I'm in the same boat as you, and currently figuring out how to get our XP-dependent ERP stack up to Win 7. Fortunately I have a similar setup, still not as nice as an apt package manager would be, but for Windows I'd never expected this level of automation.
However with the whole BYOD crap I, and I'm sure you too, get pestered about all the time, I thought I'd share what made my life easier dealing with iPhones and iPads.
To be honest, I haven't seen this level of configuration since BlackBerry.
(PS, if you or anyone knows of anything like this for Android, I would love to hear about it. That is the last system that is a thorn in my side to support)
Contrast that to when we get a new iPad in. No PXE booting, no easy configuration through the network. No management tools that are worth a tin shit. I have to physically enter all that information in. Can't even swap in a replicated hard drive since it can't be taken apart. Loading from a USB stick? Hahah... No we have to go through the "cloud" for everything.
Check out the Apple iPhone Configuration Utility - About or Windows download page
and any one of the many MDM (mobile device manager) servers for the backend.
You create various "profiles", which are signed and/or encrypted XML files with a .mobileconfig extension.
Think Active Directory's Group Policy for iOS.
I've made quite a few of these configs and have them posted on a sub-website on the Intranet, as well as keep handy to forward as email attachments.
On iOS if you click one in a browser or as an attachment, it will display what parts of the system it will change, and if it can be removed, requires a password, or can't be removed (except via factory reset - think company owned devices).
You just click accept, and if you only use required values the entire setup is done. Alternately you can mark some things as user provided (like domain username, and AD password) and you're prompted for those in one screen after confirming to install it.
I have one with our Exchange server's settings (which I admit is so simple to set up this one isn't really needed), two different ones for each VPN endpoint server, one that contains our wireless "guest" network settings as well as how to handle channel hopping and roaming between APs keeping sessions alive over WPA2-Enterprise, all of our SharePoint shared resources that can be linked in, as well as our public contact book.
These are available (in my case, user removable) for any employee to use to better utilize our resources without me having to set up anything.
Further, and at this point I'm probably starting to sound like an ad or something, still..
If we actually had company owned iOS devices, you can go as far as restricting any/all settings apps and extensions, pre-install your own apps, only allow apps on a whitelist to install, or even to not be able to install apps at all.
It can redirect all iCloud services to internal services, or simply disallow them.
iOS can link into Active Directory (via LDAP), and CalDAV / CardDAV, and have your x500 certificates installed.
You can even do things currently only cellular carriers are privileged to do, such as put apps or web shortcuts on SpringBoard and not allow them to be removed or even repositioned.
It even lets you reconfigure the cellular radio settings, changing the APN, GPRS, and a proxy that all data communications pass through.
You can reconfigure and push out settings updates over the air as well. About the only thing I don't think you can do is push app installs over the cell network, you have to wait until they are back on the Wi-Fi for that.
While I personally have been fortunate enough to never have had to touch the BlackBerry Enterprise Server, Apple seriously went out of their way to rival BES in what you can do using these policies.
Unfortunately some of the larger MDM servers that handle all three (iOS, BB, Android) are quite overpriced and heavily licensed. Typical enterprise gouging. But at least here you aren't required to even use an MDM server.
You don't need to install anything on the network either, nor have to deal with BES sinking its claws into your Exchange server and AD.
The config tool is just a little client app you can run anywhere to generate these mobile config files, which you can then publish wherever is convenient. Though with the signing keys it generates on first use, you'll either need to copy that around or keep the app on your workstation.
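
Added example, not part of the comment above and not Apple's tooling: since a `.mobileconfig` is a property list, an admin can audit an unsigned profile before publishing it, listing its payloads and flagging the ones that change network routing, trust or removability. The `audit_profile` function, the sample identifiers and the SSID are constructed for illustration; the payload type strings and top-level keys are Apple's documented ones.

```python
import plistlib

# Real Apple payload type identifiers that change how a device routes or trusts traffic.
SENSITIVE = {
    "com.apple.apn.managed": "cellular APN/proxy",
    "com.apple.vpn.managed": "VPN",
    "com.apple.wifi.managed": "Wi-Fi",
    "com.apple.security.root": "trusted root certificate",
    "com.apple.applicationaccess": "restrictions",
}

def audit_profile(data: bytes) -> dict:
    """Summarise what an unsigned .mobileconfig would change on a device."""
    data = data.lstrip()
    if not data[:8].startswith((b"<?xml", b"bplist")):
        # Signed profiles are CMS (DER) wrapped: unwrap them before auditing.
        return {"needs_unwrap": True, "payloads": [], "flags": []}
    profile = plistlib.loads(data)
    flags = []
    if "EncryptedPayloadContent" in profile:
        flags.append("payloads are encrypted for one device; audit the source")
    if profile.get("PayloadRemovalDisallowed", False):
        flags.append("profile cannot be removed by the user")
    payloads = []
    for p in profile.get("PayloadContent", []):
        ptype = p.get("PayloadType", "unknown")
        payloads.append(ptype)
        if ptype in SENSITIVE:
            name = p.get("PayloadDisplayName", ptype)
            flags.append(f"{SENSITIVE[ptype]} payload: {name}")
        if ptype == "com.apple.profileRemovalPassword":
            flags.append("removal requires a password")
    return {"needs_unwrap": False, "payloads": payloads, "flags": flags}

# Constructed sample profile (identifiers and SSID are made up).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.guestwifi",
    "PayloadDisplayName": "Guest Wi-Fi",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
         "PayloadDisplayName": "Guest network", "SSID_STR": "example-guest",
         "EncryptionType": "WPA2"},
        {"PayloadType": "com.apple.profileRemovalPassword", "PayloadVersion": 1},
    ],
})

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```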