Co-Management with ConfigMgr works with endpoints running the Windows 10 Fall Creators Update (1709). This feature provides a bridge from traditional to modern management for IT. It lets IT shops manage a single device simultaneously from both ConfigMgr and an MDM solution such as Microsoft Intune.
What Is Modern Management?
Microsoft has introduced the concept of modern management to describe moving away from traditional management with on-premises infrastructure. Traditionally IT builds and maintains its infrastructure in its own on-premises data center to deliver services like Active Directory (AD). In this scenario, AD handles such things as identity, access to company resources, Exchange for messaging, file services, and applications.
Organizations have been slowly moving more of their services and applications to the cloud with Software-as-a-Service, such as Office 365 with online mail accounts bound to Azure AD.
Modern management is the Microsoft vision for the future of IT, cutting ties from an on-premises Data Center or Active Directory. Instead, modern management leverages cloud services. Azure AD can be used for identity and access management. SaaS solutions handle messaging, security, and other needs. Microsoft moves the IT management workloads into their cloud based services like the Enterprise Mobility + Security (EMS) suite.
What Is Co-Management?
Recognizing that moving from traditional to modern management is a journey for most organizations and not an overnight affair, Microsoft has introduced co-management to enable a bridge between the two. Previously, your endpoint-devices could either be managed by Intune or ConfigMgr, but not both at the same time. Co-management now allows you to manage your devices using both. You can also choose to move specific workloads from ConfigMgr to Intune.
Microsoft has provided the following graphic to demonstrate a practical move to modern Windows 10 management:
Microsoft provided the following graphic to provide a visual of co-management:
Why Should I Use Co-Management?
You may think, “That is great, but I’m happy with my on-premises ConfigMgr solution. Why should I use it?”
Co-management enables organizations to take advantage of the new features and capabilities that Microsoft is investing in their SaaS offerings while allowing each to move at their own pace to modern management. Enterprises can leverage MDM features like conditional access policies, while still using ConfigMgr to deliver more complex software deployments that Intune is not yet capable of. You also gain the ability to perform remote actions like wiping or factory resetting devices remotely through the Intune portal.
Once you have your foot in the door with Intune, if you are licensed for EMS E5 you should take advantage of Advanced Threat Analytics. You can also get analytics for things like Windows Upgrade, and Windows Updates for some great compliance dashboards, even if you are still using ConfigMgr for your patching workflows. The analytics even provides Windows Update data for clients that rarely connect to the environment.
As you become comfortable with the technologies you can determine which workloads make sense to move from traditional to modern management. ConfigMgr provides a simple interface to slide over workloads to modern management for:
- Compliance policies
- Resource access policies
- Windows Updates policies
Another feature Microsoft introduction in 1610 is the Cloud Management Gateway which gives you the capability to clients over the Internet without the complex setup of the Internet Based Client Management (IBCM) and in a more secure way. Throw in a cloud distribution point and you can serve content when the client is out in the wild.
This also lays the foundation for taking advantage of Microsoft AutoPilot, which I will discuss in an upcoming blog.
What is Required
You will need the following to take advantage of co-management:
- ConfigMgr 1710 or later
- Windows 10 version 1709 (Fall Creators Update) or later
- Azure AD (with clients joined to both AD and AAD)
- EMS or Intune license for all users
- Intune subscription (MDM authority in Intune set to Intune)
You will need the following to take advantage of the cloud management gateway:
- Client computers and the site system server running the cloud management gateway connector point.
- Custom SSL certificates from the internal CA – used to encrypt communication from the client computers and authenticate the identity of the cloud management gateway service.
- Azure subscription for cloud services.
- Azure management certificate – used to authenticate Configuration Manager with Azure.
How Do I Set It Up?
After reviewing Microsoft’s online planning documentation, you may also choose to review community articles with step-by-step instructions, but at a high-level the following steps should be followed:
- Upgrade your ConfigMgr environment to 1710
- Upgrade your Windows 10 clients to 1709
- Setup an Azure AD Subscription (if you don’t have one already)
- Setup and configure your Cloud Management Gateway
- Setup and configure your Cloud Distribution Point (Optional – if you want clients to get content over Internet)
- Setup and configure policies (pilot and/or production) to and deploy co-management to existing clients
Do ConfigMgr Alternate Content Providers Work with Co-Management?
Yes. Adaptiva OneSite Anywhere is 100% compatible with on-premises ConfigMgr co-management. You can manage some aspects of endpoints with an MDM solution such as Intune while also leveraging the full power of OneSite Anywhere. To learn more about OneSite Anywhere, the fastest way to distribute content across the enterprise, request a personalized demonstration.