How to change your Intune MDM authority
By Paul Winstanley, Microsoft System Center Configuration Manager Consultant, SCCM Solutions Ltd. He has 22 years experience in IT and is a community leader at Windows Management User Group (WMUG) and blogs at sccmentor.com.
Microsoft has made the ability to change your business’ Mobile Device Management (MDM) authority a lot easier with the release of Intune 1705.
A feature of this release is that you no longer need to contact Microsoft Support to switch the authority and you no longer need to unenroll and reenroll devices to achieve this.
A caveat to this, however, is that you must be running System Center Configuration Manager 1610 and above to have the option to switch authority.
If you are running earlier releases then you must still contact MS directly, so there’s no better time to upgrade to SCCM Current Branch’s latest version, 1702, to take advantage of some of the other great features being implemented, such as full support for Windows 10, the Content Management Gateway for managing Internet based clients, Software Points in boundary groups, Content Library Cleanup tool and many more.
There are some considerations to take note of when changing your MDM authority and we will be discussing these in this article, as well as taking you through the steps to change from either hybrid Intune (incorporated into SCCM) to standalone Intune or vice versa.
Before Changing your Authority
The following information should be taken into account before you change your MDM authority. They're considerations and preparation work that will put you in a position to make the change.
- You must be running SCCM Current Branch 1610 or above, if you are running earlier releases of Current Branch then use in-console Servicing to get you to 1610 or the latest release. If you are running SCCM 2012 then assess your businesses readiness to upgrade the site to Current Branch. The TechNet Current Branch supported configuration documents are a good place to start investigating those requirements. Be aware of some of the important support statements around SQL versions required for SCCM CB and note that Windows Server 2008R2 is no longer supported for site servers and most site system roles from SCCM CB 1702. Also consider some of the deprecated features of Current Branch that should be considered within your business before upgrading, such as no support for Windows XP or Server 2003/2003R2 clients.
- Check that the user that is assigned to change the MDM authority has an EMS/Intune licence assigned against their account and that the user can sign into the Intune portal before making the switch.
- An extremely important consideration when managing iOS devices in your environment is that the Apple Push Notification service (APNs) certificate, that is used to manage the devices, is renewed and assigned back to the new Intune authority. If a different APN certificate is used to manage the authority, then all the devices will become unenrolled. It is therefore imperative that the correct APN certificate is identified before it is assigned to the tenant.
Hybrid to Standalone considerations
The following considerations must be taken into account when making the change to standalone Intune.
- Ensure that the users being migrated have an EMS/Intune licence assigned against their account prior to changing the authority. Address each user that does not have a licence assigned.
- Remove any Device Enrollment Manager roles that have been configured in SCCM. To do this go to Administration\Cloud Services\Microsoft Intune Subscriptions within the Configuration Manager console. Right click the Microsoft Intune Subscriptions and select Properties. Remove all the roles in the Device Enrollment Manager tab.
- Remove any device categories that the business has created. To do this go to Assets and Compliance\Overview, right click Device Collections and choose Manage Device Categories. Delete any configured categories.
- The account that is used to access the Apple Push Notification service (APNs) certificate should be identified and its login details should be known, so that the current APN can be renewed and assigned to the new MDM authority.
Standalone to Hybrid considerations
The following considerations must be taken into account when making the change to hybrid Intune.
- Ensure that users managed by standalone Intune are added to a collection in SCCM. This collection will then be used when configuring the subscription for Intune in the SCCM console.
- Ensure that the Admin user with the Intune/EMS license assigned to them is added to the collection in SCCM.
- Check the Intune portal MDM authority is set to Intune. To do this go to More Services\Monitoring + Management\Intune\Device enrollment\Overview. Note that if the authority reports, Managed by Intune and Office 365, then you need to change your licence for those users to Intune or Enterprise Mobility as Office 365 managed MDM devices will no longer be managed if you changed to a hybrid authority.
- Remove the Device Enrollment Manager role and turn off device group mapping in Intune.
When you change the MDM authority it can take up to 8 hours for devices to connect and synchronise with the service after the change so bear this in mind.
With all the considerations met, you will need to ensure that you are creating replacement profiles, policies and apps within the new MDM authority to replace the existing, these will not be migrated over. It is recommended that the new settings, that will be configured, are created with the same name as the old settings. This ensures that the old settings are overwritten and that no redundant policies or profiles are left on the devices.
Be sure to recreate WiFi, VPN, Configuration and Certificate profiles, Mobile Application Management (MAM) and Mobile App Configuration policies and ensure that all applications are addressed.
