One of the cool new features of Intune release 1705 is the ability to change the MDM authority without contacting Microsoft support and without having to unenroll and reenroll devices. This is a pretty cool feature that people have been waiting on for some time.
So how is it achieved?
Well, first up, you need to be running ConfigMgr Current Branch 1610 or above. There are some key considerations to take into account, which you can view in the Microsoft TechNet documentation, most notably that the transition for devices can take up to 8 hours.
To kick-start the process, fire up the ConfigMgr console and navigate to Administration\Cloud Services\Microsoft Intune Subscriptions, right-click the Microsoft Intune Subscriptions node and choose Properties.
Select the Device Enrollment Manager tab and remove any Device Enrollment Manager roles.
In Assets and Compliance\Overview, right-click Device Collections and choose Manage Device Categories.
Remove any existing device categories.
Next, navigate back to Administration\Cloud Services\Microsoft Intune Subscriptions, right-click the subscription and this time choose Delete.
From the wizard, select the Change MDM Authority to Microsoft Intune option and click Next.
Click Yes to confirm the change.
Now click the Sign In button and sign in to Intune with the account that was originally used to set ConfigMgr as the MDM authority.
Enter the username and password when prompted and sign in.
Click Next at the Summary screen.
Click Close to complete the removal of the subscription.
This process resets the MDM authority, and no subscriptions will exist in the ConfigMgr console afterwards.
Now head to the Intune portal at https://admin.manage.microsoft.com and log in with your tenancy admin account.
Click Admin\Mobile Device Management. You’ll note that no MDM authority exists for Intune. Click Set Mobile Device Management Authority.
This will set Intune as the MDM authority.
You’ll note that the iOS and Mac OS X section reports that No APNs certificate was uploaded. We will address this now so that these devices can be managed.
Note that for APNs we need to renew the existing certificate that was being used by hybrid Intune in ConfigMgr. If we do not use the same certificate, all devices will have to be unenrolled and then reenrolled.
In the Microsoft Intune console, go to Administration\Mobile Device Management\iOS and Mac OS X and click Upload an APNs Certificate.
Next select Download the APNs Certificate Request and save the .csr file.
Connect to https://identity.apple.com and sign in with the account that manages your Apple APNs.
Select the correct APNs certificate and click Renew.
Select the .csr file saved locally and click the Upload button.
Once the upload completes, you will be presented with a Download button. Click this to download the APNs .pem certificate and save the file locally.
Back in the Intune console, click the Upload the APNs Certificate button.
Browse locally to where the .pem file was saved and enter the Apple ID that is used to manage the Apple APNs certificates. Click Upload.
iOS and Mac OS X devices will be ready for enrollment.
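A check worth running on the downloaded .pem before the upload step above, since a certificate that is not a renewal of the hybrid one forces every device to reenroll. This is an added example, not part of the original post or any Microsoft tooling; it assumes you still have the old certificate file, that both file names are placeholders, and that the push topic appears in the certificate subject as a `com.apple.mgmt…` value, the form Apple MDM push certificates normally use.

```powershell
# Added example: confirm the renewed APNs certificate keeps the same push topic
# as the one used in hybrid. Both default paths are placeholders.
param(
    [string]$OldCertPath = '.\old-apns.pem',      # placeholder: certificate used in hybrid
    [string]$NewCertPath = '.\renewed-apns.pem'   # placeholder: file downloaded after Renew
)

function Get-ApnsTopic {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    # Assumption: the topic is the subject's UID attribute (com.apple.mgmt...).
    # .NET may print that attribute as UID= or as its OID, so match on the value.
    $topic = if ($cert.Subject -match 'com\.apple\.mgmt\.[A-Za-z0-9.\-]+') { $Matches[0] } else { $null }
    [pscustomobject]@{
        Path       = $full
        Topic      = $topic
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

$old = Get-ApnsTopic -Path $OldCertPath
$new = Get-ApnsTopic -Path $NewCertPath
$old, $new | Format-List

if (-not $old.Topic -or -not $new.Topic) {
    Write-Warning 'No com.apple.mgmt topic found in one of the files; check that both are APNs MDM push certificates.'
} elseif ($old.Topic -ne $new.Topic) {
    Write-Warning 'Topics differ: this is a new certificate, not a renewal. Uploading it would require devices to reenroll.'
} elseif ($new.NotAfter -le (Get-Date)) {
    Write-Warning 'The renewed certificate has already expired.'
} else {
    Write-Output "Topic unchanged ($($new.Topic)); renewed certificate is valid until $($new.NotAfter)."
}
```

The thumbprints are expected to differ after a renewal; only the topic has to match.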
Devices will now be informed of the change in MDM authority and this process will be seamless with no interruption to the management of the devices.
I recommend you take a look at the full list of Next Steps from the Microsoft documentation to make your transition as smooth as possible.