
If you have been following the SCCM community for the past few months, you've been hearing a lot about comanagement, the cloud management gateway, the cloud distribution point and Intune. You may also have heard that SCCM is dying and that Intune will soon be your only way to manage your company devices. The good news is that SCCM is not dead: it has been shipping new features quarterly for the past 3 years thanks to the new servicing model, and the product group is not slowing down. The bad news is that... well, there's no bad news, but as a sysadmin you face a steep learning curve if you have not been following the "sccm intune modern management" storm of the past months.

You may wonder why you would want to go to Intune in the first place. By using only SCCM you are not exploiting 100% of the features available to manage Windows 10, and even less so for mobile devices.

Using Intune, you can:

Manage the mobile devices to access company data

Manage the mobile apps

Protect your company information

Ensure devices and apps are compliant

Use Autopilot to deploy your Windows 10 machines

Manage the device outside of the company network

And what's great about modern management is that it's not an on/off switch. Using SCCM Comanagement, you can go at your own pace and decide which workload is managed by which tool (SCCM or Intune).

If you're the SCCM administrator and your management has asked you to start looking at Intune, look no further: this post wraps it up. We'll try to guide you in the right direction to get started with Intune and modern management.

SCCM CoManagement

Comanagement was introduced in SCCM 1710. Microsoft wants your devices enrolled in Intune, and comanagement helps you make that transition. Since 1802, Microsoft has been promoting comanagement with the Just4Clicks tag all over its platforms.

But what is comanagement? Comanagement is simply a new SCCM feature that lets you split management workloads between Intune and SCCM. When it is enabled, you decide which workload goes to Intune and which one stays with SCCM. Simple as that.

Right from the start, you can benefit from Conditional Access at no additional cost and with no operational downtime. It's really a no-brainer: just enable it if you're on SCCM 1710+.

Read our related post if you're ready to enable comanagement in your environment. (Hint: Intune is required, so keep reading first.)

Intune Portal

Intune is a cloud-based service that lets you manage your devices. It supports Windows and a variety of mobile platforms.

Everything is done from the Intune web portal, which is now part of the Azure Portal. If you don't have an Intune tenant yet, you can sign up for a 30-day trial.

Once your portal is set up:

Go to the Azure Portal

Click All Services on the top left

In the filter box, enter Intune

Click the Star icon to add it to your favourites. You can select either Microsoft Intune or Intune; they are the same

Select Intune from the list

The Microsoft Intune portal opens in the central pane

Your Intune portal is now ready to manage devices, but there are still a few steps to complete before enrolling.

Set the MDM Authority

Before choosing the MDM Authority, read the Microsoft documentation to understand the key concepts. In this post, the MDM Authority will be set to Intune in order to use SCCM Comanagement.

If you have never used Intune before:

You must set the MDM Authority to Intune. (Hint: to use SCCM Comanagement, the MDM Authority must be set to Intune.)

If you were using Intune Hybrid with SCCM:

You will need to change the MDM Authority from Configuration Manager to Intune.

Create Users and assign licences

Before enrolling devices, we need to create users. Users will use these credentials to sign in to Intune. For our test, we will create users manually in our Azure Active Directory tenant, but you could use Azure AD Connect to sync your existing accounts. That will be a topic for another post...

In the Azure portal

Select All services / Intune

In the Intune pane, select Users

On the All Users page, click New user on the top

Enter information for the user, such as Name and User name.

Important Info: The domain name portion of the user name must be either the initial default domain name (.onmicrosoft.com) or your verified, non-federated domain name (systemcenterdudes.com)

Under Profile, complete user information

Under Properties, you can see that the source of authority is Azure AD

Under Groups, choose a group to add the user to. If you don’t have any group, skip this step and do not add the user to a group. In our example, we are adding it to the All Intune User group

Under Directory Role, leave User selected. This is a test user and we don't want to give it any additional rights over our Azure tenant; only assign a directory role to accounts that actually need to administer the tenant

The auto-generated password cannot be edited here. Save the user password so that you can use it to sign in to a test device. The user will be required to change this password at first sign-in.

At the bottom of the User pane, select Create

Your user will be listed in All Users.

Intune License Assignment

We now need to assign the user with a license that includes Intune before enrollment.

Important Info: You can assign a license per user, or you can use groups (group-based licensing) to assign licenses more efficiently

Click on the user that you just created

Click on Licenses at the left

Click on Assign on the top to assign a license

Under Products, the available licenses are listed. We will select our EMS E5 license, which includes Intune.

Under Assignment Options, ensure that Intune is ON

Once configured, at the bottom, click on Assign
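The same user creation and license assignment done from PowerShell with the AzureAD module, as an added example that is not part of the original post. It assumes the AzureAD module is installed (Windows PowerShell 5.1), that the tenant's initial domain is contoso.onmicrosoft.com, that a group named "All Intune User" exists, and that the EMS E5 SKU appears in the tenant under the SkuPartNumber EMSPREMIUM; the user principal name, display name and usage location are placeholders. It also adds the checks a practitioner would want: a randomly generated initial password rather than one typed into a script, a free-seat check before assigning the license, and a confirmation that the Intune service plan is actually provisioned on the account.

```powershell
# Added example (not from the original post): create the test user, add it to the
# "All Intune User" group and assign the EMS E5 license with the AzureAD module.
# Assumptions: AzureAD module installed, initial domain contoso.onmicrosoft.com,
# group "All Intune User" and the EMSPREMIUM SKU exist in the tenant.

Connect-AzureAD   # interactive sign-in with an account allowed to create users and assign licenses

$Upn       = 'intunetest@contoso.onmicrosoft.com'   # assumption: .onmicrosoft.com or a verified, non-federated domain
$GroupName = 'All Intune User'
$SkuPart   = 'EMSPREMIUM'                           # assumption: SkuPartNumber of EMS E5 in this tenant

# Generate a random initial password instead of hard-coding one in the script.
Add-Type -AssemblyName System.Web
$InitialPassword = [System.Web.Security.Membership]::GeneratePassword(16, 4)

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $InitialPassword
$PasswordProfile.ForceChangePasswordNextLogin = $true   # user must change it at first sign-in

# UsageLocation is mandatory before a license can be assigned.
$User = New-AzureADUser -DisplayName 'Intune Test' `
                        -UserPrincipalName $Upn `
                        -MailNickName 'intunetest' `
                        -AccountEnabled $true `
                        -PasswordProfile $PasswordProfile `
                        -UsageLocation 'CA'
# No directory role is assigned: the account stays a plain user, matching the portal steps.

# Group membership (the "Groups" step in the portal)
$Group = Get-AzureADGroup -SearchString $GroupName | Select-Object -First 1
if ($Group) { Add-AzureADGroupMember -ObjectId $Group.ObjectId -RefObjectId $User.ObjectId }

# License assignment (the "Licenses / Assign" step in the portal)
$Sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPart }
if (-not $Sku) { throw "SKU $SkuPart not found in this tenant" }
if ($Sku.PrepaidUnits.Enabled -le $Sku.ConsumedUnits) { throw "No free $SkuPart licenses left" }

$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = $Sku.SkuId
# DisabledPlans is left empty so every service plan, Intune (INTUNE_A) included, stays ON.
$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$Licenses.AddLicenses = $License
Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses

# Check: the Intune service plan must be present on the account for enrollment to work.
$IntunePlan = Get-AzureADUserLicenseDetail -ObjectId $User.ObjectId |
    Select-Object -ExpandProperty ServicePlans |
    Where-Object { $_.ServicePlanName -eq 'INTUNE_A' }
if (-not $IntunePlan) { throw "Intune service plan is not enabled for $Upn" }

Write-Host "Created $Upn. Hand the initial password over out-of-band: $InitialPassword"
```

Hand the generated password to the tester through a separate channel and clear it from the console history afterwards; the ForceChangePasswordNextLogin flag limits its lifetime to the first sign-in.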

Create a Device Policy

Before enrolling a device with this user, it's best practice to create a basic device compliance policy.

In our example, we will create a basic security policy that monitors iOS device compliance. It blocks jailbroken devices, requires a minimum OS version and enforces a password policy.

In the Intune portal

Select Device compliance / Policies / Create Policy

Enter a Policy Name and a Description

For the Platform, select iOS

In Settings, select Device Health, and under Jailbroken devices select Block

Under Device Properties, in Minimum OS version, enter 11

Under System Security, enter the desired password settings

Once created, the policy must be assigned to a group

Select your policy and select Assignments

In Assign to, select Selected Groups, click Select groups to include, select your group and click Select at the bottom

Click Save to save your assignment

You can also repeat the steps to create a policy for Android and Windows devices.
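The same iOS compliance policy created and assigned through the Microsoft Graph API, as an added example that is not part of the original post. It assumes that $AccessToken already holds a bearer token for https://graph.microsoft.com with the DeviceManagementConfiguration.ReadWrite.All permission (obtained beforehand, for instance with an app registration) and that $GroupId holds the object ID of the Azure AD group to target; the policy name, description and passcode values are placeholders. The block also reads the policy back to confirm the jailbreak block and the assignment are in place, since a compliance policy that is not assigned evaluates nothing.

```powershell
# Added example (not from the original post): create the iOS compliance policy from the
# portal steps through Microsoft Graph and assign it to a group.
# Assumptions: $AccessToken is a valid Graph bearer token with
# DeviceManagementConfiguration.ReadWrite.All; $GroupId is the target group's object ID.

$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

# Mirrors the portal steps: block jailbroken devices, require iOS 11+, require a passcode.
$Policy = @{
    '@odata.type'                         = '#microsoft.graph.iosCompliancePolicy'
    displayName                           = 'iOS - Baseline compliance'
    description                           = 'Jailbreak, minimum OS and passcode requirements'
    securityBlockJailbrokenDevices        = $true     # Device Health > Jailbroken devices: Block
    osMinimumVersion                      = '11.0'    # Device Properties > Minimum OS version
    passcodeRequired                      = $true     # System Security > Require a password
    passcodeBlockSimple                   = $true
    passcodeMinimumLength                 = 6
    passcodeRequiredType                  = 'numeric'
    passcodeMinutesOfInactivityBeforeLock = 15
    # A compliance policy needs at least one action for noncompliance; "block" with no
    # grace period marks the device noncompliant immediately so Conditional Access can act.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$Created = Invoke-RestMethod -Method Post -Uri "$Graph/deviceManagement/deviceCompliancePolicies" `
                             -Headers $Headers -Body ($Policy | ConvertTo-Json -Depth 10)
Write-Host "Created compliance policy $($Created.id)"

# Assignment (the portal "Assignments" step): without it the policy applies to nobody.
$Assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}
Invoke-RestMethod -Method Post -Uri "$Graph/deviceManagement/deviceCompliancePolicies/$($Created.id)/assign" `
                  -Headers $Headers -Body ($Assignment | ConvertTo-Json -Depth 10) | Out-Null

# Check: read the policy back and confirm the security-relevant setting and the assignment.
$Check = Invoke-RestMethod -Method Get -Headers $Headers `
    -Uri "$Graph/deviceManagement/deviceCompliancePolicies/$($Created.id)?`$expand=assignments"
if (-not $Check.securityBlockJailbrokenDevices -or $Check.assignments.Count -eq 0) {
    throw 'Policy is not blocking jailbroken devices or is not assigned to any group'
}
```

One tenant-wide setting is worth checking alongside this: under Device compliance / Compliance policy settings, "Mark devices with no compliance policy assigned as" decides how Conditional Access treats a device that falls outside every assignment, so a user or device left out of the targeted group is only caught if that setting is Not compliant.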

You are now ready to enroll devices in Intune and begin your modern management journey. We will be covering device enrollment and many other Intune topics in future posts... stay tuned!
