Move from Hybrid Mobile Device Management to Intune on Azure

First published on TechNet on Aug 14, 2018
We published a service change announcement in the Office Message Center to customers using Hybrid Mobile Device Management (MDM) on August 14, 2018. We've also posted a reminder to all customers on February 6, 2019. Both announcements are shared below. Following the announcements, we’ve included answers to frequently asked questions. If you’ve got any additional questions, reach out to us through your Microsoft Account representative, FastTrack for Microsoft 365 or EMS, Microsoft Partner, or contact us directly through comments on this post. We will continue to update this blog post as needed.



MC146431 - Plan for Change: Move to Intune on Azure for your Mobile Device Management

Since launching on Azure over a year ago, Intune has added hundreds of new customer-requested and market-leading service capabilities, and now offers far more capabilities than those offered through hybrid Mobile Device Management (MDM). Intune on Azure provides a more integrated, streamlined administrative experience for your enterprise mobility needs.

As a result, we see that most Enterprise Mobility + Security (EMS) customers choose Intune on Azure over hybrid MDM. The number of customers using hybrid MDM continues to decrease as more customers move to the cloud. Therefore, on September 1, 2019, we will retire the hybrid MDM service offering. Please plan your migration to Intune on Azure for your MDM needs. We have tools, case studies, and other resources to help with this migration.

Note: This change does not affect on-premises System Center Configuration Manager (ConfigMgr) or co-management for Windows 10 devices. If you are unsure whether you are using hybrid MDM, go to the Administration workspace of the ConfigMgr console, expand Cloud Services , and click Microsoft Intune Subscriptions . If you have a Microsoft Intune subscription setup, your tenant is configured for hybrid MDM.



How does this affect me?

• Microsoft will support your hybrid MDM usage for the next year. We will continue to release major bug fixes and ensure existing functionality is supported on OS versions, such as enrollment on iOS 12. We will not invest in new features for hybrid MDM.

• We do not expect any end user impact to this change, provided you migrate to Intune on Azure before the end of the hybrid MDM offering.

• Licensing remains as is; Intune on Azure licenses are included with hybrid MDM.

• We will begin to block the onboarding of new hybrid MDM customers starting in November 2018. We have removed this bullet as this block will not start in November. We will update this post when we have a new date.  We will start blocking new hybrid MDM customers with the 1902 service update, expected end of February.

• On September 1, 2019, any remaining hybrid MDM devices will no longer receive policy, apps, or security updates.

What do I need to do to prepare for this change?

• Start planning your migration for MDM from the ConfigMgr console to Azure. Many customers, including Microsoft IT, have gone through this process. Read this case study sharing best practices and lessons learned from Microsoft’s own migration.

• Review tools and documentation we’ve created to simplify the process of moving from hybrid MDM to Intune on Azure. Many customers, including some of our largest and smallest, have successfully used these tools and guidance to migrate.

• Contact your partner of record or FastTrack for assistance. FastTrack for Microsoft 365 or EMS can assist in your migration from hybrid MDM to Intune on Azure. More information on how to open this specific type of FastTrack ticket is included in the Additional Information link.

MC 173024  - Reminder: Move to Intune for your Mobile Device Management

As previously announced in MC146431, updated in documentation, and amplified through social channels, on September 1, 2019, Intune will retire the hybrid Mobile Device Management (MDM) service offering. Many customers have migrated and shared that the move to Intune for MDM was easier than expected. If you have not begun, start planning your move. We have tools, case studies, and other resources to help with your migration.

How does this affect me?
Microsoft will support your hybrid MDM usage until September 1, 2019. We will continue to release major bug fixes but will not invest in new features for hybrid MDM. After September 1, any remaining hybrid managed MDM devices will no longer receive policy, apps, or security updates. There are no changes to licensing. Intune licenses are included with hybrid MDM.

What do I need to do to prepare for this change?

• Migrate your MDM prior to September 1, 2019.
• Learn best practices from other customers. Microsoft IT migrated and shared their experience in this case study.
• Review tools and documentation we’ve created to simplify the process of moving from hybrid MDM to Intune.
• Be aware of two migration customer learnings:
1. iOS email profiles - when you create your new Intune iOS email profile, make sure it is an exact mirror of your hybrid iOS profile if you intend for no end user interaction during migration. Customers have shared that even a slight difference between the two will pull down a new iOS profile. An updated profile could then require end-user interaction such as entering in a PIN, depending on your configuration. 
2. Conditional Access – ConfigMgr on-premises Conditional Access for PCs will be removed on September 1, 2019 at the same time hybrid is retired. If you use Conditional Access on PCs managed by the ConfigMgr agent, you should enable Conditional Access in Intune for those PCs before you migrate to ensure they are still protected. To do that, you should enable co-management in ConfigMgr for your PCs, move the compliance policy workload to Intune, and then complete your migration from Intune hybrid to Intune standalone.
• We will block new hybrid customer onboarding starting with the 1902 Intune service release, expected to ship end of February. After this time, you will not be able to set your MDM authority to hybrid, including moving back to hybrid after changing MDM authority to Intune or SCCM.
• Contact your partner of record or FastTrack for assistance. FastTrack for Microsoft 365 or EMS can assist in your migration from hybrid MDM to Intune and FastTrack can also assist setting up co-management. More information on how to open this specific type of FastTrack ticket is included in the Additional Information link.

