Introduction
The end user computing landscape has drastically changed over the last few years due to the drive towards remote working, and with this comes a need to rethink device management.
For Windows devices, ConfigMgr or Intune have been the go-to solutions from Microsoft under the Endpoint Manager umbrella. The combination of the two platforms brings a truly comprehensive approach to managing a Windows estate.
Since the adoption of remote working, I’ve regularly been asked how to onboard or migrate VPN-connected, Active Directory domain-joined Windows devices into Microsoft Endpoint Manager with the least amount of IT staff intervention. In this post, I’ll look at a couple of scenarios I’ve encountered and how I dealt with each one, with some high-level bullet-pointed steps. It is assumed that ConfigMgr and Intune have already been configured up to the point of being functional.
Disclaimer: This is not a how-to guide, it's more about explaining the options available. I provide links for further reading.
Scenario 1
Requirement:
VPN connected clients need to be managed with ConfigMgr.
Scenario:
o Devices never return to office
o AD domain joined only
o No ConfigMgr Client installed
Solution:
1. Create GPO with ConfigMgr site assignment and client deployment settings (excellent how-to guide here)
2. Add software package installation to GPO using ccmsetup.msi hosted on a contactable file share
3. Link GPO to OU containing target devices
Explanation:
With a few basic configuration changes, it’s possible to take a large number of remotely connected devices from a position of no management to being fully managed with ConfigMgr.
Scenario 2
Requirement:
Co-management with a CMG is needed to manage devices.
Scenario:
o AD domain joined only
o ConfigMgr Client installed
o No Cloud Management Gateway
Solution:
1. Configure Azure AD Connect for Hybrid AAD join (More details)
2. Manually create a Group Policy to apply the client-side SCP registry entry (More details)
3. Configure Intune Automatic Enrollment and Co-management settings in ConfigMgr (More details)
4. Provision a Cloud Management Gateway (More details)
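As an added example (not from the original post or from Microsoft), here is a read-only PowerShell check I would run on a device after the steps in Scenarios 1 and 2 to confirm the ConfigMgr client, the site assignment pushed by the GPO, the client-side SCP registry entry and the hybrid Azure AD join state are all in place before expecting automatic enrollment to happen. The function name and the site code 'PS1' are hypothetical placeholders; run it elevated on the target device.

```powershell
# Added example: readiness check for a VPN-connected, domain-joined device. Hypothetical function name.
function Test-CoManagementReadiness {
    [CmdletBinding()]
    param(
        # Site code the GPO should have assigned; 'PS1' is a constructed placeholder
        [string]$ExpectedSiteCode = 'PS1'
    )
    $result = [ordered]@{}

    # 1. ConfigMgr client present? The SMS_Client class only exists once ccmsetup has completed.
    $smsClient = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction SilentlyContinue
    $result.ClientInstalled = [bool]$smsClient
    $result.ClientVersion   = if ($smsClient) { $smsClient.ClientVersion } else { $null }

    # 2. Site assignment matches what the GPO pushed? GetAssignedSite is a static method of SMS_Client.
    $result.AssignedSite = $null
    if ($smsClient) {
        $site = Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
                                 -MethodName 'GetAssignedSite' -ErrorAction SilentlyContinue
        $result.AssignedSite = $site.sSiteCode
    }
    $result.SiteMatches = ($result.AssignedSite -eq $ExpectedSiteCode)

    # 3. Client-side SCP entry (Scenario 2, step 2) lives here; both values must be populated.
    $scp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD' -ErrorAction SilentlyContinue
    $result.ScpTenantId   = $scp.TenantId
    $result.ScpTenantName = $scp.TenantName
    $result.ScpConfigured = [bool]($scp.TenantId -and $scp.TenantName)

    # 4. Hybrid Azure AD join state as reported by dsregcmd (needs line of sight to AD, i.e. VPN up).
    $dsreg = dsregcmd /status 2>$null
    $result.DomainJoined  = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
    $result.AzureAdJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')

    # All four conditions are what automatic enrollment relies on once the co-management policy applies.
    $result.ReadyForCoManagement = $result.ClientInstalled -and $result.SiteMatches -and
                                   $result.DomainJoined -and $result.AzureAdJoined
    return [pscustomobject]$result
}

Test-CoManagementReadiness -ExpectedSiteCode 'PS1' | Format-List
```

A device reporting DomainJoined YES but AzureAdJoined NO after the SCP entry is in place usually just hasn't had VPN connectivity long enough to complete the hybrid join, so re-run the check after the next sync rather than rebuilding policy.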
Explanation:
A more modern approach to device management can be achieved with co-management. Once these configuration changes have been implemented, Intune could be used to manage workloads such as Software Updates or Compliance while ConfigMgr remains in play for other tasks such as App deployment and inventory. A CMG will allow ConfigMgr to continue managing devices even when they’re internet-based (out of the office and disconnected from VPN).
Of course, once the devices are in this co-managed state, there is scope to transition away from ConfigMgr and aim for fully modern management.