Categories
Intune

Android for task-workers

dedicated device

Let’s get technical again, it’s been a while.

Android has some rather good benefits for task-workers/front-line workers, especially if the device is shared. Not only is the price-point of the device better, the user experience is quite simple.

There are today two ways of doing this, either dedicated device or the newly released dedicated device with Azure AD Shared Device which is still in preview. In this post I will try to cover both, but the device will not be set into kiosk mode.

How to configure

Decision points

Before you start, there are a few things you need to decide upon:

  • What applications do I need?
  • What is allowed on the device?
  • Is it multi app device or not?
  • How will the device be enrolled?

Using dedicated devices, you can either just enroll the device as a “normal” device but without the user affinity, or you can deploy a single-app or multi-app kiosk where you define what applications can be used. This post will describe how to do the “normal device” setup without user affinity.

The Intune parts…

Enable enrollment

First step is to enable the possibility enable dedicated device enrollment. I’m assuming that you have already setup the Managed Google Play, otherwise you need to do that first by following the wizard.

In the Microsoft Endpoint Manager admin centre (https://endpoint.microsoft.com), navigate to Devices > Enroll devices > Android and select the “Corporate-owned dedicated devices”

Click on “Create profile” to create a new profile.

Give your profile a name and select what token type you want to use. Today, there are two to choose from. The default profile for dedicated devices and the preview profile for Azure AD Shared Devices (which you can read all about here). In this example we will use the preview feature, but you can today just as well use the default if you are not keen on using preview features.

Enrollment tokens for dedicated devices can only be valid for 90 days, so make a note of the expiration date and create a reminder to renew it. If you miss to do so, you won’t be able to enroll new devices.

When you are done, hit next two times and then create. Your enrollment token for dedicated devices is now created!

To view the token, click on it in the list and go to “Token” in the left menu. When you press “Show more” the token will be displayed.

This will later be used when a device is enrolled.

Creating a device group

Now we need a device group to be able to target our settings and applications.

In the MEM admin centre, go to Groups and select “New group”. Leave the group type to “Security” and give the group a name. Select “Dynamic Device” as membership type.

Now it’s time to create our very simple membership rule. Set property to “enrollmentProfileName”, operator to “Equals” and the value to the name of the enrollment token we created in the previous step.

Or you can just use this string and replace the [ENROLLMENT TOKEN NAME] with the name of your token.

(device.enrollmentProfileName -eq "[ENROLLMENT TOKEN NAME]")

You can of course build more complex rules if you like, but for the basic setup this is the only thing we need.

Setting device restrictions

For shared devices, there are a few settings that might be good to create. In opposite of how I usually create configuration profiles for personal devices, I tend to have one profile containing most settings for share devices, defining that it’s a shared device and doing some minor restrictions.

When creating a new profile, go to Devices > Android > Configuration Profiles and click “Create profile”. Select Android Enterprise as Platform and make sure use the profile type under “Fully managed, Dedicated, and Corporate-Owned Work Profile” when creating configuration profiles.

In this example I will only create a simple restriction profile with a few settings.

Since its a shared device which we don’t really know how it will be used, how updates are applied might be something you need to take in mind. It’s possible to set it to a maintenance windows to adopt to your business.

This profile will also set a PIN-code which will not be set during the enrollment due to that the general idea with a dedicate device is that it’s a kiosk and does not require a PIN. That is not however what the reality looks like every time.

If you are creating SCEP profiles, make sure that you create SCEP certificates which are device based and not user based since your device will not have a logged-on user so to speak.

Assign the profiles you have created to the device group we created earlier.

Applications

When it comes to applications, this is where it will vary a lot depending on your needs.

The important part here is to remember to assign the applications with a device centric approach and not a user centric. Use the group we created earlier or any other device group you have which contains the devices.

For shared or dedicated devices, you might also want to remove a few applications, not only distribute.

The easiest way of doing this for Google Play store applications is to simply add it from you Managed Google Play store and assign your dedicated device group to uninstall the application.

Some vendors, for example Samsung, pre-load their devices with some system applications which for Samsung also includes a separate app store. However, these are usually removed when putting a device into fully managed or dedicated mode, but if you are using e.g. Samsung Knox you will need to look into turning of these applications.

Enroll the device

Now it’s time to enroll the device!

Start up your device and tap the first screen repeatedly to launch the QR scanner.

