mastering the move to modern management using...

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM

Josué NegrónSr. Solutions Architect

VMware

Brooks PeppinEUS Systems Engineer

VMware

Mastering the Move to Modern Management using ConfigMgr


AgendaChallenges with PCLM SolutionsWhat are your Options? Co-Management with ConfigMgr using IntuneScripting Options to Move WorkloadsCo-Management with Workspace ONE

On-boardingCollection MappingApp MigrationTracking and Dashboard


2003

20122012

2011

2007

1999SMS 2.0

1994SMS 1.0

Client Management Infancy (NT Domain)

Groups ModelComprehensive Management

Laptops, Servers, Enterprise Scale

Management from the Cloud

Evolution of Microsoft Client Management

2017

Consumerization of IT

Co-Management

SCCM as a Service

2016

Windows 10

2015

Windows 8

2012

Windows 7

2009

Windows Vista

2006

Windows XP

2001

Windows 95

1995

Windows 3

1992

2014 EnterpriseMobility Suite

Transitioning to Modern Management

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM4

With Windows 10, Microsoft Enables “Modern Management” of PCs

Integrated MDM Framework

Simplified Device Onboarding

Cloud-based Management

Microsoft’s own IT is moving away from traditional PC management to modern management for Windows 10.*

* Source: Microsoft IT Showcase; Aug 21, 2017; https://www.microsoft.com/itshowcase/Article/Video/708/Windows-10-deployment-tips-and-tricks-from-Microsoft-IT


Journey to Modern Management

• Not a flip of a switch to get to Windows 10 / Modern Management• Will take time, potentially years

• May have servers and legacy Windows OS under SCCM management

• Need to change 25 years of management practices• Domain Centric to Device/User Centric

• Many plug-ins for SCCM• Asset management, Auditing

• Similar to move from Exchange, Active Directory• Hybrid Mode Exchange with O365 / AD Federation with Azure

• Customers may not be able to move all devices to modern management• Will happen with device replacement (3-5 years)


Legacy PC Management

DeployHigh IT touch – build and constantly maintain images specific to OEMs, OS version, use cases, roles

PatchPoor patch compliance – patch management of domain joined PCs on company network

ConfigureOn-network and domain joined PCs only, leveraging group policy objects (GPOs)

AppsResource intensive packaging and deployment (heavy distribution infrastructure); supports Win32 apps only

Perimeter defense and no visibility across off-network endpoints; manual remediation for compromised PCs

Simpler out-of-the-box and IT runtime provisioning without the need for imaging; upgrade to new version from cloud

Updates PCs on or off the domain from the cloud in minutes; not months

Configures PCs over-the-air and across any network; supports modern MDM + GPOs

Scalable and reliable app distribution with cloud CDN + P2P; supports any app - Win32, store/UWP, SaaS

Smarter conditional access polices and real-time visibility, compliance, and auto remediation across all endpoints

Unified Endpoint Management

Lacks self-service capabilities or requires third party add-ons (e.g. store front, recovery keys, etc.)

Limited to corporate owned desktop management use cases with locked down machines

Retire Manual process: wipe and replace image for new user

Self-service features for app access, domain password reset, BitLocker recovery, remote wipe and lock and others

Easily scales to modern use cases (e.g. BYOD) and other Windows, mobile, rugged and IoT endpoints (UEM)

Wipe and reset remotely; ready for the new user

Secure

Self-service

Use Cases


AD/AAD

connect

Adopt Windows 10

Adopt Office 365/ProPlus

Imaging to Signature Image

End of Support for Windows 7

GPO to MDM Policy

Kerberos to Modern Auth

Win32 to Modern Apps

ConfigMgr Content Delivery to Cloud Content Delivery

Today

WSUS to WUfB

Adopt & Connect Transition to Modern

Bridging to Modern Management

Modernizing with a co-management bridge


• SCCM is a religion• People have built their careers on SCCM

• As they move to Modern Management, SCCM becomes irrelevant

• Unless a customer is already 100% at Windows 10 • WinXP, Win7, Win8 and Server OS’s

• Most companies have had SCCM in place for over 20 years• Not easy to just “rip off the Band-Aid”

• We may need SCCM to get to Windows 10• Upgrade Win7 to Win 10

• Typical hardware refresh cycle is 3-5 years

Why Co-Manage with SCCM


Co-Management with Intune

You must have the following prerequisites in place before you can enable co-management with Intune or EMS:

• Requires Windows 10 version 1709 or later

• Requires Configuration Manager version 1710 or later

• Must be Intune Standalone

• Cannot be Hybrid MDM (Intune joined to SCCM)

• EMS or Intune license for all users

• Devices must be Hybrid Azure AD-joined (SCCM Managed)

• Azure AD Joined (Intune Managed)

• Azure AD automatic enrollment enabled


Supported Workloads• Device Compliance Policies

• Resource Access Policies

• Configure VPN, Wi-Fi, email, and certificate settings on devices.

