If you have been following the SCCM community over the past months, you have heard a lot about comanagement, cloud management gateway, cloud distribution point and Intune. You may also have heard that SCCM is dying and that Intune is your only path in the near future to manage your company devices. The good news is that SCCM is not dead; in fact, it has been rolling out new features quarterly for the past 3 years thanks to the new servicing model, and the product group is not slowing down. The bad news is that… well, there’s no bad news… but as a sysadmin, you have a steep learning curve if you’ve not been following the “modern management” storm of the past months.
You may wonder why you would want to go to Intune in the first place. By using only SCCM, you are not exploiting 100% of the features you can manage on Windows 10, and especially on mobile devices.
Using Intune, you can:
- Manage the mobile devices to access company data
- Manage the mobile apps
- Protect your company information
- Ensure devices and apps are compliant
- Use Autopilot to deploy your Windows 10 machines
- Manage the device outside of the company network
And what’s great about modern management is that it’s not an on/off switch. Using SCCM Comanagement, you can go at your own pace and decide which workload is managed by which tool (SCCM or Intune).
If you’re the SCCM administrator and you’ve been asked by your management to start looking at Intune, look no further: this post will wrap it up. We’ll try to guide you in the right direction in order to start with Intune and modern management.
Comanagement was introduced in SCCM 1710. Microsoft wants your devices enrolled in Intune, and Comanagement will help you make the transition. Since 1802, Microsoft has been promoting comanagement all over its platform using the Just4Clicks tag.
But what is comanagement? Comanagement is simply a new SCCM functionality that lets you control your workflow between Intune and SCCM. When enabled, you can decide which workload goes to Intune and which one goes to SCCM. Simple as that.
Right from the start, you can benefit from Conditional Access at no cost and with no operational downtime. It’s really a no-brainer here: just enable it if you’re on SCCM 1710+.
Read our related post if you’re ready to enable comanagement in your environment. (Hint: Intune is required so keep reading first).
Intune is a cloud-based service that lets you manage your devices. It supports Windows and a variety of mobile devices.
Once your portal is set up:
- Go to the Azure Portal
- Click All Services on the top left
- In the filter box, enter Intune
- Click the Star icon to add it to your favourites. You can select Microsoft Intune or Intune; they are the same
- Select Intune from the list
- The Microsoft Intune portal opens in the central pane
Your Intune portal is now ready to manage devices, but there are still more steps to complete before enrolling.
Set the MDM Authority
Before choosing the MDM Authority, read the Microsoft Documentation to understand the key concepts. In our post, the MDM Authority will be set to Intune in order to use SCCM Comanagement.
- If you have never used Intune before: you must set the MDM Authority to Intune. (Hint: To use SCCM Comanagement, the MDM authority must be set to Intune)
- If you were using Intune Hybrid with SCCM: you will need to change the MDM Authority to Intune.
Create Users and assign licences
Before enrolling devices, we need to create users. Users will use these credentials to connect to Intune. For our test, we will create users manually in our Azure Active Directory domain but you could use Azure AD Connect to sync your existing accounts. This will be a topic for another post…
- In the Azure portal
- Select All services / Intune
- In the Intune pane, select Users
- On the All Users page, click New user on the top
- Enter information for the user, such as Name and User name.
The domain name portion of the user name must be:
- The initial default domain name (.onmicrosoft.com)
- Your verified, non-federated domain name (systemcenterdudes.com)
- Under Profile, complete user information
- Under Properties, you can see that the source of authority is Azure AD
- Under Groups, choose a group to add the user to. If you don’t have any group, skip this step and do not add the user to a group. In our example, we are adding it to the All Intune User group
- Under Directory Role, we will select User as this is a test user and we don’t want to give more rights to this user to our Azure tenant
- The password cannot be changed. Save the user password so that you can use it to sign in to a test device. The user will have to change this password.
- At the bottom of the User pane, select Create
Your user will be listed in All Users.
Intune License Assignment
We now need to assign the user a license that includes Intune before enrollment.
You can assign a license per user, or you can use groups to assign your licenses more effectively.
- Click on the user that you just created
- Click on Licenses at the left
- Click on Assign on the top to assign a license
- Under Products, the available licenses are listed. We will select our EMS E5 license, which includes Intune.
- In the Assignment Options, ensure that Intune is ON
- Once configured, at the bottom, click on Assign
Create a Device Policy
Before enrolling a device using this user, it’s best practice to create a basic device policy.
In our example, we will create a basic security policy that allows monitoring iOS device compliance. We will check for jailbroken devices, check for a minimum OS version and require a password policy.
- In the Intune portal
- Select Device compliance / Policies / Create Policy
- Enter a Policy Name and a Description
- For the Platform, select iOS
- In Settings, select Device Health, under Jailbroken devices, select Block
- Under Device Properties, in Minimum OS version, enter 11
- Under System Security, enter the desired password settings
- Once created, the policy must be assigned to a group
- Select your policy and select Assignment
- In Assign to, select Selected Groups, click on Select groups to include and select your group and click Select at the bottom
- Click Save to save your assignment
You can also repeat the steps to create a policy for Android and Windows devices.
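To confirm that the policy built in the steps above is actually in effect, the following added example (not part of the original post and not Microsoft code) audits an exported list of compliance policies against the same baseline: jailbroken devices blocked, minimum OS version 11, password required, and assigned to a group. It assumes the policies were exported as JSON from Microsoft Graph with assignments expanded and uses the Graph iosCompliancePolicy property names; the sample data is constructed and the function names are hypothetical.

```python
import json

# Constructed sample export (not real tenant data). Property names follow the
# Microsoft Graph iosCompliancePolicy resource with assignments expanded.
SAMPLE_EXPORT = json.loads("""[
 {"@odata.type": "#microsoft.graph.iosCompliancePolicy", "displayName": "iOS baseline",
  "securityBlockJailbrokenDevices": true, "osMinimumVersion": "11.0",
  "passcodeRequired": true, "assignments": [{"id": "constructed-1"}]},
 {"@odata.type": "#microsoft.graph.iosCompliancePolicy", "displayName": "iOS legacy",
  "securityBlockJailbrokenDevices": false, "osMinimumVersion": "9.3",
  "passcodeRequired": true, "assignments": [{"id": "constructed-2"}]},
 {"@odata.type": "#microsoft.graph.iosCompliancePolicy", "displayName": "iOS draft",
  "securityBlockJailbrokenDevices": true, "osMinimumVersion": "11",
  "passcodeRequired": true, "assignments": []},
 {"@odata.type": "#microsoft.graph.androidCompliancePolicy", "displayName": "Android",
  "assignments": []}
]""")


def version_tuple(version):
    return tuple(int(p) for p in version.split("."))  # numeric: "9.3" < "11"


def audit_ios_policy(policy, min_os="11"):
    """Return the list of deviations from the baseline built in this post."""
    findings = []
    if not policy.get("securityBlockJailbrokenDevices"):
        findings.append("jailbroken devices are not blocked")
    os_min = policy.get("osMinimumVersion")
    if not os_min:
        findings.append("no minimum OS version is set")
    elif version_tuple(os_min) < version_tuple(min_os):
        findings.append(f"minimum OS version {os_min} is below {min_os}")
    if not policy.get("passcodeRequired"):
        findings.append("no password is required")
    if not policy.get("assignments"):
        findings.append("policy is not assigned to any group")
    return findings


def audit_export(policies):
    # Only iOS policies are audited; other platforms are skipped.
    return {p["displayName"]: audit_ios_policy(p) for p in policies
            if p.get("@odata.type") == "#microsoft.graph.iosCompliancePolicy"}


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name, "->", findings or "matches baseline")
```

The version check compares numerically on purpose: a plain string comparison would rank "9.3" above "11" and let an outdated minimum pass. An unassigned policy is flagged because it evaluates no devices.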
You are now ready to enroll devices to Intune and begin your modern management journey. We will be covering device enrollment and many other Intune topics in further posts… stay tuned!!
Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 5 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.