Manage Quest Headsets Without Horizon Managed Services: An IT Admin’s Guide

Cut the support tether: replace Horizon managed services for Quest fleets in 2026

Hook: If your organization relied on Horizon managed services to keep Quest headsets inventoryed, provisioned, secured, and updated, Meta’s move in late 2025–early 2026 means you need a replacement runbook now. IT teams face fragmented tools, time-consuming manual steps, and the risk of unmanaged headsets in production environments. This guide gives a hands-on, tested playbook to manage Quest headsets without Horizon managed services—covering inventory, provisioning, policy enforcement, OTA updates, and remote troubleshooting.

Meta announced the discontinuation of Horizon managed services and the standalone Workrooms app (Workrooms closed Feb 16, 2026), driving many organizations to adopt alternative fleet management strategies.

Executive summary — what to do first (inverted pyramid)

Start by discovering all headsets and locking down network access. Next, choose a management architecture (MDM + Android Enterprise where possible). Build a baseline image and policies, then deploy in controlled waves with an OTA update strategy and runbooks for remote troubleshooting. Treat the first 30–60 days as an intensive stabilization window: inventory, enroll, secure, update, and iterate.

Why replace Horizon managed services now (2026 context)

By early 2026 the enterprise VR landscape shifted. Vendors consolidated offerings, Meta scaled back Reality Labs and discontinued Horizon managed services and Workrooms—forcing IT teams to manage Quest fleets directly or via third-party tooling. At the same time, edge AI and cross-device workflows increased the need for tighter device security, zero-trust network segmentation, and automated fleet controls. That makes a structured replacement plan essential.

Overview: The replacement architecture

A practical stack that works for most organizations:

• MDM that supports Android Enterprise (Microsoft Intune, VMware Workspace ONE, SOTI, Ivanti/ManageEngine, or similar).
• Device enrollment via Android Zero‑Touch / Android for Work (AFW) or authenticated ADB provisioning for small-batch devices.
• CI/CD and GitOps for device configs (policies in source control).
• OTA management orchestrated by MDM, with staged rollouts and telemetry monitoring.
• Remote support tools (casting, WebRTC-based remote assistance, and ADB over network for logs and fixes).
• CMDB / ITSM integration for audit trails and lifecycle events.

1) Inventory: know what you have immediately

Before you change anything, discover every Quest device in scope.

Actions

1. Run a network scan for known management ports (ADB 5555, mDNS for casting) on the corporate VLANs where headsets are used.
2. Collect serial numbers and device IDs. If you have physical access, affix barcode or QR stickers and record each serial into your CMDB.
3. Use a discovery script (example below) to collect device properties over ADB when available:

# Example: collect basic device info via ADB
adb devices
adb -s 192.168.1.23:5555 shell getprop ro.serialno
adb -s 192.168.1.23:5555 shell getprop ro.build.version.release
adb -s 192.168.1.23:5555 shell pm list packages
  

Deliverable

Create a CSV with columns: device_name, serial, model, ip_address, last_seen, assigned_user, location, enrollment_state. Import this into your CMDB and inventory dashboard.

2) Choose an enrollment path (scale matters)

Pick the fastest, most repeatable enrollment strategy for your fleet size.

Small fleets (<50 devices)

• Use authenticated ADB provisioning or manual enrollment flows if devices are physically available.
• Enable Developer Mode only during provisioning and disable afterward.

Medium to large fleets (>50 devices)

• Use Android Zero‑Touch / Android Enterprise (AFW). Register devices with your reseller and bind them to your MDM customer account for automated enrollment.
• Preconfigure Wi‑Fi, certificates (SCEP or PKI), and device restrictions in MDM templates.

Enrollment checklist

1. Create an MDM tenant or enroll devices under an existing one.
2. Define an Enrollment Profile: device name template, ownership (company-owned), user assignment rules, initial policies.
3. Test enroll 2–5 devices to validate profiles before mass enrollment.

3) Policy enforcement: the baseline you must apply

Secure every headset with a minimal policy that reduces attack surface and preserves usability.

