SCCM Intune Windows 10 Co Management Architecture Decisions
Download as PPTX, PDF2 likes3,417 views
This document discusses co-management between Microsoft Intune and System Center Configuration Manager (SCCM). Co-management allows devices to be managed by both Intune and SCCM at the same time. The document outlines the prerequisites, architecture, and configuration needed to set up a Cloud Management Gateway (CMG) and Cloud Distribution Point (CDP) to enable co-management. It also describes several co-management scenarios and benefits such as the ability to manage both Azure AD joined and on-premises devices from SCCM.
SCCM Intune Windows 10 Co Management Architecture Decisions
- 2. ANOOP C NAIR 17+ YEARS OF EXPERIENCE IN IT MICROSOFT MVP/VEEAM VANGUARD @ANOOPMANNUR WWW.ANOOPCNAIR.COM HTTP://WWW.YOUTUBE.COM/C/ANOOPCNAIRSCCM
- 3. RAJUL 13 YEARS OF EXPERIENCE IN IT @WANDERINGROS @RAJULROS
- 4. AGENDA• WHAT IS CO-MANAGEMENT? • CO-MGMT IN DETAILS • CO-MGMT SERVER & LICENSE PRE REQUISITES • CO-MGMT CLIENT & AZURE AD PRE REQUISITES • CO-MGMT ENTRY POINTS • CLOUD DP & CLOUD MGMT GATEWAY • CMG/CDP GENERAL REQUIREMENTS • CMG CERTS REQUIREMENTS • CMG CONNECTIVITY FLOW • CMG WITH EXPRESS ROUTE • CMG SUPPORTED SCENARIOS • DEMO • CMG CAS SCENARIO • CMG SCALABILITY • C0-MGMT. BENEFITS
- 5. WHY CO- MANAGEMENT ? • CHANGE ? • WORLD IS CHANGING • DESTRUCTIVE PHASE • WHY TROUBLING IT PROS FOR A CHANGE ??
- 6. WHAT IS CO-MANAGEMENT? • CO MANAGEMENT IS DEVICE MANAGEABILITY FEATURE OF WINDOWS • BRIDGE FROM TRADITIONAL MANAGEMENT TO MODERN MANAGEMENT • CO EXISTENCE OF MANAGEMENT TOOLS (INTUNE, SCCM AND OTHER MDM??)
- 8. CO-MGMT SERVER & LICENSE PRE REQUISITES SCCM Intune License SCCM 1710 or later Intune Standalone (or Mixed?) EMS or M365 Cloud Management Gateway* Azure Subscription (PaaS)* Cloud Distribution Point Cloud Service Configuration * Optional
- 9. CO-MGMT CLIENT & AZURE AD PRE REQUISITES Client Azure Active Directory or Domain Windows 10 1709 or Later Domain Joined + AAD Registered (Hybrid AD) Azure AD Connect ADFS* Azure AD automatic enrollment enabled Azure AD Joined (Cloud) Conditional Access Policy Changes* * Optional
- 10. CO-MGMT ENTRY POINTS SCCM Managed + Domain Joined Intune Enrolment Intune Clients + Azure AD Joined SCCM Client Installation Windows 10 1709 or Later Windows 10 1709 or Later SCCM Agent will automatically trigger the Intune enrolment Auto Pilot + Configuration Profiles + PowerShell Script Firewall or Proxy Requirements (Connected to Corp LAN) CMP and CDP connectivity AAD Registration/CMG/CDP Client Settings (Domain Joined) Intune Mobile Application to configure install SCCM client CA, WiFi Profile, VPN Profile, Window Defender, Compliance policies Win 32 complex MSI application support /Appv Support
- 11. CLOUD DP & CLOUD MGMT GATEWAY Cloud Distribution Point (CDP) Cloud Management Gateway (CMG) DP on Azure Cloud Reverse Proxy on Azure? Azure PaaS Solution Azure PaaS Solution Azure Classic Deployment - MGMT Certs Authentication Azure Resource Manager (ARM) SCCM 1802 or later – AAD App Authentication Azure Classic Deployment (1710 or below) - MGMT Certs Authentication NOT Pre release Feature Anymore
- 12. CMG/CDP GENERAL REQUIREMENTS Cloud Distribution Point (CDP) Cloud Management Gateway (CMG) Azure Subscription admin Access (co-administrator) Azure Subscription admin Access (co-administrator) Self Signed Management Cert At least 1 On Premise server to host CMG connection Point. Service Certificate Certificates Cloud Service name on public DNS Azure AD user discovery is not required (1802 onwards) Enable Access to CDP on Client Settings Policy Clients must use IPv4 Service Connection Point to be Online Service Connection Point to be Online
- 13. CMG CERTS REQUIREMENTS Server authentication certificate Client authentication certificate CMG creates an HTTPS service for Internet Clients Azure AD Token for AAD joined machines Azure Management Cert (Classic Deployment Only) Clients must trust the CMG server authentication certificate Public Provider Certificate (Verisign/Digicert/Entrust/GoDaddy etc) or PKI Public Provider Certificate Root CA Wildcard server authentication certificate support (1802 onwards) *.anoopcnair.com Root and Intermediate Chain of Client Certs to clients Manual Upload – SCCM CMG installation wizard Deploy – GPO, SCCM Cert deployment, Any other delivery method Azure management certificate is required only for classic service deployments
- 14. CMG CONNECTIVITY FLOW AD CA Windows Update Connection Point
- 15. CMG WITH EXPRESS ROUTE
- 16. CMG SUPPORTED SCENARIOS Windows Client + Domain Join = (PKI) Windows 10 + Azure AD Join (Cloud or Hybrid) = Azure AD Software updates & Antivirus Software updates & Antivirus Inventory & client status Inventory & client status Compliance settings Compliance settings Software Deployment to the device Software Deployment to the USERS Windows 10 in-place upgrade TS (as of version 1802) Software Deployment to the DEVICES Windows 10 in-place upgrade TS (as of version 1802)
- 17. DEMO Co Mgmt Settings Co Mgmt Workload CMG/CDP mgmt setup Co-mgmt collection Query
- 18. CMG – CAS SCENARIO • CMG, CMG CP, SCCM SITE SERVER IN SAME REGION • SCCM CLIENT – CMG IS NOT REGION AWARE. • HIGH AVAILABILITY – 2 CMG & 2 CMG CP PER REGION
- 19. CMG – SCALABILITY 1 CMG – 16 VM’s 01 1 VM – 6000 Connections 02 1 CMG CP- 4 VM 03 1 CMG (16VM’s) = 4 CMG CP 04