Recently I wrote some blog posts about the difference between using Intune Standalone and ConfigMgr hybrid mode.
You can find them here: part 1 / part 2 / part 3
For ConfigMgr hybrid mode I mentioned the following:
As for ConfigMgr hybrid mode, this must be done in Configuration items and baselines, where it's not sure when they arrive. Monitoring - Deployments is not the right place either, given an 'Unknown' status most of the time. Did a lot of compliance checks and reboots on mobile devices, but nothing seems to happen..
The trick is that you need to do some additional configuration. Where policies in Intune work immediately, in ConfigMgr they do not.
When creating configuration items in ConfigMgr, "Remediate noncompliant settings" is turned on by default.
When creating and deploying configuration baselines, this is not the case: "Remediate noncompliant rules when supported" is not turned on by default. You need to enable it to make the baselines active.
In the baseline deployment properties, "Remediate noncompliant rules when supported" must be selected. I also changed the schedule from 7 days to 5 minutes. After that, configuration started on mobile devices right away.
Why this isn't configured by default is the question. Without this setting you can wait forever for policies to come through..
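The check on the deployment properties can also be scripted. The following is an added example, not code from the original post: it lists baseline deployments that only monitor and, on request, enables remediation with the 5-minute schedule used above. It assumes a ConfigMgr console PowerShell session with the ConfigurationManager module loaded and the current location set to the site drive; the two function names are hypothetical.

```powershell
# Added example. Assumes: ConfigurationManager module imported and
# Set-Location to the site drive (for example "ABC:", a placeholder site code).

# List baseline deployments that do not remediate.
# SMS_BaselineAssignment.AssignmentAction: 1 = detect only, 2 = apply (remediate).
function Get-MonitorOnlyBaselineDeployment {
    Get-CMBaselineDeployment |
        Where-Object { $_.AssignmentAction -ne 2 } |
        Select-Object AssignmentName, CollectionName, AssignmentAction, AssignmentID
}

# Turn on "Remediate noncompliant rules when supported" for those deployments
# and shorten the evaluation schedule. 5 minutes is the value used in this post.
function Enable-BaselineRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1, 59)]
        [int]$IntervalMinutes = 5
    )

    $schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Minutes -RecurCount $IntervalMinutes

    $targets = Get-CMBaselineDeployment | Where-Object { $_.AssignmentAction -ne 2 }
    foreach ($deployment in $targets) {
        $label = '{0} -> {1}' -f $deployment.AssignmentName, $deployment.CollectionName
        if ($PSCmdlet.ShouldProcess($label, 'Enable remediation')) {
            $deployment | Set-CMBaselineDeployment -EnableEnforcement $true -Schedule $schedule
        }
    }
}

# Report first, then preview the change without applying it.
Get-MonitorOnlyBaselineDeployment | Format-Table -AutoSize
Enable-BaselineRemediation -WhatIf
```

Drop `-WhatIf` only after reviewing the list: a baseline that remediates changes settings on every device in the target collection, not just reports on them.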
Showing posts with label Hybrid. Show all posts
Tuesday, May 24, 2016
Difference between Intune Standalone and ConfigMgr hybrid mode (part 4)
Wednesday, May 11, 2016
Difference between Intune Standalone and ConfigMgr hybrid mode (part 3)
In an earlier blogpost I wrote about the pros and cons of Intune standalone and ConfigMgr hybrid mode, and the difference in speed between both solutions. This is because Intune standalone (SAAS) is very fast (a few seconds, sometimes a few minutes) on enrollment of applications and/or policies. With ConfigMgr hybrid mode this is way slower, and it can take multiple hours (or more) to make it happen. This time I want to share something on the difference between Windows and Windows Phone devices.
With Windows 10, Microsoft is saying that there is One universal app platform, One security model, One management system, One deployment approach, and One familiar experience. Unfortunately that's not true when using a Windows 10 Mobile, managed by Intune standalone or ConfigMgr hybrid mode.
When deploying applications from either solution, you will see that sometimes you need to choose Windows, other times Windows Phone. Some apps are available for Windows, but not for Windows Phone (or the other way around). Very confusing if you ask me! So you must choose between a Windows app package or a Windows Phone app package. That's hard to explain to customers..
When choosing a Windows app package (like I did), applications will not be offered on Windows 10 Mobile. In my perception this is not a Windows Phone anymore, with a different Windows Phone store. So yes, you must still use Windows Phone app package to make them available on Windows 10 Mobile. Very confusing if you ask me. Where does this fit in the One unified app store across devices, One great experience model? But wait there's more..
In the post "Windows 10: A Store That’s Ready for Business", Microsoft mentions the following: 'with Windows 10 we will deliver one Windows Store for all Windows devices'. But for that the new web-based Store portal must be used. So open Windows Store for Business and start adding apps to your inventory. When signing in with your Azure account (or adding it next to your Live ID), a new tab in the default Store will be present.
After that a new tab is present in Windows Store, named after the company, with the apps added in Windows Store for Business. Because it can take up to 24 hours for an app to appear in the Private store, you must be patient with this :-)
More on that in a next blogpost. Thanks for reading.
Read more on part 1 and part 2
Thursday, April 28, 2016
Difference between Intune Standalone and ConfigMgr hybrid mode (part 2)
In an earlier blogpost I wrote about the pros and cons of Intune standalone and ConfigMgr hybrid mode. In this post I will mention the difference in speed between both solutions. This is because Intune standalone (SAAS) is very fast (a few seconds, sometimes a few minutes) on enrollment of applications and/or policies. With ConfigMgr hybrid mode this is way slower, and it can take multiple hours (or more) to make it happen. This is very annoying indeed!
I'm using the SAAS solution myself, for demo purposes on my Windows 10 Mobile (Lumia 950). When enrolling that device and deploying applications and/or policies, they are visible in a few seconds. Just have a look at some examples of that:
When deploying applications, or changing icons (or something like that), they are visible almost immediately.
When using Allow manual unenrollment (No), Intune cannot be removed from a Windows Phone or Windows 10 Mobile. Way better, because this isn't possible on iOS or Android devices, or special configuration is needed (iOS).
When using Allow application store for Windows 10 Mobile (No), the store isn't available anymore. Just an example of how easily an application can be blocked, but again for Windows Phone only.
This goes for both the tile on the start screen and the start menu present on Windows Phones. They will be greyed out on the start screen and start menu. Just want to see more of that.
When using Allow Camera (No), the following message is given, presenting a black screen when choosing OK. A message that the camera is blocked would be better I guess than presenting a black screen, but maybe it will be in future.
As for ConfigMgr hybrid mode, this must be done in Configuration items and baselines, where it's not sure when they arrive. Monitoring - Deployments is not the right place either, given an 'Unknown' status most of the time. Did a lot of compliance checks and reboots on mobile devices, but nothing seems to happen..
As mentioned in an earlier blogpost: Still I truly believe in ConfigMgr hybrid mode, having best of both worlds. But Microsoft still needs some development for a way better experience on that!
More on that in a next blogpost. Thanks for reading.
Read more on part 1 and part 3
Wednesday, April 20, 2016
Difference between Intune Standalone and ConfigMgr hybrid mode
When using Microsoft Intune, you can choose between Intune Standalone and ConfigMgr hybrid mode. Both have their own pros and cons. Microsoft is still recommending hybrid mode, because then you have the best of both worlds. Point is, I'm not convinced anymore. Both ConfigMgr and Intune are great products, where Intune still needs some development on new features. Customers are not always convinced about the solution, asking for more enterprise features.
Having a look at my experience so far, I detect the following:
Intune standalone (pros):
-Easy to setup, Software As A Service (SAAS) solution;
-Can be managed everywhere with internet access;
-Very fast on enrollment of applications and/or policies (!);
-Can be used for both patch management & antivirus on endpoints with internet access;
-New features are released immediately.
Intune standalone (cons):
-With ConfigMgr in-place, two consoles for management;
-On some parts, fewer features than hybrid mode;
-You need to sign-in at every application change.
ConfigMgr hybrid mode (pros):
-Recommended configuration by Microsoft;
-Best of both worlds in a single management console;
-More features than Intune standalone;
-Deployment types and deployments are easier to handle.
ConfigMgr hybrid mode (cons):
-Less easy to setup; on-premises ConfigMgr infrastructure needed;
-Cannot be managed from everywhere, on-premises ConfigMgr console needed;
-Way slower on enrollment of applications and/or policies (!);
-Cannot be used for both patch management & antivirus on endpoints with internet access, because you need direct access or internet-based client management (IBCM) for that;
-New features will be released slower in hybrid mode.
So yes, Microsoft is working on the feature part, and new features are available in ConfigMgr hybrid mode sooner. This is because of the Service Connection point in ConfigMgr Current Branch.
But what's most annoying: you cannot have both patch management & antivirus on endpoints with internet access, because a ConfigMgr agent will be present on the device, not an Intune agent pointing to a SAAS solution. Therefore additional solutions like direct access or internet-based client management (IBCM) are needed.
And overall: when deploying applications and/or policies from Intune standalone, they are applied in a few seconds. Within ConfigMgr hybrid mode it can take multiple hours (or more) before something happens. Still I truly believe in ConfigMgr hybrid mode, having the best of both worlds. But Microsoft still needs some development for a way better experience on that! Hope they will soon :-)
More on that in a next blogpost. Thanks for reading.
Read more on part 2 and part 3
Thursday, September 17, 2015
My experience with ConfigMgr 2012 R2 SP1 and Intune in Hybrid scenario
In the last months I did multiple ConfigMgr implementations in Hybrid scenario. That means that a Microsoft Intune (SAAS) subscription is connected, and ConfigMgr is set as Management Authority. Combining both solutions has a great benefit: managing all devices (desktops, notebooks, servers, Mac-clients and mobile devices) from a single management console. I did multiple blogposts on that as well, which are included at the end of this post. Let's have a closer look.
When the Microsoft Intune subscription is connected, configuration is needed for the different (mobile) platforms. They are not hard to configure, but need different certificates for management. Let's have a look at the options available:
When enrolling Android devices no certificate is needed. Enrollment is done by installing the company portal. Downside is there's less to manage on this operating system. Both compliance policy and configuration items (less settings) can be configured. Not the best experience on this one for me. Depends on the device maybe?
When enrolling iOS devices an Apple Push Notification (APN) certificate is needed. This one is free and valid for 12 months. I like to enroll iPads because of fast communication and great screen. Enrollment is done by installing the company portal. Optionally you can choose the DEP (Device Enrollment Program) and VPP (Volume Purchase Program) programs. That way you have over-the-air zero touch enrollment, and applications can be quickly installed without the need for manual actions every time. This is because when doing required app deployment you must approve them one by one. With these programs this isn't needed anymore. Both compliance policy and configuration items (many settings) can be configured. Best experience for me so far.
When enrolling Windows Phone (WP) devices a Symantec certificate is needed (most of the time). Enrollment is done by using workplace join and installing the company portal. For WP 8.1 devices the Symantec certificate is needed only for signing line-of-business apps. Enrollment is quick and easy, but I prefer the iOS way myself. When enrolling Windows 10 (Mobile) the behavior is the same. Just by using workplace join, device management becomes available in ConfigMgr. Hope this experience becomes better in ConfigMgr 2016 (available soon) with Windows 10 (Mobile). That way Microsoft has the best solution available for device management. For some customers I like to use DEP and VPP for easy enrollment and app deployment. This is because of over-the-air zero touch enrollment, and easy app installation.
On multiple operating systems I have almost the same behavior for now. Enrollment and compliance settings are quick and easy. Configuration items however are slow and unstable. You can choose to deploy them to user/device collections (or both, depends on the setting?), but sometimes they work, sometimes not..
Example: I did an enrollment on an iPad, had the compliance policy in 1/2 minutes and the configuration baseline in 10/15 minutes. I installed some apps and they were available on screen. After that I unenrolled the device. Apps are gone, configuration baseline is gone, compliance policy is not required anymore. Just great. Then I did another enrollment on the device. Had the compliance policy in 1/2 minutes again, installed the apps again. But the configuration baseline never came back again. That's sad and not reliable.
Hope this part will be better (and quicker) in a next release. For now I hope to do way more on Hybrid scenario :) Stay tuned for more!
Other blogposts about this topic:
How to reset your MDM authority in Microsoft Intune
Note: Most captures in Dutch, sorry for that :)
Friday, September 11, 2015
Using ConfigMgr 2012 R2 SP1 and Microsoft Intune in a Hybrid configuration
In my daily job I do a lot of Configuration Manager (ConfigMgr) and Endpoint Protection (SCEP) consultancy and training. ConfigMgr is a great product for managing on-premises devices, like servers, desktops and notebooks. With Microsoft Intune, Mobile Device and Application Management on tablets and smartphones can be done. This is a standalone Software as a service (SAAS) solution which has existed for multiple years now. When integrating both solutions, you have a Hybrid configuration in-place.
Benefit of using a Hybrid configuration is integration! You can manage Windows, Mac and Mobile devices within a single management console. Just make sure to set the management authority (which can be set on Office 365, Intune or Configuration Manager) on the right one. When it's set on Configuration Manager no management has to be done in the SAAS console anymore. Just use collections, applications and policies which are in ConfigMgr by default, to manage mobile devices as well. On the different clients, an Intune Company Portal needs to be installed for management.
In the last years Microsoft has done a good job of improving speed on client communication and policies. That way you can enroll a mobile device in a few minutes, publish policies and applications, and set an unenrollment (when needed) all within approx. 15/20 minutes. When forcing a Reset passcode (new passcode must be entered) or Remote lock (device is locked and passcode needs to be set again), it will be active in approx. 1/2 minutes. During unenrollment all configuration and apps are removed also. Reasons enough to stay enrolled.
With Windows 10 Mobile coming, the richest set of policies can be configured. When creating policies (configuration items), you will see the difference between Android, iOS and Windows (Phone) platforms. Hope that will be better and easier in the future. It's also possible to deploy applications (from the different app stores) and weblinks to mobile devices. You can choose to open them in a web browser or install them. During installation a shortcut is created in Apps, so no need to open the Intune Company Portal again.
Hope to have some real experience on Windows 10 (Mobile) soon. It looks like the choice is really easy now! Just use Windows 10, Azure Active Directory (AAD), Enterprise Mobility Suite (EMS/Intune) and ConfigMgr from now on. That way Microsoft can convince you on the new generation available, which is Mobile first, Cloud first. Windows as a service, ConfigMgr as a service (2016) and Software as a service! I'm very excited about this, hope you are too?!
The following can be found on the "In the cloud" blog:
While there have been many improvements to the MDM capabilities, not every management capability exists – yet. To solve for this, we have effectively built a “bridge” between the ConfigMgr agent and the MDM agent which enables the agents to co-exist and expose all the existing manageability that you know today – as well as the new functionality that is being exposed via MDM to be manageable from the ConfigMgr console. No one else (traditional PC management or EMM vendor) has done any work like this. This is another HUGE reason that ConfigMgr + EMS is your best solution for deploying and managing Windows 10.
Just great if you ask me :-)
