Zero Touch Deployment in MDM: Requirements & How
Zero-touch deployment is an effective way for enterprises to bind devices to their organizations at scale and then configure them automatically. How can it be used? The logistics & transportation sector offers an example.
A freight service company equips its truck drivers with tablet devices, like Samsung or iPad. When the number of fleets reaches over 1000, the touchless deployment method streamlines the process and makes out-of-the-box use possible.
Zero-touch deployment has been applied in various operating systems - Android, Windows, and iOS. Although each system has a different name for no-touch deployment, the functions are similar. In this article, we will introduce its meaning and how to set it up in the three common OSes.
- Part 1 : What is Zero-touch deployment?
- Part 2 : What are the requirements for utilizing zero touch deployment?
- Part 3 : How to set up zero-touch deployment? (Android/iOS/Windows)
- Compare ZTD in different systems
- How to start zero-touch deployment for Android?
- How to start zero-touch deployment for iOS?
- How to start zero-touch deployment for Windows?
- Part 4 : Devices compatible with zero-touch deployment
- Part 5 : Concerns about zero-touch deployment
- Part 6 : FAQs
Part 1: What is Zero-touch deployment?
Zero-touch deployment (ZTD) is a process where devices issued to employees are preconfigured to download corporate software, apps, settings, and policies when first turned on. It depends on the network environment, for instance Wi-Fi, requires zero intervention from the company's IT department, and functions as a self-setup automated workflow.
If you have a high-volume deployment strategy for enterprise devices (COBO & COPE), zero-touch deployment is the best option to put into effect.
Source: BYOD/COPE/CYOD/COBO, Which One Is Right for Your Business?
Technologies behind zero-touch deployment
Here are a few of the core technologies that make Zero Touch Deployment possible:
- Cloud Computing - helps deliver configuration files over the air and enables remote provisioning.
- Internet of Things (IoT) - enables devices to send, receive, and exchange data, and further connect with different endpoints.
- Software Defined Networking (SDN) - provides centralized control of the network and delivers automated, on-demand network services to applications.
- Virtualization - creates virtual resources such as servers, storage devices, networks, etc.
Reasons for using zero touch deployment
Characterized by automation, zero touch deployment streamlines the process of configuring a large number of company devices such as smartphones, tablets, laptops, and computers. In addition to efficiency, there are more benefits to using this deployment method.
- 1. Consistent and standardized configurations
- 2. Loss prevention even after a device factory reset
- 3. Simplified onboarding for new employees
- 4. Better control over user access to company resources
- 5. Easy updates to settings and management
Part 2: What are the requirements for utilizing zero touch deployment?
Zero touch deployment requires a combination of a portal, software, physical devices and network to be implemented.
Zero Touch Deployment Requirements:
- Compatible devices: only supported devices can be deployed via the zero-touch method. You need to buy from eligible manufacturers, distributors, or resellers.
- Account for the zero touch deployment portal: this is given by the device provider you work with. You need to log into the portal to set up specific device configurations (i.e. access restrictions, apps) and bind your MDM/EMM provider.
- MDM/EMM solution: you will need a device management solution for monitoring and managing devices in a centralized system. You can also copy the configuration parameter/iframe in its admin console.
- Network: setting up the zero-touch portal and the device management solution, and the device startup that downloads the preset apps, all need to be done in a networked environment.
Part 3: How to set up zero-touch deployment? (Android/iOS/Windows)
Simply put, the process of implementing zero-touch deployment goes like this:
- 1) Purchase devices that support ZTD.
- 2) Log into the zero-touch portal using the account from the device seller.
- 3) Create a configuration profile containing the settings and applications that the devices should have.
- 4) Add the parameter copied from your MDM/EMM provider.
- 5) Apply the configuration file to enterprise devices.
Compare ZTD in different systems
Here's a table of Zero Touch Deployment Requirements for Android, Apple, and Windows. See what you need based on device operating systems.
Requirement | Android | Apple | Windows |
---|---|---|---|
OS version | All devices running Android 9.0+ | iOS 7.0+, iPadOS, macOS 10.9+, tvOS 10.2+ | Microsoft Surface devices running Windows 10, Windows 11, and Windows Holographic |
ZTD device vendor/reseller | Android Enterprise device resellers, or others who joined Android Enterprise Recommended Program | Buy from Apple or Apple authorized resellers | Buy from Microsoft or manufacturers listed on Windows Autopilot |
Portal to register for ZTD | Android/Google Zero-touch Enrollment Portal | Apple Business Manager (ABM) | Microsoft Intune |
MDM/EMM provider | Android Enterprise Solutions Directory | No official recommendation | Microsoft Intune |
Now, let's start the implementation. You can check the step-by-step guide according to the device's OS.
1 How to start zero-touch deployment for Android?
To start Android zero touch deployment, you need an eligible vendor, supported devices, and a device management platform.
AirDroid is one of the device management solutions in Android's Enterprise Solutions Directory. Here, we use it as a demonstration.
- Step 1. Purchase Android devices.
- You can find supported devices directly in Enterprise Solutions Directory > Devices.
- Step 2. Get a zero-touch account and log into the portal.
- Your reseller will provide you with the account. Then go to the Android zero-touch enrollment portal and log in.
- Step 3. Log into the MDM/EMM admin console.
- Once you have found your mobile device management/enterprise mobility management provider, you need to create an account and log into the AirDroid Business platform.
- Step 4. Bind your Gmail account and create provisioning templates.
- Connect your organization with AirDroid Business so that you can manage the devices in one place. Go to Device > Zero Touch to proceed with the connection.
- The Provisioning Template is where you pre-configure device system settings, apps, or Kiosk Mode for the zero touch devices. Go to Device > Provisioning Templates > +Create template to start.
- Learn more: How to use Provisioning Template
- Step 5. Copy the parameter to the Android zero-touch enrollment portal.
- First, you need to create a configuration profile in the zero-touch portal. This profile is later applied to the zero-touch devices.
- Click Configurations and complete the following info: name, DPC extras (this is the place to paste the configuration parameter), and company details.
- Step 6. Apply the configuration file to devices.
- Click Device in the zero-touch portal and then enter the device IMEI/MEID/serial number.
- Next, choose the configuration file and click Update.
- Step 7. Power on the device and connect to Wi-Fi.
- Once the network is connected, app installation and other settings will run automatically.
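A pre-flight check for the DPC extras pasted in Step 5, as an added example that is not AirDroid's or Google's code: it lints the JSON for settings that weaken enrollment before the configuration is applied to devices. The key names are Android's documented provisioning extras; the sample values, the `enrollment_token` field, and treating keys outside the provisioning namespace as findings are assumptions.

```python
import json

P = "android.app.extra.PROVISIONING_"
# Provisioning extras defined by Android's DevicePolicyManager.
DOWNLOAD = P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
CHECKSUMS = (P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM",
             P + "DEVICE_ADMIN_PACKAGE_CHECKSUM")
SKIP_ENC = P + "SKIP_ENCRYPTION"
WIFI_PW = P + "WIFI_PASSWORD"
BUNDLE = P + "ADMIN_EXTRAS_BUNDLE"


def lint_dpc_extras(text):
    """Return a list of findings for a DPC extras string; empty means clean."""
    try:
        extras = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(extras, dict):
        return ["top level must be a JSON object"]
    findings = []
    for key in extras:
        # Heuristic (assumption): catches bundle fields pasted at top level.
        if not key.startswith(P):
            findings.append(f"key outside provisioning namespace: {key}")
    url = extras.get(DOWNLOAD)
    if url is not None:
        if not str(url).lower().startswith("https://"):
            findings.append("DPC download location is not HTTPS")
        if not any(extras.get(k) for k in CHECKSUMS):
            findings.append("DPC download location set without a checksum")
    if extras.get(SKIP_ENC) is True:
        findings.append("device encryption is skipped during provisioning")
    if extras.get(WIFI_PW):
        findings.append("Wi-Fi password stored in plaintext in the portal")
    if BUNDLE in extras and not isinstance(extras[BUNDLE], dict):
        findings.append("admin extras bundle must be a JSON object")
    return findings


# Constructed samples; "enrollment_token" is a hypothetical bundle field.
GOOD = json.dumps({BUNDLE: {"enrollment_token": "EXAMPLE-TOKEN"},
                   P + "LEAVE_ALL_SYSTEM_APPS_ENABLED": True})
BAD = json.dumps({DOWNLOAD: "http://mdm.example.com/dpc.apk",
                  SKIP_ENC: True, WIFI_PW: "example-password", BUNDLE: "token"})

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_dpc_extras(sample) or "no findings")
```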
2 How to start zero-touch deployment for Apple devices?
Apple zero touch deployment needs an Apple Business Manager (ABM) account. It's worth knowing that ABM is a portal for the IT admin to deploy and manage Apple devices centrally. Its capabilities include automatically deploying devices, apps, and also the IDs used by employees.
Both of them are integrated into ABM.
Source: developer.apple.com
Now, let's continue setting up.
- Step 1. Buy Apple devices in bulk.
- Apple zero touch deployment is available for iPhone, iPad, Mac, and Apple TV. You can purchase directly from the official website - Apple at Work Enterprise. Just leave your info to contact an Apple Business Team member. Or, you can buy from authorized resellers and cellular carriers.
- After purchase, you will receive the info needed to continue with the subsequent enrollment. For example,
- Apple Customer Number if you buy from Apple officially
- Reseller ID if you buy from an authorized reseller or cellular carrier
- Step 2. Log into Apple Business Manager.
- You need to complete the following info if you're creating an initial account: D-U-N-S Number, country/region, phone number, website, your name and work email, your job title, verification contact information, etc.
- Apple will verify your submitted info. Once it passes, you will be able to proceed with the following steps.
- Step 3. Add an Apple Customer Number or a Reseller Number.
- Go to Devices in the sidebar and then click Add.
- Step 4. Add a third-party MDM server.
- Click your name at the bottom. Select Preferences > MDM Server Assignment > Add.
- Next, complete the info for the MDM server and upload the Public Key file provided by your MDM solution to generate a server token.
- Click Download Token. Then, upload the server token to your MDM solution to verify the connection.
3 How to start zero-touch deployment for Windows?
To enable Windows zero touch deployment, the IT staff should be able to access the Azure Active Directory portal and Microsoft Intune. Here are the steps to get started:
- Step 1. Purchase Surface devices.
- To use Microsoft automated deployment, you'd better use its Surface devices, because those devices are built specifically for zero-touch deployment.
- Besides the official channel, you can buy the devices from authorized Surface resellers. View the reseller list here. Also, you should make sure that the resellers sell Windows-Autopilot-registered Surface devices.
- When you buy, a CSP will be given. It will connect the serial numbers of the devices with Microsoft so that you can proceed with the following configuration and management.
- Step 2. Set up Azure and Intune.
- Connect the organization's Azure AD tenant to Intune in order to continue zero touch enrollment for Windows.
- Next, create department profiles with the configurations of applications, policies, and settings for the devices.
- Step 3. Turn on devices and enable the network.
- After the device starts up, Microsoft will automatically identify the Device ID, and the company's tenant will be automatically notified.
- Lastly, Intune takes over the deployment and completes the pre-set configuration.
Part 4: Devices compatible with zero-touch deployment
Android | Apple | Windows |
---|---|---|
Pixel 7a, Samsung Galaxy S23+, Zebra Technologies TC22, Redmi 12, OnePlus Nord 3 5G, Motorola razr 40, Nokia XR21, Handheld NAUTIZ X81, vivo V29 Lite 5G, OPPO Find N2 Flip, etc. | iOS devices with iOS 7 or later, iPadOS devices, Mac computers with OS X Mavericks 10.9 or later, Apple TV devices with tvOS 10.2 or later | Surface Pro 9, Surface Laptop 5, Surface Studio 2+, Surface Go 3, etc. |
Part 5: Concerns about zero-touch deployment
While ZTD has numerous advantages, it also has a few challenges and concerns. Here are a few of them:
Security and privacy – ZTD involves pushing predefined configurations and settings to devices. Ensuring each device receives the correct settings and configurations is crucial. Organizations must take stringent precautions to prevent unauthorized access to devices.
Compatibility and device support – not every device supports ZTD. Therefore, organizations must ensure they requisition the correct devices supported by their ZTD platform.
Integration with existing systems – ZTD may require integration with an organization’s existing IT infrastructure, such as application management systems, directory services, MDM/EMM solutions, etc.
FAQs
Light-touch deployment is a partially automated system, which requires some intervention from IT administrators or the end user/employee. Some settings are preconfigured, but employees are required to answer a few prompts or go through a guided setup wizard.
Device ownership – devices are owned by the employees, not the organization, which means the organization does not have the authority to preconfigure or enroll these devices in the MDM/EMM solution.
User Consent – employees usually have concerns over giving full control of their personal devices to the organizations.