In my work to support a number of customers, I’ve noticed a clear shift away from what most would define as crisis management, towards a more considered move to improve remote performance. This primarily involves ensuring that we have the capacity to manage different workloads, but can also include provisioning a wider range of applications for users working from home.
Can’t we do this already?
The ability to add Office 365 apps to Windows 10 devices with Microsoft Intune has been in preview since version 1806. Along with a long list of other new features, version 2002 saw this move into full release – although you might have missed it, as the feature was renamed from Mobile apps for co-managed devices to Client Apps.
We’ve had the ability to do this for a while, in preview, but it will be new to many of you who don’t have the resources or time to work with new features in this way. Ultimately, in the context of performance, it unlocks additional cloud-powered features, such as Conditional Access, and gives us the ability to extend key applications out from under the confines of Configuration Manager. That doesn’t mean an end to Configuration Manager though as it continues to manage all other workloads, including those workloads that you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.
The path to co-management
Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. If you’ve not looked at co-management before, here’s a bit more background to get you started.
There are two primary ways for you to set up co-management: Bootstrapping with modern provisioning or Auto enrolling Configuration Manager managed devices. It's important to understand the prerequisites for each, as both require some combination of Azure Active Directory (Azure AD), Configuration Manager, Microsoft Intune and Windows 10.
Things to note
Here are a few things to consider before and during the process:
1. Before you switch any workloads, make sure you properly configure and deploy the corresponding workload in Intune. Make sure that workloads are always managed by one of the management tools for your devices.
2. From Configuration Manager version 1806, when you switch a co-management workload, the co-managed devices automatically synchronise MDM policy from Microsoft Intune.
3. Starting in version 1906, to reduce the number of devices in a pending state, a new co-managed device now automatically enrols to the Microsoft Intune service, based on its Azure AD device token. It doesn't need to wait for a user to sign into the device for auto-enrolment to start. To support this behaviour, the device needs to be running Windows 10 version 1803 or later. If you find that the device token fails, it will fall back to previous behaviour with the user token. I’d suggest you look in the ComanagementHandler.log for the following entry:
Enrolling device with RegisterDeviceWithManagementUsingAADDeviceCredentials
4. Remember, before you can configure, assign, protect, or monitor apps, you must add them to Microsoft Intune. Here is a useful page which details all the available supported App types, for future reference.
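To turn the log check in point 3 into something repeatable, here is an added PowerShell example (my own illustration, not part of the original post or a Microsoft tool). It assumes ComanagementHandler.log uses the CMTrace entry format that Configuration Manager client logs use and that it lives under $env:windir\CCM\Logs on the client; the sample log lines embedded below are constructed so the function can be tried without a device to hand.

```powershell
# Added example (not from the original post): scan ComanagementHandler.log for the
# device-token enrolment entry. Assumptions: CMTrace-style log entries, log stored in
# $env:windir\CCM\Logs on the client. Sample lines at the bottom are constructed.

function Get-CoMgmtEnrolmentEvidence {
    [CmdletBinding()]
    param(
        # Lines of ComanagementHandler.log (pipe the file in, or pass sample text)
        [Parameter(ValueFromPipeline)][string[]]$LogLine
    )
    begin {
        # CMTrace entry: <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." ...>
        $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"'
        # The entry the post says to look for when the device token path is used
        $marker  = 'RegisterDeviceWithManagementUsingAADDeviceCredentials'
        $hits = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($line in $LogLine) {
            if ($line -match $pattern -and $Matches.msg -like "*$marker*") {
                $hits.Add([pscustomobject]@{
                    Date    = $Matches.date
                    Time    = $Matches.time
                    Message = $Matches.msg
                })
            }
        }
    }
    end {
        [pscustomobject]@{
            DeviceTokenEnrolmentSeen = ($hits.Count -gt 0)
            Entries                  = $hits.ToArray()
        }
    }
}

# --- Constructed sample log (not captured from a real client) ---
$sample = @(
    '<![LOG[Co-management handler starting]LOG]!><time="09:15:02.123+000" date="03-17-2020" component="CoManagementHandler" context="" type="1" thread="1234" file="">',
    '<![LOG[Enrolling device with RegisterDeviceWithManagementUsingAADDeviceCredentials]LOG]!><time="09:15:03.456+000" date="03-17-2020" component="CoManagementHandler" context="" type="1" thread="1234" file="">'
)

$result = $sample | Get-CoMgmtEnrolmentEvidence
if ($result.DeviceTokenEnrolmentSeen) {
    'Device-token auto-enrolment was attempted:'
    $result.Entries | Format-Table -AutoSize
} else {
    'No device-token enrolment entry found. Confirm the device runs Windows 10 1803 or later and review the log for the user-token fallback.'
}

# Against a real client (assumed log path):
# Get-Content "$env:windir\CCM\Logs\ComanagementHandler.log" | Get-CoMgmtEnrolmentEvidence
```

Run it as a local administrator on the co-managed device, or point Get-Content at a copy of the log collected from it. A result with DeviceTokenEnrolmentSeen set to False is not by itself a fault: it only tells you the device-token path was not logged, so the next step is checking the Windows 10 build and reading the log for the user-token enrolment that the post describes as the fallback.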
Let me know if you have any questions or would like to see how this functionality could be utilised in your environment. I’d be happy to share my experiences and provide more information.