Microsoft patents a way to secure devices shipped to remote workers

Microsoft has filed a patent application for a method of locking ownership of a device to a specific user or organization at the point of manufacture, and then shipping the device directly to the end user without requiring any additional configuration by the IT administrator. The patent, titled “Secure Device Deployment”, aims to address the security and efficiency challenges posed by the increasing trend of work-at-home or teleworking scenarios, where devices such as computers or mobile devices need to be delivered to remote locations and enrolled into an organization’s network.

According to the patent application, the method involves providing information to the original equipment manufacturer (OEM) during the ordering process that can be used to lock the device to a particular user identity and an identity provider. The identity provider can be a service that can validate the user identity upon powering on of the device, such as an identity and access management (IAM) service, a commercial email provider, or a college email system. The information can be stored as an ownership marker on the device, such as storing it to the firmware of the device. The device can then be shipped directly to the end user without requiring any intermediate steps by the organization or the IT administrator.

The patent application states that this method can prevent the potential security risk of having devices that are automatically provisioned with software, configuration settings, and policies upon powering on at the end point, as shipments can often be misdelivered, stolen, or otherwise lost. In such cases, the device may end up in the hands of a malicious actor, who can potentially gain access to the organization’s network based on the automatic provisioning of policies and settings. To avoid this, the device can be maintained in a “bricked” state, where the device only accepts a user identity input, and other operating system operations are restricted, until a validation ticket is received from the identity provider. Thus, the device can be automatically secured without requiring the IT administrator to take any proactive steps to mark the device as stolen or lost.

The patent application also states that this method can improve the efficiency of device deployment, as the device can be shipped directly from the OEM to the end user without requiring any additional involvement by the organization or the IT administrator. This can reduce the downtime before the end user receives the device, as the device does not need to be preconfigured by the IT administrator in order to ensure that the device is locked to the particular end user. Furthermore, the device can be automatically configured according to a deployment profile that may be stored on an IAM service or on the device itself, such that the device can perform any necessary setup procedures according to the deployment profile or configuration profile. The deployment profile can specify various settings for the device, such as mobile device management policy settings, default languages, keyboard settings, personal assistant settings, and device management policies.

The patent application also provides some example use scenarios for the method, such as providing a device to a new employee at a remote location, or providing a device to an individual customer, such as a parent purchasing a laptop for a child who is away at college. In both cases, the device can be locked to a user identity and an identity provider during the purchasing process, and then shipped directly to the end user. Upon validation of the user identity by the identity provider, the device can be automatically configured according to a deployment profile that may be customized for the user or the device.