02-02-2024 04:29 PM - edited 02-29-2024 08:07 AM
This is an edited transcript of the 12.5.2024 IT Hour
Hari Rawoola, Product Manager, JumpCloud
I just want to introduce one of my friends who I met about a year ago at a bar. Meet John. He was a bit frustrated with a lot of stuff, and then I got to know he is also an IT guy and he's frustrated for various reasons, one among them being his office stuff. Especially about getting the devices up and running, handing them over to the employees, and making work happen.
When we look at his typical day at work, right, a small portion of the work that he does at the office is to set up user accounts and then enroll the devices, assign them to the right groups, add some policies, configuration, make sure everything is going as per the use case. Every device is up and running. He just lives in the platform and makes sure everything is going smoothly by looking at insights. If there's a problem, he looks into it, troubleshoots it and gets a solution to that. This is his day-to-day activity. And when he was explaining his problem to me, he said, “Hey Hari, one of the problems I have is that I spend most of my time just enrolling devices, especially Windows devices.” And that was one key takeaway from our discussion that day and we have been thinking about it.
We have a great team here at JumpCloud and we have been thinking about what we can do. It's not just John's problem. It's IT’s problem. So we wanted to solve this problem globally, not just make my friend John happy, but also the rest of the IT admins, so that we could automate a lot of this stuff. That's when we said, “Okay, the problem admins have with provisioning new Windows devices, let's look at this problem.”
So when we look at this problem of provisioning, each device may take several minutes to an hour. In this era, time is money and when there's no time, there's no money and we just cannot waste hours just configuring the device. Now if one device is going to take such a long period of time, imagine if there's a set of devices to be configured. That's going to be a nightmare, and we cannot just leave the problem out there and start focusing on the other things.
So we just wanted to address this. Before provisioning the device, there are some manual configurations, and those can be tedious and time-consuming too. Not only was my friend John spending much of his time configuring the device, but he was also spending time configuring other things before and after provisioning the device. That’s tedious and time-consuming. It delays getting devices to the users and thereby affects productivity, which is a big, big concern to any organization.
It’s not just that. It’s directly proportional to security as well because we are all humans. John is human. Every IT admin is a human. So during this set of processes, there could be some inconsistency, or there could be some settings that could be configured incorrectly, and that could leave a device open to vulnerability. Anybody can get into the device and start playing around with the data.
So, bottom line, these are a set of problems that IT admins are facing today while provisioning new Windows devices, not just my friend John. So what are we trying to do now? We came up with a solution called Windows Lite Touch Deployment, and for the tech-savvy who understand Windows jargon, it's a provisioning package, ppkg for short. So we came up with a pretty simplified solution for the admins out there.
So you guys just configure a source file, which you can download from the Admin Portal, and you’ll have to use an approved Microsoft third-party tool to create and export a ppkg.
Now what is a provisioning package? It’s a collection of settings. It could be as small as a peripheral setting like Bluetooth, all the way to certificate deployments and applications. Everything can be configured within this provisioning package in the tool called Windows Configuration Designer, which is a very user-friendly tool.
All you have to do is import the source file that we provide in the Admin Portal and add the specific settings into that source file to create a provisioning package. Now this provisioning package just needs to be pushed to a flash drive, and that’s it. You could have one or many flash drives with this powerful provisioning package. It can live for up to 90 days or 500 device enrollments. We’ll talk about why we have this validation, but once you have this flash drive, all an IT Admin has to do is unbox a new device, power it on, and connect the USB stick. The Windows OS is very intelligent: “Oh, there’s a USB stick, I need to show some screens.” And that’s when it says, “Oh, it’s a provisioning package,” and everything is automated from there. Boom.
Now, within this automation, the admin can choose to create a local account with a certain username and passcode. Or it could automate a lot of stuff by connecting to Directory logins. So everything is automated. Now we’re looking at bringing the time down from hours to minutes with this provisioning package. That’s what we’re providing. Now here’s the flow.