Select a Wi-Fi network to connect to if you don’t have a cellular connection on the device. Hit next and the device will start to prepare to enroll. Follow the on-screen wizard to get started with the enrollment.

If you are using for example Samung Knox, the experiance will be more streamlined and you won’t be asked some of the choices.

During the enrollment process you will be asked to approve the installation of required applications as a part of the registration process.

Approve installation of apps
Register the device as shared

Once the device is enrolled, you will be presented with the home screen of the device.

Enrollment is complete

Some settings and applications might take a few minutes before they apply, so the device might not be ready to send off to the users just yet. To speed this up, you can access the Intune app on the device and press sync. Make sure that all applications and configuration profiles has been applied to the device before shipping it out!

One thing that is important to keep in mind for this is the licensing. You will most likely require a device license for Intune for these devices since they do not have a user.

Build further on this

Now that you have a dedicated device, you can built on this further using depending on your scenario.

You could for example set up kiosk device, either single- or multi-app using the Managed Home Screen. Using the Managed Home Screen also opens up the possibility to utilize the shared sign in screen mentioned in this post from the Intune team. But I will cover that in a future post instead!

You can also create different enrollment token based on different purposes, you just repeat this guide and create the ones you need for your organization, make sure to give the tokens and groups unique names which makes sense to you.

Categories
Digital Transformation Modern Workplace

A millennial in the workplace – Covid-19 edition

chief sunbathing office

I’ve been struggling quite a lot with how to write this post to make it relevant and adding something to the discussion. I also really want it to be inspiring and not only my opinions and personal thoughts.

The whole Covid-19 has really made me think about remote work and how the “new world” will look post Covid-19. It’s a hard topic to be concreate about since we are in the middle of the change.

I’m positioning this as a part two of the “A millennial in the workplace” post from 2019.

Oh, and the picture to this article is our new Chief Sunbathing Officer who takes her new role very serious.

Work is changing

Let’s face it, the work life is changing and a lot more sudden than most were expecting it to. The Covid-19 pandemic really challenged everyone to push their digital transformation in a much higher speed than some might have intended to. But also, the perception of remote work.

Looking at this year’s Microsoft Ignite, the common dominator was remote work for the workplace area.

When suddenly everyone had to start to work remotely, it wasn’t impossible anymore and we adopted to this situation. Even a lot of areas where it was deemed “not suitable” to work remotely suddenly were left without a choice and managed the situation.

We are still not seeing the end of this, so a lot of things will still change!

So where does this put us?

One thing which tends to pop-up when this is discussed is “when we go back to normal people will be expected to come back to the office”. But what if this is the new normal? Or at least partially a new normal.

Working from home has in my experience often been viewed as something you only do with special reasons, and often with approval from management. Now when Covid-19 is putting everyone in a situation where remote work is kind of then new normal, I’m strongly hoping to see a shift in the culture and mindset around this.

One thing I tend to hear often is the argument that “the employees are not feeling well since they are isolated”, and I completely understand that. Working from home/remotely put new constraints on the social aspect of things, the natural interaction by the coffee machine does not exist in the same way. However, there are also people who feel stressed over the fact that they are expected to show up at an office at a given time every day based on “that’s how it’s always been”. So why adopt everything based on the people who like the office? That doesn’t really cut it in 2020 to be honest and the new policy Microsoft put out regarding their new remote work policy is spot on where “Offer as much flexibility as possible” is somewhat of the message of it. You can read more about it in this brilliant article or go straight to the source.

The world is changing, and we had a shift about one hundred years ago where the eight-hour workday was enforced. After World War II most of the industrialized world had 40 hour works weeks. In Sweden, the 40-hour work week we see today were introduced in the 1950’s and introduced in the labour law in the 1970’s. (Of course, there are more to this from a legal and union perspective, but let’s leave all that). That was 50 years ago.

Choosing where to work

What is the point I’m grasping at?

What I’m getting at is that there will be a before and after Covid-19. We have now proven that remote work is something that works, and we are still productive. So why do we feel the need to enforce everyone to go back to the office?

I’m not saying that we should remove all offices and have everyone working from home. However, it should be up to each one to be trusted in choosing to work where they are the most productive. That could be the office but just as well from home. Or a combination which I believe strongly in based on choosing the office as a workplace and not the expectation “to show up”. Given that we all have a job to do, we are trusted in much more sensitive and important things than where we choose to do our job.

This will put more trust in the employer and increase the sense of being trusted with that I can myself choose how I do my job. The old term “work is not a place, it something you do” fit very well into this context.