- If moving to standalone Intune, analyse the SCCM collections to determine how deployment has been assigned to resources or applications and replicate in Intune.
- If moving to hybrid Intune, any synchronised groups in Azure AD can easily be assigned to SCCM collections from local AD, however if dynamic user or device assignment has been configured in Azure, then the criteria for assignment needs to be analysed and then created accordingly as query based collections in SCCM.
It is worth noting that there is an interim period when a device is offline when the change in MDM authority occurs and when the device checks back in with the service. To ensure that devices remain protected in that period, the following profiles will remain on the device for up to 7 days before they are overwritten with the new settings:
- Email profile
- VPN profile
- Certificate profile
- WiFi profile
- Configuration profiles
There's quite a lot to take in and prepare upfront but once you have everything in place then you are ready to make the change in your MDM authority. The steps you have to perform to achieve this are, however, fairly painless. Let's take a look at these now, starting with a change to a standalone MDM authority.
Changing from a hybrid to standalone MDM authority
In the SCCM console, go to Administration\Cloud Services\Microsoft Intune Subscriptions, right click the subscription and choose Delete.
In the Remove Microsoft Intune Wizard, select the Change MDM Authority to Microsoft Intune option.
You'll be warned that you'll need to recreate any apps and policies. If you've followed the advice in the previous section then you'll be in a good place to proceed.
Now you will need to sign into Intune with your organisational account and proceed through the wizard. In the Azure Portal you'll note that the MDM authority is no longer set and you will need to configure this to Intune.
Enabling enrollment for iOS devices in standalone Intune
If you are managing iOS devices, then you will need to renew the APN certificate and upload to Intune. To do this, I found it easier to use the old Intune portal at https://admin.manage.microsoft.com. Go to Administration\Mobile Device Management\iOS and Mac OS X and click Upload an APNs Certificate. Download the generated .csr file.
Connect to https://identity.apple.com and sign in with the account that manages your Apple APNs. Select the correct APN certificate and click Renew. Remember, this must be the APN certificate that is currently being used within SCCM so that devices continue to be enrolled, if you get this wrong then all devices will need to be un-enrolled and re-enrolled.
Upload the .csr file and when this completes you will be able to download the .pem certificate.
Back in the Intune console, click the Upload the APNs Certificate button.
Once uploaded, iOS and Mac OS X devices will continue to use the new MDM authority or be ready for enrollment.
These complete the steps you need to take to move the MDM authority to standalone. Now let's take a look at the move to a hybrid MDM authority.
Changing from standalone to a hybrid MDM authority
In the SCCM console, go to Administration\Cloud Services\Microsoft Intune Subscriptions, right click and choose Add Microsoft Intune Subscription.
Sign into Intune with your organisational account and click through the wizard. When prompted, select to Change the MDM authority to Configuration Manager.
If you have followed the key considerations stated previously, then you should have a pre-populated collection for all your Intune users within the SCCM console. If you haven't, then create one at this stage, once created point the General Configuration\Collection option to the collection. Complete the Microsoft Intune Wizard accordingly.
Enabling enrollment for mobile devices in Hybrid Intune
As with the change to standalone Intune, you will need to enable enrollment for iOS devices in hybrid Intune. To kick start this process, go to Administration\Cloud Services\Microsoft Intune Subscriptions. Right click and choose Create APNs certificate request. Save the .csr locally.
Connect to https://identity.apple.com and sign in with the account that manages your Apple APNs. Select the correct APN certificate and click Renew. Remember, as before, this must be the APN certificate that is currently being used within SCCM so that devices continue to be enrolled, if you get this wrong then all devices will need to be un-enrolled and re-enrolled.
Upload the .csr file and when this completes you will be able to download the .pem certificate.
Back in the SCCM console, go to Administration\Cloud Services\Microsoft Intune Subscription, and choose Configure Platforms\iOS.
Enable iOS enrollment and browse to the APN certificate to complete the process.
To finalise the enrollment of mobile devices remember to switch on enrollment of Android and Windows based devices also from the Administration\Cloud Services\Microsoft Intune Subscription\Configure Platforms menu.
Completing the process
With the change in MDM authority having taken place, the Intune service will send out a notification to enrolled devices to check-in and synchronise. End users are able to manually check-in with the new authority by manually running a check-in from their device. Administrators will be able to verify that devices appear in the new MDM authority - either the Azure Portal or the SCCM console. Note that it can take up to a week for compliance data to report back in to the new MDM authority, even though the device is protected.