Switching MDM authority to ConfigMgr Hybrid without user impact

In my last blog I wrote about switching the MDM Authority from Configuration Manager Hybrid to Intune Standalone, as promised today a description of the reverse path.

With Configuration Manager 1610 and the latest version of Intune we are also able to switch the MDM Authority from Intune standalone to Configuration Manager Hybrid. There are similarities with the switch described earlier but you can prepare more before the switch so that you are able to test directly after the switch.

Let’s see how it goes.

Prepare switch

Also when making the switch from Intune standalone to Configuration Manager hybrid you need to prepare and document your Intune standalone environment like described in the last blog. This can be done as preparation of the switch. All objects that need to be recreated can be created without the Microsoft Intune Subscription in place.

Document and create your objects before the switch;

  • VPN Profile
  • WiFi Profile
  • Certificate Profiles
  • Configuration Items and Configuration Baselines
  • Mobile Application Management policies
  • Mobile Application Configuration policies
  • Compliance Policies
  • Windows Hello for Business
  • Terms and conditions
  • Applications

Besides preparing the switch I have a couple of points I want to point out ;

Azure AD groups versus Collections

When assigning policies, apps and other resources to synchronized groups in Azure AD makes live easy. Since all management is done in the local Active Directory you can easily use the AD groups with the collections in Configuration Manager.

Using dynamic user or device groups in Azure AD is a bit different, you need to translate the queries used in Azure AD to queries you can use in the collections in Configuration Manager.

Performing the switch to Configuration Manager Hybrid

  1. In the Configuration Manager console go to the Administration workspace >> Cloud Services >> Microsoft Intune Subscription and click on Add Microsoft Intune Subscription.
  2. Click Next and login with the administrator credentials, click Next again..
  3. The Wizard detects that the tenant already is used and adds an MDM Authority option to the wizard
Change MDM authority
  1. Check the checkbox “Change My MDM authority to Configuration Manager” and click Next,
  2. Configure the General, Company Contact Information, Company Logo and optionally the Device Enrollment Managers and click Close.
    Allmost done

Looking at the logfiles you will notice the message “Site has valid Intune subscription”.

Check the logs!

Again in the Intune on Azure portal the MDM Authority is set to unknown, looking at the good old Silverlight console you see the right authority set;

Authority set to Configuration Manager

Renew MacOs and iOS APNs certificate

Again you need to go through the APN certificate process;

  1. Click Create APNs Certificate Request and download a new CSR file from Intune
    Download the new CSR
  2. Go to https://identity.apple.com/pushcert/ find the APN certificate and click renew.
  3. Upload the CSR and download the new MDM_ Microsoft Corporation_Certificate.pem file
  4. Upload the new MDM_ Microsoft Corporation_Certificate.pem file via the Configuration Manager console via Administrator workspace >> Cloud Services >> Microsoft Intune Subscription, select Microsoft Intune Subscription and go to Configure Platforms >> iOS.
    Upload the APNs cert

Note: watch out with renewing the APNs certificate, renewing a new one will result in the fact that all Apple devices will be automatically unenrolled.

What’s next?

Since the most of the resources already are prepared, only the platforms need to be enabled after the switch. This can be done via the Configuration Manager console via Administrator workspace >> Cloud Services >> Microsoft Intune Subscription, select Microsoft Intune Subscription and go to Configure Platforms >> Android / Windows / Windows Phone.

Also the VPP tokens need to be re-added and the Windows Store for Business needs to be reconfigured.

Observations

  • During the switch you see the Intune Subscription being added to Configuration Manager in for instance the dmpdownloader.log and dmpuploader.log files
  • Straight after the switch is initiated, the device is still visible in Intune Standalone. After a couple of minutes the device is removed from the console
  • After a couple of hours the device will show up in Configuration Manager. This takes longer than switching from Configuration Manager hybrid to Intune Standalone
  • Again be careful with renewing the APNs cert.
  • Be sure to test this switch in a lab environment first!
Device is managed (again) by Configuration Manager

Till later!

Comments

Total
0
Shares
3 comments
  1. Is this still a monitored Blog? I have a few questions – doing a co-management SCCM >

  2. May I ask, if I were to do the reverse now that Hybrid Intune is being depreciated, where would I find the current MDM authority from an SCCM log file and Azure perspective after I make the switch to standalone Intune?

Leave a Reply to Peter Daalmans Cancel reply

Your email address will not be published. Required fields are marked *

Previous Post

Switching MDM authority to Intune standalone without user impact

Next Post

Mobile Threat Protection integration available in Intune on Azure

Related Posts
Total
0
Share