This article is part of a series (links below). I would recommend reading the articles in order, starting with “Greenfield Opportunity”, which provides the required framing.

Within this article, I will highlight our proposed Device-as-a-Service (endpoint) architecture, describing our philosophy, key technology decisions, and positioning.

Introduction

As described in the article “Modern IT Ecosystem”, we plan to implement a Zero Trust security model, where we localise and isolate threats through microcore, segmentation, and deep visibility.

This model also extends to the endpoints (e.g. desktops, laptops, tablets, smartphones), which we will treat as a commodity (untrusted). To enable this outcome, our security controls will be layered throughout our end-to-end ecosystem, with solutions being secure by design (secured at the source), whilst complemented by a robust Identity Access Management architecture and a clear “least privilege access” strategy.

As a result, our endpoint architecture can prioritise productivity, delivering a “consumer-like” experience.

For example, it is very common for enterprise endpoints to be laboured with third-party security software, likely running multiple agents. These agents continuously consume system resources (processor and memory), as well as often require kernel-level access, which (ironically) opens a high-risk attack vector.

As an alternative, we plan to leverage the native capabilities of the specific device (no third-party agents), looking to embrace the inbuilt security mechanisms and controls. Not only does this dramatically simplify the architecture, but it also improves the end-user experience, making it comparable to a consumer purchase from Dell, Apple, etc.

This approach supports our goal of making our ecosystem device-agnostic, where any endpoint (e.g. Windows, macOS, Linux, ChromeOS, iOS, Android) can be consumed with minimum effort. We feel this is an important architecture tenant, enabling the rapid growth of connected devices (e.g. Sensors) and new forms of Human-Computer Interaction (e.g. Mixed Reality Headsets).

Considering our security model and device-agnostic strategy, you might assume that we would be targeting “Bring Your Own Device (BYOD)”. Over the past decade, BYOD has become a popular trend, however, the true value is often reduced/lost due to the inherent complexities regarding security, privacy, and local law. As a result, many respected analysts have rebranded BYOD as “Bring Your Own Disaster”.

Therefore, we have decided to target a “Choose Your Own Device (CYOD)” strategy, where the enterprise retains ownership of the device itself (clear separation between personal and business), but still provides flexibility for employees to personalise their experience.

Device-as-a-Service

As previously stated, we see the endpoint as a commodity. As a result, we plan to treat the processes (e.g. provisioning, lifecycle, break-fix) supporting the endpoint “as-a-Service”. The “as-a-Service” paradigm is well established within software (e.g. SaaS, Public Cloud), but is more complex when physical hardware is involved.

Thankfully, the major personal computer providers (e.g. Dell, Lenovo) all offer Device-as-a-Service and/or PC-as-a-Service capabilities, where they aim to combine hardware, software, lifecycle, break-fix, and financing in one all-encompassing service.

In this scenario, we simply provide our required specification (e.g. hardware, software) and configuration (e.g. settings, policies), with all other logistics being managed by the personal computer provider. The high-level diagram below outlines the process.

Device-as-a-Service

A key enabler of this process is the ability to configure the builds at the point of use. Historically, enterprise businesses would have to create and maintain a build (image), which would include a specific version of the operating system, as well as all base drivers, configuration and software. The provisioning and maintenance of this build (or builds) could be frustratingly complex, as well as resource-intensive and time-consuming.

With Windows 10, Microsoft introduced a new capability known as Windows AutoPilot, which removes the need to manage a traditional build, allowing devices to be automatically configured upon delivery.

Windows AutoPilot

Windows Autopilot is a capability that can be used to pre-configure, provision, repurpose and recover devices. It was designed to simplify the end-to-end device lifecycle management process and can be leveraged by certified personal computer providers.

Windows Autopilot uses an OEM-optimised version of Windows 10, which comes pre-installed on the device. This removes the need for the enterprise to create and maintain a custom build (image).

At the point of deployment, instead of re-imaging the device, the OEM-optimised version of Windows 10 is transformed into a “business-ready” state. This includes the required configuration (e.g. settings, policies) and software (e.g. Office 365, Chrome).

Post-deployment, Windows Autopilot can be used to re-purpose the device by leveraging “Windows Autopilot Reset” or to support break-fix events.

As the name suggests, Windows AutoPilot is a Windows-only feature (targeting Windows 10). Recognising our greenfield opportunity, we anticipate that 98% of our endpoints will be running Windows 10, with the remaining devices using a combination of macOS (1%) and Linux (1%).

Microsoft Intune, SCCM and JAMF

Microsoft Intune is a unified endpoint management solution, covering Windows, macOS, iOS and Android. Intune will be our primary endpoint management solution, used to automate provisioning, policy management, application delivery, and updates.

Unfortunately, Intune is not yet feature-complete, especially when targeting legacy operating systems, as well as macOS and Linux. To ensure end-to-end compatibility, Microsoft System Center Configuration Manager (SCCM) and JAMF Pro will be utilised to compliment Intune.

