Firstbase and MDMs: Elevated Global Equipment Management

Written by Admin | Aug 26, 2024 9:04:07 PM

Keeping any workforce productive is no small feat. But for distributed companies, with staff all over the country or world, it’s exponentially harder to equip people with secure, compliant devices. 

For IT departments, scaling comes with unavoidable growing pains. Every time teams add headcount, they expand their risk of security breaches and lost devices. For distributed teams, IT teams generally don’t even see a device before it’s sent out to an employee. Mobile Device Management (MDM) software is critical for keeping distributed organizations secure. And for forward-thinking IT leaders, it’s the bare minimum. 

MDMs are a crucial security foundation for all organizations. But MDMs are not the only component required to ensure company device compliance and security. 

IT leaders and security leaders alike want to reduce risk, minimize device loss, and create better employee experiences. In other words, leaders are looking for an end-to-end solution for managing the equipment lifecycle—designed to maintain the physical security and logistics of your team’s equipment. 

How Firstbase Fits With MDMs: Overview of IT Logistics

Mobile Device Management (MDM) systems are a non-negotiable part of the modern IT tech stack. MDMs allow companies to lock employee devices or wipe them of data, remotely. They’re often mandatory, especially in sectors that work with sensitive data like healthcare and finance. MDM lapses can cause serious compliance issues that carry crippling penalties and fines.

On the surface, MDMs have a simple purpose: to control who can access sensitive data. But administering MDMs at scale gets complex, and fast. 

MDMs all have one critical limitation: they only work when they are deployed on a device. 

Meaning: if the MDM hasn't been properly deployed onto the device, the MDM is useless. This may seem obvious, but it is one of the biggest challenges that distributed workforces have created for companies. Today, HR is hiring employees across many locations, and in most cases IT teams are not present in every location where there are employees, so quite frequently IT teams never touch a device before it is sent to an employee.

As a result, MDM providers are working diligently to design easier methods for deploying their products onto devices. These include sending an enrollment link directly to the employee so they can enroll their own device, manually deploying the MDM through .ppkg or .xml files, or, ideally, zero-touch deployment, where the MDM is registered to the business's Apple Business Manager (for Apple devices) or Microsoft Entra ID (for Windows devices, which are then deployed through Microsoft Autopilot).

This is where Firstbase comes in

Firstbase is a cloud platform and physical infrastructure engine for procuring, enrolling, shipping, tracking, and managing corporate devices. Firstbase makes it simple to get MDM software on every device before employees receive any hardware—then track those devices with more clarity throughout their lifecycle. 

In the United States, Firstbase offers in-house manual imaging through our device configuration service. Our physical operations engine also extends globally, through our network of global procurement partners. We track assets that MDMs can’t (like keyboards) and offer visibility into lifecycle stages that MDMs can’t see (like end-of-life). 

By managing and tracking IT hardware and logistics from a centralized platform, Firstbase elevates MDMs’ functionality. Wherever your people need to be working, Firstbase gets them the devices they need—while keeping IT operations efficient, compliant, and secure. 

Firstbase is compatible with any MDM vendor. But zero-touch is always easiest for companies, so we give a particular stamp of approval to solutions that make that possible. 

We’ll come back to zero-touch later. First, let’s take a look at the employee equipment lifecycle—and how MDMs simplify it.

MDMs and the Employee Equipment Lifecycle

Every IT leader knows the stages of the employee equipment lifecycle. The process of provisioning, managing, and maintaining end-user devices and software is complex — especially for a workforce all over the world.

The employee equipment lifecycle’s basic stages are: 

⦁ Procurement

⦁ Deployment

⦁ Maintenance and upgrades

⦁ Decommissioning or disposal

However, these four stages don't capture the more nuanced parts of the equipment lifecycle. Four particular use cases — procurement planning, imaging, security, and retrieval — come to mind because all of them become far easier with MDM software and Firstbase.

Procurement Planning

Procurement involves: 

⦁ Identifying devices needed 

⦁ Forecasting required inventory levels 

⦁ Choosing suppliers or resellers

⦁ Negotiating cost per unit 

Firstbase has built a network of more than 150 reseller and distribution partners that enable customers to get local pricing and ensure devices are Autopilot-enrolled (or have their hardware hash extracted for registration) or ABM-registered. We handle vendor communication and ensure you comply with local regulations, no matter how many regions you operate in.

Imaging

MDM enrollment is a necessary step for nearly any organization that distributes equipment to workers. Historically, the basic way to install an MDM was manual imaging, which required IT teams to physically load software onto each device through a .ppkg or .xml file. The key requirement is that IT had to have physical access to the device, which doesn't scale well with a distributed workforce.

This is why MDM vendors and OEMs partnered to design a method for MDMs to be installed and run remotely, a model known as zero-touch. Zero-touch represents significant IT labor savings and is the only completely secure method—when it's possible. To support zero-touch, all devices must be either Autopilot or ABM capable, the organization must be operating in the cloud, and the MDM program itself must be zero-touch compatible (not all MDMs are).

As a result of the current MDM enrollment nuances and limitations, Firstbase provides a device configuration service that includes manual imaging in the United States, with planned expansion into the UK, EU, CA, and India.

Security

Companies face quite a few requirements to be truly compliant and secure. 

Here are a few categories IT leaders are considering: 

⦁ Access Controls

⦁ Asset Management

⦁ Information Security 

⦁ Change Management  

Each category requires companies to effectively articulate the processes, tools, and workflows being leveraged to meet that category's criteria.

MDMs and Firstbase work well together, each filling the gaps the other does not solve for with respect to the categories above.

MDMs allow IT administrators to remotely configure devices with the necessary settings, applications, and security policies. This ensures that new employees have access to the resources they need from day one, lets IT monitor the health of devices while they are with the employee and diagnose problems as they arise, and, when the employee departs, lets IT wipe company data from the device and revoke access to corporate resources.

Firstbase provides the physical infrastructure, operations, and logistics related to each part of a device’s lifecycle, wrapping it in a platform that gives IT complete visibility into their hardware location and condition. This ensures devices can be:

⦁ Effectively enrolled into MDMs, 

⦁ Securely stored prior to onboarding an employee, 

⦁ Consistently repaired and refreshed,

⦁ Properly returned, wiped, cleaned, repaired, and (if required) destroyed or recycled with certifications available. 

All of these actions are then tracked in the Firstbase platform via asset histories, providing a complete audit trail of each device's lifecycle. By combining an MDM and Firstbase, IT teams can establish strong workflows and processes to demonstrate compliance from device procurement to disposal.

MDM Enrollment Maturity: From Manual Imaging to Zero-Touch

There’s no one right way to get MDM software on your corporate devices. Each organization will need to choose their approach based on: 

⦁ The size and location of their workforce

⦁ Their unique device fleet

⦁ Their IT department’s capacity

⦁ Their security and compliance requirements

Based on their needs, they can then select the right MDM strategy from the options below.

Baseline: Procurement of Corporate Devices

In some cases, businesses consider allowing employees to use their own devices, or tell employees to purchase a device that the company later reimburses. This is usually the case for companies that don't have procurement partners near employees or don't have nearby IT resources.

THIS IS NOT RECOMMENDED.

This model exposes the business to a whole variety of future problems. In particular, many consumer-grade devices cannot be enrolled in ABM or Autopilot, or if they can, the process is extremely tedious and manual. So, in remote settings, devices expensed by employees often are not reusable and result in a loss to the business.

MDMs also have to be deployed manually by employees, so at the end of the day these devices pose a more significant security risk to businesses.

The baseline criteria for any device are that it is business grade, can be enrolled in ABM or Autopilot, and, if possible, is registered before it is sent to the employee.

In many cases, this is why corporations look for a partner like Firstbase, which is an Apple Authorized Reseller in the United States. Through our network of 150 global partners, Firstbase can procure corporate devices pre-enrolled in Autopilot or ABM, or register them remotely via the hardware hash (HashID).

Good: Employee Manually Downloads the MDM 

Most MDM providers have built a method for a corporation’s employees to manually download their product onto employee devices. Generally, employees are sent a link where they are required to walk through a series of steps to download the MDM and give the MDM proper permissions to allow IT to effectively manage the device. For most corporations, this method requires IT to set up calls with every employee to ensure MDMs are properly downloaded. 

This ensures the device is properly managed while with the employee, but it does have some limitations. In particular, devices will not be managed during transit from the supplier to the employee, meaning that if a device is stolen off a doorstep, the thief would be able to use it easily.

In addition, when a device is retrieved after an employee's termination or departure and wiped for reuse, the MDM will have to be reinstalled on it.

So although this method works, it puts more work on IT teams, who have to help employees correctly download the MDM onto the device, and it puts devices at risk in transit. The ideal situation is to have devices MDM-enrolled before they are sent to employees. The next methods enable companies to do this.

Better: Manually Configure Devices Prior to Shipment

The next progression is focused on manually downloading MDMs onto devices prior to the devices being sent to employees. 

MDMs can be deployed manually in many ways. One method is for IT admins to create admin and employee accounts on each device, then download the MDM agent and register the device manually from the admin account.

Alternatively, for more efficiency, many MDM providers offer a way to create a file, generally a .ppkg or .xml file, that can be applied to a golden or thin image. The image can then be used to quickly configure several devices at once, dramatically reducing the time required per device.

(There are of course many other methods to drive efficiency, such as running scripts.)

Any combination of the methods above allows corporations to ensure devices have all the proper security settings and necessary software installed before the employee ever touches the device. Many corporations like this because it creates a more turnkey onboarding experience for employees.

The only limitation of manually configuring devices is that it requires an IT admin to have physical access to the device, meaning they are also likely to be responsible for all the associated shipping.

Generally, IT leaders see this as a low-value task that has to be done—and often prefer offloading to a partner to ensure their team is focused on what matters most. 

That’s why Firstbase has invested in Device Configuration Services in the US, with plans to expand to the UK, EU, India, and CA in the next year. Through our Device Configuration Service, Firstbase can support any combination of the above methods to ensure devices are properly configured prior to shipment. This can be done for new and used devices, ensuring corporations get the most from their assets.

Best: True Zero-Touch

In a true zero-touch model, ready-to-use, MDM-enabled devices are shipped directly to employees from suppliers or resellers. This is made possible by the MDM being registered to the company's ABM or Microsoft Entra ID (formerly Azure AD) tenant. So, when a device is purchased and registered to the corporate tenant, the MDM is automatically deployed when the user first turns on the device.

In addition, many MDMs have robust configuration capabilities including initiating scripts, meaning much if not all of the manual work can be executed by MDMs. This allows for a seamless experience for employees and reduced labor cost associated with manual device configuration.

The other key differentiator is that if a device is returned after an employee departs, it can be wiped, and because of the connection between ABM or Entra and the MDM, the MDM is automatically re-enrolled after the wipe, ensuring devices stay secured at all times.

Because IT staff never need to touch the devices, zero-touch eliminates significant time, cost, and friction. 

This is the preferred method of many customers, as it’s the most scalable model for remote and hybrid companies. Through the Firstbase partner network and warehousing infrastructure, companies can ensure all devices are procured with local pricing and properly registered to their corporate ABM and/or Entra accounts.
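As an added illustration (not Firstbase's code or any MDM vendor's API), the script below reconciles a constructed asset register against a constructed MDM enrollment export, by serial number, to surface the gaps the tiers above describe: a deployed device the MDM never landed on, a device unmanaged while in transit, and a returned device whose MDM is lost on wipe because it is not bound to ABM or Autopilot. Serials, stages and records are hypothetical.

```python
"""Reconcile an asset register against an MDM enrollment export.
An MDM only protects a device it has actually been deployed on, so this
check joins both inventories by serial and flags unprotected stages.
All records below are constructed sample data, not real exports."""
from collections import Counter
from dataclasses import dataclass

# Enrollment methods mapped to the maturity tiers described in the article.
TIER = {"none": "Baseline", "user_link": "Good",
        "pre_shipment": "Better", "zero_touch": "Best"}

@dataclass
class Asset:
    serial: str
    stage: str        # procured | in_transit | deployed | returned | disposed
    enrollment: str   # how the MDM was (or was not) put on the device

ASSETS = [  # constructed, hypothetical serials
    Asset("SN-A1", "deployed", "zero_touch"),
    Asset("SN-B2", "deployed", "user_link"),     # employee never finished the link
    Asset("SN-C3", "in_transit", "user_link"),   # unmanaged while on the doorstep
    Asset("SN-D4", "returned", "pre_shipment"),  # wipe for reuse removes the MDM
    Asset("SN-E5", "returned", "zero_touch"),    # ABM/Autopilot re-enrolls after wipe
    Asset("SN-F6", "procured", "none"),
]

# Constructed MDM export: enrolled now? automated (ABM/Autopilot-bound)?
MDM_EXPORT = {
    "SN-A1": {"enrolled": True, "automated": True},
    "SN-C3": {"enrolled": False, "automated": False},
    "SN-E5": {"enrolled": True, "automated": True},
}

def findings(assets=ASSETS, mdm=MDM_EXPORT):
    """Return (serial, issue) pairs for devices the MDM is not protecting."""
    out = []
    for a in assets:
        rec = mdm.get(a.serial, {"enrolled": False, "automated": False})
        if a.stage == "deployed" and not rec["enrolled"]:
            out.append((a.serial, "deployed_but_not_enrolled"))
        elif a.stage == "in_transit" and a.enrollment in ("user_link", "none"):
            out.append((a.serial, "unmanaged_in_transit"))
        elif a.stage == "returned" and not rec["automated"]:
            out.append((a.serial, "mdm_must_be_reinstalled_after_wipe"))
    return out

def maturity_counts(assets=ASSETS):
    """Number of devices in each enrollment tier (Baseline/Good/Better/Best)."""
    return dict(Counter(TIER[a.enrollment] for a in assets))
```

Run against real exports, the same join tells you which serials need an enrollment follow-up before an employee, or a thief, gets to the device first.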

How to Find the Right MDM and Make a Buying Decision 

Zero-touch is hands-down the most efficient way to manage IT logistics and MDMs. But it's not the immediate next step for some companies. 

Here are a few questions IT leaders should consider when making an MDM buying decision to ensure they’re ready for zero-touch: 

Are you in the cloud?

In general, if IT operations aren’t in the cloud, zero-touch isn’t an option. Some companies also need to use specific or proprietary on-premise software that can’t be imaged remotely. 

What devices and operating system are you using?

Your device fleet will help determine the best MDM option. Some MDMs work only with certain devices. For instance, Jamf and Kandji are only compatible with Apple devices. Additionally, companies whose devices aren’t registered with Apple Business Manager or Autopilot may not be able to achieve zero-touch.

What is your technical and logistical capacity?

Some MDMs are more complex than others. For instance, Jamf is highly customizable but requires more expertise, while Kandji is simpler and comes with less of a learning curve.

With Firstbase, IT departments can outsource their global equipment management to a trusted partner. Whether they’re short on in-house capacity or simply want to free up IT resources for more strategic tasks, Firstbase can take the logistical lift off of your team. 

Firstbase: Effortlessly Track Every Device From One Platform

Firstbase is the only solution to combine an integrated SaaS platform with a global physical operations engine. From shipping to security to repairs, our platform is built to remove the challenges of IT logistics in today’s remote- and hybrid-first world by streamlining not just your MDM program, but all of your IT operations with a hand from our software and IT experts. 

We work with fast-growing teams of 250 and global teams of 5,000+. Whether you’re just scaling up or you’re well-established, we make it easy to keep all your devices secure—from manual imaging to zero-touch and beyond.
