Managing Windows devices

KACE Cloud allows you to manage Microsoft Windows devices, to ensure they are secure and compliant with your policies, and also to prevent their data from being exposed to unauthorized users. This topic provides high-level instructions that allow you to start managing your MS Windows devices.

Windows device administrators can choose from a number of different enrollment flows largely depending on their domain type:

  • Azure AD domains: Cloud-based Azure Active Directory (AD) domains for provisioning users, apps and devices.
  • On-prem AD domains: In an on-prem AD domain, user account data is available to internal network users and administrators.
  • Hybrid Azure AD domains: A collection of cloud-based Azure AD and on-prem AD domains.

There are several areas of focus as you configure the enrollment of your Windows devices in KACE Cloud: understanding how the different ways to join a domain affect device enrollment, setting your company and personal device enrollment types, setting up Autopilot enrollment (for company devices), and enrolling devices in KACE Cloud.

After completing the steps associated with the desired enrollment path, you have the option to integrate with other enrollment providers and configurations, as required, such as integration with the KACE Systems Management Appliance. Finally, configure your email accounts, device passcodes, and other elements to comply with your organization's requirements. You can link these configurations with KACE Cloud Policies to automate applicable processes and ensure your compliance requirements are in place at all times, to prevent any unpredictable issues.

The following procedure summarizes the steps for getting started with managing your target devices:

  1. Ensure that your devices are supported by KACE Cloud.

    See the list of supported platforms for complete details.

  2. Ensure that you have access to the KACE Cloud portal.

    When your subscription is provisioned, you will receive two emails from KACE Cloud that allow you to get started. See detailed instructions here.

  3. Optional. Add external users from your corporate account, if applicable.

    See LDAP Sync Service and Single-Sign On (SSO).

  4. Ensure that the device user accounts are properly configured in KACE Cloud.

    To enable new users to enroll their devices, you must ensure that their user account exists in KACE Cloud, and that the account has the Device User role. See detailed instructions here.

  5. Enroll Windows devices by following the appropriate path.

    The enrollment path you choose depends on your domain type (cloud, on-prem, or hybrid).

    Azure AD domains
    1. Automatically connect KACE Cloud and Azure AD.

      With KACE Cloud listed as a cloud-based MDM solution in the Azure AD app gallery, connect KACE Cloud to your Azure AD subscription. See detailed instructions here.

    2. New devices: Use Windows Autopilot to join devices.

      Use Windows Autopilot to set up all configurations on a company-owned device so that the end user only has to open their new device and log in. See this topic for more details.

    3. Existing devices:
      1. Configure manual enrollment to join devices.

        Use the KACE Cloud Windows Manual Enrollment page to select the method that both company and personal devices will use for manual enrollment. See detailed instructions here.

      2. Enroll Windows devices.

        Provide the end user with enrollment instructions. You can find them in KACE Cloud, in the Enroll Devices view when you select Windows. See detailed instructions here.

    On-prem domains
    1. Create a Windows provisioning package.

      You can use the Windows Configuration Designer to create an encrypted Windows provisioning package (.ppkg).

    2. Deploy the newly created provisioning package to managed Windows devices.

      Run the generated .ppkg file on target devices, or use an automated deployment tool such as KACE SMA or KACE SDA.

      See detailed instructions here.

    3. Enroll Windows devices.

      Provide the end user with enrollment instructions. You can find them in KACE Cloud, in the Enroll Devices view when you select Windows. See detailed instructions here.

    Hybrid Azure AD domains
    1. Automatically connect KACE Cloud and Azure AD.

      With KACE Cloud listed as a cloud-based MDM solution in the Azure AD app gallery, connect KACE Cloud to your Azure AD subscription.

    2. New devices:
    3. Existing devices: Add target devices to hybrid Azure AD domains.

      When you link Azure AD with an existing on-prem AD domain, you can then integrate KACE Cloud with Azure AD to allow users to sign in to KACE Cloud using their managed Azure AD accounts through the SAML protocol. Next, create an Active Directory group policy and set it up to join existing on-prem devices to KACE Cloud and Azure. Finally, sign in to the device with the Azure AD account. See detailed instructions here.

  6. Specify common configuration settings.

    After enrolling your mobile devices, you can create and apply desired configuration changes. KACE Cloud maintains a configuration Library that you can use to create and manage your settings. For example:

    • Email: Email can be configured through an existing user account. The auto deploy option can be checked during the setup process. See Managing email accounts.
    • Device passcodes: Set up passcode defaults by selecting one or more devices under the Devices section, then choosing Passcode Rules in the right panel. Passcode rules can also be applied to one or more devices using a policy. Passcodes can then be managed by editing rule sets in the library. See Managing passcode rules.
    • VPN: There are unique VPN setup processes for the supported device OS types.
    • Wi-Fi: New Wi-Fi configurations can be added in KACE Cloud, then applied directly to a device or devices. The configuration can be added to the Wi-Fi Library for future installation, and the auto deploy option can be checked during the setup process. See Managing Wi-Fi configurations.

    See this topic for more details.

  7. Set up default policies.

    KACE Cloud policies allow you to automatically apply desired configurations in your dynamic environment, to enforce your compliance requirements. See this topic for more details.

  8. Optional: Finalize your setup by integrating with other configurations.

    If you are already a KACE SMA customer, you can configure the integration between KACE Cloud and KACE SMA. See detailed instructions here.
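
For existing devices, one way to confirm which of the three domain types in the enrollment step applies to a given machine is to read its join state from the built-in dsregcmd /status command. The PowerShell below is an added example, not part of the KACE Cloud documentation; the function name Get-EnrollmentPath and the sample output are constructed for illustration, and the mapping from join state to enrollment path is an assumption based on the domain types listed in this topic.

```powershell
# Added example (not KACE Cloud code): map a device's directory join state,
# as reported by `dsregcmd /status`, to the enrollment paths in this topic.
function Get-EnrollmentPath {
    param(
        # Lines of `dsregcmd /status` output; defaults to querying this device.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # Collect the "Name : VALUE" pairs we care about from the Device State section.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aad = $state['AzureAdJoined'] -eq 'YES'   # joined to Azure AD
    $ad  = $state['DomainJoined']  -eq 'YES'   # joined to on-prem AD

    # Assumed mapping: both joins means hybrid, one join picks that domain type.
    if ($aad -and $ad) {
        $path = 'Hybrid Azure AD domains'
    } elseif ($aad) {
        $path = 'Azure AD domains'
    } elseif ($ad) {
        $path = 'On-prem domains'
    } else {
        $path = 'No directory join detected'
    }

    [pscustomobject]@{
        AzureAdJoined  = $aad
        DomainJoined   = $ad
        DomainName     = $state['DomainName']
        EnrollmentPath = $path
    }
}

# Constructed sample of the relevant `dsregcmd /status` lines (not from a real device).
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : EXAMPLE
'@ -split "`r?`n"

Get-EnrollmentPath -StatusLines $sample   # run without -StatusLines on a real device
```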