<h1>Migrating mobile device management to Intune in the Azure portal</h1>
<p>Microsoft Inside Track blog. Published 2018-05-25; last modified 2023-06-09. Source: https://www.microsoft.com/insidetrack/blog/migrating-mobile-device-management-to-intune-in-the-azure-portal/</p>
<p>This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.</p>
<p>In a cloud-only future, our streamlined infrastructure will support modern management of personal and corporate devices on the Microsoft network. To progress toward this vision, we migrated our hybrid mobile device management (MDM) configuration to Microsoft Intune in the Azure portal because it offers greater scalability and ease of management. Our migration process and tools import data from Configuration Manager, providing an easy, phased transition that has been transparent for employees.</p>
<p>Microsoft employees use various operating systems across a wide range of corporate and personal device types for work. Microsoft Digital traditionally managed mobile devices and applications through a common set of tools in a hybrid environment of System Center Configuration Manager and Microsoft Intune. To accelerate modern management for Windows 10, we’ve recently started the transition to standalone mobile device management (MDM) using Microsoft Intune in the Azure portal.</p>
<p>Hybrid MDM uses Intune as the cloud delivery channel for policies, profiles, and applications to devices, and Configuration Manager on-premises infrastructure to administer content and manage the devices. The hybrid implementation uses the same on-premises infrastructure and administrative console to manage mobile devices with Intune, and PCs and servers with the Configuration Manager client. As we move toward a cloud-only future and modern management, we’re working to streamline our physical infrastructure and reduce the overall number of traditionally managed clients to provide a modern workplace that’s always updated, always protected, and easily scalable.</p>
<p>More personal devices are being used for work, and more of our identity services are moving to the cloud. The number of traditionally domain-joined PCs at Microsoft is beginning to trend down, and the number of devices managed through Intune is trending upward. Scalability and ease of management are two of the key factors in our decision to migrate to Intune in the Azure portal as our modern service platform. Intune in the Azure portal provides many advanced features, such as:</p>
<p>Previously, moving from hybrid MDM, using Configuration Manager and Intune, to Intune in the Azure portal required a one-time authority switch. This approach was challenging because it required IT to move the entire tenant at once and forced administrators to reconfigure all settings in Intune, including re-enrolling all devices. To provide an easier transition, Microsoft introduced a new migration process for moving from hybrid to standalone Intune in a phased manner without disrupting the end-user experience. The new process consists of three components: Microsoft Intune Data Importer, mixed authority, and an improved MDM authority switch.</p>
<p>Microsoft Intune Data Importer is a new administrator tool that’s designed to automatically copy device management data created in Configuration Manager to an Intune environment. Importable objects include configuration items, certificate profiles, email profiles, VPN profiles, wireless network profiles, compliance policies, terms and conditions, and apps. The importer tool helps address one of the biggest challenges we were facing when looking at moving from hybrid to standalone—the need to recreate all profiles, policies, and apps.</p>
<h3>Mixed authority</h3>
<p>Using mixed authority, we can selectively migrate users from our existing hybrid MDM configuration to Intune in controlled phases. This means that we can now migrate some groups of users to the standalone implementation while continuing to use the hybrid MDM environment for the remaining users and devices. After a user is migrated, we can use Intune to create and deploy policies, initiate remote actions, and enroll new devices.</p>
<p><strong>Note:</strong> Tenant-level policies, such as our iOS APNs certificate, will function for users and devices managed by either hybrid MDM or Intune, but will be editable only via the Configuration Manager console while we’re using mixed authority mode.</p>
<h3>Improved MDM authority switch</h3>
<p>After we’re satisfied with testing Intune in the Azure portal, we can initiate a tenant MDM authority switch through the Configuration Manager console to migrate the remaining users from the hybrid MDM environment. All the policies and apps that were migrated from the Configuration Manager console, as well as tenant-level policies, will be available for configuration in the Intune console. Most importantly, enrolled devices aren’t required to re-enroll—making the migration entirely transparent to users.</p>
<h2>Migrating our hybrid environment to standalone</h2>
<p>We strive to provide employees a consistent experience regardless of the device they use, how often they use it, or what platform it runs on. At Microsoft, we require any device that’s used for work to be enrolled in Intune or domain-joined in Active Directory or Azure AD. We have approximately 300,000 domain-joined devices that we manage with System Center Configuration Manager, and approximately 125,000 devices that we manage using Intune, including:</p>
<p>Before we allow any device to access corporate resources such as email, SharePoint Online, Skype for Business, OneDrive for Business, or any applications or services built on Office 365, we need to make sure that:</p>
