Fully Configured & Raring To Go: Work-Ready Devices Shipped to Remote Workers

Topics in this article

Dell has a significant consumer business, where a device is ordered and shipped to the home through our logistics chain. However, our commercial customers have typically ordered multiple devices to a single address. Now, these commercial customers are increasingly keen to send devices directly to the user and the technologies have evolved to a point that, when combined appropriately, they support this. This has become even more important as customers respond to government enforced work from home orders.

Until recently, there was a clear split between fixed office or campus-based workers, who were served by bulk device deliveries, and remote or highly mobile personnel who benefited from home deliveries. In that sense, ship to home was a “nice to have” offering, because in most cases the sales people or remote workers could be encouraged to come in to the office to pick up their new device once every three years (dependent on the refresh policy).

That was until mass shelter at home instructions forced a rethink of the way people worked. With huge numbers of people currently in some form of lockdown and working from home, IT departments have been challenged with keeping the business running despite the disruption. I have been involved in conversations helping big corporates plan for scenarios where the user’s device fails while they are working from home and the offices are closed. This gets particularly tricky for those with applications that are still not Windows 10 compatible.

Time passes, humans adapt and the way we work together adjusts to the new normal. With so many people trying working from home, some of the barriers to its adoption have been removed. 451 Research finds approximately 40% of organizations expect expanded work from home policies to remain in place long-term or permanently.

Jeff Clarke wrote (14th May 2020) a post The New Normal: Perspectives on What’s to Come and How We’ll Adapt in which he states that Dell’s pulse survey among customer predicts that 40% will shift to a more robust work from home environment. Going further, he predicts that 50% of the professional workforce, those whose roles is predominantly working on a PC, will work remotely in the future. This shift will bring many benefits. Not only in terms of reduced carbon footprint resulting from less travel but also widening talent pools by enabling people to participate irrespective of their proximity to an office.

All these factors suggest that finding a robust and efficient solution to providing devices to home based users is more important now than it has ever been. Like our customers, Dell is able to pivot rapidly to address the new normal and this post describes the challenges we addressed to help our customers in the initial surge of activity and the ways that we can work together to embed this new approach into our response to the new normal.

Addressing Privacy Concerns Regarding Ship to Home

Orders requiring a home delivery service will need to be placed individually, not in bulk, as each delivery will be made to a specific user’s home address. Some customers have raised questions as to how comfortable their users will be in disclosing their home address to a third party such as Dell.

In response, I would argue that the world has looked to online shopping in a way never previously imagined. The demand for these services has increased to the point where thousands of new jobs have been created in the logistics chains to cope. Is it likely therefore, that someone who buys their groceries online would be unhappy with their employer’s IT vendor knowing their home address to enable them to ship a new laptop to them? The data must be handled according to the prevailing legislation. However, any vendor addressing consumer purchases will already have this covered.

The Scenario

The remainder of this post discusses how technologies available today, or in the very near future, will enable Dell to image a device for your users and ship it directly to their home. For the purposes of this post, I have assumed that the user credentials are homed in their employer’s on premises Active Directory, as this is the typical scenario for our customers

Traditional or On Premises Management Tools

Connected Configuration

Connected Configuration is Dell’s provisioning service, typically based on Microsoft Endpoint Manager Configuration Manager (MEMCM). The service relies on a virtual private network (VPN) connection between a customer MEMCM Distribution Point server in our regional configuration centres which are integrated into our logistics chain. This allows us to build devices as though we are part of the customer’s capability which, because of the VPN, we, in effect, are.

Using this approach, our customers can build a device, including all required applications and join the device to the domain, before it leaves the configuration centre on the last leg of its journey.  The customer is in complete control of the level of the build and the security of the process throughout.

Once the device arrives at its destination, its new owner can unbox it and it is ready for them to use, or at least it is, if they are on their corporate network. Whilst the device has joined the domain in the configuration centre, the user has never authenticated to that device before. We often forget when logging into a device outside of the office environment, that this is only possible due to cached credentials. When the user logs on to the device for the first time, the device authenticates their credentials with a domain controller, and, if successful, stores, or caches, those credentials for use in the future. This process is repeated every time the user changes their password.

For the device to be useful, a way will need to be found to enable the user to log on to the device for the first time connected to the corporate network. The obvious path is to use a VPN to connect the device, thereby providing access to the domain controller. However, most VPN clients are configured to only be accessible once the user has authenticated, leaving us with a quandary.

