How can I enable co-management in System Center Configuration Manager

[anyweb]

Introduction

Microsoft has just released System Center Configuration Manager Technical Preview 1709, and that Technical Preview release allows you to configure co-management. Microsoft announced co-management at Microsoft Ignite (September 2017) and now with this release you can begin testing that scenario (however you still need the yet to be released Windows 10 Fall creators update edition, aka Windows 10 version 1709), so for now you'll need to test with a Windows Insider preview release.

But what is co-management ? according to Microsoft it is...

Quote

Co-management is a solution where Windows 10 devices can be concurrently managed by Configuration Manager and Intune, as well as joined to Active Directory (AD) and Azure Active Directory (Azure AD) to provide a way for you to modernize over time. It’s a solution to provide a bridge from traditional to modern management and provides you with a path to make the transition using a phased approach.

 

The graphic below shows you that scenario.

Prerequisites

The following are general prerequisites for you to enable co-management:

• Technical Preview for Configuration Manager version 1709
• Azure AD
• EMS or Intune license for all users
• Intune subscription (MDM authority in Intune set to Intune)

Additional prerequisites for existing Configuration Manager clients

• Windows 10, version 1709 (Fall Creators Update) and later
• Hybrid Azure AD joined (joined to AD and Azure AD)

Additional prerequisites for new Windows 10 devices

• Windows 10, version 1709 (Fall Creators Update) and later
• Cloud Management Gateway in Configuration Manager

Create some collections

In SCCM Assets and Compliance, select Device Collections and create a device collection, called Pilot co-managed devices, and alternatively one called Production co-managed devices, populate them with some devices.

Enabling co-management

To configure Co-Management, select Administration, Cloud Services, and click on Co-Management. Enter the credentials of your Standalone MDM Intune tenant and click Sign In.

Create a Pilot co-management policy

To being with, you'll want to do a Pilot configuration of Co-Management.

Select your Pilot group of co-managed devices by clicking on Browse and selecting the Pilot co-managed devices collection created above.

On the Configure Enablement screen, set the drop down to Pilot

Click on Copy to copy that line of text, the text will be something like this:

CCMSETUPCMD="/mp:https:// CCMHOSTNAME= SMSSiteCode= SMSMP=https:// AADTENANTID= AADTENANTNAME= AADCLIENTAPPID= AADRESOURCEURI= SMSPublicRootKey="

Next, you can configure the workloads (on or off, there is no middle ground here)

and continue the wizard through to completion.

Create a Production co-management policy

After creating the above policy, and once you've completed your pilot, create a new  Production policy (Pilot will be greyed out).

Now, the drop down can choose All (or none).

and again configure workloads...

 

The created policies are shown here.

Recommended reading

To get more info about this topic, please review the following blog posts from Microsoft.

• https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1709#co-management-for-windows-10-devices
• https://blogs.technet.microsoft.com/enterprisemobility/2017/09/27/whats-new-with-microsoft-intune-and-system-center-configuration-manager-ignite-2017