Looking to myself and how I resonate around these things, I’m currently in a situation where I motivate why I go to the office rather than why do I work remotely.

Work-life balance

In my world, this comes down to one thing and that is work life balance. Even though I’m extremely passionate about what I do for a living, living is not only working in my world. There must be time for other things to relax and disconnect. There must be room for flexibility during my day, the sense of owning your own time.

For me, work-life balance is about being able to control and own my own time. During Covid this has been a challenge to manage since working from home means that you never leave your workplace. But for me this is something I’ve learned to deal with. It also breaks up my workday into pieces giving me possibilities to do errands, go to the gym, walk the dog and such things during the day and work a little more focused during late afternoons. For me, late afternoons are where I’m the most productive while before lunch is a less productive period of the day (not to speak of 7:30 until 9:00).

Conclusion

To be honest, I don’t really know what the conclusion of this is since this is more my thoughts on the topic.

The Covid-19 pandemic has proven that remote work is possible, and we are most likely seeing the new “normal”. There will for sure be a before and after Covid-19 and the work life will have to adopt to this.

However, everyone is different. Some need to be at an office surrounded by other people or just can’t work from home. There is also the other group who are more productive remote and do not feel the need for an office in the same sense.

You often see arguments that people need the office to perform and feel well as an argument that we need to get everyone back to the offices. But what about the other group of people who has been thriving during the last couple of months, where the trip to the office was a stressful moment. Are they less important or why are we expecting them to just adopt?

I think the “Offer as much flexibility as possible” quote I mentioned in the middle of this post will play a key part even for companies which are not called Microsoft. People are now seeing that it’s possible to work remote and finding what is working for them. I think they key part as I view this, is to offer a flexibility where I as an employee is trusted with selecting where my office should be. If that is 100% at home, 100% at the office or a mix shouldn’t matter. Work is not a place, it’s something you do.

This will be a cultural shift, not a technical shift. We have proven that our tools allow it, now we just need the corporate culture to allow it. For some, this change will happen fast while for others this will take time.

However, my strong belief is this will be a key element for many companies to hire Millennials and GenZ going forward. Why should I join a company which requires me to come to an office, when the other offers me the flexibility to choose when I go to the office?

These were my thoughts around this whole thing, what do you think?

Categories
Microsoft 365 Modern Workplace

Use your webcam!

hair not on point

We are about a year in to Covid-19 and remote work has been introduced to a whole lot more people. It has also proven that remote work is possible even for people who were really sceptic about the concept pre-covid.

One thing that has really blossomed during this pandemic is remote meetings, using tools such as Microsoft Teams. Many of you were pretty used to having online-meetings even before this pandemic, but not to the extent we see today.

Enhance your meetings

Given that you are by now probably quite used to online meetings, it’s time to take the next step in your meeting experience and turn on that webcam.

For some strange reason, it seems like we in IT are particular hesitant towards using the webcam during meetings. We are the ones that should lead by example, and we probably encourage others to use their webcam during meetings.

By turning on your webcam you will increase the experience not only for you, but for everyone in the meeting. The feeling of presence will increase and getting a face on whom ever is speaking is making it a lot easier to follow along and will decrease the interruptions.

What if your hair is not on point?

My hair is not on point either, but if you are dressed you are good to go! It’s okay to not be comfortable with how you look today, but imaging that you are at the office, then you would meet people non the less.

Also, we are all in the same situation at the moment.

But the room I’m sitting in is such a mess!

If you are using Teams (or Zoom for that matter) you can use custom backgrounds or just blur the background. It’s perfect for situations when your background is not on point. I regularly use it if I’m sitting at a café or such, to not get people walking behind me. One of my favourite background to use is however the Ollivianders store background from Harry Potter.

My point is…

What is the point I’m trying to get at?

Make the effort to show up to meetings using the webcam. I do that all the time. Sometimes I’m the only one with my webcam on, but I leave it on. It also makes others turn on their camera (without asking).

Let’s all make it a custom to turn on that webcam when we join a meeting to increase the experience for everyone!

Categories
Microsoft 365 Modern Workplace

The road to productivity

the road

Since you read my blog, my guess is that you are in the Microsoft ecosystem. That could be running a Windows computer, using Microsoft 365, or administrating 35 000 devices in Microsoft Endpoint Manager.

But let’s talk about Microsoft 365, or Office 365 as we can also call it. Because this post will focus more on productivity tools rather than devices.

