The Microsoft Intune product family covers desktop management in three ways: an on-premises platform with Configuration Manager, a cloud platform with Microsoft Intune and a bridge from on premises to the cloud with co-management.
Co-management allows organizations to transition to cloud management at their own pace by combining Configuration Manager and Intune on the same Windows 10 or 11 management plane.
Desktop administrators should familiarize themselves with the Microsoft Configuration Manager setup process so that they have a solid grasp of both the setup itself and the capabilities of the platform.
Setting up a Microsoft Intune deployment with co-management
One of the main benefits of deploying the Microsoft Intune products is that the admin center functions as the single location for many administrative tasks. IT has to set up an Intune tenant to get started with the Microsoft Intune admin center. Even organizations that already use Configuration Manager should set up an Intune tenant to begin the co-management setup process.
The Intune tenant requires at least an Intune subscription for standalone usage. Some alternatives to this license are an Enterprise Mobility + Security (EMS) subscription or a Microsoft 365 subscription. For testing and evaluation purposes, it's also possible to start with a free trial.
The following steps walk through the basics for setting up a new Intune tenant. However, these steps are much more straightforward for organizations that already have a presence in Azure Active Directory (Azure AD).
- Open the Intune setup page and walk through the following four steps, if needed:
  - Let's set up your account. This step requires the IT administrator to specify an email address. The setup wizard will recognize if organizations are already using other Microsoft services -- Azure AD in particular -- and the IT administrator can choose to sign in and use that account. An existing account linked to Microsoft services would save the IT administrator from going through the next steps.
  - Tell us about yourself. This step requires the IT administrator to specify some personal information and information about the organization. Intune will use this info to create a new account.
  - Create your business identity. This step requires the IT admin to specify a domain name to represent the organization. Intune will add that domain name in front of .onmicrosoft.com, and the setup wizard will immediately verify the availability of the domain name. Keep in mind that organizations cannot duplicate an existing domain name. Also, IT admins can adjust this placeholder name to a fully custom domain name at a later point in the setup process. This step also requires the IT administrator to create a username and password for accessing the tenant.
  - You're all set. This step doesn't require any additional actions from the IT administrator. Microsoft then creates the tenant, and the IT administrators can use the account they just created to sign in.
- Open the Microsoft Intune admin center portal and sign in with the new username and password.
- Verify the MDM authority in the Microsoft Intune admin center portal by navigating to Tenant administration. The MDM authority should be Microsoft Intune.
- Configure the custom domain name mentioned above (optional). This will eventually enable users to enroll devices with an @organizationname.com address instead of an @organizationname.onmicrosoft.com address, which allows for a single user principal name across all Microsoft 365 services. IT can add a custom domain name via the Microsoft 365 admin center; the first step is to sign in using the previously created administrative username and password. IT should then navigate to Setup > Domains > Add domain. From there, add the custom domain name and verify the ownership of that domain name.
To start testing with the new Intune tenant, IT administrators have to create user accounts or synchronize user accounts and then provide those accounts with a valid license. Without a license, the users will not be able to enroll devices into Intune.
Integrating Microsoft Intune with existing infrastructure
Organizations moving from a Configuration Manager environment to Microsoft Intune admin center or transitioning management workloads to Intune have two main options. These are tenant attach and co-management.
Tenant attach connects a Configuration Manager environment to the cloud and the Intune tenant. This allows IT administrators to bring devices from the on-premises environment into the Microsoft Intune admin center without manually re-enrolling them. From there, IT administrators have a single place to perform the most important management tasks on all enrolled devices within the organization, on premises and in the cloud. Starting with Configuration Manager version 2111, enabling tenant attach became considerably easier. To configure both tenant attach and co-management, the IT administrator can use the wizard's default settings. The following steps walk through that process:
- Open the Microsoft Configuration Manager admin console and navigate to Administration > Overview > Cloud services > Cloud Attach.
- In the ribbon on the Home tab, click Configure Cloud Attach to open the Cloud Attach Configuration Wizard.
- On the Cloud attach page, configure the following:
  - Azure environment: Select AzurePublicCloud.
  - Click Sign-in to sign in with a global administrator account in the tenant and click Yes in the prompt to register an app in Azure AD to authorize the synchronization of data.
  - Select Use default settings (recommended).
  - Click Next once the configurations are complete.
- On the Summary page, verify the configured settings and click Next.
- On the Completion page, click Close.
Note: To configure only tenant attach, use the Customize settings option on the Cloud attach page.
On the other hand, co-management focuses on fully transitioning device management functions from Configuration Manager to Intune. IT can perform this transition at whatever pace fits the organization, because this method allows admins to easily switch workloads between Configuration Manager and Intune. This way, IT keeps full control over those workloads and can run the Configuration Manager and Intune clients side by side on the same devices. The recommended settings in the Cloud Attach Configuration Wizard also enable co-management.
Note: To configure only co-management, use the Customize settings option on the Cloud attach page.
Once the IT administrator has configured tenant attach and co-management, the whole admin team can view and manage devices under Configuration Manager's control via the Microsoft Intune admin center. It's important to remember that the user account performing device actions must be a synced user object with the required permissions in both Configuration Manager and Intune. In addition, Configuration Manager-enrolled devices still require the Configuration Manager infrastructure and its different channels for management tasks.
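Because a co-managed device follows Intune policy only for the workloads that have actually been switched over, it helps to confirm on an individual client which management plane currently owns which workload and whether the device is Azure AD joined and MDM enrolled at all. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the CoManagementHandler and Enrollments registry keys that the Configuration Manager and MDM clients write, and the workload-to-bit mapping in the script is an assumption to check against the Configuration Manager documentation for the client version in use. dsregcmd is the built-in Windows join-state tool.

```powershell
# Added example (not from the article): report a Windows client's co-management state.
# Run in an elevated PowerShell session on a device that has the Configuration Manager client.
# Assumptions (labelled): the two registry keys below are written by the Configuration Manager
# client and the MDM client; the workload bit mapping is assumed and should be verified against
# the Configuration Manager documentation for the client version you run.

$coMgmtKey = 'HKLM:\SOFTWARE\Microsoft\CCM\CoManagementHandler'
$enrollKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

# Bit 1 of CoManagementFlags means co-management is enabled; the remaining bits mark the
# workloads that have been switched from Configuration Manager to Intune (assumed mapping).
# String keys are used on purpose: an ordered dictionary indexed by an integer is positional.
$workloadBits = [ordered]@{
    '2'   = 'Compliance policies'
    '4'   = 'Resource access policies'
    '8'   = 'Device configuration'
    '16'  = 'Windows Update policies'
    '32'  = 'Endpoint Protection'
    '64'  = 'Client apps'
    '128' = 'Office Click-to-Run apps'
}

function Get-CoManagementState {
    $flags = (Get-ItemProperty -Path $coMgmtKey -ErrorAction SilentlyContinue).CoManagementFlags
    if ($null -eq $flags) {
        # No handler key: the device is not co-managed (or the CM client is not installed).
        return [pscustomobject]@{ Enabled = $false; Flags = $null; IntuneWorkloads = @() }
    }
    $moved = foreach ($entry in $workloadBits.GetEnumerator()) {
        $bit = [int]$entry.Key
        if (($flags -band $bit) -eq $bit) { $entry.Value }
    }
    [pscustomobject]@{
        Enabled         = (($flags -band 1) -eq 1)
        Flags           = $flags
        IntuneWorkloads = @($moved)
    }
}

function Get-MdmEnrollment {
    # Each enrollment is a GUID-named subkey; an Intune MDM enrollment carries ProviderID 'MS DM Server'.
    Get-ChildItem -Path $enrollKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.PSObject.Properties['ProviderID']) {
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                ProviderID      = $props.ProviderID
                EnrollmentState = $props.EnrollmentState
            }
        }
    }
}

# Join state as reported by the OS; dsregcmd prints one 'Name : Value' line per property.
$joinLines = (dsregcmd.exe /status) | Where-Object { $_ -match '^\s*(AzureAdJoined|DomainJoined)\s*:' }

$state = Get-CoManagementState
Write-Host "Co-management enabled : $($state.Enabled) (CoManagementFlags = $($state.Flags))"
if ($state.IntuneWorkloads.Count -gt 0) {
    Write-Host "Workloads in Intune   : $($state.IntuneWorkloads -join ', ')"
} else {
    Write-Host "Workloads in Intune   : none (all workloads remain with Configuration Manager)"
}
$joinLines | ForEach-Object { Write-Host $_.Trim() }
Get-MdmEnrollment | Format-Table -AutoSize
```

The output matters from a policy standpoint: a compliance or endpoint-protection policy authored in Intune has no effect on a device whose corresponding workload still sits with Configuration Manager, so a device that looks enrolled in the admin center can still be governed by the on-premises policy for that workload. Checking the flags on a pilot device after the wizard finishes is a quick way to catch that mismatch.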
A tour of Microsoft Configuration Manager's functionalities
When an organization uses Microsoft Intune products -- on premises, in the cloud or both -- the IT administrators have many options available for device management. After IT configures co-management and tenant attach, many more features become available in the Microsoft Intune admin center. This includes functionalities for enrolling, configuring and managing devices.
- Device enrollment. For device enrollment, IT administrators can rely on Windows Autopilot to ensure that the device joins with Azure AD, Intune, and, if necessary, Configuration Manager.
- Device configuration profiles. For configuring Intune-managed devices, IT administrators can rely on various configuration profiles. The profiles can cover many subjects such as Wi-Fi, VPNs, certificates, device restrictions and even custom profiles.
- Device compliance profiles. For verifying compliance of Intune-managed devices, IT administrators can use compliance policies to define a minimum baseline that devices should meet. The baseline can focus on subjects such as encryption, app versions and the patch-level of the OS. The devices' compliance status can determine access to company data and resources.
- Device information. For viewing device info, IT administrators have access to the information that Intune and Configuration Manager provide. A lot of useful information about the hardware and the software is available to guide IT's decisions.
- Endpoint security. IT can manage device security for Intune and Configuration Manager-managed devices via different security policies that focus on encryption, antivirus and firewall.
- Apps. IT administrators can take advantage of Intune's many supported app types. This includes the most common app types such as MSI, MSIX, Microsoft Store and Win32 apps.
- Reporting. Reporting covers viewing and verifying information about the devices and the deployment statuses of apps, policies and profiles. IT administrators gain insight into devices through the multiple built-in reports in Intune.
- Endpoint analytics. To verify the performance of Intune-managed devices, IT administrators can rely on the information these analytics provide -- numerous insights that even include app crash information. In addition, Intune can run proactive remediations to address potential issues.