Device Enrolment via Group Policy
This page contains screenshots from Disco ICT v1 and will be updated shortly.
This guide can be used to trigger Disco Device Enrolment. This may assist organisations who are migrating to Disco, or be required to enforce Device Profile configuration changes, or deploy new Device Certificates.
This document is intended to provide a basic guide only - each environment will be different and the reader may choose to implement certain details differently or in accordance with existing policies.
Acquire the Disco Client Bootstrapper from the Enrolment Configuration page.
Create or use an existing Network Share to host the Disco Client Bootstrapper.
As these devices will already be connected to the network when the bootstrapper runs, it is not necessary to include any certificates or wireless profiles for the bootstrapper to use.
As shown here, you may choose to use the NETLOGON share mirrored by all Domain Controllers which may provide a basic form of load-balancing if accessed using the Fully-Qualified Domain Name as the share host.
Within the Group Policy Management console, create a new Group Policy Object.
NOTE: You may use an existing policy; however this
does make testing the changes difficult and can negatively impact
on existing clients.
Edit the policy, and browse to:
For more information on Group Policy Scheduled
Immediate Tasks see:
Enter the Task Details
Security User Account:
Tick: Run with highest privileges
Enter the Task Action
Choose the Actions Tab.
Add a new Action, and enter the full network path to the Disco Client Bootstrapper.
Set the Task Common Options
Choose the Common Tab.
Tick: Apply once and do not reapply.
Choosing this option instructs Group Policy only to apply this setting (read: run the Disco Client Bootstrapper) once.
Note: If the Bootstrapper fails, due to this setting it will not re-run. Workarounds to this scenario are beyond the scope of this guide, however the reader might want to investigate installing the Bootstrapper rather than simply running it - this will cause the Bootstrapper to run on the next reboot, and each subsequent reboot until it is successful. Alternatively, additional Scheduled Tasks can also be created at a later date to re-trigger the Device Enrolment.
Verify Task Conditions
Set the Task's Idle and Power conditions in accordance with any existing organisation policies.
With notebooks in mind, take special notice of the
Apply the Policy to the appropriate Active Directory Organization Unit/s
Close the Group Policy Management Editor once all changes have been made.
Within the Group Policy Management console, drag the policy from Group Policy Objects onto the relevant Organization Units.
It is often advisable to create a test Organization Unit first, and then (after confirming all settings are applied correctly) a larger scale rollout can be attempted.