Provisioning and distributing devices


Advice for IT administrators on how to provision and distribute smartphones, tablets and laptops to end users


Provisioning new devices and distributing them to end users efficiently is central to the running of an IT estate. How you choose to implement these processes will have a direct impact on the security of your deployment.

This guidance discusses some of the security aspects of provisioning and gives advice on ways to secure this part of the device lifecycle.

Why secure your provisioning process?

Before your corporate devices can be used by staff, they need to be set up to use the corporate services they need to do their job.

This setup can be done in one of three ways:

  • Manually by end users following instructions (self enrollment)

  • Manually by an administrator

  • Automatically using zero-touch enrollment

Each of these has pros and cons, which you should take into account when developing your provisioning procedures.

There are plenty of opportunities for problems to occur during the provisioning process. For example, you may wish to allow users to enroll their devices into your MDM service themselves, using their corporate username and password. To do this, you will need an internet-connected service that accepts single-factor authentication, leaving you exposed to credential stuffing and password spraying attacks.

You might also need to distribute devices to users in remote locations, sometimes using untrusted distribution channels. You should be confident that a device intercepted in transit can’t be used to access work data. This is especially important as un-enrolled devices will be particularly difficult to monitor without their enterprise configuration in place.

Preparing for secure provisioning

There are several separate steps we consider part of the provisioning process. You should consider each of these in turn.


Topics and points to consider:

Assigning devices to users

When you buy devices, how will you track who they are assigned to? If an issue is reported with a device (e.g. by protective monitoring) you need the ability to find out who its owner is. You may also have obligations to keep track of corporate assets.

Choosing who enrolls the device into mobile device management

There are essentially three approaches for enrolling devices into MDM:

  • Self-enrollment. End users are expected to enroll their device into MDM themselves. This is often used in BYOD deployments. Self-enrollment typically requires users to be given access to enrollment infrastructure via the internet, which also exposes that infrastructure to potential attackers. If you do this, multi-factor authentication should be required. This approach also relies on users reliably following instructions, or they risk social engineering attacks that could compromise their new device.

  • Admin enrollment. Trusted administrators are responsible for all the setup work required to prepare devices for use. For large deployments, this can be an onerous process. Admin enrollment can alleviate the issues that arise in self enrollment, but puts the onus on a small number of individuals to do the enrollment process on behalf of a potentially large number of users. With this approach, dedicated provisioning networks can also be used to limit the enrollment infrastructure’s exposure to attackers on the Internet.

  • Zero-touch enrollment. Devices automatically enroll themselves when users first turn them on, because MDM service details were provided when the device was purchased. Zero-touch enrollment simplifies and automates much of the admin enrollment work, but requires some co-ordination between procurement and device management. Dedicated zero-touch enrollment has many advantages.

Applying any local configuration to the device

Some devices cannot be completely provisioned automatically and may require manual setup. For example, you may need to configure the firmware settings of your laptops manually.

Your process might need to include steps where trusted administrators apply settings locally before devices are given to users. If so, you will need to think carefully about how to manage administrative credentials here, as re-using one password (e.g. for a local admin account) across your entire fleet is a bad idea. Tools like LAPS (Local Administrator Password Solution, for Windows) can help with this.

Delivery of the device and credentials to users

You’ll need to get the device and some credentials (for the device itself, or for enrollment) to your users. However you do this, you should ensure that an intercepted device can’t be used to access your data. For example, posting devices with no passcode set is not a secure distribution method, nor is distributing a device and its passcode together.

Send device passwords separately, out of band. Alternatively, let users use their existing credentials (with multi-factor authentication) to enroll themselves when they receive the device. If, at any point, their password was transmitted to or known by another person, they should be required to change it before they start using the device.

Enrollment into biometric authentication

Setting up biometric authentication requires the end user to be present, so this cannot be done remotely. If you are going to allow biometrics, you should provide guidance on how your users can set this up once they receive and start using their device.

Securing the enrollment process and monitoring for issues

Because devices are not yet fully provisioned during enrollment, your protective monitoring solutions may not have full visibility of them. So, you may want to take additional steps to harden the enrollment process, including:

  • Only permitting pre-registered devices to enroll

  • Using multi-factor authentication to enroll

  • Having time-bounded periods during which users can enroll, so that intercepted or lost devices cannot be used

Review our Logging and protective monitoring guidance for further advice.


How to provision securely

When provisioning and distributing devices to users, you should:

  • Use zero-touch enrollment to automate as much of the device provisioning process as possible.

  • Ensure any manual enrollment endpoints (such as your MDM service) are secured, including requiring authentication.

  • Ensure local accounts on devices have unique credentials per device, including BIOS and local administrator passwords.

  • Use trusted channels such as internal email to distribute device or enrollment credentials to users. Ensure these credentials are changed at first use.

  • Monitor for devices that should have been activated but have not been, and/or time-limit activation.

  • Many MDMs support placeholder accounts for pre-enrolling devices that you expect users to enroll later. Use these placeholder accounts to ensure that only expected devices are enrolled.
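The hardening steps above (pre-registered devices only, time-bounded enrollment, monitoring for devices that never activate) can be checked from an asset register and an MDM enrollment export. The following is an added example and not part of this guidance or any MDM product: the register format, the 10-day window and the sample serials and users are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed asset register: devices pre-registered with the MDM before
# dispatch, keyed by serial (assumed format; not real data).
ASSET_REGISTER = {
    "SN-0001": {"user": "alice", "dispatched": "2024-03-01"},
    "SN-0002": {"user": "bob", "dispatched": "2024-03-01"},
    "SN-0003": {"user": "carol", "dispatched": "2024-03-04"},
    "SN-0004": {"user": "dan", "dispatched": "2024-03-01"},   # never enrolled
    "SN-0005": {"user": "erin", "dispatched": "2024-03-18"},  # still in window
}
# Constructed sample of what the MDM reports as enrolled devices.
MDM_ENROLLMENTS = [
    {"serial": "SN-0001", "user": "alice", "enrolled": "2024-03-03T09:12:00"},
    {"serial": "SN-0002", "user": "mallory", "enrolled": "2024-03-02T11:00:00"},
    {"serial": "SN-9999", "user": "dave", "enrolled": "2024-03-02T08:30:00"},
    {"serial": "SN-0003", "user": "carol", "enrolled": "2024-03-20T10:00:00"},
]
ENROLL_WINDOW = timedelta(days=10)  # assumed policy: enroll within 10 days

def review_enrollments(register, enrollments, now, window=ENROLL_WINDOW):
    """Compare MDM enrollments with the asset register; return sorted
    (finding, serial) tuples for protective monitoring to triage."""
    now = datetime.fromisoformat(now)
    findings, seen = [], set()
    for e in enrollments:
        serial = e["serial"]
        seen.add(serial)
        expected = register.get(serial)
        if expected is None:  # only pre-registered devices should enroll
            findings.append(("UNREGISTERED_DEVICE", serial))
            continue
        deadline = datetime.fromisoformat(expected["dispatched"]) + window
        if datetime.fromisoformat(e["enrolled"]) > deadline:
            # late enrollment: possibly an intercepted or lost device
            findings.append(("ENROLLED_OUTSIDE_WINDOW", serial))
        if e["user"] != expected["user"]:
            # enrolling user differs from the placeholder account's owner
            findings.append(("USER_MISMATCH", serial))
    for serial, expected in register.items():
        deadline = datetime.fromisoformat(expected["dispatched"]) + window
        if serial not in seen and now > deadline:
            # dispatched, window elapsed, never activated: chase or revoke
            findings.append(("NOT_ACTIVATED", serial))
    return sorted(findings)

def run_sample(now="2024-03-21"):
    return review_enrollments(ASSET_REGISTER, MDM_ENROLLMENTS, now)
```

Calling `run_sample()` flags the unregistered serial, the late enrollment, the user mismatch and the device that was dispatched but never activated, while leaving the device still inside its window alone.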