Transitioning to modern tools

My hope is that you are already today using the Office 365 suite, which could be Outlook, Word, Excel, and PowerPoint. I hope all of you are already made the transition over to Teams or have at least planned what your journey will look like moving away from Skype for Business. But Office 365 contains so much more than just these six usual suspects. Office 365 is a suite packed with a lot of different productivity and collaboration tools.

What you can access depends of course on what licenses you have bought, but you will have a tool for basically every situation.

File sharing – OneDrive for Business. Collaboration – SharePoint. Project management – Projects. Kanban boards – Planner. Corporate videos – Stream. Big all company meetings – Teams Live Event. Note taking – OneNote. Digital whiteboards – Whiteboard. Personal to-do lists – To Do.

You get the point. There are a lot of often unknown and unused potential in your Office 365 suite. Microsoft provides a bunch of modern tools which becomes disposable for you and your users when you adopt Office 365, providing you with modern tools from the same eco system.

Spread awareness

I way to often stumble across customers, friends and even co-workers who are not aware of the power of Office 365. Instead they turn to well-known consumer products, e.g. Trello or DropBox which lives completely outside the corporate sphere. Not only does corporate data live in a place you don’t control, the free-to-use service does usually only apply for consumer usage, which means that you could be asked to pay for a corporate license for your rouge users.

Historically, these have been quite common as a solution on the problem that the employer does not provide sufficient tools. But that is no longer the case if you have the Microsoft 365 services. The problem might be that your users does not know this yet. Or simply doesn’t care, that is absolutely a possibility as well.

Since you are already paying for the Office 365 suite and Microsoft 365 services, you should really encourage your users to do and use the right things. Spread awareness about all the great tools that they have at their disposal!

Conclusion

If you have spent the time and money to move to Office 365, make sure that you make the most out of it. You invested a lot in the transition, but that doesn’t mean that the work stops there. The Microsoft services are constantly evolving, and you need make sure you keep up in some way or another and keep deploying new tools and services to your users.

Another aspect of this is securing your corporate data. If you use tools within the product suite you have decided to work with, this applies not only to the Microsoft world, the data will live in a place which you control and govern. If you start using other services, especially consumer services, that data might not be yours anymore and you can’t apply retention policies and data leak prevention policies to that service nor data. This is a big problem when your corporate data lives on places it shouldn’t. However, that’s a completely different topic which I could dedicate a complete post to.

But I hope you get where I’m coming from and there are a few takeaways from this.

  1. Make the most of the productivity suite you have bought
  2. Don’t use consumer versions for corporate use
  3. Protect the data by keeping it within the corporate sphere

Given the development Microsoft have done with the Office 365 suite the last couple of years, most of the tools you need for productivity can be found there. Make sure you tell your users and make the most of the investment you have already made!

And to be clear, I’m not saying that you shouldn’t go buy other productivty tools. But before you do, make sure you don’t already have what your users are asking for within your exisiting tools.

Categories
Digital Transformation Intune Tips & Tricks

Recovery in a world without OSD

bluescreen

One of the big issues I hear people talk about when it comes to utilizing an image- and OSD less approach is “What if the hard drive breaks and we need to reinstall the machine?”. This is based on that assumption that we need to create a custom image with the drivers and such for recovery purpose. Disks do break, so this is a real problem.

However…

You probably bought that computer from one of the big computer manufacturers out there meaning that they thought of this.

In this article I will post many bold and naive statements, which you might not agree with. I understand that, but we also need to challenge how we have done things for the last 15 years. I’m not saying this is the whole truth, but I want to challenge the way you operate!

Disk failure

What happens when a consumer computer breaks down? Your typical home user does not have a Windows Deployment Services server running in their home network.

Most of the big manufacturers provides you with a new, fresh image created for your computer from their website, often using their recovery tool. The process to obtain the recovery image is a bit different based on which manufacturer, but it’s an uncomplicated way to recover a broken machine without the need to creating custom images.

Making use of what has already been created (and probably covered by the support commitment) should make sense. If someone else that we know and trust already created this, why shouldn’t we utilize it?

At least Microsoft, Lenovo, Dell and HP offers this service in one way or another.

A second option to this, but less ideal, is to use a generic Windows 10 image downloaded from Microsoft (or your Microsoft Volume Licensing Service Centre). The device will be missing all drivers to start with, but that is usually addressed using either the Windows Update feature or the driver update tool for that particular vendor (which you should consider using anyways to keep your drivers up to date on all your machines).