Four Methods for Enabling Work from Home Scenarios

There are four ways that have been discussed to address working from home scenarios, two of which are recommended and two which are riskier. The fact that they have been considered reflects the demands of the current situation. Each list is ordered with the recommended option at the top.

  1. Configure current VPN client to allow user to instantiate the tunnel before logging on. The technology exists to allow the VPN client to auto logon based on certificates distributed during provisioning. However, in most cases the security team will require the user to authenticate to the VPN solution first. Once the tunnel is up, the user logs on as normal and all is well. This is a one-time process that can be documented and, using Dell’s drop in the box service, the document can be added to the shipping carton as an extension to the Connected Configuration service.
  2. Allow the user to log on locally to the device, bring up the VPN, switch user and authenticate with their domain credentials. This is a more complicated version of the first option and relies on providing the user with access to a local account on their new device. One way to realise this is to use Microsoft’s Local Administrator Password Solution (LAPS) to generate a local administrator account password for the device and manage it. The user will then be directed to phone in to the helpdesk, be provided with the LAPS password to enable them to login, bring up the VPN etc. This is clearly a complex solution which can be assisted by documentation supplied via the Dell drop in the box service. LAPS is a recommended approach for managing the local administrator passwords in your estate and this is a novel use of its capabilities.

If the options above are too challenging in your environment, some customers have considered these riskier measures. These are not recommended approaches:

  1. If you do not use LAPS but perhaps set all machines to have the same complex local admin password, you could help the users with it. You should change it on all machines in your estate after each use to maintain a level of security. Our recommendation would be to replace this with LAPS as soon as you can.
  2. Ship the device to an office that is open, have an engineer log on to the device on behalf of the user, then ship it to the user. This approach requires that the engineer impersonates the user, however briefly. It jeopardises the reliability of your accounting data, meaning that your security team cannot trust the event log data to see who was responsible for the activity and therefore should be avoided wherever possible.

Cloud Hosted Tools

Dell has seen significant customer interest in the use of cloud hosted tools such as Microsoft’s Intune and VMware’s Workspace ONE to provision systems and has created services to enable our customers to integrate these within our logistics chain. These services are an evolution of the Connected Configuration solution described above.

As these are relatively new services, I will briefly describe them below, before looking at the way each can be used to enable a ship to home service and any challenges that remain with the technologies.

Intune Cloud Provisioning

This service based on Windows Autopilot White Glove enables us to provision devices in our configuration centres up to the point where it is ready to be shipped to the user. The following is based on the expectation that you have chosen to use Hybrid Azure AD Join to enable devices to use the Autopilot White Glove process but be added as members of the on premises domain. This approach is typically used by customers whose environment is still biased towards on premises authentication i.e. their users authenticate using AD accounts.

To be clear, despite the name, Hybrid Azure AD join does not mean that the device is a member of both Azure AD and on premises AD – it is a binary choice. Devices joined through this process are members of the on premises AD, but they register themselves with Azure AD to allow users to access additional Azure AD benefits such as single sign on. Likewise, the user will sign in with their on premises AD account, even if you have enabled user principal name (UPN) logon to make it look like they are using their Azure AD credentials.

As part of this overall service, Dell will:

  • Register the device with Intune
  • Customers can target applications to the device via Intune and, if there is a user assigned to the device, it is also possible to install user targeted Win32 device-context applications.
  • Install Dell’s Generic Windows 10 Image – without unwanted applications but including Dell device specific drivers. Customers can select from N-2 versions to enable them to manage the pace at which they introduce new versions of Windows 10 into their environment
  • Trigger the Autopilot White Glove process to provision the device.
  • Ship the device

During the Autopilot White Glove process, an offline domain join blob and computer account is created for the device in your on premises Active Directory by the Intune Connector for Active Directory. This means that the computer account is created by the service account that the connector is running under. When the user gets to the relevant step in the Autopilot process, they will simply be authenticating themselves. The device will use the information passed during the Autopilot White Glove phase to connect to its computer account. The offline domain join process was first introduced in Windows Server 2008 R2 and it has been adapted for this current use.

Building devices in this way means that devices are ready for the user to sign in to, enabling them to complete the process. If they receive the device when on the corporate network, this is fine. The device can communicate with a domain controller and the Hybrid Azure AD Join process will walk them through the remaining activities.

