One of the considerations before moving your endpoint management to Intune is whether to use Cloud Attach or Co-management with your current Microsoft Endpoint Configuration Manager (SCCM/MECM) setup. In this blog post, we will explore how Cloud Attach and Co-Management can be used in Intune and MECM to maximize efficiency and cost savings. We’ll also discuss the benefits of Cloud Attach and Co-Management, as well as any considerations that should be taken into account when implementing these technologies.
Intro
Cloud Attach and Co-Management allow organizations to manage devices in a unified way, regardless of the underlying technology. With Cloud Attach and Co-Management, organizations can use a single console to manage devices running different operating systems. This eliminates the need to use multiple consoles to manage different device types, which can be time-consuming and complex. Additionally, Cloud Attach and Co-Management can be used to manage a device fleet regardless of the underlying technology, such as Windows, Mac, iOS, and Android.
Cloud attach allows organizations to use MECM to manage devices that are enrolled in Microsoft Intune, without the need to install the MECM client on the device. This allows organizations to take advantage of the advanced management capabilities of MECM, while still using Intune for device enrollment and basic management tasks.
Co-management, on the other hand, allows organizations to use both MECM and Intune to manage the same set of devices. With co-management, organizations can use MECM for traditional device management tasks, such as deploying software and updates, while using Intune for modern management tasks, such as mobile device management and conditional access.
In summary, cloud attach allows organizations to use MECM to manage devices enrolled in Intune, while co-management allows organizations to use both MECM and Intune to manage the same set of devices.
Cloud Attach and Intune
Cloud attach in MECM and Intune refers to the ability to integrate and manage cloud-based resources, such as Azure Active Directory and Office 365, with on-premises resources. This allows for a more seamless and unified management experience across both environments.
The main benefits of cloud attach include:
- Greater flexibility and scalability, as cloud-based resources can be easily added or removed as needed.
- Improved security, as cloud-based resources can be managed and secured using the same tools and policies as on-premises resources.
- Improved collaboration and productivity, as users can access and manage resources from anywhere, on any device.
The main drawbacks of cloud attach include:
- The need for a stable and reliable internet connection in order to access and manage cloud-based resources.
- The potential for increased complexity and cost, as additional tools and services may be required to manage both on-premises and cloud-based resources.
- The need for careful planning and coordination, as changes to one environment can potentially affect the other.
How to configure Cloud Attach in Intune and MECM
To configure cloud attach in Microsoft Intune and MECM, you will need to complete the following steps:
- In MECM console, open the Administration workspace, and go to the Cloud Services node.
- Click the Add Cloud Services Wizard, and select Microsoft Intune.
- Follow the on-screen instructions to connect MECM to your Intune tenant, and to enable cloud attach.
- In Intune, go to the Devices page, and select the Device management settings option.
- Under the Cloud Attach section, click the Edit button.
- Select the Enable cloud attach option, and then select the MECM server that you want to use for cloud attach.
- Click Save to apply the changes.
After completing these steps, MECM will be able to manage devices that are enrolled in Intune, without the need to install the MECM client on the device. Note that you may need to enroll the devices in Intune and deploy the appropriate policies before MECM can manage them.
Note: The specific steps for configuring cloud attach may vary depending on your environment and the version of MECM and Intune that you are using. It is recommended to refer to the documentation provided by Microsoft for the most up-to-date instructions.
PowerShell script to configure Cloud Attach in Intune and SCCM
Here is a sample PowerShell script that can be used to configure cloud attach in MECM and Intune:
# Import the Configuration Manager module
Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
# Connect to the Configuration Manager site
$SiteCode = 'ABC'
$SiteServer = 'MECMServer'
$Connection = New-CmConnection -ServerName $SiteServer -SiteCode $SiteCode
# Enable cloud attach for the Configuration Manager site
Set-CmSite -Connection $Connection -CloudAttach
# Import the Intune module
Import-Module 'C:\Program Files\Microsoft Intune\Powershell\Intune.psd1'
# Connect to the Intune service
$TenantID = '12345678-abcd-1234-abcd-1234567890ab'
$ClientID = '12345678-abcd-1234-abcd-1234567890ab'
# Placeholder value only: do not keep a real client secret in the script file
$ClientSecret = 'MySecretKey'
$IntuneConnection = Connect-Intune -TenantID $TenantID -ClientID $ClientID -ClientSecret $ClientSecret
# Enable cloud attach for Intune
Set-IntuneTenant -Connection $IntuneConnection -CloudAttach
# Save the changes to Configuration Manager and Intune
$Connection.Save()
$IntuneConnection.Save()
This script first imports the Configuration Manager and Intune PowerShell modules, and then connects to the Configuration Manager site and the Intune service using the specified server name, site code, tenant ID, client ID, and client secret.
Next, the script enables cloud attach for the Configuration Manager site and the Intune service, and then saves the changes.
Note: This is just a sample script and may need to be modified to work in your specific environment. It is always a good idea to test any script before using it in a production environment.
Co-management and Intune
Co-management in MECM and Intune refers to the ability to manage both on-premises and cloud-based resources using a combination of both tools. This allows for a more seamless and unified management experience, as both tools can be used together to manage and secure devices, applications, and data.
The main benefits of co-management include:
- Improved efficiency and productivity, as both tools can be used to manage and secure resources from a single console.
- Greater flexibility and scalability, as on-premises and cloud-based resources can be managed together using a consistent set of policies and procedures.
- Improved security, as both tools can be used to monitor and protect against security threats in real-time.
The main drawbacks of co-management include:
- The potential for increased complexity and cost, as both tools may require additional licenses and services to operate together.
- The need for careful planning and coordination, as changes to one environment can potentially affect the other.
- The need for ongoing training and support, as both tools may require specialized skills and expertise to manage effectively.
How to configure Co-management in MECM and Intune
To configure co-management in Microsoft Intune and MECM, you will need to perform the following steps:
- In MECM, go to the Administration > Overview > Cloud Services > Co-management page, and then click on the Configure co-management button.
- In the Configure co-management wizard, select the option to enable co-management, and then follow the on-screen instructions to complete the configuration.
- In Intune, go to the Devices > Configuration Manager page, and then click on the Set up co-management button.
- In the Set up co-management wizard, select the option to enable co-management, and then follow the on-screen instructions to complete the configuration.
- After the configuration is complete, you can enroll your devices in both MECM and Intune, and then use both tools to manage those devices.
Note: The specific steps for configuring co-management may vary depending on your environment and the version of MECM and Intune that you are using. It is recommended to refer to the documentation provided by Microsoft for the most up-to-date instructions.
PowerShell script to configure Co-management in MECM and Intune
Here is a sample PowerShell script that can be used to configure co-management in MECM and Intune:
# Import the Configuration Manager module
Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
# Connect to the Configuration Manager site
$SiteCode = 'ABC'
$SiteServer = 'MECMServer'
$Connection = New-CmConnection -ServerName $SiteServer -SiteCode $SiteCode
# Enable co-management for the Configuration Manager site
Set-CmSite -Connection $Connection -CoManagementEnabled
# Import the Intune module
Import-Module 'C:\Program Files\Microsoft Intune\Powershell\Intune.psd1'
# Connect to the Intune service
$TenantID = '12345678-abcd-1234-abcd-1234567890ab'
$ClientID = '12345678-abcd-1234-abcd-1234567890ab'
# Placeholder value only: do not keep a real client secret in the script file
$ClientSecret = 'MySecretKey'
$IntuneConnection = Connect-Intune -TenantID $TenantID -ClientID $ClientID -ClientSecret $ClientSecret
# Enable co-management for Intune
Set-IntuneTenant -Connection $IntuneConnection -CoManagementEnabled
# Save the changes to Configuration Manager and Intune
$Connection.Save()
$IntuneConnection.Save()
This script first imports the Configuration Manager and Intune PowerShell modules, and then connects to the Configuration Manager site and the Intune service using the specified server name, site code, tenant ID, client ID, and client secret.
Next, the script enables co-management for the Configuration Manager site and the Intune service, and then saves the changes.
Note: This is just a sample script and may need to be modified to work in your specific environment. It is always a good idea to test any script before using it in a production environment.
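Both sample scripts change site and tenant settings and take a client secret, so it is worth checking them against the installed modules before running either one. The following pre-flight check is an added example, not part of the original post or of any Microsoft module: it reports which of the cmdlets and parameters named in the two scripts are actually available in the current session, and prompts for the client secret instead of reading it from the file. The function name Test-ScriptPrerequisite and the variable names are hypothetical.

```powershell
# Added example. Run it after the Import-Module lines of the sample script.
# The command and parameter names are copied from the page's two scripts;
# this check only reports whether the local modules export them.
$Required = @(
    @{ Command = 'New-CmConnection'; Parameters = 'ServerName', 'SiteCode' }
    @{ Command = 'Set-CmSite';       Parameters = 'Connection', 'CloudAttach', 'CoManagementEnabled' }
    @{ Command = 'Connect-Intune';   Parameters = 'TenantID', 'ClientID', 'ClientSecret' }
    @{ Command = 'Set-IntuneTenant'; Parameters = 'Connection', 'CloudAttach', 'CoManagementEnabled' }
)

function Test-ScriptPrerequisite {
    # Emits one object per missing command or missing parameter.
    param([Parameter(Mandatory)] [hashtable[]] $Requirement)

    foreach ($item in $Requirement) {
        $cmd = Get-Command -Name $item.Command -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if (-not $cmd) {
            [pscustomobject]@{ Command = $item.Command; Problem = 'command not found' }
            continue
        }
        foreach ($p in $item.Parameters) {
            if ($cmd.Parameters.Keys -notcontains $p) {
                [pscustomobject]@{ Command = $item.Command; Problem = "no -$p parameter" }
            }
        }
    }
}

$problems = @(Test-ScriptPrerequisite -Requirement $Required)
if ($problems.Count -gt 0) {
    $problems | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Sample script does not match the installed modules; stopping before any change is made.'
}

# Only reached when every command and parameter was found.
# Prompt for the app secret at run time so it never sits in the script,
# in source control, or in a plain-text variable assignment.
$SecureSecret = Read-Host -Prompt 'Client secret' -AsSecureString
```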
Considerations for Cloud Attach and Co-management
When deciding whether to use cloud attach or co-management in Intune and MECM, you should consider the following factors:
- The type of devices that you need to manage: Cloud attach is only available for devices that are enrolled in Intune, so if you need to manage devices that are not enrolled in Intune, you will need to use co-management instead.
- The level of management control that you require: Cloud attach allows you to use MECM to manage devices that are enrolled in Intune, but you will not be able to use MECM for traditional device management tasks, such as deploying software and updates. If you need this level of control, you will need to use co-management instead.
- The level of complexity that you are willing to accept: Co-management allows you to use both MECM and Intune to manage the same set of devices, but this can add complexity to your environment. If you want to keep things simple, you may want to use cloud attach instead.
Summary
In summary, if you need to manage devices that are not enrolled in Intune, or if you require a high level of management control, you should use co-management. If you only need to manage devices enrolled in Intune, and you are willing to trade off some control for simplicity, you may want to use cloud attach instead.
- #GoIntune #2 Cloud Attach and Co-Management - January 19, 2023