Blog Post

Configuration Manager Blog
7 MIN READ

Cloud Attach Your Future - Part II - "The Big 3"

Danny_Guillory's avatar
Oct 06, 2020

When the global pandemic started, we were all thrust into the new (and very lightly explored) area of managing devices remotely 100% of the time. Of course, everyone rushed to their VPN solution only to uncover new obstacles and even more significant challenges which they had never anticipated.

As I talk to customers and I listen to how their management of the Windows estate has changed, I am always surprised by the lack of the "Big 3":

  1. Cloud management gateway (CMG)
  2. Tenant attach
  3. Co-management

These are the essential features that you need NOW as you continue to modernize and streamline your management solution.

 

Let's talk about why those capabilities are so important.

As an IT pro for fifteen years and seven years here at  Microsoft, I know that the thing on everyone’s mind is: "How do I make changes with minimal-to-no disruption" while also "marching towards that north star of cloud management?" What a great thought and a very tight line to walk. That’s the reason you should LOVE the "Big 3" – when you use them together, it provides the fastest path for you to move forward to cloud management with no disruption or risk.

 

Now, to be clear, the Big 3 is excellent, but I wouldn’t be doing anyone any favors if I failed to mention how its foundations are built on identity with Azure Active Directory. With any cloud solution, identity for both the user and the device is essential – and I would even argue they are critical. When you cloud-attach, you connect Configuration Manager with Azure Active Directory – and this allows you to both simplify and enhance the authentication capabilities leveraged by the Big 3. This is the kind of value I’m talking about.  Onboarding your Configuration Manager environment to your organization’s Azure Active Directory is the foundation on which cloud-attach is built.

 

There is no predetermined order in which you need to enable the Big 3. If I’m thinking with the customer side of my brain, I will start with the biggest value; and that means that starting with CMG is a no-brainer, especially in this work-from-anywhere, manage-from-everywhere new normal.  Right away, I would enable Cloud Management Gateway. This gives your organization immediate value and instant cloud transformation because you are using your already-established workflows and processes.

 

Second, I would enable tenant attach because of the immediate value of having your device records in the cloud and being able to take actions on these devices from the cloud console. Finally, co-management provides huge value by enabling Conditional Access and many of the other workloads that can be managed via Configuration Manager.

 

Each of the Big 3 brings a ton of cloud value, let me highlight some of my favorite capabilities of each that will give you the biggest value and fastest path to the cloud with the smallest amount of effort.

 

Cloud management gateway

IT Pros are all coping with and/or reacting to how different it is to manage devices that no longer entering the corporate network. The challenge that very quickly follows, however, is how to minimize the management traffic through the VPN. The management traffic passing via VPN can be overwhelming, and the truth is that none of us know how much management traffic there is, although work from anywhere has certainly highlighted how much this can be. Frankly, there is no need for this traffic to pass over the VPN. By enabling CMG you minimize the management traffic coming over the VPN solution and free up bandwidth for the business-critical traffic that does need to return on-premises. When you enable CMG, you maintain a line of sight into your devices wherever they are on the internet, allowing all your established processes and practices to continue, business as usual. This enables you to not only keep on top of things like software deployments and device configuration, but, more crucially, software updates, and patch compliance.

 

Implementing a CMG can be done with no disruption and no additional risk, providing vast amounts of immediate cloud value to any organization – and, thanks to recent feature improvements, it can be done very easily too. Client certificates, from an enterprise PKI, are the most secure and recommended client authentication mechanism. Still, Azure Active Directory and the recently added token authentication in Configuration Manager current branch (version 2002 and later), remove the need for deploying any additional, often complex infrastructure in order to manage existing (and sometimes legacy) Windows devices over the Internet.

 

As noted above, CMG is the first thing I recommend any company set up as soon as possible if you currently have an on-premises Configuration Manager solution. Without a CMG, your organization is rapidly falling behind on the journey to cloud management.