• Windows Update Policies

• Endpoint Protection (starting in Configuration Manager version 1802)

• Device Configuration (starting in Configuration Manager version 1806)

• Office 365 Click-to-Run apps (starting in Configuration Manager version 1806)

• Mobile apps (starting in Configuration Manager version 1806 as a pre-release feature)

• Ability to Execute Remote Commands

https://docs.microsoft.com/en-us/sccm/core/servers/manage/pre-release-features


Co-Management Dashboard


Major Limitations Today

• Many Prerequisites: SCCM 1710+, Windows 10 1709+, AD+AAD Joined, CMG for Intune-Only Managed Devices, etc.

• No clear path to fully migrate apps to a modern approach

• Does not migrate workloads over from SCCM to Intune, Co-Management only chooses who the primary source of management should be

• Only supports some use-cases, thus might not work for all of your devices in your organization

• No clear path for customers who want to rip-and-replace quickly; but great for a longer term migration plan


• Available on GitHub & VMware {code}:

• SCCM to AirWatch App MigrationMigrate existing Win32 applications from SCCM to AirWatch

• SCCM to AirWatch Tag CreationAutomatically create tags in AirWatch for SCCM collections and tag devices to maintain a link between SCCM and AirWatch

• SCCM to AirWatch Auto RegistrationAutomatically pre-register SCCM devices into AirWatch using serial number and primary user. Allows silent AirWatch enrollment via staging account.

Open-Source SCCM Migration Tools

AirLift to get to Modern Management

SCCM App Migration

Device Collection Migration

Auto Onboarding

https://github.com/vmwaresamples/AirWatch-samples/tree/master/Windows-Samples/Tools & Utilities/SCCM App Migration

https://github.com/vmwaresamples/AirWatch-samples/tree/master/Windows-Samples/Tools & Utilities/SCCM to AirWatch Tag Creation

https://github.com/vmwaresamples/AirWatch-samples/tree/master/Windows-Samples/Tools & Utilities/SCCM to AirWatch Auto Registration


SCCM Terms Workspace ONE Translations Intune Translations

WMI/MOF Closest would be CSPs/APIs CSPs/APIs

Apps & Packages Software Distribution (Win32 Apps) Client Apps (Windows MSI Line-of-Business)

Distribution Points (DPs) + BranchCache

CDN + P2P Cloud DPs

MDT/OSD Next Evolution is OOBE/AutoPilot/Dell Factory Provisioning

OOBE + AutoPilot

Software Center/App Catalog Workspace ONE Catalog Company Portal

MBAM for Encryption BitLocker Lifecycle Management BitLocker Configuration via CSP

Collections Smart Groups / Tags Assignments/Groups

Software Updates/ADRs/WSUS Windows Update Profile (WUfB or WSUS) Software Updates (WUfB)

Task Sequences No Mapping – similar to Product Provisioning No Mapping – PowerShell Scripts

Site Code (3 Characters) & Assigned Site

Group ID & Enrollment Group Tenant

Enrollment Point Device Services (Mobile and Mac Devices Only) --

Management Point Device Services (Windows Devices) Cloud Management Gateway

Primary Site/Secondary Site Parent/Child Organization Group --


Did you know….

VMware has supported co-existence (“co-management”) with SCCM since late 2015!So where are we today with speeding your transition to Windows 10 modern management, let’s take a look!


Workspace ONE AirLift

• Server-side Connector

• Web-based Admin Experience

• Passive Orientation to Simplify Co-Management

• Fully Productized and Supported

• Available with ALL Workspace ONE Editions

Windows 10 Clients

ConfigMgr Workspace ONE UEM

6


Communication Protocols

Workspace ONE

MODERN

Configuration Manager

TRADITIONAL AirLift

Windows Remote Management (WinRM) & Configuration Manager

Cmdlets

Workspace ONE UEM RESTful APIsAirLift Service

AirLift Web UI


AirLift Prerequisites

✓ Workspace ONE UEM 9.5+

✓Admin with API Access & REST API Key

✓Device Services, Console, API URLs

✓ SCCM 2012 R2+

✓ SCCM Account with at Least Read-Only Permissions✓ Additional access needed to create Enrollment App from AirLift (Optional)

✓ SCCM Account must be Remote Management Group (Win RM)

✓ SCCM Site Code

✓ SCCM Device Collections with Active Windows 10 Devices

✓ AirLift VM (Recommend Small Dedicated VM with Good SCCM Connectivity)

✓AirLift Installer will Download & Install SQL Express and MongoDB✓ Installer will Securely Configure for Use Only by AirLift

