Mastering the Move to Modern Management using ConfigMgr
Josué Negrón, Sr. Solutions Architect, VMware
Brooks Peppin, EUS Systems Engineer, VMware
Agenda
- Challenges with PCLM solutions
- What are your options?
- Co-management with ConfigMgr using Intune
- Scripting options to move workloads
- Co-management with Workspace ONE: on-boarding, collection mapping, app migration, tracking and dashboard
Evolution of Microsoft Client Management (timeline slide)
Management milestones: SMS 1.0 (1994), SMS 2.0 (1999), Enterprise Mobility Suite, SCCM as a Service, Co-Management (remaining years shown on the slide: 2003, 2007, 2011, 2012, 2014, 2016, 2017)
Eras: Client Management Infancy (NT Domain) -> Groups Model -> Laptops, Servers, Enterprise Scale -> Comprehensive Management -> Management from the Cloud -> Consumerization of IT -> Transitioning to Modern Management
Windows releases: Windows 3 (1992), Windows 95 (1995), Windows XP (2001), Windows Vista (2006), Windows 7 (2009), Windows 8 (2012), Windows 10 (2015)
With Windows 10, Microsoft Enables Modern Management of PCs
- Integrated MDM framework
- Simplified device onboarding
- Cloud-based management
Microsoft's own IT is moving away from traditional PC management to modern management for Windows 10.*
* Source: Microsoft IT Showcase; Aug 21, 2017; https://www.microsoft.com/itshowcase/article/video/708/windows-10-deployment-tips-and-tricks-from-microsoft-it
Journey to Modern Management
- Not a flip of a switch to get to Windows 10 / modern management; it will take time, potentially years
- You may have servers and legacy Windows OS versions under SCCM management
- Need to change 25 years of management practices: domain-centric to device/user-centric
- Many plug-ins for SCCM (asset management, auditing)
- Similar to the move from on-premises Exchange and Active Directory: hybrid-mode Exchange with O365, AD federation with Azure
- Customers may not be able to move all devices to modern management; it will happen with device replacement (3-5 years)
Legacy PC Management vs. Unified Endpoint Management, by use case
Deploy
  Legacy: High IT touch; build and constantly maintain images specific to OEMs, OS version, use cases, roles
  UEM: Simpler out-of-the-box and IT runtime provisioning without the need for imaging; upgrade to new version from the cloud
Patch
  Legacy: Poor patch compliance; patch management of domain-joined PCs on the company network only
  UEM: Updates PCs on or off the domain from the cloud in minutes, not months
Configure
  Legacy: On-network and domain-joined PCs only, leveraging group policy objects (GPOs)
  UEM: Configures PCs over-the-air and across any network; supports modern MDM + GPOs
Apps
  Legacy: Resource-intensive packaging and deployment (heavy distribution infrastructure); supports Win32 apps only
  UEM: Scalable and reliable app distribution with cloud CDN + P2P; supports any app: Win32, store/UWP, SaaS
Secure
  Legacy: Perimeter defense and no visibility across off-network endpoints; manual remediation for compromised PCs
  UEM: Smarter conditional access policies and real-time visibility, compliance, and auto-remediation across all endpoints
Self-service
  Legacy: Lacks self-service capabilities or requires third-party add-ons (e.g. store front, recovery keys, etc.)
  UEM: Self-service features for app access, domain password reset, BitLocker recovery, remote wipe and lock, and others
Use Cases
  Legacy: Limited to corporate-owned desktop management use cases with locked-down machines
  UEM: Easily scales to modern use cases (e.g. BYOD) and other Windows, mobile, rugged and IoT endpoints (UEM)
Retire
  Legacy: Manual process: wipe and replace image for the new user
  UEM: Wipe and reset remotely; ready for the new user
Bridging to Modern Management
Adopt & Connect -> Transition to Modern:
- ConfigMgr content delivery -> cloud content delivery
- Win32 -> modern apps
- Kerberos -> modern auth
- GPO -> MDM policy
- Imaging -> signature image
- WSUS -> WUfB
Milestones: Today -> Adopt Windows 10 -> AD/AAD Connect -> Adopt Office 365/ProPlus -> Modernizing with a co-management bridge -> End of support for Windows 7
Why Co-Manage with SCCM?
- SCCM is a religion: people have built their careers on SCCM
- As they move to modern management, SCCM becomes irrelevant
- Unless a customer is already 100% on Windows 10, SCCM is still needed for WinXP, Win7, Win8 and Server OSs
- Most companies have had SCCM in place for over 20 years; not easy to just rip off the Band-Aid
- We may need SCCM to get to Windows 10: upgrade Win7 to Win10
- Typical hardware refresh cycle is 3-5 years
Co-Management with Intune
You must have the following prerequisites in place before you can enable co-management with Intune or EMS:
- Windows 10 version 1709 or later
- Configuration Manager version 1710 or later
- Intune Standalone; cannot be Hybrid MDM (Intune connected to SCCM)
- EMS or Intune license for all users
- Devices must be Hybrid Azure AD joined (existing SCCM-managed clients) or Azure AD joined (Intune-managed devices)
- Azure AD automatic enrollment enabled
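The client-side items in that list can be verified on a machine before you flip the co-management switch. The script below is an added example, not from the deck or from Microsoft; it checks the OS branch, the ConfigMgr client version, the Azure AD join state and the MDM enrollment. The tenant-side prerequisites (Intune standalone, licensing, Azure AD auto-enrollment) cannot be verified from the client. Assumptions, also marked in the code: the ConfigMgr 1710 client reports version 5.00.8577.x, Intune enrollments use the provider ID "MS DM Server", and the co-management state class name is the one seen on 1710+ clients.

```powershell
# Added example (not from the deck): check the client-side co-management
# prerequisites on a Windows 10 machine. Run in an elevated PowerShell session.
function Test-CoManagementPrereqs {
    [CmdletBinding()]
    param(
        [int]     $MinReleaseId     = 1709,         # Windows 10 1709 or later
        [version] $MinClientVersion = '5.0.8577.0'  # ConfigMgr 1710 client = 5.00.8577.x (assumption)
    )
    $r = [ordered]@{}

    # 1. OS branch: ReleaseId is a string such as "1709" under CurrentVersion
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $r.ReleaseId          = $cv.ReleaseId
    $r.Windows10_1709Plus = ($cv.CurrentMajorVersionNumber -eq 10) -and ([int]$cv.ReleaseId -ge $MinReleaseId)

    # 2. ConfigMgr client installed and at 1710 or later (SMS_Client.ClientVersion in root\ccm)
    $client = Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue
    $r.ClientVersion           = if ($client) { $client.ClientVersion } else { 'not installed' }
    $r.ConfigMgrClient1710Plus = [bool]$client -and ([version]$client.ClientVersion -ge $MinClientVersion)

    # 3. Join state from dsregcmd: Hybrid Azure AD joined = DomainJoined AND AzureAdJoined
    $ds = & dsregcmd.exe /status
    $r.AzureAdJoined = [bool]($ds -match '^\s*AzureAdJoined\s*:\s*YES')
    $r.DomainJoined  = [bool]($ds -match '^\s*DomainJoined\s*:\s*YES')
    $r.JoinType      = if ($r.AzureAdJoined -and $r.DomainJoined) { 'Hybrid Azure AD joined' }
                       elseif ($r.AzureAdJoined)                  { 'Azure AD joined' }
                       else                                        { 'Not Azure AD joined' }

    # 4. MDM enrollment: Intune enrollments live under HKLM\...\Enrollments with
    #    ProviderID "MS DM Server" (assumption: that is the Intune provider ID)
    $r.IntuneEnrolled = [bool](Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object ProviderID -eq 'MS DM Server')

    # 5. Co-management state as reported by the client (assumption: class name on 1710+ clients).
    #    ComgmtWorkloads is a bitmask of the workloads moved to Intune; 0 or absent = none moved.
    $cm = Get-CimInstance -Namespace root\ccm\CoManagementHandler -ClassName CoManagement_Configuration_Class -ErrorAction SilentlyContinue
    $r.CoManagementWorkloadsMask = if ($cm) { $cm.ComgmtWorkloads } else { $null }

    $r.ReadyForCoManagement = $r.Windows10_1709Plus -and $r.ConfigMgrClient1710Plus -and $r.AzureAdJoined
    [pscustomobject]$r
}

Test-CoManagementPrereqs | Format-List
```

Run it on a representative device from each collection you intend to co-manage; a machine that is domain-joined but not Azure AD joined is the usual reason auto-enrollment never happens.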
Supported Workloads
- Device compliance policies
- Resource access policies: configure VPN, Wi-Fi, email, and certificate settings on devices
- Windows Update policies
- Endpoint Protection (starting in Configuration Manager version 1802)
- Device configuration (starting in Configuration Manager version 1806)
- Office 365 Click-to-Run apps (starting in Configuration Manager version 1806)
- Mobile apps (starting in Configuration Manager version 1806, as a pre-release feature)
- Ability to execute remote commands
Co-Management Dashboard
Major Limitations Today
- Many prerequisites: SCCM 1710+, Windows 10 1709+, AD + AAD joined, CMG for Intune-only managed devices, etc.
- No clear path to fully migrate apps to a modern approach
- Does not migrate workloads over from SCCM to Intune; co-management only chooses who the primary source of management should be
- Only supports some use cases, thus might not work for all of the devices in your organization
- No clear path for customers who want to rip-and-replace quickly, but great for a longer-term migration plan
Open-Source SCCM Migration Tools
Available on GitHub and VMware {code}:
- SCCM to AirWatch App Migration: migrate existing Win32 applications from SCCM to AirWatch
- SCCM to AirWatch Tag Creation: automatically create tags in AirWatch for SCCM collections and tag devices to maintain a link between SCCM and AirWatch
- SCCM to AirWatch Auto Registration: automatically pre-register SCCM devices into AirWatch using serial number and primary user; allows silent AirWatch enrollment via a staging account
These cover device collection migration, auto onboarding and SCCM app migration; AirLift is the productized path to modern management.
SCCM Terms and Their Translations
SCCM Term | Workspace ONE Translation | Intune Translation
WMI/MOF | Closest would be CSPs/APIs | CSPs/APIs
Apps & Packages | Software Distribution (Win32 apps) | Client Apps (Windows MSI line-of-business)
Distribution Points (DPs) + BranchCache | CDN + P2P | Cloud DPs
MDT/OSD | Next evolution is OOBE/AutoPilot/Dell Factory Provisioning | OOBE + AutoPilot
Software Center/App Catalog | Workspace ONE Catalog | Company Portal
MBAM for encryption | BitLocker lifecycle management | BitLocker configuration via CSP
Collections | Smart Groups / Tags | Assignments/Groups
Software Updates/ADRs/WSUS | Windows Update profile (WUfB or WSUS) | Software Updates (WUfB)
Task Sequences | No mapping (similar to Product Provisioning) | No mapping (PowerShell scripts)
Site Code (3 characters) & Assigned Site | Group ID & Enrollment Group | Tenant
Enrollment Point | Device Services (mobile and Mac devices only) | --
Management Point | Device Services (Windows devices) | Cloud Management Gateway
Primary Site/Secondary Site | Parent/Child Organization Group | --
Did you know? VMware has supported co-existence (co-management) with SCCM since late 2015! So where are we today with speeding your transition to Windows 10 modern management? Let's take a look!
Workspace ONE AirLift
ConfigMgr <-> AirLift <-> Workspace ONE UEM (Windows 10 clients)
- Server-side connector
- Web-based admin experience
- Passive orientation to simplify co-management
- Fully productized and supported
- Available with ALL Workspace ONE editions
Communication Protocols
Configuration Manager (TRADITIONAL) <- Windows Remote Management (WinRM) & Configuration Manager cmdlets -> AirLift (AirLift Web UI, AirLift Service) <- Workspace ONE UEM RESTful APIs -> Workspace ONE (MODERN)
AirLift Prerequisites
- Workspace ONE UEM 9.5+
  - Admin with API access and a REST API key
  - Device Services, Console and API URLs
- SCCM 2012 R2+
  - SCCM account with at least read-only permissions; additional access is needed to create the Enrollment App from AirLift (optional)
  - SCCM account must be in the Remote Management Users group (WinRM)
  - SCCM site code
  - SCCM device collections with active Windows 10 devices
- AirLift VM (recommend a small dedicated VM with good SCCM connectivity)
  - The AirLift installer will download and install SQL Express and MongoDB and securely configure them for use only by AirLift
  - AirLift will create two services that run under Network Service
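Because AirLift reaches ConfigMgr over WinRM with the cmdlets, the account you give it is the thing to get right: it must authenticate over WinRM, sit in Remote Management Users on the site server, and carry no more ConfigMgr RBAC than the read-only role the FAQ names. The script below is an added example, not from the deck or from AirLift, that checks exactly those three points before you install. Placeholders are assumptions: site server cm01.corp.example, site code PS1, account CORP\svc-airlift, and that the console (hence the ConfigurationManager module) is installed on the site server. Run it from an account that is a ConfigMgr Full Administrator so the RBAC lookup in step 3 is permitted; the optional app-creation privilege is mapped here to the built-in Application Author and Application Deployment Manager roles, which is an assumption about how you would grant it.

```powershell
# Added example (not from the deck or AirLift): verify the dedicated ConfigMgr
# account AirLift will use, checking WinRM auth, group membership and RBAC.
function Test-AirLiftSccmAccount {
    param(
        [Parameter(Mandatory)] [string]       $SiteServer,     # e.g. cm01.corp.example (placeholder)
        [Parameter(Mandatory)] [string]       $SiteCode,       # e.g. PS1 (placeholder)
        [Parameter(Mandatory)] [pscredential] $ServiceAccount  # the low-privilege AirLift account
    )
    $r = [ordered]@{ Account = $ServiceAccount.UserName }

    # 1. WinRM must accept the service account itself, not just your admin account.
    try {
        $null = Test-WSMan -ComputerName $SiteServer -Credential $ServiceAccount -Authentication Default -ErrorAction Stop
        $r.WinRmAuthOk = $true
    } catch {
        $r.WinRmAuthOk = $false; $r.WinRmError = $_.Exception.Message
        return [pscustomobject]$r
    }

    # 2. On the site server the account's token should carry BUILTIN\Remote Management Users
    #    (S-1-5-32-580) and NOT BUILTIN\Administrators (S-1-5-32-544). Nested groups count.
    $groups = Invoke-Command -ComputerName $SiteServer -Credential $ServiceAccount -ScriptBlock {
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
    }
    $r.InRemoteManagementUsers = $groups -contains 'S-1-5-32-580'
    $r.IsLocalAdmin            = $groups -contains 'S-1-5-32-544'

    # 3. ConfigMgr RBAC roles granted to the account, read with YOUR credentials.
    #    Assumption: console installed on the site server, so SMS_ADMIN_UI_PATH is set there.
    $roles = Invoke-Command -ComputerName $SiteServer -ArgumentList $SiteCode, $ServiceAccount.UserName -ScriptBlock {
        param($SiteCode, $LogonName)
        Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1') -ErrorAction Stop
        Set-Location "${SiteCode}:"
        (Get-CMAdministrativeUser | Where-Object LogonName -eq $LogonName).RoleNames
    }
    $r.ConfigMgrRoles  = @($roles)
    $r.HasReadOnlyRole = @($roles) -contains 'Read-only Analyst'
    # Read-only Analyst is all AirLift needs for sync; the two app roles are the optional
    # "create and deploy the enrollment app" privilege (assumption). Anything else is excess.
    $expected = 'Read-only Analyst', 'Application Author', 'Application Deployment Manager'
    $r.ExcessRoles = @($roles | Where-Object { $_ -notin $expected })

    $r.LeastPrivilegeOk = $r.WinRmAuthOk -and $r.InRemoteManagementUsers -and -not $r.IsLocalAdmin -and
                          $r.HasReadOnlyRole -and ($r.ExcessRoles.Count -eq 0)
    [pscustomobject]$r
}

$svc = Get-Credential -UserName 'CORP\svc-airlift' -Message 'AirLift ConfigMgr account'
Test-AirLiftSccmAccount -SiteServer 'cm01.corp.example' -SiteCode 'PS1' -ServiceAccount $svc | Format-List
```

A result with IsLocalAdmin set or ExcessRoles populated means the account would work but is over-privileged; fix that before the installer stores the credential in AppSettings.JSON.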
Live Demo: Getting Started with AirLift
Mapping Device Collections
SCCM Device Collection Mapping
- Empower the admin to accelerate their adoption and visibility of our co-management capabilities
- Leverage existing ConfigMgr device collections: complex query-based rules, based on device type (e.g. Dell XPS)
- One-to-many mapping between collections and Workspace ONE: map ConfigMgr collections to Workspace ONE smart groups
- A backend task keeps Workspace ONE synced with ConfigMgr
- Multiple purposes for collection mapping: Windows 10 devices, systems that can be upgraded to Windows 10, Dell laptops, etc.
- One-to-one, many-to-one or specific mapping
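The "SCCM to AirWatch Tag Creation" open-source tool and the collection mapping above do the same core job: read a collection's members over WinRM with the ConfigMgr cmdlets, find those devices in Workspace ONE, and tag them so a smart group can be built on the tag. The script below is an added example of that loop, not AirLift's code nor the GitHub tool; it matches devices on serial number, as the Auto Registration tool does. Assumptions, also marked in the code: site server cm01.corp.example with the console installed, site code PS1, API host https://as123.awmdm.com, that Get-CMDevice exposes SerialNumber and PrimaryUser from hardware inventory, and the Workspace ONE REST routes and JSON shapes (mdm/tags/search, mdm/tags/addtag, mdm/devices?searchby=Serialnumber, mdm/tags/{id}/adddevices, Id.Value) used here.

```powershell
# Added example (not AirLift or VMware code): mirror one ConfigMgr device
# collection into a Workspace ONE UEM tag, keyed on serial number.
function Sync-CMCollectionToWS1Tag {
    param(
        [Parameter(Mandatory)] [string]       $SiteServer,          # cm01.corp.example (placeholder)
        [Parameter(Mandatory)] [string]       $SiteCode,            # PS1 (placeholder)
        [Parameter(Mandatory)] [string]       $CollectionName,
        [Parameter(Mandatory)] [string]       $ApiUrl,              # https://as123.awmdm.com (placeholder)
        [Parameter(Mandatory)] [string]       $TenantCode,          # REST API key, sent as aw-tenant-code
        [Parameter(Mandatory)] [pscredential] $ApiAdmin,            # Workspace ONE admin with API access
        [Parameter(Mandatory)] [int]          $OrganizationGroupId,
        [string] $TagName = $CollectionName
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $pair    = '{0}:{1}' -f $ApiAdmin.UserName, $ApiAdmin.GetNetworkCredential().Password
    $headers = @{
        Authorization    = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
        'aw-tenant-code' = $TenantCode
        Accept           = 'application/json'
    }
    function Invoke-Ws1Api {   # assumed REST routes live under /API/
        param($Method, $Path, $Body)
        $p = @{ Method = $Method; Uri = "$ApiUrl/API/$Path"; Headers = $headers; ContentType = 'application/json' }
        if ($Body) { $p.Body = $Body | ConvertTo-Json -Depth 5 }
        Invoke-RestMethod @p
    }

    # 1. Collection members via WinRM + ConfigMgr cmdlets (the traditional side of the slide).
    #    Assumption: SerialNumber/PrimaryUser are populated on Get-CMDevice output by inventory.
    $members = Invoke-Command -ComputerName $SiteServer -ArgumentList $SiteCode, $CollectionName -ScriptBlock {
        param($SiteCode, $CollectionName)
        Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1') -ErrorAction Stop
        Set-Location "${SiteCode}:"
        Get-CMDevice -CollectionName $CollectionName | Select-Object Name, ResourceID, SerialNumber, PrimaryUser
    }

    # 2. Find or create the tag named after the collection (assumed routes and response shape).
    $found = Invoke-Ws1Api GET "mdm/tags/search?name=$([uri]::EscapeDataString($TagName))&organizationgroupid=$OrganizationGroupId"
    $tag   = @($found.Tags) | Where-Object { $_.TagName -eq $TagName } | Select-Object -First 1
    $tagId = if ($tag) { $tag.Id.Value } else {
        (Invoke-Ws1Api POST 'mdm/tags/addtag' @{ TagName = $TagName; TagType = 1; LocationGroupId = $OrganizationGroupId; TagAvatar = '' }).Value
    }

    # 3. Resolve each member to a Workspace ONE device id by serial number.
    $ids = @(); $missing = @()
    foreach ($m in $members) {
        if ([string]::IsNullOrWhiteSpace($m.SerialNumber)) { $missing += $m.Name; continue }
        try {
            $dev  = Invoke-Ws1Api GET "mdm/devices?searchby=Serialnumber&id=$([uri]::EscapeDataString($m.SerialNumber))"
            $ids += $dev.Id.Value
        } catch { $missing += $m.Name }   # typically 404: device not enrolled in Workspace ONE yet
    }

    # 4. Bulk-add to the tag; build a smart group on the tag in the console afterwards.
    if ($ids.Count -gt 0) {
        Invoke-Ws1Api POST "mdm/tags/$tagId/adddevices" @{ BulkValues = @{ Value = $ids } } | Out-Null
    }
    [pscustomobject]@{ Collection = $CollectionName; TagId = $tagId; Tagged = $ids.Count; NotEnrolled = $missing }
}
```

The sync is one-way and additive: devices that leave the collection keep the tag until you call the matching removedevices route, which is the kind of drift the product's backend sync task is there to handle. Keep the API key and admin credential in a vault or prompt for them; never hard-code them in the script.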
Live Demo: Taking Flight with AirLift; Onboarding Devices
Enrollment
Live Demo: Migrating Apps
Application Migration
Transition SCCM applications to Workspace ONE UEM
- Enumerate SCCM applications: supports MSIs, scripted installs (MSI, EXE, ZIP) and multiple deployment types
- Validations to increase predictability: rules introspect SCCM app metadata BEFORE export
  - Validation info (e.g. install context translated from "System" to "Device")
  - Validation error (e.g. uninstall command line missing)
- Application export is NOT an app rationalization offering
- Automated packaging does not work against SCCM Packages (legacy Packages, as opposed to Applications)
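The validation rules above are easy to run yourself before an export, so you know which deployment types will fail and which will only be reported. The script below is an added example, not from the deck or AirLift, that enumerates Applications (not Packages, matching the slide), reads each deployment type, and emits the same classes of result: an error for an unsupported installer technology or a missing uninstall command line, and an informational note for the System-to-Device context translation. Assumptions, also marked in the code: site server cm01.corp.example with the console installed, site code PS1, and that SccmSerializer exposes Installer.Technology, InstallCommandLine, UninstallCommandLine, ExecutionContext and Contents as used here.

```powershell
# Added example (not from the deck or AirLift): pre-export validation of
# ConfigMgr Applications, one result object per deployment type.
function Test-CMApplicationExport {
    param(
        [Parameter(Mandatory)] [string] $SiteServer,   # cm01.corp.example (placeholder)
        [Parameter(Mandatory)] [string] $SiteCode,     # PS1 (placeholder)
        [string] $NameFilter = '*'
    )
    Invoke-Command -ComputerName $SiteServer -ArgumentList $SiteCode, $NameFilter -ScriptBlock {
        param($SiteCode, $NameFilter)
        Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1') -ErrorAction Stop
        Set-Location "${SiteCode}:"
        # Assumption: this serializer and the Installer properties below are available once the module is loaded.
        $serializer = [Microsoft.ConfigurationManagement.ApplicationManagement.Serialization.SccmSerializer]

        # No -Fast here: the lazy SDMPackageXML property is what holds the deployment types.
        foreach ($app in Get-CMApplication -Name $NameFilter) {
            $model = $serializer::DeserializeFromString($app.SDMPackageXML, $true)
            foreach ($dt in $model.DeploymentTypes) {
                $inst   = $dt.Installer
                $errors = New-Object System.Collections.Generic.List[string]
                $info   = New-Object System.Collections.Generic.List[string]

                # Rule 1 (error): only MSI and Script (EXE/ZIP) installers are exportable
                if ($inst.Technology -notin 'MSI', 'Script') { $errors.Add("Unsupported technology '$($inst.Technology)'") }

                # Rule 2 (error): both command lines must exist; the target needs an uninstall command
                if ([string]::IsNullOrWhiteSpace($inst.InstallCommandLine))   { $errors.Add('Install command line missing') }
                if ([string]::IsNullOrWhiteSpace($inst.UninstallCommandLine)) { $errors.Add('Uninstall command line missing') }

                # Rule 3 (info): install context translation, ConfigMgr "System" -> Workspace ONE "Device"
                $ctx     = "$($inst.ExecutionContext)"
                $context = switch ($ctx) {
                    'System' { $info.Add('Install context translated from System to Device'); 'Device' }
                    'User'   { 'User' }
                    default  { $info.Add("Execution context '$ctx' has no direct equivalent; treated as Device"); 'Device' }
                }

                # Rule 4 (info): content source must be reachable to upload. Checked from the site
                # server's session, so a share on a third host can fail on the Kerberos second hop;
                # that is why this is a warning rather than an error.
                $content = $inst.Contents | Select-Object -First 1
                if ($content -and -not (Test-Path -LiteralPath $content.Location)) {
                    $info.Add("Content path not reachable from this session: $($content.Location)")
                }

                [pscustomobject]@{
                    Application    = $app.LocalizedDisplayName
                    DeploymentType = $dt.Title
                    Technology     = $inst.Technology
                    InstallContext = $context
                    Validations    = $info.ToArray()
                    Errors         = $errors.ToArray()
                    ExportReady    = ($errors.Count -eq 0)
                }
            }
        }
    }
}

Test-CMApplicationExport -SiteServer 'cm01.corp.example' -SiteCode 'PS1' |
    Sort-Object ExportReady | Format-Table Application, DeploymentType, Technology, InstallContext, Errors -AutoSize
```

Fix the Errors column in ConfigMgr first (usually by adding the uninstall command line to the deployment type); the Validations column is just what will change in translation and needs no action.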
Troubleshooting
AirLift install directory: %ProgramFiles%\VMware\VMware AirLift
- Workspace ONE Enrollment Application: contains the AirWatch Agent, SCCM Integration Client, and icons
- AppSettings.JSON: change the logging level here; it also contains the connection strings to SQL Express and MongoDB
Data directory: %ProgramData%\VMware\VMware AirLift
- MongoData, Log subfolder: contains logs for MongoDB
- Logs: contains AirLift logs, more detailed than the Activity Log
Note: before installing AirLift you should ensure your user account has the minimum required access to SCCM. You should also have admin rights to install all of the dependencies.
Dashboard
FAQs
1. Does this install require access to the SCCM DB? No.
2. How does this communicate with SCCM? WinRM and SCCM cmdlets.
3. What SCCM information does it query? Device collections, devices, users, SCCM apps.
4. What SCCM RBAC access is needed? Read-only Analyst.
5. What SCCM RBAC access is optional? Privilege to create an SCCM app and deploy it.
6. How long will AirLift take to do the initial synchronization? 1-20 minutes depending on the size and number of both Workspace ONE and SCCM entities. Subsequent synchronization is incremental.
7. Does AirLift support direct and rule-based device collections? Yes.
8. Does AirLift support anything other than SCCM device collections? No.
Learn: Workspace ONE modern management for Windows 10
- Demos: https://youtu.be/3ooap0qqomY
- https://vmwarelearningzone.vmware.com/oltpublish/site/cms.do?view=openlearning
- Hands-on Labs: http://labs.hol.vmware.com/hol/catalogs/catalog/878
  - Beginners: HOL-1857-01-UEM - Getting Started
  - Advanced: HOL-1857-02-UEM - Unified Endpoint Management for Windows 10
Test Drive: Workspace ONE on your Windows 10 devices
- Sign up to VMware TestDrive: https://portal.vmtestdrive.com/
- TestDrive Getting Started Guide: https://kb.vmtestdrive.com/hc/en-us/articles/360001372254-getting-Started-with-TestDrive
- Workspace ONE for Windows 10 Walkthrough Guide: https://kb.vmtestdrive.com/hc/en-us/articles/360001152734-experience-Workspace-ONE-on-Windows-10
Get Started on Your POC or Deployment
- POC: Workspace ONE Windows 10 Reviewers Guide: https://techzone.vmware.com/resource/reviewers-guide-windows-10-unified-endpoint-managementairwatch
- Deployment: Professional Services Use Case Add-on for Windows 10: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/datasheet/vmware-workspace-oneairwatch-service-add-on-use-casedatasheet.pdf
You've got questions, we've got answers (hopefully)