If you have been following the SCCM community over the past months, you’ve been hearing a lot about comanagement, cloud management gateway, cloud distribution point, and Intune. You may also have heard that SCCM is dying and that Intune is your only path in the near future to manage your company devices. The good news is that SCCM is not dead. In fact, it has been rolling out new features quarterly for the past 3 years thanks to the new servicing model, and the product group is not slowing down. The bad news is that… well, there’s no bad news… but as a sysadmin, you have a steep learning curve if you’ve not been following the “SCCM Intune modern management” storm of the past months. In this blog post, we will go over the basics to start with Microsoft Intune. It supports Windows and a variety of devices.
You may wonder why you would want to go to Intune in the first place. By using only SCCM, you are not exploiting 100% of the features you can manage on Windows 10, and even less so on mobile devices.
Using Intune, you can:
- Manage the mobile devices to access company data
- Manage the mobile apps
- Protect your company information
- Ensure devices and apps are compliant
- Use Autopilot to deploy your Windows 10 machines
- Manage the device outside of the company network
And what’s great about modern management is that it’s not an on/off switch. Using SCCM Comanagement, you can go at your own pace and decide which workload is managed by which tool (SCCM or Intune).
If you’re the SCCM administrator and you’ve been asked to start looking at Intune by your management, look no further, this post will wrap it up. We’ll try to guide you in the right direction in order to start with Microsoft Intune and modern management.
Comanagement was introduced in SCCM 1710. Microsoft wants your devices enrolled in Intune, and Comanagement will help you make the transition. Since 1802, Microsoft has been promoting comanagement with the Just4Clicks tag all over their platform.
But what is comanagement? Comanagement is simply a new SCCM functionality that lets you control your workflow between Intune and SCCM. When enabled, you can decide which workload goes to Intune and which one goes to SCCM. Simple as that.
Right from the start, you can benefit from Conditional Access at no cost and with no operational downtime. It’s really a no-brainer here, just enable it if you’re on SCCM 1710+.
Read our related post if you’re ready to enable comanagement in your environment. (Hint: Intune is required so keep reading first).
Start with Microsoft Intune – Create your Intune Portal
Microsoft Intune is a cloud-based enterprise mobility management (EMM) solution that allows businesses to manage and secure their devices, apps, and data. It is a powerful tool that can help organizations increase productivity, reduce costs, and improve security. In this blog post, we will go over the basics of how to get started with Microsoft Intune. It supports Windows and a variety of mobile devices.
Everything is done from the Intune web portal, which is now part of the Azure Portal. If you don’t have an Intune portal yet, you can sign up for a 30-day trial. We also have a blog post that covers only the portal creation.
Once your portal is set up:
- Go to the Azure Portal
- Click All Services on the top left
- In the filter box, enter Intune
- Click the Star icon to add it to your favorites. You can select Microsoft Intune or Intune, it’s the same
- Select Intune from the list
- The Microsoft Intune portal opens in the central pane
Your Intune portal is now ready to manage devices, but there are still more steps to complete before enrolling.
Start with Microsoft Intune – Set the MDM Authority
Before choosing the MDM Authority, read the Microsoft Documentation to understand the key concept. In our post, the MDM Authority will be set to Intune in order to use SCCM Comanagement.
- If you never used Intune before:
You must set the MDM Authority to Intune. (Hint: To use SCCM Comanagement, the MDM authority must be set to Intune)
- If you were using Intune Hybrid with SCCM
You will need to change the MDM Authority to Intune.
Create Users and assign licenses
Before enrolling devices, we need to create users. Users will use these credentials to connect to Intune. For our test, we will create users manually in our Azure Active Directory domain, but you could use Azure AD Connect to sync your existing accounts. This will be a topic for another post…
- In the Azure portal
- Select All services / Intune
- In the Intune pane, select Users
- On the All Users page, click New user on the top
- Enter information for the user, such as Name and User name.
The domain name portion of the user name must be:
- The initial default domain name (.onmicrosoft.com)
- Your verified, non-federated domain name (systemcenterdudes.com)
- Under Profile, complete user information
- Under Properties, you can see that the source of authority is Azure AD
- Under Groups, choose a group to add the user to. If you don’t have any group, skip this step and do not add the user to a group. In our example, we are adding it to the All Intune User group
- Under Directory Role, we will select User as this is a test user and we don’t want to give more rights to this user to our Azure tenant
- The password cannot be changed. Save the user password so that you can use it to sign in to a test device. The user will have to change this password.
- At the bottom of the User pane, select Create
Your user will be listed in All Users.
Intune License Assignment
We now need to assign the user a license that includes Intune before enrollment.
You can assign a license per user, or you can use groups to assign your licenses more effectively.
- Click on the user that you just created
- Click on Licenses at the left
- Click on Assign on the top to assign a license
- Under Products, the available licenses are listed. We will select our EMS E5 license which includes Intune.
- In the Assignment Options, ensure that Intune is ON
- Once configured, at the bottom, click on Assign
Create a Device Policy
Next, you will need to create policies and profiles to manage the devices and apps in your organization. Policies can be used to configure settings such as password complexity, device encryption, and more. Profiles can be used to install apps, configure Wi-Fi settings, and more.
In our example, we will create a basic security setting that will allow monitoring iOS device compliance. We will check for jailbroken devices, check for an OS version, and require a password policy.
- In the Intune portal
- Select Device compliance / Policies / Create Policy
- Enter a Policy Name and a Description
- For the Platform, select iOS
- In Settings, select Device Health, under Jailbroken devices, select Block
- Under Device Properties, in Minimum OS version, enter 11
- Under System Security, enter the desired password settings
- Once created, the policy must be assigned to a group
- Select your policy and select Assignment
- In Assign to, select Selected Groups, click on Select groups to include and select your group and click Select at the bottom
- Click Save to save your assignment
You can also repeat the steps to create a policy for Android and Windows devices.
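The same compliance policy and group assignment can be scripted through Microsoft Graph. This is an added example, not part of the original walkthrough. It assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the group is the All Intune User group used above; the policy name and passcode values are illustrative, since the post leaves the password settings open.

```powershell
# Added example: create the iOS compliance policy from the steps above and
# assign it to a group, using the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'

$policy = @{
    '@odata.type'                  = '#microsoft.graph.iosCompliancePolicy'
    displayName                    = 'iOS - Basic compliance'   # assumed name
    description                    = 'Jailbreak check, minimum OS, passcode'
    securityBlockJailbrokenDevices = $true    # Device Health: Jailbroken devices = Block
    osMinimumVersion               = '11'     # Device Properties: Minimum OS version
    passcodeRequired               = $true    # System Security
    passcodeBlockSimple            = $true    # assumed value
    passcodeMinimumLength          = 6        # assumed value
    # Graph expects a "block" action for noncompliance when a policy is created.
    scheduledActionsForRule        = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0
                   notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Resolve the target group by name and refuse to continue on an ambiguous match.
$groups = Invoke-MgGraphRequest -Method GET `
    -Uri ($graph + '/groups?$filter=displayName eq ''All Intune User''&$select=id')
if (@($groups.value).Count -ne 1) { throw 'Expected exactly one matching group.' }

$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = $groups.value[0].id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Read the assignment back to confirm the policy is actually targeted.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assignments"
"Policy $($created.id) has $(@($check.value).Count) assignment(s)."
```

A compliance policy on its own only marks a device as noncompliant; access to company data is blocked only once a Conditional Access policy requires compliant devices.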
Start with Microsoft Intune – Deploy apps
Once you have created policies and profiles, you can use Intune to deploy apps to your users’ devices. This can be done by creating an app deployment policy and then selecting the apps you want to deploy. You can also use the Intune App Wrapping Tool to wrap apps and make them compatible with Intune.
Monitor and troubleshoot
Finally, you will need to monitor and troubleshoot your Intune environment to ensure that everything is running smoothly. Intune provides a variety of tools for this, including the device and user compliance report, the app usage report, and the device health report. These tools will help you identify and resolve any issues that may arise.
In conclusion, Microsoft Intune is a powerful solution that can help businesses increase productivity, reduce costs, and improve security. By following these steps, you can start with Microsoft Intune and begin managing your devices and apps. Remember to keep monitoring and troubleshooting your environment to ensure that everything is running smoothly.