✓AirLift will Create Two Services that Run under ‘Network Service’


Live Demo: Getting Started with AirLift


Mapping Device Collections


SCCM Device Collection Mapping

Empower the admin to accelerate their adoption and visibility of our Co-Management capabilities

• Leverage existing ConfigMgr Device Collections• Complex Query Based Rules

• Based on Device Type (e.g. Dell XPS)

• One to Many Mapping between Collections and Workspace ONE

• Map ConfigMgr Collections to Workspace ONE Smart Groups• Backend Task keeps Workspace ONE Synced with ConfigMgr

• Multiple Purposes for Collection Mapping• Windows 10 Devices

• Systems that can be Upgraded to Windows 10

• Dell Laptops, etc.

• One to One, Many to One or Specific Mapping


Live Demo: Taking Flight with AirLift; Onboarding

Devices


Enrollment


Live Demo: Migrating Apps


Application Migration

Transition SCCM Applications to Workspace ONE UEM

• Enumerate SCCM Applications • Supports MSI’s

• Supports Scripted Installs (MSI, EXE, ZIP)

• Supports Multiple Deployment Types

• Validations to Increase Predictability• Rules Introspect SCCM App Metadata BEFORE Export

• Validate Info (e.g. Install Translated from ‘System’ to ‘Device’)

• Validation Error (e.g. Uninstall Command Line Missing)

• Application Export is NOT• App Rationalization Offering

• Automated Packaging

• Does Not Work Against SCCM Packages


Troubleshooting

• AirLift Install Directory: %ProgramFiles%\VMware\VMware AirLift• Workspace ONE Enrollment Application – Contains the AirWatch Agent, SCCM

Integration Client, and icons.

• AppSettings.JSON – Change logging level and contains the connection strings to SQL Express and MongoDB

• %ProgramData%\VMware\VMware AirLift• MongoData

• Log – Contains logs for Mongo DB

• Logs• Contains AirLift logs, more detailed than the Activity Log

• Note before installing AirLift you should ensure your user account has the minimum required access to SCCM. You should also have admin rights to install all of the dependencies.


Dashboard


FAQ's1. Does this install require access to the SCCM DB? No

2. How does this communicate with SCCM? WinRM and SCCM Cmdlets

3. What SCCM information does it query? Device Collections, Devices, Users, SCCM Apps

4. What SCCM RBAC access is needed? Read-only Analyst

5. What SCCM RBAC access is optional? Privilege to create SCCM App and Deploy

6. How long will AirLift take to do the initial synchronization? 1-20 mins depending on the size and number of both Workspace ONE and SCCM entities. Subsequent synchronization is incremental.

7. Does AirLift support Direct and Rule-based Device Collections? Yes

8. Does AirLift support anything other than SCCM Device Collections? No


Demos• https://youtu.be/3OOap0qQOM

Y

• https://vmwarelearningzone.vmware.com/oltpublish/site/cms.do?view=openlearning

Hands-on-Labs• http://labs.hol.vmware.com/HOL

/catalogs/catalog/878

• Beginners: HOL-1857-01-UEM -Getting Started

• Advanced: HOL-1857-02-UEM -Unified Endpoint Management for Windows 10

Sign up to VMware TestDrive: • https://portal.vmtestdrive.com/

TestDrive Getting Started Guide: • https://kb.vmtestdrive.com/hc/en-

us/articles/360001372254-Getting-Started-with-TestDrive

Workspace ONE for Windows 10 Walkthrough Guide:

• https://kb.vmtestdrive.com/hc/en-us/articles/360001152734-Experience-Workspace-ONE-on-Windows-10

POC: Workspace ONE Windows 10 Reviewers Guide:

• https://techzone.vmware.com/resource/reviewers-guide-windows-10-unified-endpoint-management-airwatch

Deployment: Professional Services Use Case Add-on for Windows 10:

• https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/datasheet/vmware-workspace-one-airwatch-service-add-on-use-case-datasheet.pdf

Learn Workspace ONE modern management for Windows 10

Test Drive Workspace ONE on your Windows 10 devices

Get Started on Your POC or Deployment

http://labs.hol.vmware.com/HOL/catalogs/catalog/878

https://portal.vmtestdrive.com/

https://kb.vmtestdrive.com/hc/en-us/articles/360001372254-Getting-Started-with-TestDrive

https://kb.vmtestdrive.com/hc/en-us/articles/360001152734-Experience-Workspace-ONE-on-Windows-10

https://techzone.vmware.com/resource/reviewers-guide-windows-10-unified-endpoint-management-airwatch

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/datasheet/vmware-workspace-one-airwatch-service-add-on-use-case-datasheet.pdf


You’ve got questions, we got answers… hopefully

mastering the move to modern management using...

Documents