Modernising Desktop Management – Part 4
Cloud Endpoint Management
In the third instalment in this series, I discussed the changes in Office 365 ProPlus, including licensing, deployment, and update changes.
Here, in this fourth and final part, I outline the options for Cloud-driven Endpoint management.
Microsoft Endpoint Manager
Microsoft Endpoint Manager is Microsoft’s new name for the unified management experience that brings Configuration Manager and Microsoft Intune together to manage all of an organisation’s endpoints. While an organisation can use one service or the other, the greatest flexibility is available when the two are combined. So, to drill down a bit further on the individual components:
Microsoft announced Windows Intune in 2011 as a simplified and modern endpoint management service. Since then, Microsoft has invested significant time and energy into developing the Microsoft Intune service as a capable Mobile Device Management (MDM) platform. Now Microsoft Intune can manage Windows, macOS, iOS, and Android devices.
Microsoft Intune has two major management models: Mobile Device Management (MDM) and Mobile Application Management (MAM).
MDM allows an organisation to control the configuration of a device, including installing apps, requiring full device encryption, and enabling or disabling specific components of the operating system. Most organisations commonly use MAM for BYOD on iOS and Android devices.
MAM allows organisations to apply controls to the productivity apps users need. MAM is most popular with BYOD where users do not want to give the organisation full control over their device, but still need to access organisational data such as email. Many organisations combine MDM and MAM on iOS and Android to allow personal use on organisational devices or to give users access to specific organisational apps that require VPN connectivity on devices they own.
Microsoft Intune supports MDM for the following platforms:
With this broad platform support, many small or medium organisations can manage their entire endpoint estate with just Microsoft Intune. For larger organisations that have invested significant time into developing their processes with Configuration Manager, these two services can be linked and can work together to manage end-user devices.
Microsoft Intune is a cloud-based service that can be used to manage devices irrespective of whether they are connected to a corporate network. That dependence on a corporate network connection is one of the most significant limitations of Active Directory and Group Policy, and of simple deployments of Configuration Manager.
Microsoft Intune can be used to manage the entire device lifecycle: initial provisioning, update management, re-provisioning, and device retirement.
With services like Windows Autopilot, Apple Business Manager and Android Zero-Touch, it is possible to apply a complete configuration to a corporate device without IT needing to interact directly with the device. A device is pre-enrolled in Microsoft Intune and then issued to the end-user. The user receives the device in a factory state, signs in with their corporate credentials, and Microsoft Intune takes over, configuring the device and deploying end-user apps based on the corporate policy. For iOS, Android and macOS devices, this can be done anywhere there is internet connectivity. When provisioning Windows devices, if the device must be joined to your corporate Active Directory domain, it currently needs to be connected to your corporate network to complete the provisioning process.
Configuration Manager and Co-Management
Many organisations have been using Configuration Manager as their primary Windows endpoint management tool for years and are already familiar with the tool. One of the most significant concerns organisations have when using multiple endpoint management tools is policy conflicts, when it is not possible to be sure which configuration wins on a managed device. To that end, Microsoft built Co-Management into Configuration Manager. Co-management enables Microsoft Intune and Configuration Manager to work seamlessly together and allows organisation admins to decide which service should take priority in the event of a conflict. With the latest updates of Configuration Manager, this can be configured at a granular level.
Co-Management enables some new features on managed Windows devices, including:
- Remote device reset
- Integration with Azure AD to enable Compliance with Conditional Access Policies
- Agent health (each agent can report on the health of the other)
With Co-Management enabled, it is also possible for an organisation to enable the use of the Windows Autopilot service, while still maintaining Configuration Manager as the primary user app deployment tool.
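As an added example, not code from the original post: a PowerShell check a desktop admin could run on a co-managed Windows device to see which workloads Intune currently has authority over, which is the practical answer to the "which configuration wins" question above. It assumes the Configuration Manager client records its state in the CoManagementHandler registry key shown and that the bit-to-workload mapping in the script is correct for your Configuration Manager release; verify both before relying on the output.

```powershell
# Added example: decode a device's co-management state to show which
# workloads have been switched to Intune. Assumed registry location and
# assumed bit mapping; verify against your Configuration Manager release.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\CCM\CoManagementHandler'

# Bit values of CoManagementFlags (assumed mapping). Bit 1 is taken to mean
# "co-management enabled"; the remaining bits each mark a workload moved
# to Intune.
$Workloads = [ordered]@{
    2   = 'Compliance policies'
    4   = 'Resource access policies'
    8   = 'Device configuration'
    16  = 'Windows Update policies'
    32  = 'Endpoint Protection'
    64  = 'Client apps'
    128 = 'Office Click-to-Run apps'
}

function Get-CoManagementWorkloadState {
    param([int]$Flags)   # pass a value in to decode offline, e.g. from a report
    if (($Flags -band 1) -eq 0) {
        return [pscustomobject]@{ Enabled = $false; Workloads = @() }
    }
    $rows = foreach ($bit in $Workloads.Keys) {
        [pscustomobject]@{
            Workload  = $Workloads[$bit]
            Authority = if ($Flags -band $bit) { 'Intune' } else { 'Configuration Manager' }
        }
    }
    [pscustomobject]@{ Enabled = $true; Workloads = $rows }
}

# Read the live value if the client is present; otherwise fall back to a
# constructed sample: 1 + 2 + 32 = 35, i.e. co-managed with Compliance
# policies and Endpoint Protection owned by Intune.
$flags = (Get-ItemProperty -Path $KeyPath -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
if ($null -eq $flags) { $flags = 35 }

$state = Get-CoManagementWorkloadState -Flags $flags
if (-not $state.Enabled) {
    'Device is not co-managed'
} else {
    $state.Workloads | Format-Table -AutoSize
}
```

Run it across a pilot collection before moving a workload so you can confirm the switch landed on every device rather than assuming it from the console.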
Configuration Manager and Cloud Management Gateway
While many large organisations use Configuration Manager to manage their desktops, most deployments require the device to be connected to the corporate network so that the Configuration Manager agent can contact the site server. The Cloud Management Gateway removes that requirement.
Cloud Management Gateway is a preconfigured Azure Service that can be deployed by an organisation to enable client agents to connect to Configuration Manager over an internet connection. Cloud Management Gateway is useful for several scenarios, such as:
- Managing remote user devices.
- Deploying Updates and OS Upgrades to devices outside the corporate network.
- Extending Configuration Manager services to devices that are joined only to Azure Active Directory.
- Reducing the need for end-user devices to be always connected to a VPN.
Configuration Manager and Tenant Attach
Releasing later this year, Microsoft will enable Configuration Manager Tenant Attach. Tenant Attach is Microsoft’s next step to provide desktop admins with a single pane of glass admin tool for both Microsoft Intune and Configuration Manager.
With Tenant Attach, admins will be able to view configuration and perform admin tasks on all devices under management, whether they’re Configuration Manager only, Co-Managed, or Microsoft Intune managed only.
Tenant Attach is available for preview in the 2003 technical preview.
How do I get started?
For organisations that already have Configuration Manager, the most natural first step is to begin co-management of your devices; this allows you to take advantage of remote wipe and Compliance Policies with Conditional Access. For more information on how you can start using Microsoft Intune, talk to us about our Enterprise Mobility Management and Windows MDM workshops.