.ppkg” file and then use the same file to set up all the devices
  • Eliminates the tiresome process of imaging for each device
  • Set up device even without network connectivity
  • Allows for configuring the devices to better manage them

Why go for Windows PPKG enrollment?

The two features that make this particular mode of enrollment so appealing are the one-time setup and the ease with which it facilitates bulk enrollment of devices. Accordingly, the enrollment process is as easy as powering on the device, connecting to a network and installing the .ppkg file. Once done, the device is enrolled into the UEM solution.

Setup flow:

To enroll devices using the provisioning package enrollment method, the fundamental step remains the creation of a provisioning package file.

  • Design and configure provisioning packages using Windows Configuration Designer (WCD).
  • Quick device configuration even without network connectivity
  • Saves time and avoids the installation of new device images
  • Launch Windows Configuration Designer, start a new project and set the project workflow to Provisioning package.
  • Customize it to include desired configurations.
  • Build the package by clicking on the build option.
  • Store the package on some removable media or transfer it to the target devices.
  • Double click the package file to install the file and in effect enroll the device into UEM.

ROM based enrollment (Bulk deployment of Android devices):

Read Only Memory or ROM is a non-volatile memory device present in computers and other electronic devices. Certain UEM solutions have provisions for enrolling Android devices by configuring the ROM.

Features:

  • Convenient for organizations that partner with OEM vendors – an original equipment manufacturer (OEM) collaborates closely with the seller of a finished product to supply parts for that company’s product
  • The policies and restrictions on devices are already in place
  • While manufacturing, a configured ROM or Android Firmware is inserted into the device
  • Additionally, the pre-programmed Android Firmware grants access and privileges to the UEM solution of choice
  • On powering up, the device enrolls into UEM – ensures that the UEM app will act as a normal system app

Why go for ROM based enrollment?

UEM solutions used in tandem with a custom ROM can help maximize the productivity and efficiency of the workforce by exploiting the additional functionalities and restrictions offered. Devices configured with a custom ROM can have apps pushed to them silently. They also have provisions for the silent removal of unwanted apps. So, no unnecessary pop-ups or notifications. This would ensure that the users can better focus as they will have an uninterrupted workflow. Other features like remote power off and reboot and making the UEM app unremovable are also possible using this mode of enrollment.

Setup flow:

The entire enrollment process comes down to three simple steps:

  • Begin by setting up the Android Firmware
  • Install the configuration file
  • Finish the process by flashing the ROM.

To sum it up…

When time is of the essence, bulk device deployment comes in handy to deploy multiple devices quickly. Bulk deployment methods should work in tandem with UEM solutions. However, not all UEM systems can interface quickly with deployment methods. Therefore, asking your UEM providers if their solutions can handle these methods is crucial.

Simply put, companies intending to implement deployment methods in bulk should always consider the kind of device, its OS and version, and its compatibility with the UEM solution. Never forget! Not every deployment method can support all UEM solutions, operating systems, and versions.

Alie Ashryver

Product Evangelist @ Hexnode. Gimme a pen and paper and I'll clear up the cloud of thoughts in ma head...