Channel: Blog - CoreBlox

Self-Provisioning In a Remote World


Our lives have been changed by the challenges we face due to the COVID-19 coronavirus. Long-standing corporate procedures must adapt to these new rules through enhanced technical solutions and changes to processes and policy. Now that new groups of employees are working remotely, the methods that historically enabled these former on-premises employees must change. Companies no longer have an easy way to provide centralized services for provisioning personal computers, standardized images, or account registration. Small to midsize companies are looking at ways to allow employees to self-provision without requiring IT to deploy a standard image, set up the machine, and then either ship it to the end user or require personal pick-up of the device.

Self-provisioning has multiple meanings. From self-service identity registration to provisioning of development infrastructure, the key is that you are putting power and control in the hands of the users. Historically, terms like provisioning have been tied to management of user identities, but this now needs to be extended to all the tools used by employees based upon job function. The processes for enabling users to perform these tasks need to be put in place to not only automate self-service provisioning, but also to securely expose these services to the public internet.

Companies like Microsoft and VMware have solutions that allow organizations to remotely deliver standardized installation and configuration of remote devices. Depending on the tool, different capabilities are available for off-network provisioning of computers and laptops, but the key is to allow employees to acquire their own devices and to automate the process of configuring those devices with the corporate standardized software and configuration. Cloud-based management allows organizations to configure devices remotely, including remote updates, installation of corporate applications, and configuration of security policies for employee-procured devices.


However, Identity and Access Management (IAM) services need to be in place to support these self-provisioning processes. This includes handling the initial identification of the user, creation and provisioning of user accounts, and securing access to the provisioning systems themselves, since they are now reachable from the public internet. These systems can be integrated with solutions that secure authentication with technologies like multi-factor authentication (MFA) and single sign-on (SSO).


The following diagram highlights a sample workflow:

Self-Service Workflow
  1. The user acquires a device from a local store (e.g. the Apple Store or Best Buy).

  2. The user enrolls through a public-facing site based upon a secure set of factors known only to the user (for example, a one-time enrollment code delivered out of band). Enrollment includes things like creation of a password, setting profile data, and management of other security data.

  3. The user is associated with the defined network identity configured for that user (typically in the HR system). That identity is then provisioned into the corporate user repositories. Roles automatically assigned to the user control provisioning targets and infrastructure access. Federated Identity solutions can be leveraged to create a centralized global profile for the users based upon multiple backend repositories. 

  4. Once the identity is created the device is enrolled for MFA, prompting the user to create MFA credentials if they do not already exist. MFA is critical for ensuring that access to the provisioning solution is secure.

  5. After the user is fully enrolled and their accounts have been created, the device is configured by the provisioning solution. This includes any required software and updates defined by the corporate standards.
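The five steps above can be exercised end to end as one small program. The following is an added example, not code from the original post or from any vendor product it mentions; the HR record, the role-to-target mapping, the employee ID "e1001", the enrollment secret and the device ID are all constructed for illustration. It models step 2 as a single-use, time-limited enrollment secret checked with a constant-time compare and a per-ID attempt limit (so the public endpoint cannot be used to enumerate employee IDs), step 3 as role assignment from the HR job function, step 4 as RFC 6238 TOTP enrollment, and step 5 as a device configuration that is only released once MFA has been proven.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the HR record that exists before the hire enrolls.
# secret_hash is SHA-256 of an enrollment secret delivered out of band (the
# "factors known only to the user"); it is single-use and time-limited.
@dataclass
class HRRecord:
    employee_id: str
    job_function: str
    secret_hash: bytes
    expires_at: float
    used: bool = False

# Hypothetical mapping from role to provisioning targets (the post says roles
# control targets and infrastructure access, not which ones).
ROLE_TARGETS: Dict[str, List[str]] = {
    "developer": ["directory", "vpn", "git", "ci"],
    "sales": ["directory", "vpn", "crm"],
}

@dataclass
class Identity:
    employee_id: str
    roles: List[str]
    targets: List[str]
    password_hash: bytes
    salt: bytes
    totp_secret: Optional[bytes] = None
    mfa_verified: bool = False

MAX_ATTEMPTS = 5
_attempts: Dict[str, int] = {}

def enroll(hr: Dict[str, HRRecord], employee_id: str, secret: str, password: str) -> Identity:
    """Steps 2 and 3: check the user-only factors against HR, then create the identity."""
    # Count every attempt, including unknown IDs, and return the same error in
    # every failure case so the public endpoint does not reveal which IDs exist.
    _attempts[employee_id] = _attempts.get(employee_id, 0) + 1
    if _attempts[employee_id] > MAX_ATTEMPTS:
        raise PermissionError("too many enrollment attempts")
    rec = hr.get(employee_id)
    presented = hashlib.sha256(secret.encode()).digest()
    if (rec is None or rec.used or time.time() > rec.expires_at
            or not hmac.compare_digest(rec.secret_hash, presented)):
        raise PermissionError("enrollment refused")
    if len(password) < 12:
        raise ValueError("password must be at least 12 characters")
    rec.used = True  # the enrollment secret cannot be replayed
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    roles = [rec.job_function]
    targets = sorted({t for r in roles for t in ROLE_TARGETS.get(r, [])})
    return Identity(employee_id, roles, targets, pw_hash, salt)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm common authenticator apps run."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def enroll_mfa(identity: Identity) -> str:
    """Step 4: issue a fresh TOTP secret; returns the base32 form the user loads into an app."""
    identity.totp_secret = secrets.token_bytes(20)
    return base64.b32encode(identity.totp_secret).decode()

def verify_mfa(identity: Identity, code: str, at: Optional[float] = None) -> bool:
    """Accept the current 30 s window and one either side to tolerate clock drift."""
    if identity.totp_secret is None:
        return False
    now = time.time() if at is None else at
    ok = any(hmac.compare_digest(totp(identity.totp_secret, now + d * 30), code)
             for d in (-1, 0, 1))
    identity.mfa_verified = identity.mfa_verified or ok
    return ok

def configure_device(identity: Identity, device_id: str) -> dict:
    """Step 5: release the corporate configuration only to an MFA-verified identity."""
    if not identity.mfa_verified:
        raise PermissionError("device configuration requires a verified MFA enrollment")
    return {"device": device_id, "owner": identity.employee_id, "targets": identity.targets,
            "policies": ["disk-encryption", "auto-update", "screen-lock"]}

def sample_hr() -> Dict[str, HRRecord]:
    """Constructed HR data: one new hire whose out-of-band enrollment secret is 'KQ7P-3ZTM'."""
    return {"e1001": HRRecord("e1001", "developer", hashlib.sha256(b"KQ7P-3ZTM").digest(),
                              expires_at=time.time() + 7 * 24 * 3600)}

def run_workflow(hr: Dict[str, HRRecord]) -> dict:
    """The whole sequence: enrollment -> identity -> MFA -> device configuration."""
    ident = enroll(hr, "e1001", "KQ7P-3ZTM", "correct horse battery staple")
    enroll_mfa(ident)
    # The user's authenticator app would produce this code; here it is derived from the same secret.
    if not verify_mfa(ident, totp(ident.totp_secret, time.time())):
        raise PermissionError("MFA verification failed")
    return configure_device(ident, "laptop-7f3a")

if __name__ == "__main__":
    print(run_workflow(sample_hr()))
```

The ordering is the point: the device cannot pull its configuration until the identity both exists in the repositories and has a verified second factor, and the enrollment secret is consumed on first success, so a code that leaks after the hire has enrolled is useless to an attacker. In a real deployment the HR lookup, password storage and TOTP secret storage would live behind the IAM platform rather than in process memory.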

A self-provisioning solution minimizes the need for IT involvement and speeds on-boarding of new users. The solution also simplifies distribution of configuration, corporate applications, and updates without requiring users to come to a central location. Although such a solution has some inherent complexity to implement, once deployed, users working remotely can be easily managed without the overhead of legacy processes. Keep in mind that an internet connection is required for this solution.