Resetting the device

If you for some reason need to reset a computer, there is no need to use an external media source to re-install Windows 10. This is built into the operating system, just like on your phone.

In Windows 10, instead of injecting your custom image, you simply reset the computer. Depending on where you are coming at it from, you might have to do it in different approaches.

Microsoft have documented this process very well here, so I won’t dig into it further on a how-to level.

Conclusion

I’m going to make a bold statement that many of you might not agree with. But operating systems deployment and creating custom images are a thing of the past. It will still be around for years to come since change does not happen overnight, and most companies have invested heavily in this. But it will start to fade away as more and more companies dare to trust the OEMs that their images are good enough. This will not solve data-loss at all, but it will bring the device back up and running which is often just as important for the user. Creating a custom image is an artform, but soon that artform needs to evolve into something else. There is a shift happening and we need to find other approaches to the old problems when we use new tools.

Today, this will not fit all scenarios. But if you look at the big picture, this could probably cover 80-90% of your user-base. Heck, you could have your users replace disks them self and then recover the operating system (imagine that!).

I’ve tried this with several different types of machines and manufacturers, and it works really well. You can even reset a custom image using the built-in reset feature. The result, however, can be a bit strange if you have removed a lot of the built-in apps etc. But the machine will still work and the user might not notice (especially if you make sure to deploy the needed apps to the end-user using Intune).

Combine this with the power of Office 365 and the cloud for storing your documents and work and you will have a pretty sweet setup where the device isn’t that important anymore.

Do explore the different possibilities in using standardized recovery media, but I’m not saying it will solve all your problems but it will take away some headache and hours spent on creating and maintaining custom images.

Categories
Digital Transformation Modern Workplace

Providing a modern workplace

This is a topic I’ve covered in some earlier article from the aspect of how we did it at my former employer. This time my idea is to cover this in a broader and more generic sense.

Living in 2020, IT is more than ever a big part and an enormous influence on your work environment and how productive you are.

IT is shifting from being a “technical” topic to be more of an HR topic, since it influences so many parts of your employment, a poor IT experience will heavily influence how happy you are with your employer. However, IT are still the ones responsible for it.

From talking with friends, peers, former co-workers, and customers there are a few things that tends to come back when it comes to IT in bigger organizations. And that is the lack of trust in that end-users knows what tools they need to perform their work and expects to get tools that support them in their daily work. There are of course exceptions to this but speaking in general terms I’m guessing that you don’t ask IT what tools you need to do your job; you ask your peers. Well unless you work in IT, then I guess you would ask IT… You get the point!

Users has diverse needs

We need to start considering our computers and mobile devices as tools, not “toys” in lack of better words.

If you think about it, if you were left one day at work without a computer and/or mobile device, would you be productive? Probably not. This means that these are crucial tools for our work since you are doing your business through them. Giving you something that is not fit for purpose would eventually be a bad investment, or not the correct tool. Still, computers and mobile devices are rarely considered business critical from an IT Service Management perspective.

If you think about it, your company spends a lot of time finding the right machinery, servers etc. for your business needs, but what about that computer you spend your day in front of doing business? Was that selected based on what your needs are or where you given the “corporate computer”?

Trying to stick to a “one size fits all” setup is deemed to fail eventually in a modern workplace. I have different needs for my computer/phone than people working as e.g. a communications professional. Also, a manager has different needs than the peers in their team.

I’m not saying that you should buy all the shiny things people points at and don’t standardize. What I’m saying is be smart in what you are buying. You have a diverse team with diverse needs, make sure you can full fill them!

For whom are IT working?

One thing that is extremely important, but sometimes forgotten, is for WHOM IT exist.

IT does not exist to provide IT with work tasks. IT exists to enable the employees of the company with tools fit for their needs to do their job in the best feasible way.

This is something we shall never forget. This is important. This is the sole purpose of an IT department. To be a support function to the core business.

At the same time, end-users need to understand that there is reason behind why things are done in a certain way. If they don’t know, it’s time to tell them!

Set goals and visions

To combat this, listen to what your end-users wants and communicate with them. Set clear roadmaps and vision for where you should be in let’s say five years. This will give you a goal to work towards and a roadmap to share.

By listening to your end-users, I’m not saying that they should dictate your every move. Be coherent in what their pain-points are and strive to minimize them. Thas how you can add real value and build trust in the organization.

