Microsoft Endpoint Manager tenant attach: Device sync and device actions

Applies to: Configuration Manager (current branch)

Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center.

Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service and take actions from the Devices blade in the admin center.

Prerequisites

  • An account that is a Global Administrator for signing in when applying this change. For more information, see Azure Active Directory (Azure AD) administrator roles.
    • Onboarding creates a third-party app and a first party service principal in your Azure AD tenant.
  • An Azure public cloud environment.
  • The user accounts triggering device actions have the following prerequisites:
  • If your central administration site has a remote provider, then follow the instructions for the CAS has a remote provider scenario in the CMPivot article.

Internet endpoints

  • https://aka.ms/configmgrgateway

  • https://*.manage.microsoft.com

  • https://dc.services.visualstudio.com

The service connection point makes a long-standing outgoing connection to the notification service hosted on https://*.manage.microsoft.com. Verify that the proxy used for the service connection point doesn't time out outgoing connections too quickly. We recommend 3 minutes for outgoing connections to this internet endpoint.
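As an added example (not part of the original article), the following PowerShell script, run on the service connection point, confirms that each endpoint listed above is reachable through the system proxy and reports how long each connection took. The host under *.manage.microsoft.com varies per tenant, so $ManageHost is a placeholder you replace with the host seen in your own logs.

```powershell
# Added example: check tenant attach endpoints from the service connection point
# through the WinHTTP/system proxy that Invoke-WebRequest honours by default.
$ManageHost = 'PLACEHOLDER.manage.microsoft.com'   # assumption: replace with your actual host
$Endpoints = @(
    'https://aka.ms/configmgrgateway',
    "https://$ManageHost",
    'https://dc.services.visualstudio.com'
)
# The article recommends at least 3 minutes for outgoing connections to these endpoints.
$TimeoutSeconds = 180

foreach ($Url in $Endpoints) {
    $Watch = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Any HTTP status code proves the TLS connection through the proxy succeeded.
        $Response = Invoke-WebRequest -Uri $Url -Method Head -TimeoutSec $TimeoutSeconds `
                                      -UseBasicParsing -ErrorAction Stop
        $Status = [int]$Response.StatusCode
    } catch {
        # A non-2xx response still proves reachability; a timeout or proxy error does not.
        $Resp = $_.Exception.Response
        if ($Resp) { $Status = [int]$Resp.StatusCode }
        else { $Status = "FAILED: $($_.Exception.Message)" }
    }
    $Watch.Stop()
    [pscustomobject]@{
        Endpoint = $Url
        Status   = $Status
        Seconds  = [math]::Round($Watch.Elapsed.TotalSeconds, 2)
    }
}
```

A FAILED row points at DNS, firewall or proxy allow-list problems; the proxy's idle-timeout setting itself still has to be confirmed in the proxy configuration, since a short HEAD request never stays open for 3 minutes.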

Enable device upload when co-management is already enabled

If you have co-management enabled currently, you'll use the co-management properties to enable device upload. When co-management isn't already enabled, use the Configure co-management wizard to enable device upload instead.

When co-management is already enabled, edit the co-management properties to enable device upload using the instructions below:

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.

  2. In the ribbon, select Properties for your co-management production policy.

  3. In the Configure upload tab, select Upload to Microsoft Endpoint Manager admin center. Select Apply.

    • The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.
  4. Check the option to Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you also want to get insights to optimize the end-user experience in Endpoint Analytics.

    [Screenshot: Upload devices to Microsoft Endpoint Manager admin center]

  5. Sign in with your Global Administrator account when prompted.

  6. Select Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.

  7. Choose OK to exit the co-management properties once you're done making changes.

Enable device upload when co-management isn't enabled

If you don't have co-management enabled, you'll use the Configure co-management wizard to enable device upload. You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune. All devices managed by Configuration Manager that have Yes in the Client column will be uploaded. If needed, you can limit upload to a single device collection. If co-management is already enabled in your environment, edit the co-management properties to enable device upload instead.

When co-management isn't enabled, use the instructions below to enable device upload:

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.

  2. In the ribbon, select Configure co-management to open the wizard.

  3. On the Tenant onboarding page, select AzurePublicCloud for your environment. Azure Government Cloud and Azure China 21Vianet aren't supported.

  4. Select Sign In. Use your Global Administrator account to sign in.

  5. Ensure the Upload to Microsoft Endpoint Manager admin center option is selected on the Tenant onboarding page.

    • Make sure the option Enable automatic client enrollment for co-management isn't checked if you don't want to enable co-management now. If you do want to enable co-management, select the option.
    • If you enable co-management along with device upload, you'll be given additional pages in the wizard to complete. For more information, see Enable co-management.

    [Screenshot: Co-management Configuration Wizard]

  6. Choose Next and then Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.

  7. On the Configure upload page, select the recommended device upload setting for All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.

  8. Check the option to Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you also want to get insights to optimize the end-user experience in Endpoint Analytics.

  9. Select Summary to review your selection, then choose Next.

  10. When the wizard is complete, select Close.

Perform device actions

  1. In a browser, navigate to endpoint.microsoft.com.

  2. Select Devices then All devices to see the uploaded devices. You'll see ConfigMgr in the Managed by column for uploaded devices.

    [Screenshot: All devices in Microsoft Endpoint Manager admin center]

  3. Select a device to load its Overview page.

  4. Choose any of the following actions:

    • Sync Machine Policy
    • Sync User Policy
    • App Evaluation Cycle

    [Screenshot: Device overview in Microsoft Endpoint Manager admin center]

Import a previously created Azure AD application (optional)

(Introduced in version 2006)

During a new onboarding to tenant attach, an administrator can specify a previously created Azure AD application instead of letting the wizard create one. Don't share or reuse Azure AD applications across multiple hierarchies. If you have multiple hierarchies, create separate Azure AD applications for each.

From the Tenant onboarding page in the Co-management Configuration Wizard, select Optionally import a separate web app to synchronize Configuration Manager client data to Microsoft Endpoint Manager admin center. This option will prompt you to specify the following information for your Azure AD app:

  • Azure AD tenant name
  • Azure AD tenant ID
  • Application name
  • Client ID
  • Secret key
  • Secret key expiry
  • App ID URI
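Because the secret key you enter here has a fixed expiry, the sync stops working when it lapses. The following PowerShell script is an added example (not part of the original article) that reads the expiry of every client secret on the tenant attach application through the Microsoft Graph PowerShell SDK; $AppName is a placeholder for the Application name you entered, and the script assumes the Microsoft.Graph.Applications module is installed.

```powershell
# Added example: report client secret expiry for the Azure AD app used by tenant attach.
# Application.Read.All returns credential metadata only; the secret value is never exposed.
param(
    [string]$AppName  = 'PLACEHOLDER-TenantAttachApp',   # assumption: your wizard's Application name
    [int]   $WarnDays = 30                               # flag secrets expiring within this window
)
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

$App = Get-MgApplication -Filter "displayName eq '$AppName'" -ErrorAction Stop
if (-not $App) { throw "No Azure AD application named '$AppName' was found." }

$Now = [DateTime]::UtcNow
foreach ($Cred in $App.PasswordCredentials) {
    $DaysLeft = [int][math]::Floor(($Cred.EndDateTime - $Now).TotalDays)
    $State = if ($DaysLeft -lt 0) { 'EXPIRED' }
             elseif ($DaysLeft -le $WarnDays) { 'EXPIRING' }
             else { 'OK' }
    [pscustomobject]@{
        Application = $App.DisplayName
        ClientId    = $App.AppId          # the Client ID entered in the wizard
        SecretHint  = $Cred.Hint          # first characters only, as shown in the portal
        Expires     = $Cred.EndDateTime
        DaysLeft    = $DaysLeft
        State       = $State
    }
}
```

Rotate an EXPIRING secret in Azure AD and update it in the co-management properties before the old one lapses, so device upload continues without interruption.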

Azure AD application permissions and configuration

Using a previously created application during onboarding to tenant attach requires the following permissions:

Next steps