IBM Technical Exchange India Security User Group


Windows 11/10 Management with IBM MaaS360

By Lekha Shindhe S posted Wed October 27, 2021 11:52 PM


Sub Topic – Win 11/10 Endpoint Enrollment

Today as I write this blog, it takes me back to the days when IT Support has/had a unit of people sitting around a stack of laptops rigorously working, while on the other side an additional set of people waited for their laptops/endpoints to be ready so they could kick start their work. Well, I must say it was quite a task! Back in the day PC/laptop management was a colossal task, but not anymore.

With customers and users now adopting/preferring/learning the latest market trends and technologies, Endpoint Management has evolved hugely. Some of the trends we see in the market today are BYO (Laptop), Work from Anywhere (Pandemic!!!!!), Zero Trust, etc. These trends have and will continue to influence IT, which is now keen to streamline the Endpoint Mgmt. process and, most importantly, the laptop provisioning process. The effort is in the right direction because it makes life hassle free for both IT admins and users. After all, “Change is the only Constant”, isn’t it? (RIP Traditional Tools)

I do agree that, like any change, this one will not be easy either; it is a large project requiring significant effort, but that’s where modern technologies like IBM MaaS360 can help you.

However, to start managing endpoints, we first need to onboard them (most typically Windows 10, and very soon Windows 11). Yes, you heard it right: we offer same day support for Windows 11! Refer to this blog by my colleague for more details.

Onboarding is the very first step! Onboarding, enrolling and registering are words that can be used interchangeably. Definition: the process of making the endpoint officially approved for corporate usage. From then on, a successfully enrolled endpoint is enabled to access corporate resources like email, Wi-Fi, apps, etc. It is worth noting that “one size does not fit all”, but fear not: IBM MaaS360 offers multiple endpoint enrollment mechanisms. Depending on their requirements, customers can choose the enrollment method. This blog elaborates on some of the options our MaaS360 customers can explore/assess.

(Do note that the enrollment options are not limited to the ones mentioned here; the intention is to talk about the most widely discussed methods across our customer base. For more details, refer to our official documentation link.)

  • Browser Based Enrollment

What is This?
  • In this method, the Microsoft Edge browser is used to initiate the endpoint enrollment to MaaS360. Typically, the registration link (sent by the admin) is opened in the Edge browser, which invokes the enrollment wizard and presents the user with options. Successful completion of the wizard results in successful device registration.
Use Case
  • Customers looking to run “Bring Your Own (BYO)” programs
  • Most preferred option for BYO programs, as it supports Home Edition
  • Supports all editions of Windows 10, including Home
  • High BYO adoption as Home Edition is supported
  • Enrollment process is high touch (i.e., requires full user intervention)
  • Requires admin permissions
  • Dependency on the Edge browser to invoke the enrollment

  • Client Based Enrollment

What is This
  • Using the "Work Access” feature of Microsoft Windows, users can register their endpoint to MaaS360 and access work resources seamlessly. After successfully connecting with corporate credentials through Work Access, the organisation can apply company policies to the endpoint. Users give the organisation some control over the endpoint so that it can be remotely managed and secured.
Use Case
  • Bring Your Own (BYO) programs
  • Optionally for corporate owned endpoints if domain joining is not a criterion (a very rare scenario)
  • This method is an alternative to joining endpoints to a domain. Domain-joining is intended for corporate owned devices, while devices owned by employees can use "Work Access" options instead.
  • Flexible for BYO Programs
  • Enrollment process is high touch (i.e., requires full intervention from the user)
  • Requires admin permissions
  • Doesn’t support Home Edition

  • Out of Box Experience Enrollment

What is this?
  • OOBE is a native feature of Windows 10 that performs the initial hardware and software configuration. When customers turn on their Windows 10 laptop for the first time, they see the Windows Out of Box Experience (OOBE) wizard, which includes multiple screens such as Language, Cortana, License Agreement, Privacy Settings, etc. Once the OOBE wizard is completed, it automatically initiates the MDM enrollment of the endpoint to MaaS360.
Use Case
  • Typically, useful in Corporate Owned Endpoints
  • Azure AD Domain join is required
  • Customers using Azure AD who have no on-premises AD presence
  • Cloud First Customers
  • Seamless enrollment, self-explanatory for end users
  • On-premises infrastructure/resources are not a prerequisite
  • Requires Azure AD P2 License
  • Supports only Azure AD Domain Join
  • Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) is not supported

  • Auto Pilot Enrollment

What is this?
  • The Windows Autopilot service is a collection of technologies to simplify and automate the Windows Out of Box Experience (OOBE). Typically, when a new device is procured, the endpoint must be imaged to ensure it meets corporate standards (remember the “Golden Image”?). With Autopilot, the imaging process is eliminated; instead, the OEM-installed Windows OS is used to make the endpoint corporate compliant. This happens OTA, so good internet connectivity suffices!!!
Use Case
  • Typically useful in corporate owned devices where the following is required:
  • Pre-Configuring New Devices
  • Making the endpoint corporate compliant OTA, anytime, anywhere
  • Seamless endpoint lifecycle management (configuring, recovering, repurposing and resetting the endpoints) is an absolute essential
  • NO more Golden Image
  • Customised enrollment wizard
  • Seamless user experience, low touch
  • Supports Corporate Branding
  • Supports both Azure AD Join and Hybrid Domain Join
  • Requires Azure AD P2 License
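The options above hinge on a few facts about the endpoint: its Windows edition (Home rules out Work Access), whether the logged-in user has admin rights, whether it is already Azure AD or domain joined, and whether some MDM enrollment already exists. The following PowerShell script, added here as an example and not part of the original post or of IBM MaaS360 itself, gathers those facts on a Windows 10/11 endpoint before an admin picks an enrollment path. It assumes an elevated PowerShell session, that `dsregcmd.exe` is present (Windows 10 1607 and later) and prints the usual `AzureAdJoined : YES/NO` and `DomainJoined : YES/NO` lines, and that existing MDM enrollments are recorded as GUID subkeys under `HKLM:\SOFTWARE\Microsoft\Enrollments`, as Windows documents them.

```powershell
# Added example (not from the original post or IBM MaaS360): collect the endpoint facts
# that decide which Windows 10/11 enrollment option applies.
# Assumptions: elevated PowerShell, dsregcmd.exe available, standard registry locations.

function Get-EnrollmentReadiness {
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $editionId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # dsregcmd /status reports the device join state; match the YES/NO lines.
    $ds            = dsregcmd /status
    $azureAdJoined = [bool]($ds | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined  = [bool]($ds | Select-String 'DomainJoined\s*:\s*YES')

    # Existing MDM enrollments live as GUID-named subkeys with a ProviderID value.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.PSObject.Properties.Name -contains 'ProviderID' } |
        Select-Object ProviderID, UPN, EnrollmentType

    # Both browser-based and Work Access enrollment need admin rights (per the post).
    $isAdmin = ([Security.Principal.WindowsPrincipal] `
                [Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        OSCaption      = $os.Caption
        EditionID      = $editionId
        IsHomeEdition  = $editionId -like 'Core*'   # Home SKUs use EditionID "Core", "CoreSingleLanguage", ...
        AzureAdJoined  = $azureAdJoined
        DomainJoined   = $domainJoined
        RunningAsAdmin = $isAdmin
        ExistingMdm    = $enrollments
    }
}

$r = Get-EnrollmentReadiness
$r | Format-List

# Map the facts to the enrollment options described in the post. OOBE and Autopilot
# only apply to a device that has not completed first-run setup, so an already
# configured device is steered to browser-based or client-based (Work Access) enrollment.
if ($r.ExistingMdm) {
    'Device already has an MDM enrollment; review it before enrolling again.'
}
elseif ($r.IsHomeEdition) {
    'Home edition: browser-based enrollment is the supported path (Work Access is not).'
}
elseif (-not $r.RunningAsAdmin) {
    'Re-run elevated: browser-based and Work Access enrollment both require admin rights.'
}
else {
    'Pro/Enterprise edition: browser-based or Work Access (client-based) enrollment available.'
}
```

The script only reads state; it does not start an enrollment. The `ExistingMdm` check matters for the corporate owned scenarios too: a device that went through OOBE or Autopilot already carries an enrollment record, and a second enrollment attempt from a different path is a common source of confusion.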

What next??? Each to its own: choose your preferred option from the matrix given below and be ready to say, “RIP traditional tools”!!!

Enrollment Reference Matrix:

Should you have questions please write back to us or contact your Account Manager.