Enterprises often provide employees with corporate-owned computing devices, such as laptops, tablets, cell phones, and personal computers. These computing devices typically require an initial setup before being given to an employee. For example, an administrator may need to install a specific operating system and applications on the device. The administrator can also take steps to enroll the computing device with an Enterprise Mobility Management (“EMM”) system before handing the device over to an employee. Without enrollment software installed on the computing device, the device would not be secure and an employee could lose or steal the device and any information on it. Installing the correct software, hardware, drivers, and configurations can be done as part of a device enrollment program (“DEP”).
APPLE has its own DEP for its computing devices. Because APPLE provides its own software and hardware with its computing devices, they are able to easily enroll computing devices. This allows them to track device owners and configurations. However, there is no way for administrators to easily do this for WINDOWS devices or other personal computer (“PC”) devices. Each PC device can include a different combination of hardware and software from multiple vendors. There is no central entity or repository that tracks ownership and configuration information, unlike in the APPLE ecosystem.
As a result, administrators do not know how to boot PC devices into a known golden image. The golden image only works when the device hardware and configurations are the same, which is unlikely in the PC ecosystem. A clean state requires an administrator to wipe each computing device and re-image it. Every time a user installs a new application, an administrator must create another golden image that it can use to re-flash the device. Repeating this for every department and enterprise division (human resources, sales, etc.) becomes time-consuming.
Additionally, outside of the APPLE ecosystem, there is no easy way for an original equipment manufacturer (“OEM”) device supplier (also called a vendor) to load a custom company image onto user devices at the time they ship from the OEM. The user device configurations constantly evolve and it is impractical for an OEM to track the evolution. Therefore, the cumbersome task of individual user device setup falls to the enterprise. Multiplied by the number of employees in a workforce, the initial setup can be a major drain on company resources. These setup steps are repeated when a computing device malfunctions or is assigned to a new employee, or when an employee upgrades to a new device. Therefore, large organizations require additional IT manpower for provisioning employee devices, increasing the organization's overall costs. The setup process also produces delays in providing employees with new computing devices, which lowers the overall efficiency of the company's workforce.
Enterprises wishing to enroll the computing device into an EMM system must further manually configure each device. It generally is not feasible for the OEM to customize its operating system (“OS”) image to include management features of the EMM system. This is because EMM functionality can vary, even between different employees in the same EMM system. EMM software is constantly changing, and expecting an OEM manufacturer to replace its OS image with each change would be unrealistic. Therefore, individual device configuration is currently required.
This can require user login into an OS prior to enrollment in the EMM. This gives a user opportunity to circumvent management policies, which are not yet installed in the non-enrolled device.
Trusted boot processes are also very fragmented across different providers of PC devices. Secure boot is one such process supported by WINDOWS, using hash encryption to ensure a secure version of WINDOWS with a particular BIOS version is loaded on the computing device. Each provider can attempt to specify the BIOS and software versions. In the PC ecosystem, there is no single trusted source to cause computing devices to boot with the right OS and software configurations for different enterprises or groups.
For similar reasons, device ownership is equally impossible to track. Each OEM hardware supplier (LENOVO, DELL, etc.) has different standards and sells through different channels, such as direct to enterprises and through stores like BEST BUY. There is no current way to track who bought the device from whom, who owns it, or configuration details after purchase. This is different from the APPLE ecosystem, where there is generally only one source for the computing devices. With a single source, device ownership can be reconstructed from a serial number and a receipt.
In the fragmented PC ecosystem, recovering PC device configurations is also very difficult. Without the ownership or configuration details, it is generally not possible to provide a clean version of the OS, installed software, and drivers. Therefore, Internet recovery has been non-existent for PC devices up to this point.
Consequently, a need exists for a system that provides trusted factory images to load onto user devices running WINDOWS and other non-APPLE operating systems. A need exists for a system where the trusted factory images are customized for different device owners to ensure correct configuration and EMM operation while bypassing piecemeal administrator setup.