Microsoft Endpoint Manager tenant attach: Device sync and device actions

Applies to: Configuration Manager (current branch)

Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center. You can upload your Configuration Manager devices to the cloud service and take actions from the Devices blade in the admin center.

Prerequisites

  • An account that is a Global Administrator for signing in when applying this change. For more information, see Azure Active Directory (Azure AD) administrator roles.

    • Onboarding creates a third-party app and a first party service principal in your Azure AD tenant.
  • An Azure public cloud environment.

    • The Upload to Microsoft Endpoint Manager admin center option is disabled for Microsoft Azure China 21Vianet (Azure China Cloud) and Azure US Government Cloud.
  • The user accounts triggering device actions have the following prerequisites:

  • If your central administration site has a remote provider, then follow the instructions for the CAS has a remote provider scenario in the CMPivot article.

This feature supports all OS versions that Configuration Manager currently supports as a client. For more information, see Supported OS versions for clients and devices.

Internet endpoints

  • https://aka.ms/configmgrgateway

  • https://*.manage.microsoft.com

  • https://dc.services.visualstudio.com

The service connection point makes a long standing outgoing connection to the notification service hosted on https://*.manage.microsoft.com. Verify the proxy used for the service connection point doesn't time out outgoing connections too quickly. We recommend 3 minutes for outgoing connections to this internet endpoint.

If your environment has proxy rules to allow only specific certificate revocation lists (CRLs) or online certificate status protocol (OCSP) verification locations, also allow the following CRL and OCSP URLs:

  • http://crl3.digicert.com
  • http://crl4.digicert.com
  • http://ocsp.digicert.com
  • http://www.d-trust.net
  • http://root-c3-ca2-2009.ocsp.d-trust.net
  • http://crl.microsoft.com
  • http://oneocsp.microsoft.com
  • http://ocsp.msocsp.com
  • http://www.microsoft.com/pkiops

Starting in version 2010, the service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud service is available. They also help you troubleshoot issues by quickly determining whether network connectivity is the problem. For more information, see Validate internet access.
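The following script is an added example, not part of the Microsoft documentation. Run it on the service connection point to confirm that each endpoint and CRL/OCSP URL listed above answers through the proxy the site system uses. The URL list is taken from this page; the proxy address, the 30-second timeout and the output shape are assumptions.

```powershell
<#
  Added example (not from the Microsoft documentation). Checks that the tenant attach
  endpoints and the CRL/OCSP URLs listed on the page are reachable from the service
  connection point. Proxy address and timeout are assumptions.
#>
param(
    # Explicit proxy the service connection point is configured with, for example
    # 'http://proxy.corp.example:8080' (placeholder). Leave empty to use the machine defaults.
    [string]$Proxy = ''
)

# Endpoints the service connection point must reach (from the page).
$serviceUrls = @(
    'https://aka.ms/configmgrgateway',
    'https://*.manage.microsoft.com',
    'https://dc.services.visualstudio.com'
)

# Revocation-check locations that must also be allowed when the proxy restricts CRL/OCSP (from the page).
$revocationUrls = @(
    'http://crl3.digicert.com',
    'http://crl4.digicert.com',
    'http://ocsp.digicert.com',
    'http://www.d-trust.net',
    'http://root-c3-ca2-2009.ocsp.d-trust.net',
    'http://crl.microsoft.com',
    'http://oneocsp.microsoft.com',
    'http://ocsp.msocsp.com',
    'http://www.microsoft.com/pkiops'
)

function Test-TenantAttachUrl {
    param([string]$Url)

    # A wildcard host cannot be requested directly. The notification service host name is not
    # listed on the page, so report it here and test a concrete host from your proxy logs separately.
    if ($Url -match '\*') {
        return [pscustomobject]@{ Url = $Url; Reachable = $null; Status = 'wildcard: test a concrete host' }
    }

    $request = @{
        Uri             = $Url
        Method          = 'Head'
        UseBasicParsing = $true
        TimeoutSec      = 30          # assumption: long enough to tell "blocked" from "slow"
        ErrorAction     = 'Stop'
    }
    if ($Proxy) {
        $request.Proxy = $Proxy
        $request.ProxyUseDefaultCredentials = $true
    }

    try {
        $response = Invoke-WebRequest @request
        [pscustomobject]@{ Url = $Url; Reachable = $true; Status = [int]$response.StatusCode }
    }
    catch {
        # Any HTTP status, even 403/404 on a bare host, proves the path through the proxy works.
        # No response at all means DNS, TCP, TLS inspection or the proxy rules stopped the request.
        $status = $_.Exception.Response.StatusCode
        if ($null -ne $status) {
            [pscustomobject]@{ Url = $Url; Reachable = $true; Status = [int]$status }
        }
        else {
            [pscustomobject]@{ Url = $Url; Reachable = $false; Status = $_.Exception.Message }
        }
    }
}

$results = foreach ($url in ($serviceUrls + $revocationUrls)) { Test-TenantAttachUrl -Url $url }
$results | Format-Table -AutoSize

# Every row with Reachable = False is an allow-list gap to close before onboarding.
$results | Where-Object { $_.Reachable -eq $false }
```

Run it as `.\Test-TenantAttachEndpoints.ps1 -Proxy 'http://proxy.corp.example:8080'` (placeholder file and proxy names). A TLS error on an https endpoint usually means the proxy is inspecting traffic with a certificate the server does not trust, which would also break the service connection point. The script sends short requests only, so it does not exercise the long-standing notification connection; the 3-minute outgoing idle timeout recommended above still has to be confirmed in the proxy configuration itself.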

Enable device upload when co-management is already enabled

If you have co-management enabled currently, you'll use the co-management properties to enable device upload. When co-management isn't already enabled, use the Configure co-management wizard to enable device upload instead.

When co-management is already enabled, edit the co-management properties to enable device upload using the instructions below:

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.
  2. In the ribbon, select Properties for your co-management production policy.
  3. In the Configure upload tab, select Upload to Microsoft Endpoint Manager admin center. Select Apply.
    • The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.
    • Starting in Configuration Manager version 2010, when a single collection is selected, its child collections are also uploaded.
  4. Check the option to Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you also want to get insights to optimize the end-user experience in Endpoint Analytics.

Important

When you enable Endpoint analytics data upload, your default client settings will be automatically updated to allow managed endpoints to send relevant data to your Configuration Manager site server. If you use custom client settings, you may need to update and re-deploy them for data collection to occur. For more details on this, as well as how to configure data collection, such as to limit collection only to a specific set of devices, see the section on Configuring Endpoint analytics data collection.

Upload devices to Microsoft Endpoint Manager admin center

  1. Sign in with your Global Administrator account when prompted.
  2. Select Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.
  3. Choose OK to exit the co-management properties once you're done making changes.

Enable device upload when co-management isn't enabled

If you don't have co-management enabled, you'll use the Configure co-management wizard to enable device upload. You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune. All devices managed by Configuration Manager that have Yes in the Client column will be uploaded. If needed, you can limit upload to a single device collection. If co-management is already enabled in your environment, edit the co-management properties to enable device upload instead.

When co-management isn't enabled, use the instructions below to enable device upload:

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.

  2. In the ribbon, select Configure co-management to open the wizard.

  3. On the Tenant onboarding page, select AzurePublicCloud for your environment. Azure Government Cloud and Azure China 21Vianet aren't supported.

  4. Select Sign In. Use your Global Administrator account to sign in.

  5. Ensure the Upload to Microsoft Endpoint Manager admin center option is selected on the Tenant onboarding page.

    • Make sure the option Enable automatic client enrollment for co-management isn't checked if you don't want to enable co-management now. If you do want to enable co-management, select the option.
    • If you enable co-management along with device upload, you'll be given additional pages in the wizard to complete. For more information, see Enable co-management.

    Co-management Configuration Wizard

  6. Choose Next and then Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.

  7. On the Configure upload page, select the recommended device upload setting for All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.

    • Starting in Configuration Manager version 2010, when a single collection is selected, its child collections are also uploaded.
  8. Check the option to Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you also want to get insights to optimize the end-user experience in Endpoint Analytics.

  9. Select Summary to review your selection, then choose Next.

  10. When the wizard is complete, select Close.

Perform device actions

  1. In a browser, navigate to endpoint.microsoft.com

  2. Select Devices then All devices to see the uploaded devices. You'll see ConfigMgr in the Managed by column for uploaded devices.

    All devices in Microsoft Endpoint Manager admin center

  3. Select a device to load its Overview page.

  4. Choose any of the following actions:

    • Sync Machine Policy
    • Sync User Policy
    • App Evaluation Cycle

    Device overview in Microsoft Endpoint Manager admin center

Import a previously created Azure AD application (optional)

(Introduced in version 2006)

During a new onboarding to tenant attach, an administrator can specify a previously created application. Don't share or reuse Azure AD applications across multiple hierarchies. If you have multiple hierarchies, create a separate Azure AD application for each.

From the Tenant onboarding page in the Co-management Configuration Wizard, select Optionally import a separate web app to synchronize Configuration Manager client data to Microsoft Endpoint Manager admin center. This option will prompt you to specify the following information for your Azure AD app:

  • Azure AD tenant name
  • Azure AD tenant ID
  • Application name
  • Client ID
  • Secret key
  • Secret key expiry
  • App ID URI
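The following script is an added example, not part of the Microsoft documentation or of Configuration Manager. It uses the Microsoft Graph PowerShell module to register one dedicated Azure AD application for one hierarchy, bounds the secret lifetime, and prints the seven values the import option above prompts for. The application name, the 180-day secret lifetime and the `api://<client id>` form of the App ID URI are assumptions; the API permissions the application needs are not shown on this page and still have to be granted before onboarding.

```powershell
<#
  Added example (not from the Microsoft documentation). Registers a dedicated Azure AD
  application for a single Configuration Manager hierarchy and outputs the values the
  "Optionally import a separate web app" option asks for. Requires the Microsoft.Graph module.
  Names, secret lifetime and App ID URI format are assumptions; required API permissions
  are not covered here and must be granted separately.
#>
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$hierarchyName = 'CM-Hierarchy-01'                       # placeholder: one app per hierarchy, never shared
$appName       = "ConfigMgr-TenantAttach-$hierarchyName"
$secretDays    = 180                                     # assumption: bound the secret lifetime and track expiry

# Tenant name and ID for the wizard.
$org    = Get-MgOrganization | Select-Object -First 1
$tenant = ($org.VerifiedDomains | Where-Object { $_.IsDefault }).Name

# Single-tenant registration; the App ID URI is set once the client ID is known.
$app      = New-MgApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg'
$appIdUri = "api://$($app.AppId)"
Update-MgApplication -ApplicationId $app.Id -IdentifierUris @($appIdUri)

# Client secret with an explicit end date; SecretText is only returned at creation time.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'tenant-attach'
    EndDateTime = (Get-Date).AddDays($secretDays)
}

# The seven values the Co-management Configuration Wizard prompts for.
[pscustomobject]@{
    'Azure AD tenant name' = $tenant
    'Azure AD tenant ID'   = $org.Id
    'Application name'     = $appName
    'Client ID'            = $app.AppId
    'Secret key'           = $secret.SecretText      # store in a secret vault, not in a ticket or e-mail
    'Secret key expiry'    = $secret.EndDateTime
    'App ID URI'           = $appIdUri
}
```

Record the expiry date somewhere that is reviewed: when the secret lapses, device upload stops until a new secret is generated and entered in the co-management properties.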

Azure AD application permissions and configuration

Using a previously created application during onboarding to tenant attach requires the following permissions:

Display the Configuration Manager connector status from the admin console

From the Microsoft Endpoint Manager admin center, you can review the status of your Configuration Manager connector. To display the connector status, go to Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager. Select a Configuration Manager hierarchy running version 2006 or later to display additional information about it.

Microsoft Endpoint Configuration Manager connector in the admin center

Note

Some information isn't available if the hierarchy is running Configuration Manager version 2006.

Offboard from tenant attach

While we know customers get enormous value by enabling tenant attach, there are rare cases where you might need to offboard a hierarchy. You can offboard from either the Configuration Manager console (recommended method) or from the Microsoft Endpoint Manager admin center.

Offboard from the Configuration Manager console

When tenant attach is already enabled, edit the co-management properties to disable device upload and offboard.

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.
  2. In the ribbon, select Properties for your co-management production policy.
  3. In the Configure upload tab, remove the Upload to Microsoft Endpoint Manager admin center selection.
  4. Select Apply.

Offboard from the Microsoft Endpoint Manager admin center

If needed, you can offboard a Configuration Manager version 2006 or later hierarchy from the Microsoft Endpoint Manager admin center. For example, you may need to offboard from the admin center following a disaster recovery scenario where the on-premises environment was removed. Follow the steps below to remove your Configuration Manager hierarchy from the Microsoft Endpoint Manager admin center:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Tenant administration then Connectors and tokens.
  3. Select Microsoft Endpoint Configuration Manager.
  4. Choose the name of the site you would like to offboard, then select Delete.
    • This option is only visible for sites running Configuration Manager version 2006 or later.

When you offboard a hierarchy from the admin center, it may take up to two hours to remove from the Microsoft Endpoint Manager admin center. If you offboard a Configuration Manager 2103 or later site that's online and healthy, the process may only take a few minutes.

Next steps