Managing Registered Devices

Registered Devices are the devices that are enrolled in KACE Cloud through an agent using a unique process involving token-based authentication. These do not use the MDM protocol. This approach facilitates device management beyond the conventional methods, offering greater flexibility to organizations.

Reasons to opt for Registered Devices

Organizations opt for registering devices for various reasons:

  1. Compatibility with External MDM Providers
    The compatibility with external Mobile Device Management (MDM) providers such as Microsoft Intune allows organizations to leverage the strengths of different providers while still benefiting from specific functionalities unique to KACE Cloud like patching.
  2. Support for Windows Servers
    Registering devices also opens the door for organizations using Windows Servers, as traditional MDM enrollments may not support these. Registered devices allow seamless patching on Windows Servers, expanding the scope of device management.
  3. Cost Efficiency
    This serves as a cost-effective option if organizations only require limited functionalities, such as patching and app management. Traditional MDM licensing might provide more functionalities than necessary.

With KACE Cloud, you can manage your organization's Registered devices and ensure they are secure and compliant with your policies, and prevent their data from being exposed to unauthorized users. This topic provides high-level instructions that allow you to start managing your Registered devices.

Device administrators can choose any one of the following methods to register a device:

  • Manual registration
  • Third Party Agent deployment
  • Enrollment through Group policy

The following procedure summarizes the steps for getting started with registering your target devices:

  1. Ensure that your devices are supported by KACE Cloud

    See the list of Supported platforms for complete details.

  2. Ensure that you have access to KACE Cloud portal.

    When your subscription is provisioned, you will receive two emails from KACE Cloud that allow you to get started. See detailed instructions here.

  3. Optional. Add external users from your corporate account, if applicable.

    See LDAP Sync Service and Single-Sign On (SSO).

  4. Ensure that the device user accounts are properly configured in KACE Cloud.

    To enable new users to enroll their devices, you must ensure that their user account exists in KACE Cloud, and that the account has the Device User role.

  5. Enroll the Registered devices by choosing the appropriate method. This involves obtaining a registration token and installing the corresponding agent on the target device. This token serves as the key for enrolling devices and can be created through the KACE Cloud admin interface. Administrators can distribute the token and installer to end users, utilize other MDM providers, or use Group Policy to streamline the process.
    Manual Registration
    • Create a Token: Create a token from the admin portal.
    • Download Agent Installer: Obtain the agent installer from the admin portal or by using the enrollment URL built with the following syntax:
      • https://yoursubdomain.enroll.kacecloud.com/register
      • https://yoursubdomain.enroll.westeurope.kacecloud.com/register (for westeurope data centers only)
    • NOTE: In the enrollment URL, ensure you replace yoursubdomain with your tenant-specific details.

    • Install Agent: Use the installer package (.pkg for macOS or .msi for Windows) to install the agent on the target device. Enter the token only if prompted.
      Click here to learn the different ways to transfer a token to the agent.
    • Verify Installation: Ensure the installation command completes without errors or error codes to confirm a successful agent installation.
    • Confirm Registration State: Verify that the device is in the expected registration state for the specific tenant associated with the provided token. The agent communicates with the KACE Cloud server, either automatically enrolling or awaiting administrator approval based on configured settings.
    • Check Enrollment Status: Examine the log data in `register.log` located in the following directories:
      • Windows: C:\ProgramData\Quest\KACECloud\logs\register.log
      • macOS: /Library/Application Support/Quest/KACECloud/data/logs/register.log
    Third Party Agent Deployment

    NOTE: We do not have direct control over the distribution of the KACE Cloud agent within third-party products. The steps outlined below are for information only; we do not guarantee or influence deployment procedures.

    We use VMware Workspace One and Microsoft Intune as examples to demonstrate the deployment process. Before you begin, download the agent installer file and copy the token value.

    For VMware Workspace One
    1. Windows:
      • Navigate to Resources: Access the VMware Workspace One console and locate the section for native applications.
      • Upload Agent Installer: Add the KACE Cloud agent installer (.msi file) to the VMware Workspace One environment.
      • Configure Deployment options: Specify deployment options, accept defaults, and edit the install command to include a Token argument with token data.
      • Save and Assign: Save the configurations and assign the new application to desired Windows devices already part of VMware Workspace One, facilitating registration into KACE Cloud.
    2. macOS:
      • Navigate to Native Apps: Access the VMware Workspace One console and locate the section for native applications.
      • Upload Agent Package: Add the KACE Cloud agent package to the VMware Workspace One environment.
      • Configure Full Software Management: Select Full Software Management, accepting defaults in the Details tab.
      • Configure Scripts: Add a pre-install script to handle token data. Assign the new application to desired macOS devices that are already part of VMware Workspace One, facilitating registration into KACE Cloud.

    See detailed instructions here.

    For Microsoft Intune
    1. Windows:
      • Navigate to Apps: Access the Microsoft Intune console and locate the section for all applications.
      • Upload Agent Installer: Add the KACE Cloud agent installer (.msi file) to the Microsoft Intune environment, providing necessary app information and custom command line arguments.
      • Assign Application: Assign the new application to desired Windows devices that are already part of Microsoft Intune, facilitating registration into KACE Cloud.
    2. macOS:
      • Navigate to Apps: Access the Microsoft Intune console and locate the section for all applications.
      • Upload Agent Installer: Add the KACE Cloud agent installer (.pkg file) to the Microsoft Intune environment, providing necessary app information and an install script to handle token data.
      • Assign Application: Assign the new application to desired macOS devices already part of Microsoft Intune, facilitating registration into KACE Cloud.

    See detailed instructions here.

    Group Policy Deployment
    Prerequisites

    Before proceeding with device enrollment, ensure the following prerequisites are met:

    • Network Share Location: You must have a network share location accessible to all targeted devices. This location will host the installation and configuration files needed for enrollment.
    • Active Directory Group: You must have an Active Directory group ready for targeting devices. This group helps specify which devices will receive the enrollment settings.

    Device Enrollment Steps

    Follow these steps to enroll devices through Group Policy:

    1. Check Existing Network Share

    • Verify if the network share is already present. If not, you need to create one.
    • Ensure that the Network Share has read permissions for users and devices. This ensures that devices can access the necessary files.

    2. Check Existing Active Directory Group

    • Verify if the Active Directory Group is already present. If not, you need to create one.
    • Create an Active Directory group to assign the policy. This group includes all the target devices that should receive the software. Make sure it also grants permission for these devices to read from the network share.

    3. Generating a Transformation File

    Generate a transformation file (.mst file) using an administrative tool like ORCA. This file captures the necessary configuration changes during installation. Follow these steps:
    • Download the administrative tool (e.g., ORCA) using the Windows SDK Installer and install it.
    • Open the tool and load the .msi file that corresponds to the software you are deploying.
    • Create a new transform by adding a row to the Property table, enter ‘TOKEN’, and then add the enrollment token value.
    • Save the transformation file (.mst file) and copy it to the previously created network share, ensuring accessibility for target devices.

    4. Configuring Group Policy

    • Open the Group Policy Management tool on the Active Directory server.
    • Create a new Group Policy Object (GPO) specifically for device enrollment.
    • In the security filtering section, add the Active Directory group containing the target devices.
    • Edit the GPO and navigate to Computer Configuration > Policies > Software Settings > Software Installation.
    • Right-click and choose New > Package, selecting the .msi file from the network share.
    • Advanced settings allow the addition of the .mst file, ensuring the configuration changes are applied during installation.
    Once the Group Policy is configured, it gets applied during the next system restart. Devices automatically receive the enrollment settings. For immediate application, you can run the gpupdate command on target systems.
  6. Specify common configuration settings

    Once a device is registered, it becomes a part of the KACE Cloud system, allowing for specific management actions.

    • Patching - Registered devices benefit from patch management, ensuring the latest updates and security patches are applied systematically.
    • App Management - Administrators can deploy and manage applications on registered devices, providing centralized control over the software landscape.
    • Inventory - Administrators can view and manage functional information such as device software and hardware details.
  7. Set up default policies.

    KACE Cloud policies allow you to automatically apply desired configurations in your dynamic environment, to enforce your compliance requirements. See this topic for more details.

  8. Optional: Finalize your setup by integrating with other configurations.

    If you are already a KACE SMA customer, you can configure the integration between KACE Cloud and KACE SMA. See detailed instructions here.
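
For the Group Policy Deployment steps above: the network share holds the .msi that Group Policy installs on every targeted computer and the .mst that carries the enrollment token, so target devices should have read access and nothing more. The following PowerShell check is an added example, not part of the KACE Cloud product or documentation; the share path and the list of trusted SIDs are assumptions to adjust for your environment.

```powershell
# Added example: flag NTFS write access on the GPO deployment share.
# $SharePath is a hypothetical placeholder; $TrustedSids is an assumed allow-list.
param(
    [string]$SharePath = '\\fileserver\kace-deploy',
    [string[]]$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')  # SYSTEM, BUILTIN\Administrators
)

# Rights that allow replacing or altering the installer or the transform,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs can carry.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

function Get-UnexpectedWriter {
    param([string]$Path, [string[]]$Trusted, [int]$Mask)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $Mask) -eq 0) { continue }
        if ($Trusted -contains $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path   = $Path
            Sid    = $rule.IdentityReference.Value
            Rights = $rule.FileSystemRights
        }
    }
}

# Check the folder itself and every .msi / .mst beneath it.
$targets = @($SharePath)
$targets += Get-ChildItem -LiteralPath $SharePath -File -Recurse |
    Where-Object { $_.Extension -in '.msi', '.mst' } |
    ForEach-Object { $_.FullName }

$findings = foreach ($t in $targets) {
    Get-UnexpectedWriter -Path $t -Trusted $TrustedSids -Mask $writeMask
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "No unexpected write access found under $SharePath"
```

This inspects NTFS permissions only; share-level permissions are set separately on the file server and need their own review.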