Initial Setup Tasks for New Organisations

This section covers the initial tasks that need to be done for a new organisation. It covers both mandatory and optional tasks. Please note that not all organisations require the same setup, as the organisations can differ from each other considerably. Certain configuration tasks must be done before provisioning any devices, while others can be done later as needed. For a simple organisation in a BYOD scenario, with no restrictions or company-provided applications, the default service settings can be fine as they are.

The tasks are presented in a rough logical execution order:

1. Organisation units (Optional)
   You may want to define basic user groups, such as technical support and management, as well as office locations. Organisation units help in entering contact information for users, as well as selecting different groups of users for management purposes.
   Instructions: Organisation Units

2. Name policies (Required)
   Name policies define allowed user account and device IDs that are needed for creating new users and devices with custom IDs. Configuring the name policies is not needed if random or name-based IDs are used.
   Instructions: Name Policies

3. Account templates (Required)
   User accounts are created using templates, so you need to define templates before creating any user accounts, including manager accounts.
     • Configure organisation units (optionally associated default contact information)
     • Configure portal UI defaults (language, time zone, etc.)
     • Configure service features (data synchronisation, shared files)
     • Configure permissions (install applications, lock/wipe/locate, change contact info, etc.)
     • Configure file synchronisation quotas
     • Etc.
   Instructions: Account Templates

4. Manager accounts (Optional)
   You typically need to set up additional managers who can administer the organisation. If you have a service desk that handles device provisioning, you may need to set up device installer accounts.
   Instructions: Manager Accounts

5. Certificate authority (Optional)
   A certificate authority is needed for certain security features, such as VPN tunnels and WPA2 WiFi authentication. This enables making such configurations in device templates (see below).
   Instructions: Certificate Authority

6. WSDM Clients and Company Hub (Optional)
   Instead of using the default (system-wide) WSDM client or Company Hub, you may need to set up different ones for your organisation. This is necessary only in rare cases.
   Instructions: Configuring WSDM Clients and Company Hub

7. Managed Google Play (Optional)
   Managed Google Play allows creating a custom Google Play store with a restricted selection of apps. It can be set up for work managed devices, as described in Introduction to Android EMM. This involves registering an "enterprise" in Google Play. It must be set up before configuring device templates to enable it and before any Android devices are provisioned.
   Instructions: Google Play

8. Samsung KNOX (Optional)
   Set up keys and licenses for Samsung KNOX devices. This enables additional functionalities for Samsung devices, but is not needed if standard Android features are sufficient.
   Instructions: Setting up Samsung KNOX

9. Apple VPP (Optional)
   VPP or Volume Purchase Program is an enterprise purchase option for the Apple App Store for apps and other content.
   Instructions: Volume Purchase Programme (VPP)

10. Apple DEP (Optional)
    DEP or Device Enrollment Program is an easy way to enroll iOS devices.
    Instructions: Device Enrollment Program

11. AET configuration (Optional)
    Application enrollment tokens (AETs) are needed for distributing applications to certain Windows phones.
    Instructions: AET Configuration

12. Device groups (Optional)
    Device groups allow filtering and limiting operations and compliance rules to different groups of devices, according to departments, job roles, location, etc. They can be set in device configuration or templates.
    Instructions: Device Groups

13. Compliance rules (Optional)
    Compliance rules allow actively tracking that devices belonging to particular device groups comply with the rules. Different device platforms support different sets of rules, such as whether the device is encrypted or that certain applications are installed or not.
    Instructions: Device Compliance

14. Device templates (Required)
    Once all basic device-related settings are done, define templates for all the types of devices that are to be used in the organisation.
      • Configure device groups
      • Configure synchronisation settings
      • Configure restriction and device policies
      • Configure the lock screen
      • Configure kiosk devices
      • Configure connectivity to company WiFi/WLAN networks and VPNs, as well as roaming
      • Configure password policies and device encryption
      • Configure location services, monitoring, and geofencing
      • Configure Managed Google Play (an "enterprise" must have been registered as mentioned above). See Setting Up Managed Google Play.
      • For Android work managed devices, you need to configure which default applications to enable (see Enabling Hidden Applications in Android)
      • Etc.
    Instructions: Device Templates

15. LDAP or Active Directory (Optional)
    Set up connectivity to LDAP or Active Directory.
    Instructions: LDAP and Active Directory Integration

16. Import existing users and devices (Optional)
    If you have existing users and devices, you may choose to batch-import them.
    Instructions: Import Accounts

17. Enable self-service setup (Optional)
    You can allow users to register themselves and their devices in the service.
    Instructions: Setting up Self-Service Setup for Device Owners

If the organisation is following a BYOD policy with many different kinds of devices, you probably need to configure all device types. With a more limited policy with only company-issued devices, you only need to configure those devices.