<h3>Solution architecture</h3>
<p>We started our migration using a phased approach that allows us to migrate and test subsets of users and devices while the remaining users and devices are still being managed by our hybrid MDM environment. We wanted to make sure that the migration process would be transparent to our users.</p>
<h3>Assessing our hybrid environment</h3>
<p>As part of our pre-migration assessment, we ran the Intune Data Importer tool, without performing the actual import, to collect data about objects we selected from our Configuration Manager hierarchy. Importing Configuration Manager data to Microsoft Intune saves us time by automating the process of recreating objects from Configuration Manager in Intune, and it provides details about the objects we can import and information about the objects that can’t be imported. This step was useful in helping us identify which objects would need to be recreated in Intune rather than imported—helping us better plan our migration phases and more accurately estimate the time required to mitigate the objects that had errors.</p>
<p>While analyzing the information about importable objects and errors, we took the opportunity to identify stale or obsolete objects—such as test apps, idle devices, or outdated policies—that might no longer be required. Beyond simply being an exercise in our migration process, this activity gave us an opportunity to look critically at our processes and to streamline our environment—this is key toward our goal of implementing cloud-only, modern management at Microsoft.</p>
<h3>Preparing Intune</h3>
<p>After assessing our environment, we began the task of preparing Intune for user migration. As a prerequisite, we needed to validate that we had Intune license assignments for all users. Because we were coming from a hybrid environment, we already had Network Device Enrollment Service and Exchange connectors installed. We also needed to ensure that all the required administrative access permissions for Configuration Manager and Intune were granted.</p>
<p><strong>Note:</strong> If you’re not already an Azure AD tenant admin, an Azure AD admin will need to make the Intune Data Importer tool a registered app in Azure AD and grant access to the users who will be performing the migration.</p>
<p>We decided which Intune roles, and their scope and assignments, we needed. Examples include app manager, policy manager, profile manager, and helpdesk operator. We then created Azure AD groups and made object assignments to these groups.</p>
<h3>Planning and testing our migration approach</h3>
<p>We can configure a mixed MDM authority to change the MDM authority for specific users within the same tenant by selecting some users to be managed in Intune while all other devices continue to be managed with hybrid MDM. As part of planning and testing our approach, we created a small number of test accounts and enrolled those devices in hybrid MDM. We added those test accounts to a migration Active Directory security group. Because groups can be synced to Azure AD groups, deployments for the imported objects can be imported if the user collections in Configuration Manager are based on Active Directory groups. Deployments will appear as assignments in the Intune console.</p>
<p>After we migrated the test migration group and validated the functionality of objects imported from Configuration Manager and those that were newly created, we excluded the migration collection from Configuration Manager. After the migration user collection was updated, Intune cloud user sync removed the users from Configuration Manager and Intune hybrid MDM, and the standalone Intune environment became their management authority.</p>
<h3>Migrating users in controlled phases</h3>
<p>After we finished pre-migration planning and testing, we began migrating small groups of users. As each group was migrated and its functionality validated, we increased the number of targeted users in each phase.</p>
<h4>Performing test cases to validate end-to-end device manageability</h4>
<p>Mixed authority made it possible for us to test that standalone functionality was working as expected, for each small subset of users, on the migration collection before we started migrating additional users. Our migration testing included:</p>
<p>As soon as we complete the migration of all the remaining users, we will initiate the MDM authority switch from Configuration Manager and Intune to Intune in the Azure portal.</p>
<h3>Changing our MDM authority to Intune</h3>
<p>Changing our MDM authority to Intune is the last phase, and final milestone, of our migration. After we ensured that all users and devices managed by hybrid MDM were successfully migrated to Intune, we completed the steps in the Configuration Manager console to delete our existing Intune subscription and change our tenant-level MDM authority.</p>
<h2>Reporting</h2>
<p>We rely on reporting for planning, analyzing business logic, and demonstrating service accountability through metrics. There are three options available for reporting, and we’re currently using all three based on our business needs:</p>
<h2>Lessons learned</h2>
<h2>Next steps</h2>
<p>If you’re thinking about deploying Microsoft Intune and aren’t sure which environment is best for you, read Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager to help you decide. If you have hybrid MDM and have decided to migrate, download the Microsoft Intune Data Importer and see Start migrating from hybrid MDM to Intune standalone.</p>