Minimum viable policy (apply immediately after enrollment)

• Device ownership: set to corporate (no BYOD).
• Disable sideloading: block unknown sources and restrict ADB access.
• Kiosk / single-app mode: if devices are for specific tasks, lock to the app(s) you manage.
• Enforce passcodes: numeric or alphanumeric depending on use-case.
• Network policies: preconfigure Wi‑Fi profiles with enterprise EAP and client certs; disable open Wi‑Fi scans.
• VPN and segmentation: route all headset traffic through a per-device VPN or place headsets on a restricted VLAN with internet-only egress for apps you trust.
• Certificate and key management: use hardware-backed keystore and SCEP or ACME for device certificates.
• Update enforcement: mark critical updates as mandatory for devices in production pools.

Example: minimal Intune JSON profile (pseudocode)

{
  "name": "Quest-Baseline",
  "ownership": "corporate",
  "restrictions": {
    "allowSideloading": false,
    "developerOptions": false,
    "adb": false
  },
  "security": {
    "requirePin": true,
    "pinComplexity": "numeric",
    "minLength": 6
  },
  "network": {
    "wifiProfiles": ["corp-eap-profile"],
    "forceVpn": true
  }
}
  

4) OTA updates: staging, rollout, and rollback

OTA updates are the most disruptive part of managing a VR fleet. Build a controlled update pipeline.

Strategy

1. Test pool: 5–10 devices running production apps.
2. Pilot pool: 20–50 devices in non-critical sites.
3. Production pool: remaining fleet, rolled out by site and function.

Practical rollout steps

1. Provision a test OTA image snapshot in a private repo or use MDM scheduling to delay updates.
2. Push update to test pool, monitor crash rates and app behavior for 48–72 hours.
3. Use analytics (MDM telemetry, app logs) to detect regressions; have an automated rollback trigger if failures exceed threshold (e.g., 3% crash rate increase).
4. Stage to pilot, then to production in site-by-site waves during off-hours.

MDM update controls

Ensure your MDM exposes:

• Remote update initiation and scheduling
• Update status reporting (downloaded, installing, success/failure)
• Mechanism to push a previous build or factory reset devices if necessary

5) Remote troubleshooting: fast, secure, repeatable

Support teams must be able to replicate and fix issues without shipping hardware.

Tools and methods

• Casting + remote assistance: use device casting to a secure console combined with a WebRTC support tool so a technician can see the user experience live.
• ADB over network: enable temporarily for support sessions; require an ephemeral admin token and revoke immediately after.
• Log collection: automate bugreport collection and upload to a secure storage bucket.
• Screenshots & sampling: capture performance counters and background process lists.

Quick runbook: common tasks

1. Get device IP and confirm MDM connectivity.
2. Ask user to initiate a casting session to support console or enable temporary remote mode via MDM.
3. Collect logs (example commands):

# Connect and collect logs
adb connect 192.168.1.23:5555
adb -s 192.168.1.23:5555 shell dumpsys activity > dumpsys-activity.txt
adb -s 192.168.1.23:5555 logcat -d > logcat.txt
adb -s 192.168.1.23:5555 bugreport > bugreport.zip
  

Secure ephemeral ADB workflow

1. Support requests generate one-time tokens in your ITSM system.
2. MDM pushes a policy to allow ADB connections for a limited window (e.g., 15 minutes).
3. After the window, MDM revokes ADB access automatically.

6) Automation and scale: make changes predictable

Manual changes introduce drift. Use automation for baseline enforcement and change management.

Recommendations

• Store policies in Git: use pull requests to change device profiles.
• CI pipeline: validate policy syntax, run a dry-run against a staging MDM tenant, and require approval for production pushes.
• Telemetry-driven rollouts: integrate crash analytics so rollouts pause automatically on regressions.

7) Decommissioning and lifecycle management

Have a reproducible process for returning devices to stock or repurposing them.

1. Initiate decommission in CMDB and ticket the device for wipe.
2. Push a factory reset via MDM and confirm the device booted to setup screen.
3. Clear certificates and disable any VPN profiles.
4. Log the change and update asset records.

