Tenant Attach is a new feature in ConfigMgr 2002. It allows you to get ConfigMgr based devices into the Endpoint Manager console in the cloud and perform some basic tasks against them. You don’t need to have stood up any co-management to achieve this but if you want to management them beyond the basic actions, then co-man is something you will need to configure. Basically a tenant attached device will NOT be MDM enrolled.
Audio Guide – Beta
Make sure you stand up the following pre-requisites to be able to use Tenant Attach.
- ConfigMgr 2002 as a minimum
- A global admin is needed when setting up the services.
- An Azure public cloud environment
- User account triggering the device actions to have the following:
- Discovered with both AAD user discovery and Active Directory user discovery
- The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Endpoint Manager admin center
If you need to allow access to Internet Endpoints then the following are required:
Enabling Tenant Attach in the ConfigMgr Console
In the ConfigMgr console, navigate to Administration\Overview\Cloud Services\Co-management. Right click and choose Configure co-management. As you can from my screenshot, this is grayed out as I have already enabled co-man in my environment.
In this wizard, select AzurePublicCloud in the Tenant Onboarding screen and sign in with your global administrator account. Ensure Enable automatic client enrollment for co-management is deselected. Click Next.
For the Configure Upload section, enable Upload to Microsoft Endpoint Manager admin center.
Let’s dig a little deeper on these settings now, on a site which already has co-man enabled and show you how to check the logs to show things are happening.
On a device with co-man enabled, right click CoMgmtSettingsProd in Administration\Overview\Cloud Services\Co-management ad choose Properties.
Click the Configure Upload tab and enable Upload to Microsoft Endpoint Manager admin center. At this stage you can choose to sync all devices or select a collection to target. This would be the same if you were following the creation of co-management previously or if you are editing an existing co-managed site. Click Apply.
You’ll need to authenticate with a Global Admin account.
Click OK to Create AAD Application when prompted. This action provisions a service principal and creates an Azure AD application registration which allows the sync to occur.
Take a look at the CMGatewaySyncUploadWorker.log on the site server. In particular, the Batching records entry. This will tell you that a number of devices are being synched up.
Note that uploads, for changes, will occur every 15 minutes and devices take approx. 5 to 10 minutes to then appear in the Microsoft Endpoint Manager admin center.
Performing actions against the device
In the Microsoft Endpoint Manager admin center, in the Devices\All devices section, you’ll see the uploaded devices.
By clicking on a device you can see that you now have actions you can perform against it, namely:
- Sync machine policy
- Sync user policy
- App evaluation cycle
When selecting an action, click Yes to initiate.
You’ll see the action report as pending.
and if successful it will report back as completed.
As you can see, enabling Tenant Attach is extremely simple and puts you one step forward to managing devices in a single console. It’s the future!
Thanks Paul. What and where is “The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Endpoint Manager admin center” ?
This is a role you can assign to in Intune admin role. So if you create a custom role you’ll see it listed as an option https://docs.microsoft.com/en-us/mem/intune/fundamentals/create-custom-role. Some of the built in roles already have this ability. It just allows that admin to send an action to endpoint – such as machine policy retrieval. Cheers Paul