Thursday, September 17, 2015

My experience with ConfigMgr 2012 R2 SP1 and Intune in Hybrid scenario

Over the last months I did multiple ConfigMgr implementations in a Hybrid scenario. That means that a Microsoft Intune (SaaS) subscription is connected, and ConfigMgr is set as the Management Authority. Combining both solutions has a great benefit: managing all devices (desktops, notebooks, servers, Mac clients and mobile devices) from a single management console. I did multiple blog posts on that as well, which are included at the end of this post. Let's have a closer look.

When the Microsoft Intune subscription is connected, configuration is needed for the different (mobile) platforms. They are not hard to configure, but need different certificates for management. Let's have a look at the options available:

When enrolling Android devices no certificate is needed. Enrollment is done by installing the company portal. The downside is there's less to manage on this operating system. Both compliance policy and configuration items (fewer settings) can be configured. Not the best experience on this one for me. Depends on the device maybe?

When enrolling iOS devices an Apple Push Notification (APN) certificate is needed. This one is free and valid for 12 months. I like to enroll iPads because of the fast communication and great screen. Enrollment is done by installing the company portal. Optionally you can choose the DEP (Device Enrollment Program) and VPP (Volume Purchase Program) programs. That way you have over-the-air zero touch enrollment, and applications can be quickly installed without the need for manual actions every time. This is because when doing required app deployment you must approve them one by one. With these programs this isn't needed anymore. Both compliance policy and configuration items (many settings) can be configured. Best experience for me so far.

When enrolling Windows Phone (WP) devices a Symantec certificate is needed (most of the time). Enrollment is done by using workplace join and installing the company portal. For WP 8.1 devices the Symantec certificate is needed only for signing line-of-business apps. Enrollment is quick and easy, but I prefer the iOS way myself. When enrolling Windows 10 (Mobile) the behavior is the same. Just by using workplace join, device management becomes available in ConfigMgr. I hope this experience becomes better in ConfigMgr 2016 (available soon) with Windows 10 (Mobile). That way Microsoft has the best solution available for device management. For some customers I like to use DEP and VPP for easy enrollment and app deployment. This is because of over-the-air zero touch enrollment and easy app installation.

On multiple operating systems I have almost the same behavior for now. Enrollment and compliance settings are quick and easy. Configuration items however are slow and unstable. You can choose to deploy them to user/device collections (or both, depends on the setting?), but sometimes they work, sometimes not.

Example: I did an enrollment on an iPad, had the compliance policy in 1/2 minutes and the configuration baseline in 10/15 minutes. I installed some apps and they became available on screen. After that I unenrolled the device. Apps are gone, configuration baseline is gone, compliance policy is not required anymore. Just great. Then I did another enrollment on the device. I had the compliance policy in 1/2 minutes again and installed the apps again. But the configuration baseline never came back. That's sad and not reliable.

I hope this part will be better (and quicker) in a next release. For now I hope to do way more on the Hybrid scenario :) Stay tuned for more!

Other blog posts about this topic:
How to reset your MDM authority in Microsoft Intune

Note: Most captures in Dutch, sorry for that :)
