By current expert estimates, the COVID-19 pandemic may result in people working from home for an extended time. After adapting to sudden remote work using available devices at home, many organizations are beginning to allow corporate PCs and laptops to be taken home to work remotely. Millions of these PCs are currently being managed using on-premises tools such as Configuration Manager. When these devices are no longer on-premises and are not expected to “check in” to the corporate network for weeks, how do you ensure they remain managed and up-to-date?
Previous articles in this series discussed some ideas to enable personal PCs and pre-provision new business PCs for remote users. Now let’s talk about how you can manage work devices being used remotely to maintain their health and security using Configuration Manager and the Microsoft cloud.
Who should read this article?
This article will help IT decision makers and Configuration Manager administrators who currently manage a mostly on-premises PC management infrastructure. It will help them prepare the PCs for cloud management before they are sent home. You’ll see how to apply automation and intelligence in the Microsoft cloud to your existing infrastructure. The tools discussed in this article may already be available to you if you own Microsoft 365 E3 or EMS E3 and above licenses.
This is not meant to be an exhaustive guide but will help you enable users in a consistent and unified way, irrespective of their physical location.
Using Configuration Manager? Enable support for remote workers with co-management
The global health crisis has made many businesses look for ‘easy wins’ in the cloud to complement their existing device management infrastructure. Configuration Manager and Microsoft Intune are now a part of a single solution called Microsoft Endpoint Manager. With this change, organizations that are currently using on-premises Configuration Manager are able to use Intune cloud services to co-manage Windows 10 devices without additional licensing costs. Co-management may be an attractive technology for devices managed by Configuration Manager that will no longer be on-premises and are not expected to “check in” to the corporate network for weeks. Use this co-management tutorial to understand the prerequisites and implement hybrid Azure AD and Configuration Manager client configurations as you prepare to enable co-management of your Windows 10 devices.
Paths to co-management with Microsoft Endpoint Manager
Benefits of adding cloud management to Configuration Manager right away
This approach has several benefits for your organization beyond helping manage the additional demands on IT due to the coronavirus response.
Firstly, co-management adds the ability for you to use Intune cloud services to manage remote devices, while concurrently managing them from on-premises Configuration Manager servers. You may choose to stay in co-management for as long as you want and still bring intelligence from the Microsoft 365 cloud into your day-to-day work. For example:
deploy updates faster so that you can make your organization more secure and compliant
take immediate actions on all your devices from a unified web console – whether managed on-premises or natively in the cloud
completely automate your compatibility testing when upgrading to a new release of Windows
Cybersecurity is another vital consideration when devices roam outside the physical corporate boundary. With co-management, you gain the important benefit of Conditional Access for PCs. Conditional Access makes sure that only trusted users can access organizational resources on trusted devices using trusted apps. This not only helps protect remote workers but also protects the corporate network from being disrupted by an infected machine. Conditional Access combines granular control over organizational data with a user experience that maximizes worker productivity on any device, from any location. With Conditional Access, you can determine if a device is encrypted, if malware is detected, if device settings are updated, and if mobile devices are jailbroken or rooted.
To secure co-managed remote work devices, we recommend enabling Conditional Access right away. Over time, you can decide which other Configuration Manager tasks you feel comfortable moving to the cloud. One of the benefits of co-management is that you control which workloads you switch from Configuration Manager to Intune.
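Before a co-managed PC leaves the building, it is worth confirming on the device itself that the pieces described above are actually in place: hybrid Azure AD join, a running Configuration Manager client, co-management enabled, and an Intune MDM enrollment. The PowerShell below is an added, read-only example written for this article; it is not code from the article or from Microsoft. It assumes that `dsregcmd /status` reports the join state, that the Configuration Manager client records its state in `HKLM\SOFTWARE\Microsoft\CCM\CoManagementFlags` as a bitmask, that an Intune enrollment appears under `HKLM\SOFTWARE\Microsoft\Enrollments` with `ProviderID` equal to `MS DM Server`, and that the workload bit values listed in the script match the documentation for your Configuration Manager branch; verify each of those assumptions against current docs before relying on the output.

```powershell
# Added example (not from the original article): read-only readiness check for a
# co-managed Windows 10 PC. Run in an elevated PowerShell session on the device.
# Assumptions to verify against your Configuration Manager branch's documentation:
#  - dsregcmd /status reports AzureAdJoined / DomainJoined
#  - HKLM\SOFTWARE\Microsoft\CCM\CoManagementFlags is a bitmask (values below)
#  - an Intune MDM enrollment is a subkey of HKLM\SOFTWARE\Microsoft\Enrollments
#    whose ProviderID is 'MS DM Server'

# Workload bits as documented for CoManagementFlags (assumed; bit 0 = enabled).
$WorkloadBits = @{
    2   = 'Compliance policies'
    4   = 'Resource access policies'
    8   = 'Device configuration'
    16  = 'Windows Update policies'
    32  = 'Endpoint Protection'
    64  = 'Client apps'
    128 = 'Office Click-to-Run apps'
}

function Get-DsregState {
    # dsregcmd prints "Name : VALUE" lines; keep only the fields we need.
    $state = @{}
    $raw = & dsregcmd.exe /status 2>$null
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function ConvertFrom-CoManagementFlags {
    param([int]$Flags)
    # Decode the known workload bits; anything else is reported raw rather than
    # silently ignored, so a newer branch with extra bits is noticed.
    $known = 1
    $workloads = foreach ($bit in ($WorkloadBits.Keys | Sort-Object)) {
        if ($Flags -band $bit) { $known = $known -bor $bit; $WorkloadBits[$bit] }
    }
    [pscustomobject]@{
        Enabled          = [bool]($Flags -band 1)
        IntuneWorkloads  = @($workloads)
        UnrecognisedBits = $Flags -band (-bnot $known)
    }
}

function Test-CoManagementReadiness {
    $dsreg = Get-DsregState
    $ccm   = Get-Service -Name CcmExec -ErrorAction SilentlyContinue

    $flags = 0
    $ccmKey = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue
    if ($null -ne $ccmKey -and $null -ne $ccmKey.CoManagementFlags) { $flags = [int]$ccmKey.CoManagementFlags }
    $coMgmt = ConvertFrom-CoManagementFlags -Flags $flags

    # Intune MDM enrollment: look for an enrollment whose provider is the MDM server.
    $mdm = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }

    $blockers = @()
    $hybridJoined = ($dsreg['AzureAdJoined'] -eq 'YES' -and $dsreg['DomainJoined'] -eq 'YES')
    if (-not $hybridJoined)                              { $blockers += 'device is not hybrid Azure AD joined' }
    if ($null -eq $ccm -or $ccm.Status -ne 'Running')    { $blockers += 'CcmExec service is not running' }
    if (-not $coMgmt.Enabled)                            { $blockers += 'co-management is not enabled on the client' }
    if (-not $mdm)                                       { $blockers += 'no Intune MDM enrollment found' }

    # Conditional Access evaluates Intune device compliance, so that workload
    # must be switched to Intune for the CA benefit described in the article.
    $warnings = @()
    if ($coMgmt.Enabled -and ($coMgmt.IntuneWorkloads -notcontains 'Compliance policies')) {
        $warnings += 'Compliance policies workload still in ConfigMgr; Conditional Access will not see compliance'
    }
    if ($coMgmt.UnrecognisedBits -ne 0) {
        $warnings += ('CoManagementFlags has undecoded bits: {0}' -f $coMgmt.UnrecognisedBits)
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        HybridAzureAdJoined    = $hybridJoined
        AzureAdTenant          = $dsreg['TenantName']
        ConfigMgrClientRunning = ($null -ne $ccm -and $ccm.Status -eq 'Running')
        CoManagementEnabled    = $coMgmt.Enabled
        IntuneWorkloads        = ($coMgmt.IntuneWorkloads -join ', ')
        IntuneMdmEnrolled      = [bool]$mdm
        ReadyForRemoteWork     = ($blockers.Count -eq 0)
        Blockers               = ($blockers -join '; ')
        Warnings               = ($warnings -join '; ')
    }
}

Test-CoManagementReadiness | Format-List
```

The check is deliberately read-only: it changes nothing on the device and only summarizes what the Configuration Manager client, the MDM enrollment and dsregcmd already report, so it can be run on a batch of PCs before they are sent home and the `Blockers` column used to decide which ones still need attention.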
Additionally, the cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam out of your physical location without additional on-premises infrastructure. You also don't need to expose your on-premises infrastructure to the internet. Adding the power of the cloud management gateway to Microsoft Endpoint Manager will set you up with a robust long-term remote work infrastructure. Rob York recently published an excellent article about managing remote machines using cloud management gateway (CMG) in Configuration Manager.
Several reputable cybersecurity agencies (for example, NCSC in the UK, CISA in the US, and ASD in Australia) have recommended using MDM tools to set up devices with a standard configuration, and also to remotely lock devices, erase data, or retrieve a backup. With Microsoft Endpoint Manager, once you enable co-management, you have a single policy authoring console to standardize your security policies, device configurations, and app settings across all your endpoints. Using powerful tools such as the Security baselines in Microsoft Intune, you can apply a known group of settings and default values that are recommended by our security experts. If you currently use group policy, migrating to Intune for management is much easier with these baselines since they are natively built into Intune and include a modern management experience. You can quickly create and deploy a secure profile, knowing that you're helping protect your organization's resources and data.
If you happen to be a customer that is not using Configuration Manager to manage your Windows devices, moving straight to Microsoft Intune will greatly increase your ability to manage remote devices during this crisis. If you are using Configuration Manager, this is the right time to take action and use the combined power of cloud insights with Microsoft Intune to keep business data safe while helping people keep working productively from home. In both cases, you should not think of ConfigMgr and Intune as separate offerings, but as points on the continuum of Microsoft Endpoint Manager.
Many customers take their first steps with Microsoft FastTrack, a unique service designed with one goal in mind: helping you get the most value out of your Microsoft 365 investment. Use your FastTrack Center Benefits with eligible subscriptions to work with Microsoft specialists to assess, remediate, enable, and drive user satisfaction with your Intune roll-out. You can get help through the Microsoft 365 admin center or the FastTrack site.
These are unprecedented times and we are here to help and share guidance so you can keep your employees connected. We continue to update our Microsoft COVID-19 Response resources with guidance and learnings; please check frequently for more ideas and information: https://news.microsoft.com/covid-19-response
Some other guidance in this series to help you rapidly enable secure remote work:
As always, we would love to hear your experiences with remote productivity while maintaining a healthy social distance. Join the conversation in our Remote Work Tech Community to share, engage and learn from experts.