Jump to content


anyweb

Cloud attach - Endpoint Managers silver lining – part 4 Enabling co-management

Recommended Posts

Introduction

This is part 4 in a series of guides about cloud attach in Microsoft Endpoint Manager, with the aim of getting you up and running with all things cloud attach. This part will focus on enabling co-management. This series is co-written by Niall & Paul, both of whom are Enterprise Mobility MVP’s with broad experience in the area of modern management. Paul is 4 times Enterprise Mobility MVP based in the UK and Niall is 10 times Enterprise Mobility MVP based in Sweden.

In part 1 we configured Azure AD connect to sync accounts from the on premise infrastructure to the cloud. In part 2, we prepared Azure resources for the Cloud Management Gateway, in part 3 we created the cloud management gateway and verified that everything was running smoothly. In this part we will enable co-management. With co-management, you retain your  existing processes for using Configuration Manager to manage PCs in your organization and you gain the additional advantage of being able to transfer workloads to the cloud via Intune.

Below you can find all parts in this series.

 

  • Cloud attach - Endpoint Managers silver lining - part 1 Configuring Azure AD connect
  • Cloud attach - Endpoint Managers silver lining - part 2 Prepare for a Cloud Management Gateway
  • Cloud attach - Endpoint Managers silver lining - part 3 Creating a Cloud Management Gateway
  • Cloud attach - Endpoint Managers silver lining - part 4 Enabling co-management <- you are here
  • Cloud attach - Endpoint Managers silver lining - part 5 Enabling compliance policies workload
  • Cloud attach - Endpoint Managers silver lining - part 6 Enabling conditional access
  • Cloud attach - Endpoint Managers silver lining - part 7 Co-managing Azure AD devices
  • Cloud attach - Endpoint Managers silver lining - part 8 Enabling tenant attach
  • Cloud attach - Endpoint Managers silver lining - part 9 Renewing expiring certificates
  • Cloud attach - Endpoint Managers silver lining - part 10 Using apps with tenant attach

Step 1. Create some pilot collections

In ConfigMgr, create some collections that we'll use for co-management, a suggestion is shown below. We've created an All co-managed devices collection which will contain all the devices we intend to co-manage. Create one collection for each corresponding co-management workload, and limit those collections to the All co-managed devices collection. The following workloads are currently available:

co management collection structure.png

Step 2. Configure co-management

In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Co-management node. Right click and choose Configure co-management in the ribbon to open the Co-management Configuration Wizard.

Configure co-management.png

The co-management configuration wizard will appear, below screenshot is from ConfigMgr version 2010.

co-management configuration wizard.png

On the Subscription page of the wizard, configure the following settings:
        • The Azure environment to use. For example, the Azure Public Cloud or the Azure US Government Cloud.
        • Select Sign In. Sign in as an Azure global administrator

sign in as azure global admin.png
   

signed in.png
Note: By default, the option Upload to Microsoft Endpoint Manager admin center is enabled by default, this is part of tenant attach and we will deal with setting up tenant attach in a later blog post, for now, deselect this option for pure co-management.

upload to mem disabled.png

From the drop down select Pilot as we want to selectively target pilot (beta test) our co-managed devices. Browse to the All co-managed devices collection created in step 1. If you select All then all devices will be enabled for Intune Auto Enrollment and become co-managed. The text in the box below is used when deploying the configuration management client to devices already enrolled in Intune via a line of business app. This text is used as a command line parameter to onboard the targeted devices as co-managed.

 

enable co-management.png

On the Configure workloads screen, keep all the workloads pointing to ConfigMgr for now. We will enroll a client into co-management and then verify the status of that client before and after moving a workload to Pilot. When a workload points to Pilot, you will have to pick a staging collection, use the corresponding collection (from step 1) for that particular workload. You can add one or more devices to that pilot collection in order to test how the workloads behave on those targeted clients. When you move the slider to Intune, this enables that workload for all of your co-managed devices that are present in your All co-managed devices collection.

configure workloads.png

On the staging screen we are not able to select anything since we left all our workloads at ConfigMgr (for now). We will show you how to flip workloads in the next blog post.

configure roll out collections.png

Click next through the Summary and verify you are happy with the choices before proceeding through to the completion of this wizard.

completion.png

 

Step 3. Adding devices to the All co-managed collection

In this step we will review what happens on a client computer before and after it becomes co-managed. On a computer that is not co-managed, open the Configuration Manager client agent. If you look at the Co-management capabilities property it has a value of 1 as in the screenshot below. This means that the client is capable of co-management but no workloads are configured or targeted to this device. The Co-management property beneath that states Disabled and that is because co-management is not currently enabled on this client.

client agent not co managed yet.png

On the same client, open the CoManagementHandler.log in C:\Windows\CCM\Logs and look for the following line.

Co-Management is disabled. Expect MDM_ConfigSetting instance to be deleted.

The workload=1 matches the co-management capabilities property in the ConfigMgr client agent.

client agent not co managed yet.png

On the same device, open a command prompt and type

dsregcmd /status

dsregcmd status.png

This reveals that the client is AzureADjoined = yes. We configured this Azure AD connect to synchronize our devices into Azure in part 1 of this blog series. You can confirm that the device is in Azure AD by checking in https://portal.azure.com under Azure Active Directory devices as per the screenshot below.

intune status of the client.png

 

If you search for the device in the Endpoint Manager console it will not appear at this point as it is currently not enrolled (or managed) in Intune. The screenshot below shows devices in Endpoint

client is not there.png

In ConfigMgr, add this device to the All co-managed devices collection.

added device to all co-managed devices.png

Note about licenses. The user that signs on to the device needs to have an Intune license and an Azure Premium license.

After triggering machine policy on the client the log file reveals the following.

Processing SET for assignment (ScopeId_....)

shortly followed by...

Successfully queued MDM Auto enrollment

 

successfully queued MDM auto enrollment.png

And then you'll see the following text:

Enrolling device to MDM... Try #1 out of 3

Enrolling device to MDM... Try 1 out of 3.png

If it succeeds look for the following:

MDM enrollment succeeded.

MDM enrollment succeeded.png

If you close and then re-open the ConfigMgr client agent, you should now see that it has changed the Co-management property to Enabled.

configmgr client agent is now co-managed.png

and if you open the Endpoint Manager console, you'll find your client and it's listed as Managed by with a value of Co-managed as per the screenshot below.

client is now present in Endpoint Manager.PNG

and if you look at the device in Azure AD devices the MDM authority will show as System Center Configuration Manager.

device in Azure AD after co-management is enabled.PNG

Related reading

  • Microsoft have produced a bunch of blog posts and videos about Co-management called Cloud connecting with co-management here.
  • You can read a FAQ about co-management here.

 

That's it for this blog post, please join us in the next part where we will look at co-management workloads.

Share this post


Link to post
Share on other sites

quick question, did you follow this guide exactly, or are you just trying out co-management yourself ?

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.