8) Example: a 30-day stabilization playbook

1. Days 1–3: Full inventory, network segmentation, emergency blockade of unmanaged devices.
2. Days 4–10: Enroll test pool (5 devices), define baseline policies.
3. Days 11–20: Pilot enrollment (20–50 devices), test OTA update procedure, finalize automation workflows.
4. Days 21–30: Rollout to production in waves, onboard support staff with the remote troubleshooting runbook.

9) Real-world patterns and lessons learned (experience)

From deployments across education, training, and enterprise simulation teams in late 2024–2025, a few patterns emerged:

• Start small and iterate — early enrollment errors scale linearly with device count.
• Network constraints cause more failures than device bugs; dedicate a VLAN for headsets.
• MDM telemetry quality varies — enrich it with local agents or periodic log uploads.
• Users tolerate short maintenance windows for OTA updates if communicated clearly.

10) Security considerations specific to Quest headsets

Headsets are a unique endpoint class: they have sensors, cameras, microphones, and persistent user context. Apply security controls accordingly.

• Privacy zones: enforce camera/mic policies and monitor app permission changes.
• Physical security: tether high-value units and track last-known location in CMDB.
• Credential hygiene: use device certificates and avoid storing long-lived credentials on the headset.
• Attestation: prefer devices where hardware attestation is available for integrity checks.

11) 2026 trends & future-proofing

Looking at late 2025 into 2026, expect three trends to shape VR fleet management:

1. Multi-device management platforms: Organizations will favor MDMs that manage phones, headsets, and wearables from one console.
2. Edge AI processing: More apps will rely on on-device models, requiring new policies for model updates and privacy-aware telemetry.
3. Vendor consolidation: With Meta shifting focus to wearables like Ray‑Ban smart glasses and deprecating services like Horizon managed services, IT will standardize on cross-vendor tooling and open standards (Android Enterprise, WebRTC casting, SCEP/PKI).

12) Advanced strategies

When you’re ready to go beyond baseline management:

• Implement a fleet canary process: push small, instrumented builds to canary devices to validate telemetry and stability.
• Use policy as code with automated policy compliance checks in CI.
• Integrate headset telemetry with your SIEM to correlate device events with network threats.

Actionable checklist — what to do this week

• Inventory: Discover and log every Quest device into CMDB.
• Lockdown: Place headsets on a restricted VLAN and block unmanaged devices.
• MDM: Stand up or validate an MDM tenant that supports Android Enterprise.
• Test: Enroll 2–5 devices and apply a minimal security baseline.
• Runbook: Publish a remote troubleshooting playbook with ADB commands and log collection steps.

Closing — your next move

Replacing Horizon managed services is a multi-week program, but the first steps are straightforward: identify devices, choose an MDM/enrollment approach, apply a secure baseline, and automate OTA updates with staged rollouts. These steps preserve uptime for users and reduce long-term operational costs.

Takeaway: Treat Quest management like any other endpoint class—apply inventory discipline, automated enrollment, layered security, and tested update pipelines. Use ephemeral ADB and secure remote assistance for support, and keep policies in source control for auditability.

Need a ready-to-run checklist and a sample ADB & MDM script bundle you can drop into your environment? Download our free 30‑60 day runbook and automation templates to accelerate the migration from Horizon managed services.

Call to action: Get the runbook, scripts, and policy templates—click to download the “Quest Fleet Management: Horizon Replacement” pack and start your stabilization sprint today.

Related Reading

• Partner Programs and Conflicts: Advising Credit Union Members via Trusts
• Listing Optimization & Revenue Tactics for Boutique Stays in 2026
• Use Raspberry Pi as an Affordable WordPress Lab: Hands-On Setup for Teachers and Students
• Behind the Beauty Stunt: How Athletic Collaborations (Like Rimmel x Red Bull) Drive New Skincare Partnerships
• Spotting Placebo Ventilation Products: How to Tell If a 'Smart Filter' Actually Improves IAQ