.. Reminder for header structure:
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. meta::
  :description: Enhancing your productivity with WAPT
  :keywords: WAPT, documentation, productivity, use cases, ideas

.. _wapt_ghosting_hosts:

################################################
Simplifying the deployement of your workstations
################################################

Many companies and administrations include software and configurations in the OS images they deploy on their fleets of machines.

But from now on this is no longer the recommended method for several reasons :

* Each time you make a new image, you waste a lot of time installing software and configuring it. You are very limited in the user configurations that you will be able to include in your image.

* Each time you make a new image, you will have to keep track of the changes in a text document, a spreadsheet, or a change management tool.

* OS editors (notably Microsoft) advise the use of raw ISO images and their parameterization in post-install.

* Finally, if you introduce in your image security configurations, network configurations, or configurations to limit the intrusion of telemetry, these configurations can disrupt the normal functioning of WAPT, it will complicate future diagnostics.

**With WAPT this is no longer necessary**

***************
Recommendations
***************

Tranquil IT recommends:

* To make only one raw image per OS type with `MDT <https://docs.microsoft.com/en-us/mem/configmgr/mdt/>`_, `Fog <https://fogproject.org/>`_ (win10, win2016, etc) or :ref:`WAPT WADS <wapt_wads>` without any configuration or software. **Put only the system drivers** you need for your image deployment in the MDT or Fog directories provided for this purpose;

* To create as many Organizational Units as you have machine types in the *CN=Computers* OU (ex: *standard_laptop*, *hardened_laptop*, *workstations*, *servers*, etc) in your Active Directory;

* To configure your Active Directory to distribute the WAPT Agent by GPO to the different Host Organizational Units; This way, you can opt for fine grained configurations of your :file:`waptagent.ini` for the hosts attached to each OU.

.. hint::

  To save you time, you can base your security configuration strategy on security WAPT packages already available in the `WAPT Store <https://wapt.tranquil.it/>`_, you will only need to complete them according to your Organization's specific security requirements.

* To create in the *CN=Computers* OU as many Organizational Units as there are types of computer usage in your organization (*accounting*, *point_of_sale*, *engineering*, *sedentary_sales*, etc).

* To create generic WAPT packages of your software applications with their associated configurations.


Deployment scenario
-------------------

* You receive or the IT manager at the remote site receives a new machine in its box.

* You configure the machine's MAC address in DHCP so that it gets the right system image  and is positioned in the right Organizational Unit at the end of the deployement process.
  
* The expected system image is downloaded on the machine in masked time, the machine is placed in the right Organizational Unit.

* The WAPT agent registers the machine with the WAPT server, it appears in the WAPT console.

* The WAPT agent detects that it is in an Organizational Unit that requires a particular software set and a particular security configuration.

* The WAPT Agent downloads and executes software packages and security configuration packages in hidden time; the WAPT Agent automatically removes delegated rights that are rendered useless
  after joining the domain to prevent them from being subsequently exploited in an unauthorized manner.

* Either by group of machines or machine by machine, you finalize the configuration of the machines by assigning specific WAPT packets to them.

.. hint::

  If you want, you can even leave the final configuration step to your users by configuring WAPT self-service for them (printer configurations, special software needs, etc).