I far to often hear “those people at IT have no idea what they are doing”. That shouldn’t be true. We should be the best at providing the services for OUR users. We should be the ones knowing their needs and strive to meet them.

Categories
Microsoft 365 Modern Workplace

Key take-aways from Ignite 2020

ignite-recap

Ignite 2020 was a bit different from previous Ignite to say non the less. Instead of having an in-person event in New Orleans, the experience this year was a 100% digital.

It was as always, a bit overwhelming with a lot of interesting sessions, but you didn’t have to walk between sessions. Oh, and the coffee was really good this year!

Looking at what was covered from the modern workplace at Ignite this year there was one common theme. Remote working and the new normal that Covid-19 creates. There was a lot of talk about how the world has changed the playing field for remote work and that we might never go back completely to how it was before. Something that I find very intriguing since this is an areas I’m passionate about.

If you would only watch two of the sessions from Ignite 2020, I would really recommend that you watch Satya Nadella’s keynote on Building Digital Resilience and Jared Spataro’s keynote on The Future of Work. Those two were really good!

This was a year for refinements from device management. New options for what you can do during Windows Autopilot and Co-management/tenant attach. A lot of new things which will help a lot of companies on the road to transition from traditional management to modern management! If you want to geek out, here are all the Endpoint Manager related sessions, all the Teams sessions and all the Office 365 sessions.

Microsoft Tunnel

On of the things that really cought my eye on an early stage was Microsoft Tunnel, which is a Microsoft VPN solution without the need for any third party licenses. I think this will be very beneficial for scenarios where you are utilizing Microsoft solutions for VPN for Windows and don’t want to invest in additional services for your mobile devices.

Microsoft Tunnel is in public preview and is available on iOS and Android. You can read all about it here.

Microsoft Edge

Microsoft has been pushing the new Edge for a while now, and for a good reason too!

It’s a really good browser, built on Chromium but with Microsoft integrations. I’ve been using this browser since it first came out, and it’s really good now.

Microsoft is pushing it even more now and was also highlighting the Internet Explorer compatibility mode.

BUT the big thing for Ignite was Application Management for Edge on Windows 10 which brings the Application Protection Policy features from the mobile platforms to the desktop Edge browser. This means that you can manage just the application instead of the whole device. Additionally, Microsoft Edge will support the new Microsoft Endpoint Data Loss Prevention (DLP) service which will be launched in October from day one.

There were a bunch of other improvements to Edge presented as well, you can read all about it here.

Microsoft Teams

If you think there were a lot of new improvements introduced for Microsoft Endpoint Manager, it was nothing compared to Microsoft Teams.

It’s becoming increasingly clear that Microsoft Teams should not be considered a product, it’s a platform.

There were so many new things ranging from power platform and low-code solution for automated workflows to improved meeting experiences and wellbeing.

A few of the highlights that caught my attention were:

  • Breakout sessions
  • Custom layouts and new together scenes
  • Wellbeing and productivity insights
  • Improved first-line workers functionallity

You can read more in details here.

Categories
Digital Transformation Modern Workplace

What is Windows Autopilot – management edition

There are A LOT of misconceptions what Windows Autopilot is. Today I will try to sort those misconceptions out.

You have already heard a lot of different presentations about Windows Autopilot, why you should use it and why it’s so great. Because of that, I’ll leave most of those things out. This wont a technical post about what Windows Autopilot is, this will be more of the management edition of this.

Windows Autopilot – the concept

The basic theory behind Windows Autopilot is to streamline and take away time-consuming phases in the setup process of a corporate computer.

In the “traditional world” you would need to be on the corporate network and press F12 on the computer to initiate the installation of your custom image, that your IT-guys built. This custom image of Windows contains all your customizations, drivers and settings are pushed through Group Policy Objects, also called GPO. Many companies requires the computer to be “known” before it’s installed and you do what is called a pre-stage where you create the computer account in the active directory (AD) and assign group memberships. This process can take from an hour up to a few hours based on your connection and size of image (it’s usually pretty big).

In the world of Windows Autopilot, you take advantage of that the hardware manufacturer has already put a Windows 10 installation on the computer, with drivers installed from the factory (this is actually how computers are shipped even if you don’t use Windows Autopilot). Your vendor/partner/IT-department registers the computer hardware ID, which is unique to each computer, with your Microsoft tenant. Computer can also be joined to Azure AD groups based on this hardware ID.

