
It End User Device Build Book Template

Uploaded by

Sanders Chacon

End-User Device Build Book Template

Introduction: How to Use Template


The purpose of this document is to define the standard build for supported devices and platforms. It describes the
provisioning packages that can be applied to each supported platform, the management tools and settings that will
be applied by the management tool (e.g. MDM controls or group policy), and the apps that can be downloaded by
each user group.
You can have either one build book that includes all supported devices and platforms or a separate build book for
each device and platform.
To use this template, simply replace the text in dark grey with information customized to your organization. When
complete, delete all introductory or example text and convert all remaining text to black prior to distribution.

Company Logo

End-User Device Build Book

Last revised: MM/DD/YY

Info-Tech Research Group
Contents
Introduction: How to Use Template
Revision History
1 Introduction
1.1 Build Book Owners and Contacts
2 Supported Device Offerings
2.1 Standard Device Models
2.2 User Groups
3 Gold Image Contents
4 Provisioning Packages
4.1 Windows 10
4.1.1 CSPs for All Corporate-Owned Windows 10 Devices
4.1.2 CSPs for BYOD
4.2 Android
4.2.1 Android Managed Configurations
4.3 Chrome OS
4.3.1 Chrome OS
4.4 iOS and iPadOS
4.4.1 Apple Configuration Payload
5 Application Provisioning
5.1 Windows App Offerings
6 Patch and Update Rings

Revision History

Version | Change | Author(s) | Date of Change
1.0 | Initial Draft | |

1 Introduction
This build book provides the standard technical settings for the different end-user device offerings.

1.1 Build Book Owners and Contacts


Team | Primary Contact | Backup Contact | Responsibilities
Desktop Engineering Team Lead | | | Manage Intune, ConfigMgr, Jamf Pro, and other device management tools; maintain the App Store
Hardware Asset Manager | Person 1, [email protected] | Person 2, [email protected] | Maintain record of provisioned hardware and software assets
Service Desk Manager | | | Manage workflows for end-user onboarding, offboarding, and lateral transfers including pipeline handoffs to Asset Management
IT Security Team | | | Define requirements for device management settings

2 Supported Device Offerings


2.1 Standard Device Models
Update this table with your standard device models.

Specification | Mobile Standard | Mac Standard | Mobile Power User
Make & model | Lenovo ThinkPad T15 | MacBook Pro 16” | Lenovo ThinkPad P17
Operating system | Windows 10 Pro 64 | Mac OSX | Windows 10 Pro 64
Display | 15.6” | 16” | 17.3”
Memory | 8 GB | 16 GB | 32 GB
Processor | Intel i5 – 10210U | Intel i7 | Intel i7 – 10750H
Drive | 256 GB SSD | 512 GB SSD | 1 TB SSD
Warranty | 3 years | 1 year + 2 extended | 3 years

2.2 User Groups

[Figure: user groups chart. Top-level groups: Sales; Research, Advisory, Consulting; IT; Corporate Services; Executives. Sub-groups and roles shown include Outside Sales, Inside Sales, Field Reps, Onsite Rep, Research & Advisory, Consulting, Strategy, Infra & Ops, App Dev, Security, IT Strategy, PMO, Technician, Developer, Engineer, HR, Marketing, Finance, Office, Facilities, Executive Services.]

3 Gold Image Contents
A unique gold image is required for each supported Windows 10 make and model that will not be provisioned using
Autopilot. Gold images are not applied to devices that will be provisioned with Microsoft Autopilot. Once all devices
have been migrated from ConfigMgr to Intune and Autopilot, the gold images will be retired.

Image Contents | Mobile Standard User | Mobile Power User
Make and Model | Lenovo ThinkPad P17 | Lenovo ThinkPad P17
OS and Version | Windows 10 Pro 64 21H1 | Windows 10 Pro 64 21H1
Applications | Microsoft Office | Microsoft Office
Configuration Settings | |

4 Provisioning Packages
4.1 Windows 10
List of packages:

Packages: All Sales | All Research | All Corporate Services (Minus Finance) | Finance | IT | Executives

Applications (each package): Word, Excel, PowerPoint, Outlook, OneNote, Teams
Additional applications (listed in one column only): Visio, Publisher
Additional Steps Performed During Setup (each package): Uninstall these vendor apps:
- Lenovo Smile Dock
- Lenovo Idea Notes
- Power2Go
- Other Bloatware

4.1.1 CSPs for All Corporate-Owned Windows 10 Devices
This sample list of CSPs and values is based on the Microsoft Baseline that was published December 2020. It is not exhaustive or complete.
Review the recommendations within the Microsoft Baseline, the checklists referenced by NIST in the National Checklist Program, and your own
security requirements to determine which CSPs are right for your build.

CSP Category | CSP | Value | Explanation
App Runtime | Microsoft accounts optional for Windows Store apps | Enabled | Recommended by Microsoft Baseline
App Management | Block app installations with elevated privileges | Enabled | Recommended by Microsoft Baseline
 | Block user control over installations | Enabled |
 | Block game DVR (desktops) | Enabled |
BitLocker | Removable drive policy | AES-CBC 256-bit | Recommended by Microsoft Baseline
Data Protection | Block direct memory access | Enabled | Recommended by Microsoft Baseline
Device Lock | Required password: | Alphanumeric/6-digit pin | Company standard
 | Block simple password | Yes |
File Explorer | Block data execution prevention | Disabled | Recommended by Microsoft Baseline
Firewall | Firewall profile: | Inbound connections blocked; Outbound connections required; Inbound notifications blocked; Firewall enabled | Recommended by Microsoft Baseline
MS Defender | Adobe Reader child processes | Block | More Information
MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Recommended by Microsoft Baseline
Power | Require password/pin on wake | Enabled | Recommended by Microsoft Baseline
Remote Desktop Services | Block password saving | Enabled | Recommended by Microsoft Baseline
Remote Management | Client unencrypted traffic | Disabled | Recommended by Microsoft Baseline
System | System boot start driver initialization | | Recommended by Microsoft Baseline
Wi-Fi | Block automatically connecting to Wi-Fi hotspots | Enabled | Recommended by Microsoft Baseline
 | Block internet sharing | Enabled |
Windows Connection Manager | Block connection to non-domain networks | Disabled |

4.1.2 CSPs for BYOD


These CSPs come from the Microsoft Baseline that was published in December 2020. You must refresh this list of CSPs and values to suit your
requirements, and you must also revisit the list of CSPs that are enforceable on Windows 10 Home Edition. Microsoft may have changed the
CSPs within the baseline and/or CSPs that are enforceable on Windows 10 Home edition.

CSP Category | CSP | Value | Explanation | Enforceable on Win10 Home Edition?
App Runtime | Microsoft accounts optional for Windows Store apps | Enabled | Recommended by Microsoft Baseline | No
App Management | Block app installations with elevated privileges | Enabled | Recommended by Microsoft Baseline | No
 | Block user control over installations | Enabled | |
 | Block game DVR (desktops) | Enabled | |
BitLocker | Removable drive policy | AES-CBC 256-bit | Recommended by Microsoft Baseline | No
Data Protection | Block direct memory access | Enabled | Recommended by Microsoft Baseline | No
Device Lock | Required password: | Alphanumeric/6-digit pin | Company standard | No
 | Block simple password | Yes | |
File Explorer | Block data execution prevention | Disabled | Recommended by Microsoft Baseline | No
Firewall | Firewall profile: | Inbound connections blocked; Outbound connections required; Inbound notifications blocked; Firewall enabled | Recommended by Microsoft Baseline | Yes
MS Defender | Adobe Reader child processes | Block | More Information | Yes
MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Recommended by Microsoft Baseline | No
Power | Require password/pin on wake | Enabled | Recommended by Microsoft Baseline | No
Remote Desktop Services | Block password saving | Enabled | Recommended by Microsoft Baseline | No
Remote Management | Client unencrypted traffic | Disabled | Recommended by Microsoft Baseline | No
System | System boot start driver initialization | | Recommended by Microsoft Baseline | No
Wi-Fi | Block automatically connecting to Wi-Fi hotspots | Disabled | Recommended by Microsoft Baseline | No
 | Block internet sharing | Disabled | |

4.2 Android
Packages: All Sales | All Research | All Corporate Services (Minus Finance) | Finance | IT | Executives

Applications (each package): Outlook, Teams

4.2.1 Android Managed Configurations

Managed Configuration Category | Managed Configuration | Value | Explanation
Google Play | Service Status Managed Google Play | On | Support Google recommended
App Installation | Installation Policy | Force Install | Service Desk control over app installation

4.3 Chrome OS
Package: Hot desks (guest access)

Applications: Chrome, Teams

4.3.1 Chrome OS
Managed Configuration Category | Managed Configuration | Value | Explanation
Google Play | Service Status Managed Google Play | On | Support Google recommended
App Installation | Installation Policy | Force Install | Service Desk control over app installation

4.3.2

4.4 iOS and iPadOS
Packages: All Sales | All Research | All Corporate Services (Minus Finance) | Finance | IT | Executives

Applications (listed in one column only): Outlook, Teams, ITSM mobile app*
Configuration Service Providers (CSPs):

4.4.1 Apple Configuration Payload


Payload Category | Payload | Value | Explanation
Modifying passcode | Allow changing passcode | True | Company standard
Passcode policy | Passcode configuration and standards | Minimum passcode length: 6 | Company standard
Wi-Fi configuration | Wi-Fi settings | Per user choice | Company standard
Lock screen message | Lock screen message | If lost, return to Company Name | Company standard
Block app store | Prevents access to unsupervised app store purchases | True | Company standard
Siri | Block Siri | True | Company standard
Safari pop-ups | Block Safari pop-ups | True | Company standard

*Tablets are specifically used by mobile service desk staff


*Payload best practices for Apple devices

5 Application Provisioning
Legend:
- P – Standard, installed locally by default
- S – Standard, available for download from App Store (based on number of licenses)
- RA – Standard, requires authorization from manager
- U – Unavailable for this group
- * – indicates app that has been packaged through mobile application management (MAM)

5.1 Windows App Offerings

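App | All Sales | All Research | All Corporate Services | Finance | Legal | Developers | IT
Word | P | P | P | P | P | P | P
Excel | | | | | | |
PowerPoint | | | | | | |
Outlook | | | | | | |
OneNote | | | | | | |
Teams | | | | | | |
Visio | RA | S | RA | RA | RA | S | S
Project | U | U | RA | U | U | RA | RA
ERP finance module | U | U | U | S | U | U | U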

6 Patch and Update Rings
Ring | Pilot Ring | Standard #1 | Standard #2 | Standard #3
User Groups | Sales Toronto; Research London; IT | Sales London | Corporate Services (minus Finance) | Finance; Sales APAC
Software update delay | 1 day | 20 days | 30 days | 60 days
Minor OS update delay | 1 day | 20 days | 30 days | 60 days
Major OS update delay | 60 days | 90 days | 120 days | 150 days
Security patch delay | Immediate | 1 day | 2 days | 3 days

__________________________________________________

For acceptable use of this template, refer to Info-Tech's Terms of Use. These documents are intended to supply
general information only, not specific professional or personal advice, and are not intended to be used as a
substitute for any kind of professional advice. Use this document either in whole or in part as a basis and guide for
document creation. To customize this document with corporate marks and titles, simply replace the Info-Tech
information in the Header and Footer fields of this document.
