The fantasy of zero-touch, and the reality
If you have ever shipped a fresh MacBook to a new hire in Phoenix, watched them open the box, and stood by while Apple Business Manager handed the device cleanly to your Jamf or Kandji tenant, FileVault-encrypted before the coffee was cold, then congratulations. You have seen zero-touch provisioning work the way the marketing promised. It feels like the future arriving on schedule.
The other 60% of the time, it does not work the first try. Welcome to deploying remote IT in 2026.
What zero-touch actually looks like in practice
The three big stories, all real, all imperfect:
- Apple Business Manager + Jamf or Kandji. The most polished of the bunch. If your reseller is enrolled in ABM and serial numbers flow correctly, it is genuinely close to magic. The failure modes are usually upstream: a serial number that never flowed, a reseller who shipped before pushing, or a user who clicked "set up for personal" before signing in.
- Windows Autopilot with Microsoft Intune. The story is good. The reality is one driver mismatch away from a one-hour rebuild. Pre-provisioned Autopilot helps. Dell, HP, and Lenovo all ship Autopilot-registered devices direct to users. Test each OEM separately, do not assume.
- Google Zero-Touch for ChromeOS and Android. The cleanest of the three, for what it covers. The catch is that it covers what it covers. Great for Chromebook fleets, irrelevant for everything else.
If your IT lead has been doing this for a while, ask them about the time a zero-touch device showed up at a user's house and refused to enroll because the OEM had drop-shipped it before registering the serial number with Autopilot. The fix involves a phone call with the user, screen-share permission, a hardware-hash export, and a quiet apology. This happens more often than vendors will tell you.
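The hardware-hash export mentioned above, as an added PowerShell example that is not part of the original post or of any vendor's tooling: it reads the Autopilot hardware hash from the MDM bridge WMI class and writes the three-column CSV that the Intune Autopilot device import accepts. The output path is an assumption; change it to suit.

```powershell
# Added example (not from the original post): export this device's Autopilot
# hardware hash in the CSV layout Intune's Autopilot import expects.
# Run from an elevated prompt on the device (in OOBE, Shift+F10 opens one).
param(
    # Assumed output location; adjust as needed.
    [string]$OutputFile = "$env:USERPROFILE\Desktop\AutopilotHWID.csv"
)

$ErrorActionPreference = 'Stop'

# The hash is only readable with administrative rights; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Serial number as the OEM burned it into firmware; this is the value that
# should already have been registered with Autopilot before drop-shipping.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# The hardware hash is exposed by the MDM bridge WMI provider.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext'
$hash = $devDetail.DeviceHardwareData
if ([string]::IsNullOrWhiteSpace($hash)) {
    throw 'No hardware hash returned; the MDM bridge provider is unavailable on this build.'
}

# Intune's import template has three columns; Windows Product ID may be left blank.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
}

# The import expects unquoted fields, so strip the quotes ConvertTo-Csv adds.
$row |
    ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutputFile -Encoding ascii

Write-Host "Hardware hash for serial $serial written to $OutputFile"
```

Upload the resulting file under Devices, Windows enrollment, Devices, Import in Intune; the device then has to be reset or rebooted into OOBE before the Autopilot profile applies.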
Build the deployment around the day you cannot be there
Remote-first deployment is mostly a discipline problem. The order that works:
- Pick one MDM and commit. Intune for Microsoft-heavy shops, Jamf or Kandji for Apple-heavy shops, but pick one. Running two MDMs because someone wanted a Mac is how you end up with policies that drift in opposite directions.
- Push every device through the MDM before the user touches it. Even if zero-touch is configured, a five-minute pre-stage at the reseller or in your office prevents the bad day. Many resellers (CDW, Insight, regional Dell partners) will do this for a small fee. Pay it.
- Encrypt by default. BitLocker on Windows, FileVault on Mac, enforced through MDM, with recovery keys escrowed somewhere you can actually find them at 11 p.m. when a laptop is locked out.
- Phishing-resistant MFA on identity, day one. Microsoft Entra ID Conditional Access or Okta with FIDO2 keys for admins. SMS codes are not MFA, they are 2007 cosplay.
- Ship a spare. Keep one pre-provisioned spare laptop per ten users on the shelf. When a hard drive dies in Toledo, overnighting an already-enrolled replacement beats trying to ship-and-provision under pressure.
The boring stuff that actually saves you
Two more things people skip:
- Documented offboarding. The day someone leaves, you need a checklist that covers MDM lock, identity revocation, return shipping label, and data preservation. If this lives in someone's head, it does not exist.
- A real return-shipping process. Most companies under 100 people do not have one. They should. Prepaid, Pelican-ready shipping kits that go out with the laptop sound excessive until you spend three weeks chasing a former employee for a $1,800 ThinkPad.
None of this is exciting. None of it pitches well at a board meeting. It is also the difference between a remote workforce that runs quietly and one that consumes IT's calendar with one-off provisioning fires every week.
If you are standing up a remote-first IT operation or cleaning one up, Syncritech does this kind of MDM and provisioning work for SMBs in our region.