When the computer is launched the first time, the user will be greeted with “Welcome to Contoso” and then asked to sign in. When sign in is completed, the computer is registered in Microsoft Intune and settings and customizations are applied.

This process is A LOT faster than traditional OS-deployment. The entire process and the computer are ready to use in 30-60 minutes (based on connectivity). All traffic is routed through the internet during setup and any connectivity to the corporate infrastructure can be routed through VPN if needed.

If you do the math, you can deploy a whole lot of more computer for a lower cost using Windows Autopilot.

Windows Autopilot – the reality

This sounds pretty neat huh?

But what is Windows Autopilot? Is it a completely new tool? Will it replace Microsoft Intune? What will my IT-technicians do, they spend 80% of the time installing computers today?

Without getting to technical about this, Windows Autopilot is a new name on a bunch of things that has been around for a while. And some new features.

Windows Autopilot is utilizing a lot of different technologies and should be viewed more as a workflow or a process rather than a technical feature. It combines the power of Azure AD, Microsoft Intune, and Microsoft Store for Business to provide a streamlined process for installing new computers. That’s about it.

This means that Windows Autopilot is nothing else than an automated and standardized process of setting up computers for your company.

However, from a technical point of view, there is a lot more things going on though. But this is the simple version.

Key take-away

The key take-away, and the thing to consider, around Windows Autopilot is if you need all the fancy switches and total customization you have with the traditional approach. Or would a lighter weight management do the trick for you? It probably will…

There are of course some if’s and but’s around this, but in general there aren’t that much. Your users could get their computer delivered straight to them and set them up by login in, given that they have internet access at their location.

There are options to prepare the computer for the user by having a technician do half the registration and setup to then re-seal the computer and ship it off to the user, if you want to minimize the amount of work being done by the end-user. This way, initial setup will be shorter for the end-user.

If you view Windows Autopilot as an automated process to setup computers in your organization and not a technology, things get a lot easier. With that said, it won’t suite all your special situations for computers, but you will cover most cases for office-based work!

Categories
Digital Transformation

Expectation management and communications

expectations

Before we get started, I’m in no way pretending to be a communications professional. These are just my experiences and learnings down the road.

Let’s face it, and we all know this. In general, we in IT are not great in end-user communication and expectation management. We live and breathe technology, and somewhere we sometimes forget that someone is supposed to use our fancy-best-of-breed-solution.

Okay, a bit over generalizing but if you have worked in IT, I think you might recognize this. We often forget about the end-user and we fail to tell them about all the wonderful things we do, but also what they can expect from us.

I will try to provide you with a high-level view, to help YOU take the decisions what to do and why, not really the HOW in this post.

Now that we have managed the expectations, let’s get into this.

Expectations management

Since you are reading this, I assume that you are in some way involved in the end-user service area and are either providing or helping to provide services to end users. You are operating in the layer where most users interact.

But what have you promised your end users? What are they buying from you? Do they know or are they just “paying the bill”? This is something that varies between organizations, depending on size, location, culture, and previous structures of the IT department.

But what are you selling to your end users? Are they just buy “a computer” or are there more services attached like deskside support and a helpdesk?

There are a lot of questions related to this, and hence one of the themes for this post.

What do your users THINK that they are buying and what are you delivering?

This is the most important part which is also the trickiest one. To set an expectation with your users (which are your customers) on what they will receive buying the service from you. It might be that you are the only one that are allowed to provide this service within you organization, or that you are the preferred one but they could operate it them self or turn to a third party to provide this.

None the less, making it clear for the end users on what to expect from your service is increasingly important. Especially since enabling new services is three clicks and a credit card away…

What value are you adding to the equation?

End-user communications

Enter end-user communications. This is a hard area and there is a reason that organizations hire communications professionals. They might not know all about fancy IT stuff (that’s not why they were hired), but you can make sure that they know all about getting your message out there!

From my experience by working in the end-user area, this is something that is super important but also, very often forgotten about. We tend to update something we consider as small, but it might have huge end-user impact. If we don’t successfully inform our users about this, we might cause unnecessary frustrations. Even though we need to adopt an Evergreen mindset, we need to make sure that our users know what’s going on. Keep them in the loop.

I’m no communications expert, but I’ve seen and delivered the outcome from projects where there were a lot of end-user communications and less communication. What do you think where the most successful, in the aspect of user adoption?

Yes, the projects where extensive end-user communications were performed.

