ZeroTouch – One tool to rule them all?

There has been a lot of excitement around ZeroTouch.ai and after looking at it previously for my post comparing package managers, I was lucky enough to be onboarded so I can now check out what else it has to offer.

One thing to note: ZeroTouch can run as a self-contained multi-platform MDM in its own right. Whilst that's really cool, I'm an Intune person and you are no doubt here for Intune posts, so I'm going to concentrate on using it as an Intune companion.

If you’re more of a video person, check out the many excellent videos from Steve Weiner here:

https://www.youtube.com/@getrubix

Onboarding

The initial onboarding was a little clunky, needing app registrations for SSO and configuration to be created manually and the details then passed over to be configured on the back-end. I'm told this is something which is being actively worked on, but at present you'll need a good 30-60 minutes to get yourself up and running (and a decent understanding of Entra app registrations). As it uses a custom domain (for example, mine is andrewslab.zerotouch.ai), you also need to verify the domain within Entra.

Supported Devices

This platform supports everything (except Linux, which sadly gets little love anywhere). This includes configuration and applications (if you link ABM, it will even handle macOS application deployment).

If you’re running as a full MDM, this also includes Apple Watch should that be of interest.

App Deployment

I've covered this extensively in the app packaging post, but the app deployment is as impressive as any of the front-runners in the field. You have the option of deploying to Intune, or using the agent on the device to deploy directly (it includes a self-service portal).

Updates are handled natively and the app catalog is massive, including apps packaged by ZeroTouch directly and soon to include Winget, Chocolatey (including private repo) and MS Store.

If that’s not enough you can add your own custom applications, including those pesky multi-file ones.

App editing is done in real time: right-click on an Intune app and you can edit anything on the spot.

Did I mention it also includes importing of existing Intune applications? Yep, it will update those as well.

Navigating to Software Tracking will report all apps across the estate, as well as any which require updating.

Flow

I know this is Steve's favourite feature (I'm covering mine later on). One of the major drawbacks of Intune is the inability to order app deployment, so you're stuck relying on dependencies, or some very crafty work with the GUIDs.

Using the Flow functionality, you build your own ESPs using ZeroTouch. In Intune, create a very simple ESP which deploys the agent and nothing else. This is the one occasion where it's recommended to use MSI Line of Business as well, to get the agent onto the machine earlier in the process.

Once the agent is on, it takes over, installing the apps requested (Intune or native) in the order requested. It's not just apps either, oh no: this can push policies and scripts as well. Do you want to push Windows and driver updates prior to user login? Yep, not an issue.

Machine restarts aren’t an issue, it will take over until everything is finished.
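The Intune side of the Flow setup above, as an added example that is not from the post or from ZeroTouch: a minimal Enrollment Status Page that tracks only the agent app, so that Flow can take over ordering once the agent is installed. It assumes the Microsoft.Graph PowerShell SDK, that the agent has already been uploaded as an MSI Line of Business app, and that the property names follow the Graph beta windows10EnrollmentCompletionPageConfiguration resource; the app ID and group ID are placeholders.

```powershell
# Added example: create an Intune ESP that tracks only the ZeroTouch agent.
# Requires the Microsoft.Graph SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome

# Placeholders: replace with the Intune app ID of the agent (MSI LOB app)
# and the Entra group ID your Autopilot devices belong to.
$agentAppId       = '00000000-0000-0000-0000-000000000000'
$autopilotGroupId = '11111111-1111-1111-1111-111111111111'

# Only the agent is listed in selectedMobileAppIds, so the ESP waits for
# nothing else; every other app is then installed by Flow, in order.
$esp = @{
    '@odata.type'                        = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
    displayName                          = 'ESP - ZeroTouch agent only'
    description                          = 'Tracks only the agent; ZeroTouch Flow installs everything else'
    showInstallationProgress             = $true
    installProgressTimeoutInMinutes      = 60
    allowLogCollectionOnInstallFailure   = $true
    allowDeviceResetOnInstallFailure     = $false
    allowDeviceUseOnInstallFailure       = $false
    trackInstallProgressForAutopilotOnly = $true
    selectedMobileAppIds                 = @($agentAppId)
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations' `
    -Body ($esp | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the new ESP to the Autopilot device group.
$assignment = @{
    enrollmentConfigurationAssignments = @(
        @{ target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $autopilotGroupId
        } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Write-Host "Created ESP '$($created.displayName)' with id $($created.id)"
```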

It also looks funky!

Device Monitoring

Thanks to the agent sitting on the device, you have real-time access to pretty much everything. We will start with the monitoring and then move on to the really great bits.

Clicking on a device will show its status, location, IP address and encryption status. Then you have tabs covering app installs, update status (including drivers), update history, and even Task Manager as at the last check-in.

Your service desk can literally grab everything they need from here for the ultimate remote troubleshooting.

Even the picture at the top seems to try and match the device!

Real-Time Access

This leads on to, hands down, my favourite part: the information is not read-only reporting. This tool WILL replace your RMM; you can check what's wrong with a device and then repair it remotely.

That little action button in the top right corner is actually a portal into a magical dimension.

Firstly it can manage itself if you need to give the agent a nudge:

Want to log a user off, lock them out completely, or just give it a rename? Not a problem:

Ever had a user demand an app right now? That's not a problem: click Install an App, select from your library, and within minutes it's there ready for them.

Now for hands down my favourite features:

Remote Desktop – That's right, attended or unattended remote access to the device, direct from the portal.

Remote PS – Sometimes it's easier to fix things without people even knowing. Introducing PowerShell (or ISE): manage a device remotely, all from your web browser. There is very little that can't be done on modern Windows using PowerShell, so this is extremely powerful!

If you spot those little buttons next to the X, they are for remotely uploading and downloading files, so you could drop a file on for troubleshooting/repairs and then quickly remove it when finished, or download logs without spending hours waiting for Intune to generate them.

What if I want to clear the user's cache, I hear you ask? Easy: run PS as the user (although I found this less reliable).

Policy Management

In my opinion, the policies are probably the weakest aspect of the product, but as I would use it as an Intune companion, this is also the part I’d be least likely to use.

You can create policies, but currently they are restricted to those available in Device Restrictions across platforms; the missing Settings Catalog is a little bit limiting.

If using it as a full MDM, you can create anything in GPO, which will then apply directly to the local group policy on the device. You could do that for Intune as well, but to me that's asking for conflicts, and troubleshooting will quickly become a nightmare.

There is still one piece of magic in here though: CIS Benchmarks. Each benchmark has been imported and is available to configure and deploy to your devices. They don't import into Intune, but you could configure them and deploy them from here, even just for testing purposes.

You can natively deploy registry keys as well, including a nice UI to configure them which makes a change from having to script them:

Connectors

As mentioned in the app section, to deploy macOS apps you need to connect ZeroTouch to your Apple Business Manager instance, which is done through the Connectors page. In the future, this is also where you will be able to connect to other systems like ServiceNow. If you're an Okta user, this is also where you configure the connector for SSO.

Asset Management

As you would expect, with the sheer volume of data being collected from your devices, you could use this as an asset management tool for your endpoint devices. As well as the devices it detects, you can add custom entries and populate additional fields for your devices.

It’s not as powerful as your dedicated asset management systems like Lansweeper, but it’s definitely a useful addition to the system.

Printers

Nobody wants to have them and we certainly don't want to manage them, but sadly we still have users, so for the time being we are stuck with them!

Fortunately there is a tool which can help with that. Download the MSI and install it on any workstation. Install every printer you have on that machine and it will capture the printer details (including the driver), so you can then quickly deploy them directly from the ZeroTouch console. Very nifty indeed!

Branding and Customizations

There are large parts of the system which are user-facing, ESP and self-service being the main two, so it's important to be able to add your own custom branding. Fortunately this can all be configured: logos, colour schemes, everything you would expect to see in here.

You can also tweak the settings of the client itself, including how often it reports back for each of the settings.

Security and Reporting

Coming from Intune, when I click Security I expect to find BitLocker, AV etc., but that isn't the case here. Security in this product is about reporting and audit logs.

Firstly, you can grab reports on your patch management status along with a pie chart to quickly see the state of things (no export functionality though, which would be a welcome addition).

In my tenant it's also struggling to detect the Windows version, but they are all running 24H2, so it might be a bit too quick.

It has full RBAC, so you can create custom permission sets for your different users, which is always a useful feature.

Entra User Management

Under Management – Azure AD (hopefully due to be renamed), you can view and edit your user details as well as view groups.

There is a button to add members to groups, but I couldn't get that to work; it might be my tenant, or user error.

Cost

The important question, and probably make or break for many of you: how much does this cost?

Base price is $4 per user per month, but I’m told there are discounts for larger organizations.

Considering this can replace your RMM and any remote access tools, handle app management and fix some of the holes in Intune, I would say it's excellent value for money.

It wouldn't be fair to compare it to the Intune Suite, as that includes Endpoint Analytics, Device Query and Cloud PKI.

Conclusion

Would I recommend this to my customers and/or buy it myself?

Yes, especially if you need the additional functionality of an RMM.

If you're just looking for app management, there are cheaper options, but when looking at this as a whole suite, the pricing is very competitive and the time this will save your technicians is well worth it.

As always, any questions, or anything you want me to try, drop it in the comments!
