Enterprise Mobility and Security Blog

We have heard repeatedly from our customers who are using System Center Configuration Manager connected with Microsoft Intune (hybrid MDM) that they’d like to move to a cloud-only experience with Intune on Azure. This experience brings many new benefits, such as large scale, a unified admin console, role-based access control (RBAC), and more. To help customers transition easily, we’re introducing a new process for moving from hybrid MDM to Intune standalone.

Previously, the move from hybrid MDM to Intune standalone required a one-time authority switch that would move an entire tenant at once and force the admin to reconfigure all settings in Intune, including re-enrolling all devices. Our new approach will allow customers to move from hybrid MDM to Intune standalone in a more controlled manner without impacting end users. The new process consists of three parts: Microsoft Intune Data Importer, mixed authority, and an improved MDM authority switch.

Microsoft Intune Data Importer

One of the biggest hurdles with the process of moving from hybrid MDM to Intune standalone has been the need to recreate all the profiles, policies and apps targeted to users and devices. Microsoft Intune Data Importer is a new downloadable tool designed to automatically copy MDM data created in Configuration Manager to an Intune environment. Importable objects include configuration items, certificate profiles, email profiles, VPN profiles, Wi-Fi profiles, compliance policies, terms and conditions, and apps.

Because Active Directory (AD) groups can be synced to Azure AD groups, deployments for the imported objects can be imported if the user collections in Configuration Manager are based on AD groups. Deployments will appear as assignments in the Intune console.

Microsoft Intune Data Importer is available for download through GitHub. You can leave feedback for the tool there as well. We are continuing to add support for new settings, and your feedback will help us make improvements for future releases.

Mixed authority

The second big change in the migration process is what we refer to as mixed authority. Mixed authority allows admins to selectively migrate users from hybrid MDM to Intune standalone in a phased, controlled manner. This means that you can migrate some groups of users to Intune standalone while you continue to use hybrid MDM for the remaining users and devices. Once a user has been moved to Intune standalone, that user and all of their devices will be managed from the Intune on Azure console. You can then create and deploy policies, initiate remote actions, and enroll new devices as if this user were part of an Intune standalone environment. Tenant-level policies, such as your iOS APNs certificate, will function for users and devices managed by both hybrid MDM and Intune standalone. While the tenant is in mixed authority mode, these policies will only be editable via the Configuration Manager console.

With mixed authority, all tenants will use the Intune on Azure console and will not need to use the legacy Silverlight-based console for MDM management of migrated users. This new capability will be rolled out starting today. You will be notified through the Office 365 Message Center when your tenant is enabled for mixed authority. Note: the Silverlight-based console will still be required for tenants using the Intune PC client. Tenants using the Intune PC client will take longer to be enabled.

Putting it together

The Microsoft Intune Data Importer tool and mixed authority are two pieces of the new migration strategy. We recommend running Microsoft Intune Data Importer first and making sure all policies and configurations are in place before migrating any users. If the policies targeted to a user are the same in both consoles, there will be no impact to the end user when they migrate.

Once you are satisfied with your testing in the Intune standalone environment, you will initiate the tenant MDM authority switch through the Configuration Manager console. Because of recent changes to the MDM switch, this will migrate any remaining hybrid MDM users. All of the policies and apps that were created in the Intune on Azure portal, as well as your tenant-level policies, will be migrated and available for configuration in the Intune on Azure console. Enrolled devices will not be required to re-enroll.

We are really excited about the release of these new tools and can’t wait for customers moving to Intune standalone to have a smoother, more predictable experience. You can learn how to use this new functionality in our detailed documentation.