A few weeks back at Microsoft Ignite 2019, we learned about the next big step for SCCM and Intune: Microsoft will bring them together under the umbrella of Microsoft Endpoint Manager. What does this really mean, and how integrated will they be? Let’s dig in.
What is Microsoft Endpoint Manager?
Microsoft Endpoint Manager is a couple of things.
First, it’s a new brand name that will cover SCCM and Intune, as well as related tools and concepts, such as Desktop Analytics, co-management, and Autopilot.
Second, it’s new licensing terms. Current SCCM customers will be entitled to use Intune to co-manage Windows 10 devices. (You’ll still have to have Intune licenses for other devices.)
Third, it’s a new web-based management console that allows you to do both Intune and SCCM administrative tasks in one place. This is called the Microsoft Endpoint Manager Admin Center, and will supersede the Microsoft 365 Device Management Admin Center (DMAC). To be clear, your SCCM servers will still be on premises, but you’ll be able to manage them from this console. This should be coming out early next year; I’m going to spend the bulk of the article on it.
While we’re going over Microsoft Endpoint Manager, it’s also worth reviewing Microsoft’s philosophy of modern management, which Brad Anderson outlined in a recent blog post. Basically, it’s not just about using MDM APIs instead of Group Policy; it’s about all the things you can do when your management plane is connected to the cloud. Look at all the analytics that can be done using machine learning and artificial intelligence, and then used to improve management, security, and user experience. And, of course, Microsoft collects telemetry from Intune environments and Windows devices all over the world, so there is a lot of data to feed into this.
How does the integration work?
Taking a massive, 27-year-old management platform and melding it with a cloud unified endpoint management product isn’t easy. So how is Microsoft doing this? There are a lot of answers in Ignite session DEP40, “Supercharge PC and mobile device management: Attach Configuration Manager to Microsoft Intune and the Microsoft 365 cloud.”
In a way, the integration process started two years ago with the introduction of co-management, which as we know involves enrolling a device in both Intune and SCCM at the same time. To help make this work, Microsoft got Intune and SCCM talking to each other, so that they can coordinate when management tasks are transferred from one platform to the other. (See below for a screenshot of an early version of this in the SCCM interface.)
This coordination, by the way, is what Microsoft adamantly says differentiates their version of co-management from using SCCM with other UEM platforms, which they call co-existence. (Though a lot of people call it co-management when other products are used, anyway.)
Now, as I mentioned before, the new Microsoft Endpoint Manager Admin Center will live in the cloud, but be able to reach down and drive SCCM servers residing on premises. Here’s the basic architecture slide that Microsoft showed.
If you already went through the process of hooking up SCCM and Intune for co-management, which they call “Client Attach,” enabling “Tenant Attach” will just be another checkbox. These are both forms of “Cloud Attach” for SCCM.
Recreating the entire SCCM console in a web interface would be something like a five-year process, so for now, Microsoft started by building enough functionality for helpdesk roles. Other functionality will follow.
As demoed at Ignite, the Microsoft Endpoint Manager Admin Center can show inventory from all devices, whether they’re in SCCM, Intune, co-managed by both, or enrolled in Jamf.
MEM (as I guess we’ll be calling it, or how about MEMAC?) queries the SCCM database in real time, since copying everything up to the cloud and keeping it in sync would be difficult.
Drilling down into devices, you can do things like look at device details, see a timeline of events, view SCCM collections, query the client through CMPivot, and install apps on demand.
The Ignite session also showed a demo of a cloud-powered Windows crash database, and in general, these types of cloud-based analytics features came up a lot. For example, there’s also Policy Analytics, which goes through your GPOs and recommends MDM policies that can replace them, and user experience analytics (e.g., get rid of your spinning drives and 30 million security agents to speed up boot times).
The changing position on co-management
One thing that was notable is that Brad Anderson wrote that “Co-management isn’t a bridge; it’s a destination.” I couldn’t help but think about how two years ago, everybody was calling co-management a bridge. We called it a bridge, Microsoft called it a bridge, Brad called it a bridge, and so on. Back at Ignite 2017, this was illustrated with one of my favorite slides ever:
I don’t mean for this to be a “gotcha!” moment or anything, but it does make me wonder what this means for the Intune (i.e., cloud-based features in MEM) roadmap.
Microsoft is adamant that SCCM isn’t going away. And in an FAQ (PDF), they said that co-management is both a bridge and a destination, and that they’re all about letting customers use any combination they want.
Microsoft says that all customers should start using co-management so they can get all the analytics features. Then, they suggest that customers could pick a date, and then after that, all new devices could be cloud managed only.
I’m sort of curious what happens after that, though. What about those places where you still need co-management? How many will there be? Is this a legacy compatibility layer, or more strategic for Microsoft? Is this moving the goalposts for modern management? I wouldn’t want co-management to be a fallback that allows the Intune team to get complacent.
For places where SCCM is still in use, how should it evolve? We can envision a world where the MEM console gets more and more features, and you’re in the old SCCM console less and less, so you could almost see SCCM servers as headless edge appliances for the MEM platform. And then maybe this could be a hosted service? I’m just thinking out loud here.
Either way, for now, anything that helps get more customers on board with modern management to any degree is good to see. This modern management thing is feeling more and more real every month.
What about VMware Workspace ONE for Microsoft Endpoint Manager?
The other big endpoint management news during the week of Ignite was VMware’s announcement of Workspace ONE for Microsoft Endpoint Manager. There’s a lot to unpack here—VMware and Microsoft may have a variety of partnerships, but not to put too fine a point on it, the competition is fierce. I’m going to save this for another article, so stay tuned.
This article was originally published on November 26, 2019.