Device Enrolment via Group Policy

This page contains screenshots from Disco ICT v1 and will be updated shortly.

This guide can be used to trigger Disco Device Enrolment. This may assist organisations who are migrating to Disco, or be required to enforce Device Profile configuration changes, or deploy new Device Certificates.

This document is intended to provide a basic guide only - each environment will be different and the reader may choose to implement certain details differently or in accordance with existing policies.

1. Acquire the Disco Client Bootstrapper from the Enrolment Configuration page.

2. Create or use an existing Network Share to host the Disco Client Bootstrapper.

As these devices will already be connected to the network when the bootstrapper runs, it is not necessary to include any certificates or wireless profiles for the bootstrapper to use.

As shown here, you may choose to use the NETLOGON share mirrored by all Domain Controllers which may provide a basic form of load-balancing if accessed using the Fully-Qualified Domain Name as the share host.

3a. Within the Group Policy Management console, create a new Group Policy Object.

NOTE: You may use an existing policy; however this does make testing the changes difficult and can negatively impact on existing clients.
In this guide, the policy will be named 'Disco - Device Enrolment'.

3b

4. Edit the policy, and browse to:

  • Computer Configuration
  • Preferences
  • Control Panel Settings

Right-click:
Scheduled Tasks

Select:
New > Immediate Task (Windows Vista and later)

For more information on Group Policy Scheduled Immediate Tasks see:
http://technet.microsoft.com/en-us/library/dd851779

5. Enter the Task Details

Name:
Disco Bootstrapper - {Timestamp}
For example: Disco Bootstrapper - 20120713

Security User Account:
NT Authority\System

Tick: Run with highest privileges

6. Enter the Task Action

Choose the Actions Tab.

Add a new Action, and enter the full network path to the Disco Client Bootstrapper.

For example:
\\{Fully-Qualified-Domain-Name}\NETLOGON\DiscoBootstrapper\Disco.ClientBootstrapper.exe

7. Set the Task Common Options

Choose the Common Tab.

Tick: Apply once and do not reapply.

Choosing this option instructs Group Policy only to apply this setting (read: run the Disco Client Bootstrapper) once.

Note: Because of this setting, the Bootstrapper will not re-run if it fails. Workarounds for this scenario are beyond the scope of this guide; however, the reader might want to investigate installing the Bootstrapper rather than simply running it, which will cause the Bootstrapper to run on the next reboot, and on each subsequent reboot until it is successful. Alternatively, additional Scheduled Tasks can be created at a later date to re-trigger the Device Enrolment.

Click OK

8. Verify Task Conditions

Set the Task's Idle and Power conditions in accordance with any existing organisation policies.

With notebooks in mind, take special notice of the Power option:
Start the task only if the computer is on AC power

9. Apply the Policy to the appropriate Active Directory Organizational Unit/s

Close the Group Policy Management Editor once all changes have been made.

Within the Group Policy Management console, drag the policy from Group Policy Objects onto the relevant Organizational Units.

It is often advisable to create a test Organizational Unit first, and then (after confirming all settings are applied correctly) a larger scale rollout can be attempted.
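
Because the task in steps 5 and 6 runs the bootstrapper from a network share as NT Authority\System, any account that can write to that file or its folder can run code as SYSTEM on every targeted device. The PowerShell check below is an added example, not part of Disco ICT or the original guide; the function name Test-BootstrapperShare, the trusted-SID list and the sample domain name are assumptions to adapt.

```powershell
# Added example: who can modify the binary the GPO task runs as SYSTEM?
function Test-BootstrapperShare {
    param(
        [Parameter(Mandatory)] [string] $ExePath,
        # Principals expected to hold write access (assumption; adjust to local policy).
        [string[]] $TrustedSidPatterns = @(
            '^S-1-5-18$',          # NT AUTHORITY\SYSTEM
            '^S-1-5-32-544$',      # BUILTIN\Administrators
            '^S-1-3-0$',           # CREATOR OWNER
            '^S-1-5-21-.*-512$',   # Domain Admins
            '^S-1-5-21-.*-519$'    # Enterprise Admins
        )
    )
    # Rights that allow replacing or altering the file, plus raw GENERIC_ALL / GENERIC_WRITE bits.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

    # Check both the executable and its parent folder (a writable folder allows replacement).
    $findings = foreach ($target in @($ExePath, (Split-Path -Path $ExePath -Parent))) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }   # unresolvable account: report as-is
            if (-not ($TrustedSidPatterns | Where-Object { $sid -match $_ })) {
                [pscustomobject]@{
                    Path     = $target
                    Identity = $ace.IdentityReference.Value
                    Sid      = $sid
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
    [pscustomobject]@{
        Sha256            = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash
        SignatureStatus   = (Get-AuthenticodeSignature -LiteralPath $ExePath).Status
        UnexpectedWriters = @($findings)
    }
}

# Constructed sample domain name; substitute the real Fully-Qualified Domain Name from step 6.
$fqdn   = 'corp.example.internal'
$report = Test-BootstrapperShare -ExePath "\\$fqdn\NETLOGON\DiscoBootstrapper\Disco.ClientBootstrapper.exe"
$report | Format-List Sha256, SignatureStatus
$report.UnexpectedWriters | Format-Table -AutoSize
```

This inspects NTFS permissions only; share-level permissions are set separately on the server hosting the share. Compare the reported SHA-256 with the copy acquired in step 1 before linking the policy to an Organizational Unit.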