Co-Management – Device Compliance

After speaking with Adam Gross @adamgrosstx (follow him, he is a great resource to the community) we were discussing how ConfigMgr admins are wondering why they should implement co-management and how it will benefit them. Hopefully this post will give you an insight into just one of the many benefits of “Cloud-Attaching” your SCCM environment with Intune. In this post I am going to demonstrate the end-to-end process and show why moving the compliance policies workload from SCCM to Intune is beneficial. I am assuming you have already set up Co-Management at this point.

Create & Assign the Compliance Policy

The first step is we need to create and assign a compliance policy in Intune in preparation for moving the workload over from SCCM to Intune.

  • Navigate to Intune (https://aka.ms/intuneportal)
  • Device Compliance
  • Policies
  • Create Policy
  • Enter a Name
  • Platform – Windows 10 and Later
  • Configure Settings

Configure the settings you want to evaluate for compliance. There are a lot of settings, which I'm not going to go through here, but to name a few examples:

  • Require Encryption
  • Require Firewall
  • Minimum OS Version

Once you have created the policy you need to assign it, either to a group or by using “All Users”.

At this point the compliance policy will evaluate against all targeted Windows 10 devices. However, if you have not yet moved the slider from SCCM to Intune in Co-Management, none of your co-managed clients will receive the compliance policy or report a status.

Moving the Workload

Below is a screenshot of the compliance status of a co-managed device before we have moved the workload over to Intune. All it says is “See ConfigMgr” at the moment.

[Screenshot: compliance status of the co-managed device showing “See ConfigMgr”]

  • Open the SCCM Admin Console
  • Go to Administration > Cloud Services > Co-Management
  • Go to the Properties of your existing co-management settings

On the Workloads tab you will see 7 workloads available if you are on SCCM 1806 or later (if you only see 6, it is because Mobile apps is a pre-release feature that you have to enable first). I am going to move Compliance policies to Intune.

The Result

Now that you have moved the workload your co-managed devices will start evaluating the compliance policy you assigned in Intune Standalone.

As you can see my co-managed device is now reporting a status. I have deliberately made sure the device evaluates as non-compliant for this demo.

Now what?

Now that your co-managed devices are reporting a compliance status, you are probably thinking: OK, great, but now what? Well, this is where we can start using the compliance state with conditional access. Essentially we can create a conditional access policy that only allows users access to corporate resources when they are on a “Compliant” device.

Creating the Conditional Access Policy

  • Navigate to Azure Active Directory
  • Conditional Access
  • New Policy
  • Name the Policy
  • Users and Groups > Assign the User groups you want the policy to apply to

  • Select the Cloud Apps you want the Policy to Apply to i.e. All Cloud Apps

  • Choose the conditions i.e. Device Platform Windows

Now the Grant section under Access controls is the most important part of this blog post: this is where we require the users we specified in the policy, when connecting to the specified cloud apps from the specified platform, to be on a COMPLIANT device in order to gain access to corporate resources.

  • Tick Require device to be marked as compliant
  • Enable the Policy
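The same two policies (the Windows 10 compliance policy from the first section and the conditional access policy from the steps above) can be created through Microsoft Graph instead of clicking through the portals. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, the account has Intune and Conditional Access admin rights, and the placeholder $GroupId is replaced with the object id of your target user group (the OS version is an example value).

```powershell
# Added example (not from the original post): creates and assigns the compliance policy,
# then the conditional access policy, via Microsoft Graph using Invoke-MgGraphRequest.
# Assumptions: Microsoft.Graph module installed; $GroupId is a placeholder to replace.
$GroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the user group
$Graph   = "https://graph.microsoft.com/v1.0"

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All", "Application.Read.All"

# 1. Windows 10 and later compliance policy with the three settings named in the post.
$compliancePolicy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Co-Management Baseline"
    bitLockerEnabled       = $true          # Require Encryption
    activeFirewallRequired = $true          # Require Firewall
    osMinimumVersion       = "10.0.17763"   # Minimum OS Version (example value, Windows 10 1809)
    # Graph requires at least one scheduled action; mark non-compliant immediately (no grace period).
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
$created = Invoke-MgGraphRequest -Method POST -Body $compliancePolicy `
    -Uri "$Graph/deviceManagement/deviceCompliancePolicies"

# 2. Assign the policy to the group. For "All Users" use
#    "#microsoft.graph.allLicensedUsersAssignmentTarget" as the target type instead.
$assignment = @{ assignments = @(@{
    target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId }
}) }
Invoke-MgGraphRequest -Method POST -Body $assignment `
    -Uri "$Graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign"

# 3. Conditional access: the group's users, all cloud apps, Windows platform,
#    grant access only when the device is marked as compliant.
$caPolicy = @{
    displayName   = "Require compliant Windows device"
    state         = "enabled"   # "enabledForReportingButNotEnforced" is report-only mode, useful for a first test
    conditions    = @{
        users        = @{ includeGroups = @($GroupId) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
Invoke-MgGraphRequest -Method POST -Body $caPolicy `
    -Uri "$Graph/identity/conditionalAccess/policies"
```

Once created, the compliance policy still only takes effect on co-managed clients after the Compliance policies workload slider has been moved to Intune, exactly as described in the Moving the Workload section.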

The End Result

I made sure my co-managed device was non-compliant just to prove my conditional access policy is working as expected. On the co-managed client I am going to try to log in to the Intune portal.

Now I am going to make my device compliant and try again.

Successful Sign in

Summary

To summarise, I have leveraged Co-Management and the compliance policies workload to restrict access to corporate data to Windows devices which meet a set criteria (Compliant).

Jake Stoker

Enterprise Mobility + Security SME