Now this flash drive can be used to set up devices, which is nothing but the Out Of The Box Experience (OOBE). So what we’re trying to do is bring the setup time down from an hour to two minutes. The whole process shouldn’t take more than 15 minutes, and that’s the wow factor. When I discussed this process with my friend John, he was pretty happy.
Security
Let’s go back to the expiration and validation I talked about. Why have we done that? Let’s look at an example. Hari works at JumpCloud; he’s an admin and he manages devices. He’s got a flash drive with a provisioning package, but it got into the hands of someone untrustworthy. That person could use that flash drive to set up devices. But this is proprietary to JumpCloud. So there is a validation and a revocation that can happen, which is a separate process. We’ll have a ton of training material around that.
The most important thing is that all the security settings can be configured right at runtime, which means the device is now being secured right from the starting point itself, not after the provisioning, enrolling, etc. It's being secured right from the starting point, and every organization would love that factor. Also, there’s no human error because there’s no manual configuration for each device, meaning every device is equally secured.
Scalability and ROI
Next, you can deploy a larger set of Windows endpoints quickly and easily. Like I said, time is money, and we are saving a ton of time and effort over here. This is going to improve the experience. Once the admin creates the provisioning package, they can use it for a pretty good duration of time and a pretty good number of devices without human intervention. It also means improved ROI, with deployments going from an hour to two minutes, which means larger deployments don’t have to be nightmares.
So when can IT admins like my friend John start using this? We have a release plan in two phases. Phase one goes live mid-January, so it’ll be available for all IT Admins. In this phase, remember every provisioning package has a shelf life of 90 days or 500 device enrollments, whichever comes first, and after that the provisioning package won’t be useful anymore.
But how will an admin find out when that happens? In phase one, they’ll have to contact JumpCloud support. There will be some Directory Insights pertaining to that, but they’ll have to work with support to revoke the provisioning package, or they can download a new configuration file and create a new ppkg, which will then live on for another 90 days/500 devices.
In phase two, coming at the end of Q1 2024, IT Admins will have a UI where they can control revocation. So if it went into the wrong hands, you can say, “Let me revoke the provisioning package from the Admin Portal.”
Now let's talk about the deployment strategies.
Q: How is JumpCloud’s Windows Lite Touch Deployment different from the Windows Imaging and Configuration Designer Tool which has been around for a while?
A: Well, when you manage it from JumpCloud, we provide some secret keys and tokens that are embedded into the provisioning package, which our platform can identify. So it installs the agent and gets the MDM service running on the device. Once enrollment is done, there’s a set of policies that can be enforced, and the device can be managed from JumpCloud.
Other benefits would be the simplicity for less technical admins, no script to run, and a clear UI on enrollment. Windows MDM enrollment shows clearly in the UIX for ppkg installation on the device. It’s also where this fits into the broader onboarding story for a user and their JumpCloud-managed Windows device. This, paired with Self-Service Account Provisioning released in Q4 2023, makes the process even easier. It's lite-touch provisioning from an admin perspective and zero-touch provisioning from the user perspective.
Q: It does simplify the setup when we have access to the device before we provide it to a user. But we'd still require manual intervention when we drop-ship a device to a work-from-home person.
A: In that case, you could create the provisioning package and give it to the vendor or a service provider to use. Or you could work with our various partners to automate that. There are a few cloud products as well. OSDCloud is one of them. It does involve some scripting and is technical, but there is some nice documentation online. Essentially, you can have the image built with the provisioning package, so all the end user will have to do once they get the machine is open it up and log in, and it’ll be up and running.
Microsoft can do whatever they want in the world of Windows. I wish we could do a lot more stuff, but they own the operating system. We are just the subscribers. And they’re not big on announcements. They have their insider programs and communities, but they’re looking to push features to Intune. We don’t know their rules; we’re just the subscribers.
Thank you all for joining and we’ll see you next week.