KACE Cloud Mobile Device Manager – Enrollment Types

[MUSIC PLAYING] Hi. My name is James Rico. I'm a Sales Engineer with Quest Software. I work with the KACE line of products. So as an admin, you have many types of devices. You have mobile devices to manage today. Some are company-owned. Some are personal-owned. And the question becomes, how can you effectively manage those endpoints? And to be able to manage them, you have to be able to initially connect to them. So today, we're going to talk about the different enrollment methods for mobile devices as it pertains to our KACE Cloud MDM. So there's really two main distinctions between the types of management you'll do against mobile devices. There's BYOD, or bring your own device, and there's company-owned. That's really the main dividing line between the two. You also may hear the terms supervised versus non-supervised out there. But basically, it means if it's a BYOD device, it's typically non-supervised. And company-owned devices are typically supervised. So you can think of it as a spectrum of controls. So you have the least amount of control with a personal-owned device. And you have the most amount of control with a company-owned device. So let's talk about Android device management. So there's a number of styles of management for Android devices. First we're going to talk about the work profile. This is typically for the bring your own device mode of management. And what's going to happen is, when you enroll that device, the customer's already probably-- the end user's already using the device. But you want to be able to have some control or management to be able to secure your company's data and give the user access to the tools they need to do their job. So they'll typically click on an enrollment URL and then walk through. And we'll put a profile on that endpoint. So they'll have a link. They'll enter their work email. They'll enter their passcode. And they'll accept the terms and conditions. And a profile will be installed on the device. There's also another type of enrollment for Android called COPE, or Company-Owned Personally Enabled device. And what that is, it's a device, it's company owned. But it gives the user enough freedom of choice on the device that they can use it as a personal device also. So your company buys the device. It has enough controls around security, application and configuration management, but also leaves it open for the user where they can manage that device on their own to use for their personal business. Then the next one we have is a fully managed device. So similar to COPE, it is a company-owned device, but it's fully managed. So that means anything and everything an admin wouldn't want to log down on that, you could. You might use that for something like a device that's in kiosk mode or like a handheld scanner that's based on Android where you want full control over that endpoint and how it acts. It's geared for enterprise. And then there's Android Zero Touch, so that is a method of enrolling Android devices where you buy your phones through a partner that's registered for Zero Touch. And they have a specific set of devices that meet the Zero Touch requirement. So from that, you can buy your phones from a reseller. They can be directly shipped to an end user. The end user can log in and start using that device. And that profile and all the things you can figure will automatically drop on that endpoint, allowing it to be managing it going forward. So that's the options for enrollment around Android. Let's next talk about our iOS and Apple devices. So for Apple, there's a couple ways to get a device enrolled. There's Apple Device Enrollment Program. And so you would use that in conjunction with Apple School Manager or Apple Business Manager. And basically, when you buy a device, the serial number is linked to that account. There's also a method for uploading an existing device's serial numbers into Apple Business Manager to use with DEP. But it's the same type scenario as Android Zero Touch, but it's for Apple devices. So you could ship somebody a device. It's going to be in a factory reset state. So they would connect to a network, authenticate. And you would configure what they would authenticate against. So again, usually it's a company email, password. And you would have built a DEP enrollment profile that determines kind of the out-of-box experience for an Apple or iOS device. So the user would go through all that. And again, at that time, the device is fully managed with KACE Cloud MDM. Kind of the second method of doing that is for devices that are already in use. You have the same capability as a BYOD device. So you can send somebody a link. They can click on the link. They can authenticate. And a profile will drop on that device as well as any of the configurations or applications you configure. Apple, iOS devices, Apple TV, those are all things you can configure and manage, either a manual enrollment or a Zero Touch-type enrollment, which Apple calls DEP. Next we'll take a look at Windows and how that is handled. So Windows device enrollment, there's a couple of methods to do that. One is, if you have Azure AD and have access to AutoPilot, you can configure AutoPilot to redirect any Windows device that's Windows 10 or Windows 11 to be managed by KACE. So you would upload the serial numbers for those devices in your Microsoft account. When a user gets a device, again, they'll connect to the network. And they'll be prompted to authenticate. And any of the things you configured in KACE Cloud MDM for your Windows device would get applied to that endpoint. And you'd be managing it from the get-go. And a second way to do that is a manual