Recommended workflow
This topic describes a recommended workflow for migrating to KACE Cloud from another MDM solution.
1. Connect KACE Cloud to OS vendor systems
Connecting KACE Cloud with the systems of each operating system vendor that your organization supports is the first step in the migration process. For each OS vendor, there are steps that you need to take:
Apple
For personal device enrollments, no special configuration needs to be done. Enrollment can proceed immediately through your organization’s enrollment URL.
For company-owned devices that will use automated enrollment, you will need to connect KACE Cloud with Apple Business Manager or Apple School Manager. The process of doing that can be found here: About the Apple Device Enrollment Program.
Google
Before enrolling any Android devices, you will need to create a new Managed Google Play organization or connect to an existing one. Note that a Managed Google Play organization can only be connected to one MDM vendor at a time. To complete this task, follow the instructions here: Android EMM: Link your Google Play organization with KACE Cloud.
When your MDM subscription is linked to a Managed Google Play organization, you can then begin enrolling personal (work profile) devices.
For company-owned devices that use automated enrollment, you need to connect KACE Cloud with either Google’s Zero-Touch Enrollment program (for eligible Android Enterprise devices) or Samsung’s Knox Enrollment program (only for Samsung devices).
Google Zero-Touch Enrollment instructions can be found here: Configuring Android Zero-Touch enrollment in KACE Cloud.
Samsung Knox Enrollment instructions can be found here: Configuring Samsung Knox device enrollment.
Microsoft
For personal Microsoft Windows devices, you can proceed to enroll without any special configuration using your organization’s enrollment URL. However, you may want to read through these general instructions before proceeding: Enrolling Windows devices.
For company-owned devices that will use automated enrollment or will be joined to an Azure AD domain, you need to first configure KACE Cloud and Microsoft Azure AD to work together. Those instructions can be found here: Manually connect Azure AD and KACE Cloud.
Note that connecting Azure AD to KACE Cloud also results in Single Sign-On (SSO) through Azure AD being configured.
2. Configure Single Sign-On
While not technically required, it is highly recommended that you configure SSO in KACE Cloud. This significantly improves the experience for both you and your end-users. With SSO configured, every authenticated user has an account automatically created in MDM and linked to their SSO credentials – there is nothing you need to do.
While you can also configure additional groups to enable certain users to automatically be granted the Device Administrator role, this is not necessary since the role can be granted to a user after they attempt to authenticate with the product the first time.
For instructions on configuring SSO, see this document: Configuring Single Sign-On.
3. Configure your MDM library
KACE Cloud offers a large number of configurations that you can create and deploy to devices that you manage. While not everything needs to be set up at once, it is useful to set up a few basic ones to prepare.
Set up basic configuration profiles
We highly recommend considering the certificates, Wi-Fi networks, VPN configurations and Apps that your end-users need. Each of these can be configured in the Library screen of KACE Cloud.
See these sections for information on setting up the various configurations: Managing devices and Configuring and applying Library settings.
Define labels to target devices or users
Labels are a critical link in the management systems in KACE Cloud. They enable you to target devices and users through MDM’s policy management feature. The first step in effective policy management is figuring out how you will be applying the policies and defining the labels accordingly. For information on labels, see Using labels to group similar items.
Define policies
Policy management is at the core of our automated approach to device management. When you define a policy, you select a collection of configurations that you want applied to a particular target (using labels). KACE Cloud will use the inventory process to ensure that those devices are configured and remain compliant with the policies as you’ve defined them.
For detailed information on setting up policies, see Using policies to manage device configurations.
4. Prepare for roll-out
Now that you have your configurations and policies defined, you can begin testing the various scenarios that your end users may experience and adjust the settings until you are comfortable with the process.
As you test, you need to develop a communication plan for your end users. Here are some things to consider:
- Do you want to roll out the product to all users at once or take a phased approach?
- What types of devices do you support?
- Do you want to handle the roll-out of mobile and desktop OSes separately?
- Do you have an internal web site where you can publish help information?
- Do you have a help desk system that you want to configure for end-user enrollment issues?
- Do you have company-owned devices that are used as personal devices by end users?
5. Review additional considerations
Here are some additional items to consider that can make life a little easier:
- Consider using the LDAP Sync utility to synchronize user accounts and attributes from an on-premises Active Directory domain. This is helpful for getting accounts into the system before users log in for the first time. It can also synchronize user attributes as custom fields that can be used in smart labels and as configuration variables. The utility can be downloaded from the main Settings page in KACE Cloud.
- For Apple iOS apps, purchase the licenses (even for free apps) through the Apps and Content section of Apple Business Manager to enable silent deployment of the apps to the devices without the need for an Apple ID. While importing from the App Store in the Library is a great way to get started, users get prompted to install the app and are required to sign in with an Apple ID on the device. Purchasing the apps through ABM and syncing them with MDM results in more apps being deployed successfully.
- Use the Pre-enroll Devices option to preconfigure discovered devices and devices that are not yet enrolled. Change the filter on the Devices tab to show Discovered devices, then assign labels or users to the devices so they get the right policies as soon as they enroll.