Monday 13 November 2023

Migrate SCCM to Intune Using Co-Management

Cloud attach allows organizations to use MECM to manage devices that are enrolled in Microsoft Intune, without the need to install the MECM client on the device. This lets organizations take advantage of the advanced management capabilities of MECM while still using Intune for device enrollment and basic management tasks.

Co-management, on the other hand, allows organizations to use both MECM and Intune to manage the same set of devices. With co-management, organizations can use MECM for traditional device management tasks, such as deploying software and updates, while using Intune for modern management tasks, such as mobile device management and conditional access.

Prerequisites

Azure Active Directory Premium

An Azure account that is a global admin and has a Microsoft Intune subscription.

Configure a hybrid Azure AD join using Azure AD Connect

Configure Client Settings to direct clients to register with Azure AD

Configure auto-enrollment of devices to Intune.

Setting up Co-management in MECM


Configure a hybrid Azure AD join using Azure AD Connect

• Use Client Settings to configure Configuration Manager clients to automatically register with Azure AD.

• Open the Configuration Manager console and go to: \Administration\Overview\Client Settings.

• Edit the default Client Settings and select Cloud Services. Set Automatically register new Windows 10 domain joined devices with Azure Active Directory to Yes. Select OK.

Configure auto-enrollment of devices to Intune.

With automatic enrollment, devices you manage with Configuration Manager automatically enroll with Intune.

Automatic enrollment also lets users enroll their Windows 10 devices in Intune. Devices enroll when a user adds their work account to their personally owned device, or when a corporate-owned device is joined to Azure Active Directory.

Sign in to the Azure portal and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

Configure MDM user scope. Specify one of the following to configure which users’ devices are managed by Microsoft Intune and accept the defaults for the URL values.

• Some: Select the groups whose users can automatically enroll their Windows 10 devices

• All: All users can automatically enroll their Windows 10 devices

• None: Disable MDM automatic enrollment

We can select All, or a specific group containing the devices that are part of the cloud attach or co-management collection.

Setting up Co-management in MECM

Open your MECM console and go to: \Administration\Overview\Cloud Services\Co-management and click on Configure co-management.

Click Sign In.

Sign in with the Intune organizational account (this account must have an Enterprise Mobility + Security (EMS) subscription). It must also have Global Administrator rights in the Azure AD tenant.

Click Yes to accept the Create AAD Application notification.

Select All my devices managed by MECM, or select a specific collection, and check Enable Endpoint Analytics for devices uploaded to MECM. Click Next >.

Now select how you want to automatically enroll your devices in Intune:

1. None of your devices.

2. Pilot a collection of devices. In the case of Pilot, you can select which collections to add from your list.

3. All of the devices that are managed by MECM.

Now let's select which workloads we want Intune to manage instead of MECM. Slide all of the workloads to Pilot Intune, so we can assign each workload to different collections.

Once the workload is applied, you can verify it in the Microsoft Endpoint Manager admin center: navigate to Devices > Windows > Windows devices, click on the device, and the workload information is shown under Co-management.
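The same state can be checked from the client side. The script below is an added example, not part of the original post: it reads the hybrid Azure AD join state from dsregcmd, looks for an Intune MDM enrollment, and decodes which workloads the Configuration Manager client has handed to Intune. The registry path HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags, the ProviderID value "MS DM Server" and the workload bit values are assumptions taken from Microsoft's co-management documentation; confirm them against your Configuration Manager version before relying on the output.

```powershell
# Added example: client-side verification of a co-managed Windows device.
# Assumption: bit meanings of CoManagementFlags follow Microsoft's
# co-management monitoring documentation (bit 1 is always set when enabled).
$workloadBits = [ordered]@{
    1   = 'Co-management enabled'
    2   = 'Compliance policies'
    4   = 'Resource access policies'
    8   = 'Device configuration'
    16  = 'Windows Update policies'
    32  = 'Endpoint Protection'
    64  = 'Client apps'
    128 = 'Office Click-to-Run apps'
}

function Get-CoManagementState {
    # 1. Hybrid Azure AD join: both DomainJoined and AzureAdJoined must be YES.
    $dsreg = dsregcmd /status
    $azureJoined  = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')

    # 2. MDM enrollment: an enrollment whose ProviderID is the Intune DM server
    #    (assumed value 'MS DM Server').
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    # 3. Workloads moved to Intune, decoded from the ConfigMgr client flags
    #    (assumed registry location).
    $flags = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags `
              -ErrorAction SilentlyContinue).CoManagementFlags
    $workloads = foreach ($bit in $workloadBits.Keys) {
        if ($flags -band $bit) { $workloadBits[$bit] }
    }

    [pscustomobject]@{
        HybridAzureADJoined = ($azureJoined -and $domainJoined)
        IntuneEnrolled      = [bool]$enrollments
        CoManagementFlags   = $flags
        IntuneWorkloads     = ($workloads -join ', ')
    }
}

# Run on the client (elevated PowerShell) and compare with the admin center view.
Get-CoManagementState | Format-List
```

A device that shows HybridAzureADJoined and IntuneEnrolled as True but an empty workload list has enrolled correctly and is simply waiting for the co-management policy to apply.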

