Microsoft 365 Mobility and Security: Exam Guide MS-101

Planning device co-management

Co-management lets you attach your existing System Center Configuration Manager (SCCM) deployment to Intune MDM, which adds functionality such as conditional access, linking devices to Azure AD, remote restart or factory reset, and so on. These abilities come in handy when a user reports a device missing or stolen and you need to ensure the safety of corporate data on the device. And with co-management, you're getting the best of on-premises device management and cloud-based management.

Co-management requires SCCM and an EMS subscription. If you don't have EMS, you'll need an Azure AD Premium license and Intune licenses for all users.

To begin setting up co-management, follow these steps:

  1. Go to System Center Configuration Manager | Administration | Cloud Services | Co-Management.
  2. Click Configure co-management to open the co-management onboarding wizard.
  3. When you sign in to your Azure AD tenant through the wizard, you'll be asked if you want to automatically enroll existing Configuration Manager clients in Intune. You can choose Pilot or All for devices to enroll. Pilot will only enroll the devices you designate later as part of a pilot group; All will enroll all devices.
  4. Configure workloads, deciding which workloads will be managed by Configuration Manager or Intune:
    • Configuration Manager: Continue managing in Configuration Manager
    • Pilot Intune: Continue managing in Configuration Manager except for items in the Pilot group (configured in the wizard)
    • Intune: Manage in Intune

Note that the following table is not a recommendation, but an example of the choices you'll need to make when working through the co-management onboarding wizard. For each workload, you'll decide how you want it managed. The Xs signify the selection you'd be making in the wizard:

 

If, after configuration, you choose to switch a workload from Configuration Manager to Intune, make sure you've configured and deployed that workload in Intune first, so that the workload is managed by a tool at all times. Once switched, the managed device will automatically synchronize the MDM policy from Intune.

We'll explore device monitoring in the next section.