However, you always need to adopt amount/channels/information to whomever is the target for the change. Some information might only be needed by your support people, other information might be of more value to your end-users.

The go-do / take away

So, what is the takeaway from this?

Try to define your services for your end-users possible and communicate these. A PDF hidden away on a SharePoint site will never be found, putting it on some sort of intranet site might be a better idea to clearly state to your end-users what they can expect by buying the service from you and what value you add to them.

This is of course something that varies between businesses, but defining services is a crucial step to set the expectations right with your users.

I would also really encourage you to reach out to your communications professionals within your business for advice and work together with them. They can really help you get you message out there, making sure that your end-users (customers) understand why things are happening and changing in the way they are. But don’t expect them to do your work for you. You will still need to put in the effort but getting their advice and/or input might change the success rate of your project.

Categories
Intune Modern Workplace

Why managed Android matters

Looking at the Swedish market, most of the companies I meet are managing their devices. These devices are usually iOS/iPadOS devices since, let’s face it, iOS has been superior in the Mobile Device Management segment throughout the years since they have had more settings exposed to MDM than Android. This has however changed over the years and the difference is not at all the same as of let’s say 3-5 years ago.

We can always discuss why platform A is better than platform B, but let’s not get into that. Everyone will have a separate opinion on this.

Looking at where we are today, many companies I meet manage their iPhones and iPads but haven’t really gotten around to Android yet. It’s still in some sense viewed as a secondary platform and not something that is wanted (it’s one more platform to provide end-user support on for one thing).

I fully respect this. However….

Looking back at my previous posts about what tools people to expect to use in the workplace, we are seeing a lot of growing demand for Android devices.

This could be out of personal preferences, the fact that the device is cheaper or the iPhone not being available in the market where the user lives. But this means that dodging the question of Android becomes harder and harder. And the later you get on top of Android, the harder the transition will be since Android is a lot different to manage compared to iOS/iPadOS.

For Android, you have to options depending on your wants and needs. You have Work Profile and Device Owner.

Management methods for Android

You should AT ALL COST avoid using Device Administrator since this is a legacy protocol which will be decommissioned by Google.

In this post I will not cover the dedicated devices method since this is meant for special adoptions and not regular end-users.

Work Profile

Work Profile is the most basic version of Android management and it has the least impact on already existing phones. Your users must download the Company Portal to enroll into Intune. This will create a separate “work sphere” where all corporate data will live.

This is the easiest form of Android management and you can deploy applications, configurations, and compliance policies. The work data will be separated from the personal data, but there are some limitations around management. This is the easiest way to start managing your Android devices without too much user impact.

Device Owner

Device owner or fully managed is the full feathered version of Android management where Intune takes total control of the device. This is more like how the iOS devices would be in a supervised mode. This management method also enabled Google Zero Touch enrollment (or Samsung Knox) for easier user onboarding. But you can of course have your users scan a QR code on first launch.

A huge benefit with this from a corporate perspective is that the user won’t need a Google account to enroll and download corporate applications. They can add a personal Google account, but it’s not needed to use it as a corporate device. Google accounts can otherwise be a hassle for less experienced user.

Company-owned work enabled

This version of Android management is when this blogpost is being written to officially launched, it’s still in preview.

This is however a combination of Work Profile and Device owner management where you as an organization gains full control over the device (giving you more management capabilities) but corporate data and personal data is separated.

This requires a device reset, just as device owner, but the user will get one corporate sphere and one personal sphere. The data is managed in the corporate sphere and left to the end users’ privacy in the personal sphere.

In my view, this will be the more attractive version of Android management overall since you can have a separation between personal and corporate data.

This method works extra smooth if you combine it with Google Zero Touch or Samsung Knox. If you don’t see a possibility to have this in place, you can of course have your users scan a QR code on first launch.

Where should you start?

Start small and start easy. If you have a lot of Android devices today, Work Profile is the best place to start. Having users reset their devices containing photos, apps etc. is not a popular thing to do. You could argue that it’s a corporate device and your users must comply, but this is not an effective way to build trust and getting the devices into management.

If you have just a few devices and looking to introduce Android into your environment, Device owner or the new Corporate-owned work enabled method is the way to go. You will have fresh devices going in and the need for a reset doesn’t exist. Combine this with Google Zero Touch or Samsung Knox and you will have a killer user on-boarding experience!

What are your thoughs on Android and where do you stand today? Comment below!