The additional information link in the message center post points to this blog post for more information. As shared in this post’s introduction, we’re including answers to some frequently asked questions.



Q: What is Hybrid MDM?

A: Hybrid MDM was originally created to utilize the capabilities of the ConfigMgr console while managing mobile devices with Microsoft Intune. Hybrid MDM uses Intune as the delivery channel for policies, profiles, and applications to devices and uses ConfigMgr on-premises infrastructure to administer content and manage the devices.



Q: How do I know if I’m using hybrid MDM?

A: Go to the Administration workspace of the ConfigMgr console, expand Cloud Services , and click Microsoft Intune Subscriptions . If you have a Microsoft Intune subscription setup, your tenant is configured for hybrid MDM.



Q: Are hybrid MDM and co-management the same thing?

A: Nope! The key difference is that hybrid is for mobile devices and has been an alternative solution to Intune in the cloud, whereas co-management is for Windows 10 devices where the ConfigMgr and Intune consoles can be used simultaneously to manage different workloads for the same devices.



Q: Does this affect co-management?

A: Not at all. Co-management enables you to concurrently manage Windows 10 devices by using both ConfigMgr and Intune. Co-management is where we see growth of customers wanting both on premise and cloud-based management.



Q: Is ConfigMgr going away?

A: A resounding no! This change does not affect our interest or investments in ConfigMgr as a solution for on-premises device management. We will continue to fully support our customers in this area.



Q: What do I do if I’ve done a bunch of customizations with hybrid MDM?

A: Contact us through your Microsoft Account representative, FastTrack, Microsoft Partner or us directly through this post if you have migration blockers.



Q: I use mixed authority. Do I need to migrate?

A: Yes! This service announcement will affect customers with mixed authority .



Q: What’s behind this strategy shift?

A: The end user expectation is changing the role of IT. Remember years ago, when you could hold off adopting a new operating system for months or even years? Now, day zero support is expected by your end users. They have a brand-new phone with the latest operating system, and their creativity and teamwork depend on O365 access. Your job is not just to manage that device – you deliver user empowerment, management, and security. As Unified Endpoint Management, Identity and Access Management, and Endpoint Protection all come together, the hybrid MDM solution is not meeting that need nor is it reacting quickly enough to the changes in the MDM marketplace.



Q: Can my Microsoft Partner provide support?

A : If you have a Microsoft partner that provides ongoing managed services, please reach out to them directly for additional support.



Q: How do I request assistance from FastTrack?

A: To request assistance from FastTrack, get started by going to FastTrack for Microsoft 365 or EMS . Click on the “Sign In” prompt, and enter your org ID. Go to the dashboard, and from there follow the prompts to access the Request for Assistance form. Your submission will be reviewed and routed to the appropriate team that will address your specific needs and eligibility.  You can also find best practices, tools, and resources from the experts to help make your experience with the Microsoft Cloud a great one. Screen shots of this workflow are also provided in this linked support blog .



Q: Does this affect Conditional Access (CA) or On-premises MDM with ConfigMgr?

A: These features are not deprecated. We are working on a solution to allow these features to work without hybrid MDM.

Q: Does this affect Conditional Access (CA) for ConfigMgr?

A: ConfigMgr on-premises Conditional Access for PCs will be removed on September 1, 2019 at the same time hybrid is retired. If you use Conditional Access on PCs managed by the ConfigMgr agent, you should enable Conditional Access in Intune for those PCs before you migrate to ensure they are still protected. To do that, you should enable co-management in ConfigMgr for your PCs, move the compliance policy workload to Intune, and then complete your migration from Intune hybrid to Intune standalone. 

Post updates:

8/27/18: Updated with information about CA and On-prem MDM with ConfigMgr

11/5/18: Updated by removing the November date - we'd planned to block the onboarding of new hybrid customers this month, but we won't hit that November timeline. We will provide an update on this blog when we have a more official date.

2/6/18: Updated with the confirmation that new hybrid customers will start being blocked from onboarding to hybrid end of February. Also added in the Conditional Access for ConfigMgr update.