 

Tenant attach

After cloud management gateway, the next feature I would look to enable is tenant attach. This is a fantastic way to extend your on-premises management by attaching to the cloud, and it is genuinely exciting to see the investment being made in Microsoft Endpoint Manager, both on-premises and in the cloud.

 

Notice below in the screenshot that I am getting real-time data from Configuration Manager on-premises; this includes clients connected from the Internet over CMG. Let that sink in… cloud-attaching your existing Configuration Manager estate is truly management from virtually anywhere. You can manage devices anywhere on the Internet from anywhere using the cloud console. Even from a phone.

 

In this console I can see if the device is co-managed, the boundary groups in which the device belongs, if the device is online, and so much more. What you should take away from the screenshot is the frictionless union of on-premises and cloud. While leveraging the cloud console, you can still take advantage of the investments you already have from your on-premises infrastructure. Think about that some more and keep in mind that I mentioned that there’s no disruption when you set this up.  This means you don’t have to recreate configuration in the cloud to have it available to your management estate.

 

You have got to leverage cloud-attach to extend and supercharge your investments on-premises to the cloud!

 

 

Figure 1: When you cloud-attach, the Microsoft Endpoint Manager admin center shows real-time data from Configuration Manager and enables you to manage your devices from virtually anywhere.

 

Not only does tenant attach bring existing management into the admin center, there are also some features that only exist when you are cloud-attached, such as Endpoint Analytics or the brilliant new Timeline which shows events that have occurred on a device in order to improve the troubleshooting experience of your helpdesk.

 

 

Figure 2: The Timeline view shows events that have occurred on a device to improve the troubleshooting experience of your helpdesk.

 

Co-management

One common pre-conception is that co-management is just about migration. In reality, co-management is about digital transformation without the need to go through a huge migration effort. I mean, we all remember how much fun that ConfigMgr 2007 to 2012 migration was right?

Conditional Access is one of the most rapidly consumed services today – you simply can’t beat how easy and straightforward it is to enable by using co-management. But that's not the only reason for using co-management. I’m sure you’ve noticed that there’s a recurring theme here: immediate value. Co-management will help with device provisioning, device actions, and managing individual workloads as well – and it does that immediately.

 

I get a lot of customers that ask about device provisioning from the cloud, and we always end the conversation with the action to go turn on co-management. Provisioning devices can be such a complex and daunting task for many organizations, and enabling co-management and using Autopilot completely transforms and simplifies the provisioning process. The exciting piece for customers is when the Configuration Manager agent installs from the cloud, and then the device is effortlessly transformed into the corporate standard. This all happens over-the-air without the device needing to come on premises or connect to VPN – and it does this while still leveraging your existing application investments in Configuration Manager. Mind melting isn’t it?!?

 

Co-management also allows you to simplify your management by lifting workloads to the cloud.

 

As with any of the Big 3, there’s no one size fits all; digital transformation is about using the cloud that brings your organization the most business value. It’s pretty awesome to be able to control your transformation!  When you cloud-attach with co-management you control when you transform, and for what workloads you transform. From the screenshot below you can see the various workloads being managed from the cloud on the specific device, client health, and the last time the device communicated. There are lots of good insights here that you should be using to help drive the transformation of your business to the most secure cloud.

 

 

Figure 3: The co-management area shows you the device’s workloads being managed in the cloud, client health, and the last time the device communicated.

 

To summarize, there are some really simple steps you can take to get huge amounts of cloud value in your existing Configuration Manager environment, without the need to migrate, move, or otherwise cause disruption within your environment. The mantra here is “transformation not migration.”

 

Below are my exec-level value props for each of the Big 3.

  • CMG: Extend the capability of Windows device management and resolve VPN contention – without disruption to current workflows, without the added on-premises infrastructure to manage, and with no additional risk.
  • Tenant Attach: This is the simplest way to add value by extending the investment in your on-premises environment to the cloud without recreating net new configuration. Gain actions and insights to devices on-premises or off-premises from the Microsoft Endpoint Manager admin center.
  • Co-Management: Enable features in the cloud. Bring new functionality such as Conditional Access for immediate cloud value or begin to transition existing workloads from the cloud at your own pace.

