How Windows 10 co-management works with SCCM and Intune/MDM, and how third parties can use it, too

At Microsoft Ignite 2017, Microsoft revealed Windows 10 co-management with Intune and SCCM—here’s how the concept extends to other EMMs.

Last week at Microsoft Ignite, we learned about co-management, a new mode that lets SCCM and Intune manage a Windows 10 device at the same time. There was some confusion about whether co-management is open to third-party MDM providers. As it turns out, some of the SCCM/Intune integration Microsoft showed is indeed proprietary, but the Windows 10 Fall Creators Update also contains the underlying changes that let SCCM and third-party MDM servers do co-management. This adds up to an important change for the enterprise desktop space, because it provides flexible new options for getting from traditional to modern management.

The journey to co-management

We’ve been talking about MDM for Windows 10 a lot over the last two years—we love the concept, but most companies are going to need help making the transition. We’ve looked at products that address this need from MobileIron, PolicyPak, and VMware AirWatch, and now we’re happy to see that Microsoft has also jumped in relatively quickly. (See Gabe’s article for more on this.)

In an Ignite session, Microsoft described their journey: Originally, they assumed that SCCM and Intune shouldn’t be on the same device, and that most customers would migrate group by group. But they heard the need for a bridge, too, and early this year began working on the co-management features announced last week. (By the way, check out the awesome graphic they used to describe different transition strategies.)

The key technical enablement components

As you can imagine, when you factor in all the choices around Intune, other MDMs, SCCM, AD, Azure AD, and AutoPilot, there are a lot of different ways to approach co-management. But for now, there are three key concepts to know about.

First, there’s SCCM and MDM co-existence. Originally, activating the SCCM agent would disable MDM. (You could get around this using other third-party agents, but we’ll set that aside for this conversation.) Now with the Windows 10 Fall Creators Update (1709) and SCCM 1710, the SCCM agent and MDM can co-exist. The changes also touch directory integration: Fall Creators Update devices can be joined to both AD and Azure AD at the same time.

The second key concept for co-management is the DeviceManageability CSP. (CSP stands for configuration service provider, which is what Windows 10 presents to MDM servers to configure and query.) This particular CSP allows the MDM server to see what management capabilities a device supports (which will naturally vary depending on the version of Windows and the hardware). Now, in Fall Creators Update, it has a new node that allows an MDM server to learn if there’s a traditional management agent also on the device, and which particular settings that agent has configured.

So essentially, using the DeviceManageability CSP, the MDM server gets an idea of what SCCM is doing. Obviously, though, some server-side integration would help keep things coordinated, and that is the third key component.

Microsoft showed off their server-side integration between SCCM and Intune, which is the proprietary aspect of co-management. You can connect SCCM to Intune, and then there is a slider UI in the SCCM console that you use to transition management workloads over to Intune. (See this session or this blog post for an illustration.) As we covered last week, the initial workloads this integration supports are compliance policies, resource access policies, and Windows Update policies. Microsoft has also done a bit of integration between the Company Portal and Software Center apps, as demonstrated here.

Third-party MDMs will have to either rely on the DeviceManageability CSP to keep things in sync (it’s likely that this will continue to evolve), or build their own SCCM integrations, as partners have done for years. Either way, we’ll be watching to see how third-party vendors handle pulling workloads over from SCCM.
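To make the DeviceManageability CSP idea from the previous two sections concrete, here is an added example of the server side of that exchange: a third-party MDM server sends an OMA-DM SyncML Get for the CSP's Capabilities and Provider nodes, parses the device's Results, and decides which of the three initial workloads it can take over without colliding with a traditional agent. This is illustrative code written for this article, not Microsoft's or any EMM vendor's code. The node URIs under ./Device/Vendor/MSFT/DeviceManageability follow the CSP tree as published; the provider ID "ConfigMgr", the XML shape inside CSPVersions, the comma-separated ConfigInfo text, the workload-to-CSP mapping, and both device replies are assumptions constructed for the example.

```python
"""Added example (not from the article, and not Microsoft's or any EMM
vendor's code): the MDM server's side of a DeviceManageability CSP query,
and the workload decision an MDM server could make from the answer.

Assumptions: the node URIs under ./Device/Vendor/MSFT/DeviceManageability
follow Microsoft's published CSP tree; the provider ID "ConfigMgr", the XML
shape inside CSPVersions, the comma-separated ConfigInfo text, and the
workload-to-CSP mapping are all constructed for this example."""
import xml.etree.ElementTree as ET

DM_ROOT = "./Device/Vendor/MSFT/DeviceManageability"
PROVIDER_ID = "ConfigMgr"  # assumed ID under the Provider node, not from the article

# The three initial workloads the article names, each mapped to the CSP the
# MDM server would need on the device to own it (mapping is an assumption).
WORKLOADS = {
    "compliance": "Policy",
    "resource_access": "VPNv2",
    "windows_update": "Update",
}


def build_get(cmd_id, loc_uris):
    """Server -> device: one OMA-DM SyncML <Get> listing every node to read."""
    items = "".join(
        f"<Item><Target><LocURI>{uri}</LocURI></Target></Item>" for uri in loc_uris
    )
    return f"<Get><CmdID>{cmd_id}</CmdID>{items}</Get>"


def parse_results(results_xml):
    """Device -> server: map each <Item>'s LocURI to the text of its <Data>."""
    root = ET.fromstring(results_xml)
    data = {}
    for item in root.iter("Item"):
        data[item.findtext("Source/LocURI")] = (item.findtext("Data") or "").strip()
    return data


def supported_csps(capabilities_xml):
    """CSPVersions payload -> {csp name: version}. Payload shape is constructed."""
    caps = ET.fromstring(capabilities_xml)
    return {csp.get("Name"): csp.get("Version") for csp in caps.iter("Csp")}


def plan_workloads(results_xml):
    """Decide, per workload, whether the MDM server may take it over.

    'mdm'         - device supports the CSP and no traditional agent claims it
    'agent'       - the agent reports it still owns the workload; leave it
                    alone, or two sources will fight over the same settings
    'unsupported' - this Windows build/hardware does not expose the CSP
    """
    data = parse_results(results_xml)
    csps = supported_csps(data[f"{DM_ROOT}/Capabilities/CSPVersions"])
    # A missing Provider item means no traditional agent reported itself.
    config_info = data.get(f"{DM_ROOT}/Provider/{PROVIDER_ID}/ConfigInfo", "")
    agent_owned = {w.strip() for w in config_info.split(",") if w.strip()}
    plan = {}
    for workload, csp in WORKLOADS.items():
        if csp not in csps:
            plan[workload] = "unsupported"
        elif workload in agent_owned:
            plan[workload] = "agent"
        else:
            plan[workload] = "mdm"
    return plan


# Constructed device replies (sample data, not captured from a real device).
RESULTS_WITH_AGENT = f"""<Results>
  <CmdID>2</CmdID>
  <Item>
    <Source><LocURI>{DM_ROOT}/Capabilities/CSPVersions</LocURI></Source>
    <Data><![CDATA[<Capabilities>
      <Csp Name="Policy" Version="1.0"/>
      <Csp Name="Update" Version="1.0"/>
    </Capabilities>]]></Data>
  </Item>
  <Item>
    <Source><LocURI>{DM_ROOT}/Provider/{PROVIDER_ID}/ConfigInfo</LocURI></Source>
    <Data>compliance</Data>
  </Item>
</Results>"""

# Same device, but no traditional agent has registered under Provider.
RESULTS_NO_AGENT = f"""<Results>
  <CmdID>2</CmdID>
  <Item>
    <Source><LocURI>{DM_ROOT}/Capabilities/CSPVersions</LocURI></Source>
    <Data><![CDATA[<Capabilities><Csp Name="Policy" Version="1.0"/><Csp Name="Update" Version="1.0"/></Capabilities>]]></Data>
  </Item>
</Results>"""

if __name__ == "__main__":
    print(build_get(2, [f"{DM_ROOT}/Capabilities/CSPVersions",
                        f"{DM_ROOT}/Provider/{PROVIDER_ID}/ConfigInfo"]))
    print(plan_workloads(RESULTS_WITH_AGENT))
    print(plan_workloads(RESULTS_NO_AGENT))
```

One caveat worth keeping in mind when building on this: everything under the CSP is device-asserted. A misconfigured or compromised client could report an agent that "owns" the compliance workload and keep the MDM server from applying compliance policy at all, so a server should log the resulting plan and reconcile it against the SCCM side (or a proprietary integration like Microsoft's) rather than treating the CSP values as authoritative.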

What does this mean?

As Gabe noted, Microsoft is acting relatively quickly, compared to past examples. This is a sign that Microsoft sees modern management (and the transition to it) as an important building block for the future of Windows. (Also, note that EMS is part of the Windows group now.)

At Ignite, it was noted that Microsoft has taken hybrid approaches to other products—for example, Azure AD can stay in sync with on-prem AD, and mailboxes can move back and forth between Exchange and Exchange Online—so applying this approach to SCCM and MDM makes a lot of sense, too.

The fact that the underlying components are part of Windows and exposed to third-party MDM creates a big opportunity for the likes of AirWatch, MobileIron, and others.

The co-management concept itself will enable MDM for Windows to spread more easily and faster. Instead of worrying about whether a unified endpoint management provider can cover enough legacy scenarios, or waiting for a key feature to come out, customers can get started with the Windows 10 MDM features that work for them sooner, and transition other features over time.

Together, I think these effects could usher in even more growth across the EMM industry.
