Zero-touch enrollment


Using zero-touch enrollment to automatically provision smartphones, tablets and laptops


Zero-touch automates much of the manual work involved in traditional device enrollment flows. This allows organizations to ship devices directly to users without an administrator having to set up or enroll each device first. Zero-touch enrollment is available on most mobile platforms today, though it generally goes by a different name on each.

This guide is aimed at IT admins in organizations with large numbers of devices to distribute to end users. It gives some basic context on zero-touch enrollment and outlines good practices, without going into the details of specific platforms.

Why use Zero-touch?

Zero-touch cuts down on the administrator time required to enroll each device and the likelihood of mistakes, and it also secures unenrolled devices while they are in transit to users. The strength of these benefits grows with the number of devices to deploy.

In some cases, zero-touch enrollment may also provide additional security benefits. For example, on iOS, devices deployed through Apple Business Manager can be prevented from being unenrolled from mobile device management by the end user. It also means that a lost or stolen device cannot be wiped and re-used, even if Activation Lock is not enabled.

End-users also benefit by receiving a brand new, boxed device, which hasn't been opened or pre-used by an administrator.

Preparation for Zero-touch

Specific requirements for each zero-touch enrollment program vary, but in general:

  • You'll need mobile device management (MDM) infrastructure which supports the zero-touch enrollment program you want to use.

  • You'll need an entirely automated, over-the-air device management process that does not require administrators to manually configure each device.

  • You'll need to decide how you'll do asset tracking, as your administrators will not be able to label each device before distribution.

How to use Zero-touch

Due to its security and administration benefits, the BCSF strongly recommends that large organizations use zero-touch enrollment programs relevant to their devices.

For Windows devices

If you manage Windows 10 devices using MDM, you should use Windows Autopilot. For traditional Windows domains managed with Group Policy, manual re-imaging is likely to remain the best approach.

Where you manage firmware settings on your devices, you may still need to configure those options manually on each device, as no standardized way to do this remotely has yet been created.

For other devices

Follow the manufacturer guide for the exact process to follow. At a high level, you'll need to:

  • Register for a zero-touch enrollment program for your chosen devices.

  • When you buy new devices, let your supplier know they need to assign the devices to your zero-touch enrollment program account, and provide them with the account details.

  • Configure your mobile device management services to automatically enroll new devices provisioned using zero-touch enrollment, including setting up policies to automatically apply to new devices.

  • You'll need to provide user guidance on steps to take when receiving a new device, as your administrators won't be setting up devices before they reach the end user.

You may also want to:

  • Try to retrospectively enroll your current fleet of devices into the chosen zero-touch enrollment program, so that if they are wiped they can be easily re-enrolled.

  • Create an exception process for devices that can't be zero-touch enrolled, so they can be added to your mobile device management infrastructure.
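Because administrators never handle a device before it reaches the user, asset tracking (see the preparation list above) and the exception process have to work from data rather than from physical labels. The script below is an added example, not part of this guidance and not tied to any specific MDM or supplier: it cross-references a supplier's shipment manifest (the serial numbers assigned to your zero-touch account) against an MDM inventory export and flags devices that shipped but never enrolled after a grace period, devices enrolled by someone other than the intended user, devices that enrolled without the zero-touch profile, and enrolled devices that appear in no manifest. The field names and all sample records are constructed for illustration.

```python
"""Reconcile a supplier shipment manifest against MDM enrollment records.

Added example (not from the original guidance). Field names below are
assumptions about what a supplier CSV export and an MDM inventory export
might contain; all sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Shipment:
    serial: str
    assigned_to: str      # intended user, as given to the supplier
    shipped_on: date


@dataclass(frozen=True)
class Enrollment:
    serial: str
    enrolled_user: str
    enrolled_on: date
    via_zero_touch: bool  # True if the MDM record shows the zero-touch profile applied


# Constructed sample data.
SHIPMENTS = [
    Shipment("SN-0001", "alice", date(2024, 3, 1)),
    Shipment("SN-0002", "bob",   date(2024, 3, 1)),
    Shipment("SN-0003", "carol", date(2024, 3, 2)),   # never enrolled, shipped two weeks ago
    Shipment("SN-0004", "dave",  date(2024, 3, 12)),
    Shipment("SN-0005", "frank", date(2024, 3, 13)),  # never enrolled, but still within the grace period
]
ENROLLMENTS = [
    Enrollment("SN-0001", "alice",   date(2024, 3, 4), True),
    Enrollment("SN-0002", "mallory", date(2024, 3, 5), True),   # enrolled by someone other than the intended user
    Enrollment("SN-0004", "dave",    date(2024, 3, 13), False), # enrolled manually; zero-touch profile not applied
    Enrollment("SN-9999", "erin",    date(2024, 3, 6), False),  # not in any manifest
]


def reconcile(shipments, enrollments, today, grace_days=7):
    """Return a dict of finding categories, each a sorted list of serial numbers."""
    shipped = {s.serial: s for s in shipments}
    enrolled = {e.serial: e for e in enrollments}
    findings = {
        "missing": [],              # shipped, no enrollment after the grace period
        "in_transit": [],           # shipped, no enrollment yet, still within grace period
        "user_mismatch": [],        # enrolled by a different user than the manifest says
        "bypassed_zero_touch": [],  # enrolled, but not through the zero-touch program
        "unexpected": [],           # enrolled, but never shipped through the program
    }
    for serial, s in shipped.items():
        e = enrolled.get(serial)
        if e is None:
            bucket = "missing" if today - s.shipped_on > timedelta(days=grace_days) else "in_transit"
            findings[bucket].append(serial)
            continue
        if e.enrolled_user != s.assigned_to:
            findings["user_mismatch"].append(serial)
        if not e.via_zero_touch:
            findings["bypassed_zero_touch"].append(serial)
    findings["unexpected"].extend(serial for serial in enrolled if serial not in shipped)
    return {k: sorted(v) for k, v in findings.items()}


def report(findings):
    """Render findings as plain text, one line per category."""
    return "\n".join(f"{k}: {', '.join(v) if v else '-'}" for k, v in findings.items())


if __name__ == "__main__":
    print(report(reconcile(SHIPMENTS, ENROLLMENTS, today=date(2024, 3, 15))))
```

Devices in the "missing" bucket are the ones worth chasing first: with zero-touch the device has been in nobody's custody but the courier's and the user's, so a manifest entry with no enrollment after the grace period is the earliest signal of loss in transit. The "bypassed_zero_touch" and "unexpected" buckets are the natural input to the exception process above.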

More information?

More information on zero-touch enrollment can be found on the various manufacturer websites:

Device type                  Program
---------------------------  ------------------------------------------------------------------------------
Android (excluding Samsung)  Android zero-touch enrollment program
Chrome OS                    White Glove Prep Enrollment Service (PDF)
iOS, macOS                   Apple Business Manager (formerly known as the Device Enrollment Program [DEP])
Samsung devices              Knox Mobile Enrollment
Windows                      Windows Autopilot