Have questions? Join our Ask Microsoft Anything (AMA) event this Thursday, October 8th from 8:00-9:00 a.m. Pacific Time in the Microsoft Endpoint Manager community!

 

 

Reference Links:

 

Danny Guillory Jr
Senior Program Manager
@sccm_avenger

 

Updated Oct 06, 2020
Version 1.0
  • Blacklioneth , so let's remove the word "Hybrid" because that's just a way overused and generic term right now. There are a few things to unpack in your message. Feel free to Direct Message me and we can have a deeper dialogue about what you're trying to achieve. I could ramble a bunch of stuff and be in "left field" and probably confuse you more than help. 

  • Danny_Guillory Nice post, thanks for it.  I would like to ask you something, since it seems like I have the floor for a minute.  If customer XYZ has no ConfigMgr nor Intune in place today, but they DO have on-premises AD and will continue to require it, what is Microsoft's stance in terms of recommended approach for best overall capabilities and experience:

     

    1. Implement ConfigMgr, and Intune, and enable co-management.
    2. Skip ConfigMgr altogether and just implement Intune.

    I'm of the opinion that ConfigMgr is essentially legacy, even though it clearly has more fine-grained administrative control over many things.  I can't figure out if Microsoft is behind Intune as being as good as ConfigMgr or not.  There's a lot of effort and marketing going into ConfigMgr at present, I think more than Intune.  So I just wonder.

     

    Thanks in advance.

  • Hello JeremyTBradshaw, Sorry I did not see this earlier. This ended up in my junk folder. 

     

    Your number 2 there is the answer  "Skip ConfigMgr altogether and just implement Intune."

     

    Those customers that do not have ConfigMgr, I would strongly suggest they go straight to Cloud Only, period. The strategy around Cloud-First is simple and will also cause the innovation of processes and workflows. If you have no management solution today go cloud-only, DO NOT "knee jerk" to an on-prem solution because "I can't do ____________ with Cloud Only"! When I hear customers say "I can't", that means they just have not found another way, so modernizing and innovating some processes is what I try to explore and unpack.

     

    Eventually, you should end up validating your business needs can be meet with Cloud Only management or you validate that you need small and simple on-prem to fill the gaps. This is an exercise I recommend quite often with customers I engage with that want to go Cloud Only. I will also add if a customer does land on Cloud Attached ConfigMgr it is small, simple, & efficient (think set it, and forget it).

     

    Microsoft is ALL IN on Endpoint Manager (that means ConfigMgr & Intune), so I also want to call out we have stated this many times over publicly. We have no plans to minimize the investment in Configuration Manager and for Customers that have Configuration Manager, we strongly suggest they cloud attach. Cloud Attaching ConfigMgr is by far the easiest and simplest TRANSFORMATION to Cloud. I'll end with keep in mind these things don't happen overnight and some customers need time to modernize not just their technology and processes but also the mindset. 

  • Thanks very much for the detailed response Danny_Guillory .  It is exactly what I hoped to hear - essentially that, even considering all the hype, marketing, and advancements with ConfigMgr, the recommendation for when ConfigMgr isn't already implemented, is to bypass it altogether (and go straight Intune).

     

    I'll bookmark this page now and refer to it moving forward.  Again, thanks very much!

  • Blacklioneth's avatar
    Blacklioneth
    Copper Contributor

    Hello Danny_Guillory - Great article thank you for sharing 

     

    We have ConfigMgr and on the process of implementing Intune( test is in progress) 

    from your article I understood configuring CMG is a must for the hybrid environment (ConfigMgr & Intune), we are worried about legacy application that uses http 

    My Question is 

    1. can we enable co-management with out CMG

    2.  if I enable CMG will there be a work around for the legacy apps 

     

    Thank you 

     

     

  • gregb's avatar
    gregb
    Copper Contributor

    Great article! I appreciate the guidance, it gives me more confidence to lead our team.