At Ignite 2017, Microsoft announced a new feature for ConfigMgr and Intune called Co-Management (Original Article). Co-Management is a more simplified and manageable way to transition from ConfigMgr and AD to a modern management approach, with a migration to management through Intune and Azure AD. During my tests, I found I would actually benefit from having both environments working together.

Once Co-Management has been set up, the Intune portal shows the device as managed by MDM/ConfigMgr Agent.

More details about Co-management, see here:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

Prerequisites

You will need ConfigMgr 1710 and Windows 10 1709 to support Co-management. The setup of the co-management feature itself is very easy; however, we will need to build up other necessary features to fully support its functionality.

You also need to set up the AD connector, but I won’t cover those details this time.

In my test lab, I set up one Primary Site (CM01.zit.local) and one site system server (CM02.zit.local).

CM01.zit.local (Primary Site):

This server supports clients connecting from the internal network. SSL is not required for these clients, but it is recommended.

Roles
Management Point (https)
Distribution Point (https)
Software Update Point (https)

CM02.zit.local (site system server):

This server supports internet-based clients.

Roles
Cloud management gateway connection point
Management Point (https, use gateway)
Software Update Point (https, use gateway)

Co-Management Setup

In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts:

Setup – Roles & Certificates

Cloud Management Gateway (feature)

Devices communicate over the internet to ConfigMgr via the Cloud Management Gateway. Certificates are required.

  1. Azure Management certificate
  2. Cloud management gateway certificate
  3. Root certificate

Cloud Distribution Point (feature)

A cloud-based distribution point is a ConfigMgr distribution point that is hosted in Microsoft Azure. Clients on the internet can download content from a cloud distribution point without any need for a VPN connection back to their corporate network. Certificates are required.

  1. Azure Management certificate
  2. Cloud Distribution Point certificate
  3. Client Authentication certificate for domain joined clients

Management Point (CM01.zit.local, https)

Certificates are not required, but recommended.

  1. Web server cert for server authentication
  2. Client Authentication certificate for domain joined clients

Distribution Point (CM01.zit.local, https)

Certificates are not required, but recommended.

  1. Web server cert for server authentication
  2. Client authentication certificate for domain joined clients
  3. Certificate for distribution point

Software Update Point (CM01.zit.local, https)

Certificates are not required, but recommended.

  1. Web server cert for server authentication
  2. Client authentication certificate for domain joined clients

Management Point (CM02.zit.local, https)

A certificate is required for HTTPS mode if you want to use Azure AD to authenticate instead of client certificates. If you are using client certificates instead of the Cloud Management Gateway, an HTTPS management point is optional, but recommended.

If you are using Azure AD to authenticate for on premises or internet clients, an HTTPS management point is required.

  1. Web server cert for server authentication
  2. Client authentication certificate for domain joined clients

Software Update Point (CM02.zit.local, https)

  1. Web server cert for server authentication
  2. Client authentication certificate for domain joined clients
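As an added check (not part of the original post), the following PowerShell script, run on a site system such as CM01.zit.local or CM02.zit.local, verifies that the two certificates the HTTPS roles above depend on are present in the local machine store, unexpired, carry the right EKU, chain to a trusted root and, for the web server certificate, name this host. It assumes the certificates were enrolled into Cert:\LocalMachine\My and that the host name resolves to its FQDN.

```powershell
# Added example, not code from the original post. Checks the local machine store for the
# web server (Server Authentication) certificate and the Client Authentication certificate
# that the HTTPS management point, distribution point and software update point rely on.
# Assumption: certificates were enrolled into Cert:\LocalMachine\My on this site system.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-RoleCertificate {
    param(
        [Parameter(Mandatory)][string]$Purpose,   # label for the report line
        [Parameter(Mandatory)][string]$EkuOid,    # EKU the role needs
        [string]$ExpectedName                     # FQDN that must appear in subject or SAN
    )
    # Usable candidates: private key present, not expired, required EKU listed.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EkuOid)
    })
    if ($ExpectedName) {
        # A server certificate that does not name this host is rejected by clients.
        $candidates = @($candidates | Where-Object {
            $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
            $escaped = [regex]::Escape($ExpectedName)
            ($_.Subject -match "CN=$escaped") -or ($san -match $escaped)
        })
    }
    # Verify() builds the chain against this machine's trusted roots, so a certificate
    # issued by a root that is missing from the store (the "Root certificate" item above)
    # is reported as present but not trusted.
    $trusted = @($candidates | Where-Object { $_.Verify() })
    [pscustomobject]@{
        Purpose    = $Purpose
        Found      = $candidates.Count
        Trusted    = $trusted.Count
        Thumbprint = ($trusted | Select-Object -First 1).Thumbprint
        Status     = if ($trusted.Count -gt 0) { 'OK' } else { 'MISSING' }
    }
}

Test-RoleCertificate -Purpose 'Web server (Server Authentication)' -EkuOid $ServerAuthOid -ExpectedName $Fqdn
Test-RoleCertificate -Purpose 'Client Authentication (domain-joined)' -EkuOid $ClientAuthOid
```

A MISSING line for the web server certificate on CM02 usually means the certificate was issued for a name other than the one clients will use through the gateway, or the issuing root is not yet in the machine's Trusted Root store.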


Next in Part 2, we will create certificates for these roles.


Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

Comments

Ram Lan, posted at 16:59 December 16, 2017:

Hi – Excellent write-up on CMG and CDP. Followed all the steps and so far completed part 1 – part 5. Everything working as it should. Thanks for sharing your notes.

Look forward to new topics in the future.

Thanks

Ram

Zeng Yinghua, posted at 17:08 December 16, 2017:

Hello Ram, thank you for reading, I am glad they are useful to you.

Thanks, Sandy