Across our ecosystem, the use of SCCM and JAMF should be very limited (less than 5%). As Intune matures, we hope to reduce our reliance on SCCM and JAMF.

Hardware Architecture

As previously stated, we are targeting a “Choose Your Own Device (CYOD)” strategy, partnering with Dell for Device-as-a-Service.

To support the deployment, we have defined a set of user personas (e.g. Office, Sales Representative, etc.) Each persona has been assigned default hardware; however, employees will have the option to update their hardware selection to better support their business requirements.

Initially, we have positioned the following hardware, which will obviously evolve overtime:

Business Laptop

  • Dell Latitude 5400
  • 14” 1920x1080 Non-Touch Display
  • 1.6GHz 4-Core Intel Core i5-8365U (Turbo 4.1GHz)
  • 16GB DDR4 RAM
  • 256GB M.2 PCIe NVMe SSD
  • Intel UHD Graphics 620
  • Intel Dual Band (802.11ac) Wireless + Bluetooth 5.0
  • TPM 2.0 + Windows Hello

2-in-1 Laptop

  • Dell Latitude 7400
  • 12.3”/14” 1920x1280/1920x1080 Touch Display
  • 1.6GHz 4-Core Intel Core i5-8365U (Turbo 4.1GHz)
  • 16GB DDR4 RAM
  • 256GB/512GB M.2 PCIe NVMe SSD
  • Intel UHD Graphics 620
  • Intel Dual Band (802.11ac) Wireless + Bluetooth 5.0
  • TPM 2.0 + Windows Hello

High-Performance Laptop

  • Dell Precision 5540
  • 15” 1920x1080 100% sRGB Non-Touch Display
  • 2.6GHz 6-Core Intel Core i7-9850H (Turbo 4.6GHz)
  • 32GB DDR4 RAM
  • 512GB M.2 PCIe NVMe SSD
  • Intel UHD Graphics 630
  • NVIDIA Quadro T1000 4GB GDDR5 (ISV Certified)
  • Intel Dual Band (802.11ac) Wireless + Bluetooth 5.0
  • TPM 2.0 + Windows Hello

Apple Mac

  • Apple MacBook Pro
  • 13” 2560×1600 P3 Colour Space Non-Touch Display
  • 2.4GHz 4-Core Intel Core i5-8279U (Turbo 4.1GHz)
  • 16GB DDR4 RAM
  • 256GB NVMe SSD
  • Intel Iris Plus Graphics 655
  • 802.11ac Wireless + Bluetooth 5.0
  • Apple T2 + Touch ID

All devices come with a minimum 1920x1080 resolution display, 16GB RAM, NVMe SSD, as well as hardware security and biometric authentication. This provides a very strong foundation, delivering performance, sustainability, and security across the entire range. The High-Performance laptop also includes ISV certified graphics (NVIDIA Quadro T1000), providing support for specialist workloads.

Alongside the laptop range, we also plan to offer two desktop computers (Dell Optiplex 3070 micro and Precision Workstation 3431). The use of desktop computers will be limited, but still a requirement within R&D and Manufacturing. The Precision Workstation 3431 comes equipped with a Xeon Processor, ECC RAM and NVIDIA Quadro Graphics (ISV Certified), making it a very versatile computer, that can support the most demanding workloads.

Finally, regarding mobility, we have positioned the Apple iPhone and Apple iPad Air. At this time, we do not plan to position Google Android as a standard offering, however, this might change as we become more confident in our processes.

Software Architecture

Supported by our E5 licensing from Microsoft, as well as our security approach, we plan to leverage the native capabilities of the specific device (no third-party agents). As a result, our initial client software configuration is incredibly simple.

Windows Desktop/Laptop

Apple Mac

With Microsoft releasing two major operating systems updates per year, we plan to remain one version (six months) behind the current build (e.g. 1903 vs. 19.09). This ensures we remain current but protected against unforeseen bugs via a short stabilisation period. The same philosophy will be applied to macOS, waiting for the release of 10.x.1.

The majority of our applications and services will be cloud-hosted (SaaS, Public Cloud), accessible over the Internet, via a browser or an API. We have positioned Google Chrome as our default browser, complimented by Microsoft Edge (Chromium Edition). Any traditional application that requires installation can be downloaded via the web or through Intune.

Only specialised applications running in the Colocation Data Centre will require direct network connectivity from a local site or client VPN (e.g. Palo Alto Networks Prisma Access).

Conclusion

In conclusion, we are incredibly excited by the prospect of being able to deliver an endpoint architecture that prioritises productivity and user experience, whilst maintaining our high standards regarding Information Security, Privacy and Quality. When combined with modern “self-service” processes for provisioning, lifecycle, and break-fix, we are confident this architecture will help enable our vision of a modern IT ecosystem.