Foothill Solutions · Restaurant365 Engagement · Device Operations

R365 Fleet Re-Enrollment into the Client Domain

Collect every R365 device, wipe it clean, and re-enroll it into the client’s managed domain (Intune or Jamf). One technician, working desk to desk — scheduled by mission and trio so no team ever goes fully dark. This is the working draft; swap in the real daily presence list and the schedule re-flows.

Prepared by: IT Department · Scope: 176 R365 employees · Crew: 1 technician · Daily cap: 25 devices · Status: Draft v4

At a glance: 176 devices total · ~146 Macs (M4/M5) · ~30 Windows PCs · 25/day daily cap · 12 missions · ~3 wks full rollout

Read this first

Assumptions this plan is built on

Every number below is an estimate, not a measured fact. Treat them as the starting dial settings — we re-measure on the first few real devices and adjust. If any assumption is wrong, the timeline shifts, so they’re stated up front to be challenged.

Crew: 1 technician, working desk to desk, keeping several unattended wipes running at once.
Daily cap: 25 devices/day — the sustainable solo number.
Mac time: ~15 min hands-on each — 5 min to kick off the erase + ~10 min to step through setup & verify enrollment. Erase itself runs ~20 min unattended.
Windows time: ~23 min hands-on each — 8 min to start the reinstall + ~15 min to join the domain & enroll. Reinstall runs ~42 min unattended.
Apple enrollment: ~10 min to step through Setup Assistant and confirm the device lands in the MDM. Real time depends on the MDM’s app/profile payload — more apps & policies push longer. Confirm against the actual Jamf/Intune config.
Windows enrollment: ~15 min to Entra-join and complete Intune enrollment. Real time depends on the Intune app/policy payload — a heavy software set stretches it well past 15 min. Confirm against the actual config.
Pre-staging: Every device is already in the client’s Apple Business Manager / Autopilot and released from any prior MDM before its scheduled day.
Scheduling: Driven by daily office presence and by mission + trio — never take a whole team or mission down at once.
Device mix: ~30 of 176 are Windows PCs; the remaining ~146 are Macs (M4/M5). Device type per employee is known and drives each day’s mix.
Network & access: Stable office Wi-Fi and on-site access to the admin consoles (ABM, Jamf/Intune, Autopilot) throughout the day.

The parallel idea

How one technician clears a floor in parallel

The trick isn’t working faster — it’s never standing idle. A wipe is mostly unattended time. You kick one device off, walk to the next desk and start that one, then circle back to finish the first when it lands on the setup screen. Your hands — not the clock — are the bottleneck, which is exactly why the daily number is capped.

Where your time actually goes, per device

MAC · 35m: 5m kickoff (hands-on) → ~20m erase (unattended) → ~10m enroll (hands-on)
WIN · 65m: 8m kickoff (hands-on) → ~42m reinstall (unattended) → ~15m enroll (hands-on)

Kickoff and enroll are the stretches where you’re hands-on. During the erase or reinstall the device works alone while you’re at another desk. Stack those unattended stretches across many devices and the day collapses to roughly the sum of your hands-on minutes.

What a 25-device day costs you

Mac — hands-on each | 5 min kickoff + 10 min enroll | 15 min
Windows — hands-on each | 8 min kickoff + 15 min enroll | 23 min
A typical day — 21 Mac + 4 PC | hands-on only, wipes overlap | ~6.8 hrs
With walking between desks | a full day, with a small buffer | ~7.5–8 hrs

Why 25 and not more: a 25-device day already runs about 7.5–8 hours hands-on. Anything past that leaves no buffer for a stuck reinstall or a no-show desk. If a day’s presence is heavier than 25, roll the overflow to the next office day rather than stretching the technician past a full shift.
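The overlap described above, simulated as an added example (not part of the original plan). It uses the plan's phase estimates; the "enroll anything waiting at setup, otherwise start the next wipe" policy and the desk order are assumptions, and walking time is left out.

```python
import heapq

# The plan's estimates in minutes: (kickoff hands-on, unattended wipe, enroll hands-on)
PHASES = {"mac": (5, 20, 10), "win": (8, 42, 15)}

def simulate_day(devices):
    """One technician: enroll whatever is waiting at setup, otherwise start the next wipe.

    Returns (makespan, hands_on, idle) in minutes.
    """
    clock = hands_on = idle = 0
    pending = list(devices)      # not yet started, in desk order
    wiping = []                  # min-heap of (ready_time, seq, platform)
    seq = 0
    while pending or wiping:
        if wiping and wiping[0][0] <= clock:     # a device is sitting at the setup screen
            _, _, platform = heapq.heappop(wiping)
            step = PHASES[platform][2]
        elif pending:                            # nothing ready: kick off the next desk
            platform = pending.pop(0)
            kickoff, unattended, _ = PHASES[platform]
            heapq.heappush(wiping, (clock + kickoff + unattended, seq, platform))
            seq += 1
            step = kickoff
        else:                                    # all started, none ready: technician waits
            idle += wiping[0][0] - clock
            clock = wiping[0][0]
            continue
        clock += step
        hands_on += step
    return clock, hands_on, idle

# The plan's typical day (21 Mac + 4 PC); starting the PCs first is an assumption.
TYPICAL_DAY = ["win"] * 4 + ["mac"] * 21

if __name__ == "__main__":
    total, busy, waiting = simulate_day(TYPICAL_DAY)
    print(f"day length {total} min, hands-on {busy} min, idle {waiting} min")
```

With these inputs the only idle stretch is at the end of the day, waiting on the last two erases, which is why the day length tracks the hands-on total so closely.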

Per-device runbook

Two lanes, one outcome: a clean device on the client domain

Macs use Erase All Content & Settings (fast, firmware-clean on Apple Silicon). Windows gets a full format and reinstall. Both finish by auto-enrolling into the client’s MDM — which works only if the device is pre-staged in the client’s Apple Business Manager / Autopilot first (see pre-flight below).

Apple · M4 / M5: Erase All Content & Settings → ADE re-enroll (35 min / unit)
  1. Back up & confirm (hands-on)
    Verify iCloud/OneDrive sync is current. Erase is irreversible — nothing local survives.
  2. Sign out of Apple ID & Find My
    Settings → Apple ID → Sign Out. Clears Activation Lock so the device isn’t bricked after erase.
  3. Trigger Erase All Content & Settings
    Settings → General → Transfer or Reset → Erase. Then walk to the next desk. (unattended, ~20m)
  4. Enroll & verify at setup (~10m hands-on)
    On Wi-Fi the device pulls the client’s ADE profile and enrolls into Jamf/Intune. Step through setup and wait for profiles/apps to land.
  5. Confirm & hand back
    Device shows in the MDM console as managed/compliant. Log it.
Enrollment time varies: heavier MDM app/policy payloads add minutes at step 4. Re-time on the first few units.

Windows PC: Format + reinstall → Autopilot / Entra join (65 min / unit)
  1. Save BitLocker key & back up (hands-on)
    Record the recovery key and back up data (OneDrive Known Folder Move). Reinstall wipes the disk.
  2. Boot installer / Reset this PC
    Bootable USB or Recovery → Reset → Remove everything → clean reinstall. Then move on. (unattended, ~42m)
  3. OOBE → network
    At first-run, connect Wi-Fi. Autopilot recognizes the device against the client’s Entra tenant.
  4. Entra join & Intune enroll (~15m hands-on)
    Device joins the client domain and auto-enrolls into Intune; compliance policies & apps push down.
  5. Confirm & hand back
    Entra-joined and Intune-compliant in the console. Log it.
Enrollment time varies: the app/policy set Intune pushes at step 4 can stretch this well beyond 15 min. Re-time on the first few units.

Before you touch a single device

Pre-flight: the things that turn a 35-minute job into a dead device

Every item below is something that, if skipped, either bricks the hardware or means the device won’t enroll and you have to come back. Knock these out before the office day — most are admin-console work, not desk work.

Apple — M4 / M5

  • BRICK RISK
    Activation Lock. Sign out of Apple ID / Find My first, or have the Activation Lock bypass code from MDM. Erase a locked device and it’s a paperweight until unlocked.
  • PRE-STAGE
    Apple Business Manager. Each Mac must sit in the client’s ABM and be assigned to their MDM for Automated Device Enrollment — that’s what makes it auto-enroll at setup.
  • PRE-STAGE
    Release from old MDM. Unmanage / remove from any FTS or prior tenant so there’s no enrollment conflict.
  • DATA
    Back up first. Erase All Content & Settings is irreversible. Confirm the user’s data is in iCloud/OneDrive.

Windows

  • DATA LOSS
    BitLocker key. Save the recovery key and back up data before formatting. A clean reinstall destroys the volume.
  • PRE-STAGE
    Autopilot registration. Hardware hash must be in the client’s Autopilot / Entra tenant so OOBE pulls the right profile and enrolls into Intune.
  • PRE-STAGE
    Clean stale objects. Remove old Entra/Intune device records to avoid duplicate or non-compliant entries.
  • MEDIA
    Installer ready. Have a current Windows USB / reset image and any required drivers staged before the day.

Scheduling rule

Schedule by mission & trio — never take a team fully down

The 176 R365 staff sit in 12 missions, split into 55 trios (mostly 3-person teams). Each day’s 25 devices are chosen to spread across missions and to take at most one person per trio, so every team keeps at least two members working while their colleague’s laptop is being re-imaged.

The rule: on any given day, pick ≤ 1 member from each trio and keep the day’s devices spread across as many missions as possible. A trio is never blocked; a mission is never paused.

Mission | People | Trios | Min. days to clear | Notes
Platform | 20 | 7 | 3 | Largest mission — leads each wave
PLG | 20 | 7 | 3 |
CV | 19 | 7 | 3 |
Modernization | 19 | 7 | 3 |
Enterprise | 19 | 7 | 3 |
Workforce | 18 | 7 | 3 |
Payroll-Growth | 16 | 6 | 3 |
AI-Products | 15 | 5 | 3 |
Payroll-Compliance | 11 | 4 | 2 |
Integrations | 10 | 4 | 2 |
DevOps | 6 | 1 | 6 | Single trio — stagger 1/day, don’t block
Data-AI-Platform | 3 | 1 | 3 | Single trio — 1/day max

“Min. days to clear” = if you only respect the one-per-trio rule. DevOps and Data-AI-Platform are each a single trio, so they trickle one person per day — flag them early so they don’t become the long tail.
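One way to build a day's cohort under this rule, folding in the pre-flight gate from the section above, as an added example (not part of the original plan). The record fields, pre-flight key names and sample people are constructed for the illustration; the daily cap and hands-on minutes are the plan's own estimates.

```python
from collections import defaultdict

DAILY_CAP = 25                         # the plan's daily cap
HANDS_ON_MIN = {"mac": 15, "win": 23}  # the plan's hands-on estimates, minutes
# Pre-flight items per platform; the key names are this example's own labels.
PREFLIGHT = {
    "mac": {"activation_lock_cleared", "in_client_abm", "released_from_old_mdm", "backed_up"},
    "win": {"bitlocker_key_saved", "autopilot_registered", "stale_records_removed", "backed_up"},
}

def build_cohort(present, cap=DAILY_CAP):
    """Pick today's devices: pre-flight complete, at most one per trio, spread over missions."""
    deferred, queues = {}, defaultdict(list)
    for p in present:
        missing = PREFLIGHT[p["platform"]] - set(p["checks"])
        if missing:                    # never wipe a device that cannot re-enroll
            deferred[p["name"]] = "pre-flight: " + ", ".join(sorted(missing))
        else:
            queues[p["mission"]].append(p)
    cohort, trios_out = [], set()
    order = sorted(queues, key=lambda m: -len(queues[m]))  # largest mission leads
    while len(cohort) < cap and any(queues.values()):
        for mission in order:          # one pick per mission per pass
            while queues[mission] and len(cohort) < cap:
                p = queues[mission].pop(0)
                if (mission, p["trio"]) in trios_out:
                    deferred[p["name"]] = "trio already has a member out today"
                    continue
                trios_out.add((mission, p["trio"]))
                cohort.append(p)
                break
    for queue in queues.values():      # whatever is left did not fit under the cap
        for p in queue:
            deferred[p["name"]] = "over daily cap"
    return cohort, deferred

def hands_on_hours(cohort):
    """Technician hands-on time for a cohort, in hours."""
    return sum(HANDS_ON_MIN[p["platform"]] for p in cohort) / 60

# Constructed presence list (names, trios and check states are invented for the example).
MAC_OK, WIN_OK = PREFLIGHT["mac"], PREFLIGHT["win"]
PRESENT = [
    {"name": "A", "mission": "Platform", "trio": "T1", "platform": "mac", "checks": MAC_OK},
    {"name": "B", "mission": "Platform", "trio": "T1", "platform": "mac", "checks": MAC_OK},
    {"name": "C", "mission": "Platform", "trio": "T2", "platform": "win", "checks": WIN_OK - {"bitlocker_key_saved"}},
    {"name": "D", "mission": "DevOps", "trio": "T1", "platform": "win", "checks": WIN_OK},
    {"name": "E", "mission": "DevOps", "trio": "T1", "platform": "mac", "checks": MAC_OK},
]
```

Calling `build_cohort(PRESENT)` returns the day's list plus a reason for every deferred person, which doubles as the carry-over note for the next office day.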

Sample day · Tuesday

The rolling day — 25 devices, spread across missions

A realistic solo day at the 25-cap. Morning is heavy Mac throughput; a few Windows machines get kicked off before lunch so their 60-minute reinstalls run while you eat. Afternoon finishes the Windows enrollments and the remaining Macs. Every wave pulls from different trios.

08:30–09:00

Staging setup

Log into ABM / Jamf / Intune / Autopilot consoles. Confirm Wi-Fi, labels, USB installers, tracking sheet open. Sanity-check that today’s 25 are pre-staged.

09:00–10:45

Wave 1 · MAC ×7 · WIN ×1 start

Roll Macs across several missions — start, move, circle back to enroll. Kick off one Windows reinstall early so it runs in the background.

10:45–12:30

Wave 2 · MAC ×7 · WIN ×1 finish + 1 start

Continue Macs across fresh trios; return to the morning PC for Entra join + Intune enrollment as it hits OOBE.

12:30–13:00

Lunch — devices keep working

Start 1–2 more Windows reinstalls right before stepping away so the unattended ~42m covers the break.

13:00–15:00

Wave 3 · MAC ×7 · WIN ×2 enroll

Finish the post-lunch Windows enrollments; push through the next batch of Macs from remaining missions.

15:00–16:15

Cleanup wave · ~2 left

Mop up remaining devices, retries, and any that failed first enrollment. Re-run stuck reinstalls.

16:15–17:00

Wrap & reconcile

Confirm every device today shows managed/compliant in the console. Update the tracker. Flag any incompletes to carry into the next office day.

Live tracker

Tuesday cohort

Placeholder cohort. These 25 are drawn across all 12 missions with no more than one person per trio, so the design is complete. Paste your real Tuesday presence list and I’ll regenerate this table with the actual names, missions, trios, devices and counts.

Tracker columns: # · Employee · Mission · Trio · Device · Status

Fallback

Plan B: The swap-pool rotation

If live desk-side setup can’t be trusted on the day — e.g. enrollment needs the US team and the timezone gap blocks real-time coordination, or the parallel flow keeps stalling — switch to a pre-staged swap pool. You decouple the user handover (fast) from the slow, coordination-dependent enrollment (done offline). Cost: ~10 swaps/day instead of 25, but zero live dependency and no team blocked.

Seed the pool

Pre-build 10 spares

Wipe and fully enroll the 10 laptops already in the office into the client domain — done ahead of time, during US hours, so coordination isn’t time-critical.

Swap on the day

Hand out & collect

Give each of 10 employees a ready-to-go laptop and collect their old device on the spot. ~5 min per person, no waiting at the desk.

Re-image returns

Wipe the 10 returned

Re-image and re-enroll the collected devices offline, at your own pace, coordinating with the US team whenever their window opens.

Rotate

They become tomorrow’s pool

The freshly-prepared 10 become the next day’s swap stock for the next 10 employees. Repeat until the fleet is done.

Throughput
~10/day vs 25 — slower, so ~18 working days for 176.
Biggest win
No live US dependency. Enrollment happens offline whenever the coordination window opens.
What it needs
10 spare/loaner units to seed the pool, plus space to stage them.

The full picture

All 176, mission by mission

Total device load per mission. At the sustainable 25 devices/day (Plan A), the fleet clears in roughly seven working days — but those days are gated by who’s physically in the office, so plan on about three calendar weeks following the daily presence rota. (Plan B’s swap pool runs slower but removes the live coordination risk.)

Devices per mission: Platform 20 · PLG 20 · CV 19 · Modernization 19 · Enterprise 19 · Workforce 18 · Payroll-Growth 16 · AI-Products 15 · Payroll-Compliance 11 · Integrations 10 · DevOps 6 · Data-AI-Platform 3

Week 1

Heaviest-presence days

Lead with the big missions (Platform, PLG, CV) on the highest-turnout days. One per trio, ~25/day.

Week 2

Steady throughput

Work down mid-size missions by daily rota. Trickle the single-trio missions (DevOps, Data-AI) so they don’t tail out.

Week 3

Stragglers & remote

Catch rarely-in-office staff, WFH machines, and the Windows tail. Final console reconciliation.

Decisions still needed

Open questions to lock before day one

None of these block drafting the plan, but each one changes the execution. The owner column flags who needs to answer.

Q1. Which MDM manages the Macs — Jamf or Intune?

Windows goes to Intune/Autopilot regardless. Macs enroll via ABM either way, but the console you verify in (and the enrollment payload) differs. Lock this so pre-staging targets the right MDM.

Owner: CLIENT

Q2. Is ABM / Autopilot pre-staging done for all 176, and who owns it?

Devices must be in the client’s ABM/Autopilot and released from any prior MDM before their day, or they won’t auto-enroll. Confirm whether we or the client drive this.

Owner: US + CLIENT

Q3. Can we enroll independently, or must it happen in the US team’s window?

This is the Plan A vs Plan B decision. If real-time US coordination is required, the timezone gap may force the swap-pool fallback.

Owner: US TEAM

Q4. Confirm the per-employee Mac/Windows list.

~30 of 176 are Windows; the device type per person is known. Confirm the list so the daily counts and time math are locked.

Owner: US TEAM

Q5. What’s the daily office-presence rota?

Needed to assign the actual mission/trio cohorts to each weekday.

Owner: US TEAM

Q6. Do we have 10 spare/loaner units to seed Plan B?

The swap-pool fallback needs ~10 ready devices to start the rotation. Confirm availability and staging space.

Owner: US TEAM