Intune, ConfigMgr agent or agentless management for Windows 8.1 clients?

Posted: February 6, 2014 in Uncategorized

The world of device or client management is changing rapidly and will keep changing. Mobile devices are transitioning to fully capable workspace machines whereas laptops are becoming more mobile and mainly internet-based. Traditional desktop numbers are dropping. Users will take more responsibility in getting the appropriate apps and keeping their devices up to date and protected. On the other hand organizations need to control and maintain device compliancy in scenario’s where highly classified information is disclosed through apps. Number of usage scenario’s is growing. With that, management scenario’s become more granular as well. Happily enough technology is also changing. In SCCM and it’s predecessors mobile device management capabilities are not new and covered some mobile scenario’s. Starting from Systems Management Server (SMS) 2003 Device Management Feature Pack administrators where able to do some level of management on Windows based smartphones. In later versions more “mobile” features and platform support where added. When Windows Intune came into play Mobile Device Management became more mature and capable in supporting all sorts of business scenario’s. Also, the Microsoft Windows client platform is developed with a mobile-first strategy, enabling anywhere, anyplace, anytime relevant functionality while still supporting all sorts of legacy scenario’s as well (such as managed desktops). All form factors will be supported in all scenario’s. However it raises some questions when designing such a solution:

  • Should i choose for SCCM or Windows Intune? Both?
  • Is Windows 8.1 a mobile BYO platform or more a desktop client platform? Or both?
  • Do i (the noble admin) need to provide updates and anti-malware services or is that done by the user him/herself?
  • Should and can i install a management client, is the client domain or workspace joined
  • Is the device private or corporate owned?
  • What kind of apps will be deployed? ARM vs x86 or x64 based?

For each scenario IT admins have to think in terms of capabilities. With SCCM you will be able to manage corporate and LAN/VPN connected Windows devices well enough. A way of managing devices that are mainly connected to foreign networks such as the internet is to extend SCCM with a Windows Intune subscription that will serve the internet connected clients. If you don’t have the luxury of having SCCM you can use Windows Intune separatly (only for small environments). To start with the client management capabilities there are some client mechanisms that can be used by SCCM and Windows Intune to configure the client:

  • OMA-DM API (Open Mobile Alliance Device Management): Many organizations want to manage certain classes of devices, like tablets and BYOD devices, as mobile devices and do only light management. With Windows 8.1, you can use an OMA-DM API agent to allow management of Windows 8.1 devices with mobile device management products such as XenMobile, MobileIron, etc. No agent is required to use this feature.
  • Windows Intune agent: A software agent similar to the Configuration Manager client which is installed on the device and will provide support for deployment of updates and endpoint protection as an addition to the OMA-DM functions. The Windows Intune client should only be used in scenario’s without the existence of SCCM on Windows x86 or x64 platform with the requirement to centrally manage updates/antimalware. There is no Windows Intune client for Windows RT or other platforms such as IOS, Android, OSX and Linux.
  • Configuration Manager agent: Most capable management agent for managing Windows based platforms. When a Windows Intune subscription is connected to SCCM only clients without the ConfigMgr agent, using OMA-DM instead, can use Windows Intune cloud servers to find content or policies that are configured in SCCM. You only need the SCCM console to manage it all. It might be a bit confusing that a ConfigMgr agent cannot use Intune cloud servers (yet??).

Microsoft made an overview on platform support for enterprises:
415199

 

 

 

 

 

 

 

 

 

As you can see the Windows Intune agent is not listed in this table. This is because Microsoft positioned Windows Intune as an extension to SCCM for larger enterprises. For smaller organizations Windows Intune could suffice and than you could need the Windows Intune client capabilities to centrally manage and control updates and endpoint protection.

When looking to Windows based devices/clients only two scenario’s are left mainly:

  1. ConfigMgr Agent based management: updates, endpoint protection, inventory for Windows PC’s such as Windows XP, Windows 7, Windows 8 and Windows 8.1. x86 and x64 architecture only.
  2. Agentless management: for Windows RT, Windows Phone and Windows 8.1 devices/clients in a BYO scenario!!!

Windows 8.1 PC management
Note that Windows 8.1 can positioned in two scenario’s: the Windows PC and the Windows BYO device. This is important because when you need to manage a Windows 8.1 client as a Windows PC you should install the ConfigMgr client. Also, the client should be domain joined. You can deploy and manage all settings and software configurations on the client. You will have complete control of the client configuration. 

Windows 8.1 BYO management
However, when you need to manage a Windows 8.1 client as a mobile device the ConfigMgr should not be installed. Just enable device management through charms bar > PC Settings > Network > Workplace. Enter your credentials that matches a synchronized Windows Intune user account. Optionally Workspace Join the device to the corporate Active Directory to support additional services such as Single-Sign-On and Workspace Folders. You have only management control on some security features that are available to the OMA-DM API. No complete control, only light management possible.

workfolders

 

 

 

 

 

 

 

 

 

Conclusion
A summary to this post gives a quick list of each deployment scenario that should be used for each management scenario for Windows 8.1 clients/devices:

  1. Intune client: used only for small number of clients. SCCM not used.
  2. ConfigMgr client: used for enterprise PC management. With or without Intune subscription.
  3. Agentless: used for BYO management of Windows 8.1 devices.

I hope this clears things up a bit. In other posts i will discuss the Company Portal and BYO management of other platforms such as IOS, Android etc.

Advertisements
Comments
  1. C says:

    Hi, I was interested to read your comments in particular, when you say “When a Windows Intune subscription is connected to SCCM the client with a ConfigMgr agent installed can use Windows Intune cloud servers to find content or policies that are configured in SCCM. You only need the SCCM console to manage it all.” How exactly does this feature work as I have not see it work successfully yet and can find little to no documentation on it?

    • dvdruit says:

      I’ve updated the post. It is just the other way around. You cannot use Intune servers to act as content/policy servers to the SCCM client agent. They only reply to OMA-DM or Intune agent connected clients.
      Thanks for your comment!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s