However, the working premise of this post is that the user is working from home. The device will be unable to find a domain controller and the Hybrid Azure AD join process will stall until it can find one. Microsoft understands that this is not ideal and is working on a solution. Part of the solution was to enable the use of VPN clients. This was written for Windows 10 2004 but was back ported to the December update to both Windows 10 1903 and 1909. Dell has included this update within our Windows 10 1909 Generic Image.

Devices being provisioned with Autopilot, rather than using Autopilot White Glove, require administrators to set the toggle in Intune for the Autopilot profile to instruct systems to Skip the Domain Connectivity Check thereby allowing the Out of Box Experience (OOBE) to proceed through to the First Sign in Animation (FSIA), at which point the user can invoke the VPN connection. Using Autopilot White Glove, this is not required. The process uses TPM attestation to validate the device. In both scenarios, once the user has connected via the VPN, they will then be able to authenticate against the domain controller and complete the process.

Workspace ONE Cloud Provisioning

This collaboration between two of Dell Technologies’ strategically aligned businesses means that we can build devices within our logistics chain by drawing content from a customer’s Workspace ONE cloud tenant. At the time of writing, this service is in a private preview phase, enabling interested customers to evaluate its suitability.

As part of this overall service, Dell will:

  • Register the device with Workspace ONE
  • Customers can target common operating environment (COE) applications to be deployed at this stage but it is planned to extend this to enable a higher degree of customisation.
  • Install Dell’s Generic Windows 10 Image – without unwanted applications but including Dell device specific drivers. Customers can select from N-2 versions to enable them to manage the pace at which they introduce new versions of Windows 10 into their environment
  • Trigger the Workspace ONE process to provision the device
  • Ship the device

This process currently enables customers to build devices that will be members of an on premises Active Directory domain, the premise of this post. This is achieved by an on premises component, the AirWatch Cloud Connector, which creates the offline domain join blob and the computer account for the device. This is similar in many ways to the process described for Autopilot White Glove above.

As with the Autopilot White Glove based process, the device needs line of sight to a domain controller to authenticate the user at first logon. However, in this scenario, we do not have the complication of the device waiting to find a domain controller. We can therefore proceed directly to the use of a VPN prior to logon, as described in the Connected Configuration section.

Summary

Dell’s integration of our configuration centres within our logistics network means that we are well placed to help our customers with ship to home solutions. Our logistics team have been handling consumer-type single device shipments for years. We recognise that ordering in smaller quantities is less efficient for both you and us, but these are unusual times.

To make life easier, we can work with you to create a catalogue of bundles containing the device plus any required peripherals, that are easy to procure. These bundles can then be packed into a single shipping carton to minimise deliveries. We can also place in the carton documents providing instructions to guide users through your first-time logon processes and contacting your helpdesk to finalise any setup that may be required.

Necessity is the mother of invention and we are gearing our sales teams to assist you with working in this new way. Please understand that we are moving as quickly as we can to adjust to this new normal. If you have any questions, please talk to your sales teams to discuss how we can help you.

About the Author: Colin Sainsbury

Colin joined Dell in 2010 as a Solution Architect before becoming a Solution Principal (technical presales) at Dell Technologies Services. Having shown a keen interest in modern management strategy, in 2020, he took the opportunity to move into the Services Client Product Group to help drive Dell’s efforts in this area. He provides the strategic guidance and technology expertise that organizations need to transform their end user computing environments. The Service Client Product Group is responsible for shaping Dell’s Services Strategy regarding Modern Management and Provisioning as well as helping Dell’s customers adopt Windows 10 and optimize their deployment processes. A significant element of this work is to reduce the time to value when a user receives a device, whether that device is new and provisioned via our configuration centres or re-provisioned via our lifecycle management hubs. Colin has 25 years of experience in the IT industry. He started out as a tier 2 helpdesk analyst for the Computing Centre at Imperial College, London. Shortly after taking this role, he was asked to deploy Microsoft Exchange 4.0 into the College as it began to move from a UNIX SendMail email system. Having gained significant experience by deploying one of the earliest Exchange environments, he moved into Exchange consultancy roles. Three years after that initial implementation, he was working as an Exchange consultant for Compaq. Lady luck intervened once more, and Colin was asked to perform an Exchange upgrade for a branch of the UK Ministry of Defence (MoD). This led Colin to specializing first in MoD engagements, then branching out into the wider Central Government space dealing with several key Government departments. This specialization naturally brought with it an understanding of the security concerns and drivers in these sensitive environments. However, since joining Dell he has used this experience across all industry sectors.
Topics in this article