I never planned to write this post, but I have recently come across several organisations that wanted to pilot co-management of their devices in Microsoft Endpoint Manager and had configured it in a less than optimal way, which exposed them to some risk of inadvertent changes. In short, don’t just use a single collection for all your co-management piloting. Here are my recommendations.
The first thing to emphasise, pre-requisites aside, is that if you are planning to use co-management you can enable it for ALL devices with the comfort of no tangible impact, as long as all the workload sliders are over to the left. That said, I understand why some people prefer to pilot co-management first and then add more devices to the pilot as they test out the workloads with Intune. For that scenario, my guidance is as follows.
Configure upload tab
This in effect refers to “Tenant Attach”. It is essentially just syncing device records to the Endpoint Manager admin center so they appear there and you can perform ConfigMgr-based actions on them. This has zero impact on the device; the device doesn’t even know about it, as actions are performed only by the ConfigMgr backend. The only caveat to be aware of is that if you set this to “All devices…” it may bring across the records of any servers too. Of course, servers cannot be enrolled in Intune anyway, so again, to be clear, there is no risk of impact. Some people love the idea of having a single place to nudge device actions from; in fact there is functionality in there which makes life easier for some server management too. Conversely, some people do not want any evidence of servers there, so they use a specific collection that contains only client devices.
Enablement tab
This tab controls which devices are enrolled in Intune and therefore co-managed. This is all on the assumption that they have the necessary pre-reqs (which I won’t cover in this post).
In theory, the way this was designed was to select All so that all devices are then “co-managed”, but in practice the default position is that ConfigMgr controls EVERYTHING until the point you move the workloads across to Pilot or Intune. As you will hopefully have seen, the process of co-managing a device is silent and seamless, so much of the time that is the option organisations take, as you are guaranteed that any new or added devices are automatically co-managed.
In practice, you also have the Pilot option. In this case I recommend you use a dedicated Co-Management collection exclusively for this purpose, as I have here. Don’t use this collection for anything else (then you retain confidence that any changes will have no effect elsewhere) and just add in the initial devices that you want to co-manage.
Workloads tab
This tab controls which workloads you want Intune to start being used for. To be really clear, if all sliders are to the left then ConfigMgr is in full control of everything – hence it’s easy to recommend enabling automatic enrolment into co-management for all devices.
Once you move a slider to the right, that enables Intune to start being used for that workload – it DOES NOT necessarily stop ConfigMgr from being used for that workload; you can use both (some small exceptions are noted in the docs: https://docs.microsoft.com/en-us/mem/configmgr/comanage/workloads).
Staging tab
If you have set some workloads to Pilot, you need to choose a collection to use for piloting each of those workloads. By popular demand, Microsoft added a separate collection per workload some versions back. This is the best way to do it (by popular opinion), as you retain more granular control and therefore confidence that you are not going to get unexpected outcomes. What I highly recommend is that you create a collection for each workload as a kind of framework for your co-management. Each of those collections should be limited to the Co-Management collection shown in the Enablement tab.
Doing it this way, you get confidence that ALL devices in the Co-Management collection will be co-managed, but unless they are also in one of the pilot collections nothing will change. Additionally, if you inadvertently add a device to one of the pilot collections but it is not in the Co-Management collection, nothing will change, because the limiting collection prevents it from ever becoming a member.
I quickly drafted this to illustrate using the client apps workload as an example. The blue rectangles represent collections and they are all using Co-Management as the limiting collection.
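The collection framework described above (a single Co-Management collection for the Enablement tab, plus one pilot collection per workload limited to it for the Staging tab) can be built and audited from the ConfigMgr PowerShell module. The script below is an added example and is not code from the original post; the site code, the limiting collection for Co-Management, the “CoMgmt Pilot - ” naming prefix and the direct-membership rules are my assumptions and should be adapted to your site. The cmdlets used (New-CMDeviceCollection, Get-CMDeviceCollection, Add-CMDeviceCollectionDirectMembershipRule, Get-CMDevice) ship with the ConfigMgr console module.

```powershell
# Added example (not from the original post): build the co-management collection
# framework and audit that every pilot collection is limited to the Co-Management collection.
param(
    [string]$SiteCode = 'PS1',                          # assumption: replace with your site code
    [string]$CoMgmtCollection = 'Co-Management',        # the collection selected on the Enablement tab (Pilot)
    [string]$ClientLimitingCollection = 'All Systems',  # assumption: use a client-only collection if you prefer
    [string]$PilotPrefix = 'CoMgmt Pilot - '            # assumption: naming convention for the Staging tab collections
)

# Standard console module import and site drive connection.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):\"

# Workload names as shown on the Workloads tab; one pilot collection is created for each.
$Workloads = @(
    'Compliance Policies',
    'Device Configuration',
    'Endpoint Protection',
    'Resource Access Policies',
    'Office Click-to-Run Apps',
    'Client Apps',
    'Windows Update Policies'
)

function New-CollectionIfMissing {
    param([string]$Name, [string]$LimitingName)
    $collection = Get-CMDeviceCollection -Name $Name
    if ($null -eq $collection) {
        # RefreshType None: membership comes only from direct rules you add deliberately,
        # so a query rule cannot silently pull extra devices into the pilot.
        $collection = New-CMDeviceCollection -Name $Name `
            -LimitingCollectionName $LimitingName -RefreshType None
    }
    return $collection
}

# 1. The Co-Management collection used by the Enablement tab. Used for nothing else.
New-CollectionIfMissing -Name $CoMgmtCollection -LimitingName $ClientLimitingCollection | Out-Null

# 2. One pilot collection per workload, each limited to the Co-Management collection.
foreach ($workload in $Workloads) {
    New-CollectionIfMissing -Name "$PilotPrefix$workload" -LimitingName $CoMgmtCollection | Out-Null
}

# 3. Add an initial device to the Co-Management collection by direct rule.
#    'PC01' is a hypothetical device name; adding it to a pilot collection alone would do nothing,
#    because the limiting collection stops it becoming a member until it is also in Co-Management.
$device = Get-CMDevice -Name 'PC01'
if ($null -ne $device) {
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CoMgmtCollection -ResourceId $device.ResourceID
}

# 4. Audit: report any pilot collection whose limiting collection is not Co-Management.
#    A pilot collection limited elsewhere is exactly the misconfiguration that can change
#    a device that was never meant to be co-managed.
function Test-PilotCollectionLimits {
    param([string]$Prefix, [string]$ExpectedLimit)
    Get-CMDeviceCollection | Where-Object { $_.Name -like "$Prefix*" } | ForEach-Object {
        [pscustomobject]@{
            Collection = $_.Name
            LimitedTo  = $_.LimitToCollectionName
            Ok         = ($_.LimitToCollectionName -eq $ExpectedLimit)
        }
    }
}

$audit = Test-PilotCollectionLimits -Prefix $PilotPrefix -ExpectedLimit $CoMgmtCollection
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more pilot collections are not limited to the Co-Management collection.'
}

Pop-Location
```

Run it from a machine with the ConfigMgr console installed. The audit at the end is the part worth keeping as a recurring check: if anyone later re-creates a pilot collection limited to All Systems, the warning will show it before a workload slider is moved.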
Hopefully that helps to some extent. If you don’t feel confident about the outcome of co-managing all your devices at once, this approach should help you feel more comfortable that you retain control, and you can move devices into co-management knowing you have that control. Also, if you do co-manage a large portion of your devices without having them all in a pilot collection, you still have the ability to test and pilot the workloads over the coming weeks, months or years, while gaining functionality such as remote wipe, remote restart and locate device, because the device is Intune enrolled.
That’s it for now!