How to start your Modern Management journey as an SCCM Administrator

Benoit Lecours | SCCM

If you have been following the SCCM community for the past months, you’ve been hearing a lot about comanagement, cloud management gateway, cloud distribution point and Intune. You may also have heard that SCCM is dying and that Intune is your only path in the near future to manage your company devices. The good news is that SCCM is not dead. In fact, it has been rolling out new features quarterly for the past 3 years thanks to the new servicing model, and the product group is not slowing down. The bad news is that… well, there’s no bad news… but as a sysadmin, you have a steep learning curve if you have not been following the “modern management” storm of the past months.

You may wonder why you would want to go to Intune in the first place. By using only SCCM, you are not exploiting 100% of the features you can manage on Windows 10 and especially on mobile devices.

Using Intune, you can:

  • Manage the mobile devices to access company data
  • Manage the mobile apps
  • Protect your company information
  • Ensure devices and apps are compliant
  • Use Autopilot to deploy your Windows 10 machines
  • Manage the device outside of the company network

And what’s great about modern management is that it’s not an on/off switch. Using SCCM Comanagement, you can go at your own pace and decide which workload is managed by which tool (SCCM or Intune).

If you’re the SCCM administrator and you’ve been asked to start looking at Intune by your management, look no further, this post will wrap it up. We’ll try to guide you in the right direction in order to start with Intune and modern management.

SCCM CoManagement

Comanagement was introduced in SCCM 1710. Microsoft wants your devices enrolled in Intune, and comanagement will help you make the transition. Since 1802, Microsoft has been promoting comanagement all over its platform using the Just4Clicks tag.

But what is comanagement? Comanagement is simply a new SCCM functionality that lets you control your workflow between Intune and SCCM. When enabled, you can decide which workload goes to Intune and which one goes to SCCM. Simple as that.

Right from the start, you can benefit from Conditional Access at no cost and with no operational downtime. It’s really a no-brainer here, just enable it if you’re on SCCM 1710+.

Read our related post if you’re ready to enable comanagement in your environment. (Hint: Intune is required so keep reading first).

Intune Portal

Intune is a cloud-based service that lets you manage your devices. It supports Windows and a variety of mobile devices.

Everything is done from the Intune web portal, which is now part of the Azure Portal. If you don’t have an Intune portal yet, you can sign up for a 30-day trial.

Once your portal is set up:

  • In the filter box, enter Intune
  • Click the Star icon to add it to your favourites. You can select Microsoft Intune or Intune, it’s the same
  • Select Intune from the list
  • The Microsoft Intune portal opens in the central pane

Your Intune portal is now ready to manage devices, but there are still more steps to complete before enrolling.

Set the MDM Authority

Before choosing the MDM Authority, read the Microsoft Documentation to understand the key concept. In our post, the MDM Authority will be set to Intune in order to use SCCM Comanagement.

  • If you have never used Intune before:

You must set the MDM Authority to Intune. (Hint: To use SCCM Comanagement, the MDM authority must be set to Intune.)

  • If you were using Intune Hybrid with SCCM:

You will need to change the MDM Authority to Intune.

Create Users and assign licences

Before enrolling devices, we need to create users. Users will use these credentials to connect to Intune. For our test, we will create users manually in our Azure Active Directory domain but you could use Azure AD Connect to sync your existing accounts. This will be a topic for another post…

  • In the Azure portal
  • Select All services / Intune
  • In the Intune pane, select Users

  • On the All Users page, click New user on the top
  • Enter information for the user, such as Name and User name.

Important Info

The domain name portion of the user name must be either:

  • The initial default domain name (.onmicrosoft.com)
  • Your verified, non-federated domain name (systemcenterdudes.com)

  • Under Profile, complete user information
  • Under Properties, you can see that the source of authority is Azure AD
  • Under Groups, choose a group to add the user to. If you don’t have any group, skip this step and do not add the user to a group. In our example, we are adding it to the All Intune User group
  • Under Directory Role, we will select User, as this is a test user and we don’t want to give this user more rights to our Azure tenant
  • The password shown cannot be changed at this point. Save it so that you can use it to sign in to a test device. The user will have to change this password.
  • At the bottom of the User pane, select Create

Your user will be listed in All Users. 

Intune License Assignment

We now need to assign the user a license that includes Intune before enrollment.

Important Info

You can assign licenses to individual users, or you can use groups to assign licenses more effectively.

  • Click on the user that you just created
  • Click on Licenses at the left
  • Click on Assign on the top to assign a license
  • Under Products, the available licenses are listed. We will select our EMS E5 license, which includes Intune.
  • In the Assignment Options, ensure that Intune is ON
  • Once configured, at the bottom, click on Assign

Create a Device Policy

Before enrolling a device using this user, it’s best practice to create a basic device policy.

In our example, we will create a basic security setting which will allow monitoring iOS device compliance. We will check Jailbroken devices, check for an OS version and require a password policy.

  • In the Intune portal
  • Select Device compliance / Policies / Create Policy

  • Enter a Policy Name and a Description
  • For the Platform, select iOS
  • In Settings, select Device Health, under Jailbroken devices, select Block
  • Under Device Properties, in Minimum OS version, enter 11
  • Under System Security, enter the desired password settings

  • Once created, the policy must be assigned to a group
  • Select your policy and select Assignment
  • In Assign to, select Selected Groups, click on Select groups to include and select your group and click Select at the bottom
  • Click Save to save your assignment
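
A check for the policy built in the steps above, as an added example that is not from the original post: it audits iOS compliance policies in the JSON shape Microsoft Graph returns and flags any that miss the three settings used here or were never assigned to a group. The sample policies, display names and group ID are constructed, and the baseline value is an assumption taken from this post's example.

```python
# Added example (not from the original post). POLICIES is constructed sample
# data in the shape returned by Microsoft Graph for
# GET /deviceManagement/deviceCompliancePolicies?$expand=assignments
IOS_TYPE = "#microsoft.graph.iosCompliancePolicy"
BASELINE_MIN_OS = "11"  # the Minimum OS version entered in this post

def version_tuple(text):
    """'11.0.1' -> (11, 0, 1), so '9.3' compares below '11' (unlike strings)."""
    return tuple(int(part) for part in text.split("."))

def audit_ios_policy(policy, baseline_min_os=BASELINE_MIN_OS):
    """Return a list of findings; an empty list means the baseline is met."""
    if policy.get("@odata.type") != IOS_TYPE:
        return ["not an iOS compliance policy"]
    findings = []
    if not policy.get("securityBlockJailbrokenDevices"):
        findings.append("jailbroken devices are not blocked")
    min_os = policy.get("osMinimumVersion")
    if not min_os:
        findings.append("no minimum OS version set")
    elif version_tuple(min_os) < version_tuple(baseline_min_os):
        findings.append(f"minimum OS {min_os} is below {baseline_min_os}")
    if not policy.get("passcodeRequired"):
        findings.append("passcode is not required")
    if not policy.get("assignments"):  # an unassigned policy applies to no one
        findings.append("policy is not assigned to any group")
    return findings

def audit_all(policies):
    """Map each policy's displayName to its findings."""
    return {p["displayName"]: audit_ios_policy(p) for p in policies}

GROUP = {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
         "groupId": "00000000-0000-0000-0000-000000000001"}  # placeholder ID
POLICIES = [
    {"@odata.type": IOS_TYPE, "displayName": "iOS - Basic security",
     "securityBlockJailbrokenDevices": True, "osMinimumVersion": "11.0",
     "passcodeRequired": True, "assignments": [{"target": GROUP}]},
    {"@odata.type": IOS_TYPE, "displayName": "iOS - Draft",
     "securityBlockJailbrokenDevices": False, "osMinimumVersion": "9.3",
     "passcodeRequired": True, "assignments": []},
]

if __name__ == "__main__":
    for name, findings in audit_all(POLICIES).items():
        print(name, "->", findings or "meets the baseline")
```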


You can also repeat the steps to create a policy for Android and Windows devices.


You are now ready to enroll devices to Intune and begin your modern management journey. We will be covering device enrollment and many other Intune topics in further posts… stay tuned!!


Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 5 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.
