The cloud has its benefits, but not every IT team is ready to snip their tether to their on-premises management tools just yet.
Many traditional products, such as System Center Configuration Manager (SCCM), connect to the cloud, which removes some technical barriers, such as the need for a VPN. Not all enterprises are the same and many are reluctant to make a complete switch from longstanding operational practices rooted in the data center to one based in the cloud. Microsoft addressed these situations when it developed the tenant attach feature in SCCM that gives an organization a way to gradually shift some management workloads to the cloud.
Microsoft Endpoint Manager (MEM) debuted in late 2019 and combined the capabilities of Intune and SCCM into one web portal called the MEM admin center. To view and manage your devices, you connect SCCM to your tenant.
What is tenant attach for SCCM?
Tenant attach connects your Azure tenant to your on-premises SCCM environment so that you can view and manage devices directly from the web portal at the endpoint.microsoft.com URL.
Tenant attach shows you details for the client, such as collections and real-time client information, and also lets you perform tasks, such as using the resource explorer to view hardware information and deploy applications.
At the time of publication, these tenant-attach features are still in preview:
- client details;
- application installation;
- device timeline;
- resource explorer;
- ability to run scripts;
- CMPivot for tenant-attached devices; and
- endpoint security for tenant-attached devices.
Which problems does tenant attach solve for SCCM administrators?
When you remotely manage devices via the SCCM console, you need a working VPN connection and a PC. With tenant attach, you handle tasks from the web portal through a browser, which gives you the option to manage these devices from any device at any location with an internet connection.
Some examples of everyday IT activities available through the MEM admin center include:
- trigger machine policy;
- trigger user policy;
- trigger an app evaluation cycle;
- deploy applications;
- retrieve reports with the CMPivot query tool; and
- run scripts on clients.
You also see client details, such as when the client was last active, which management point it contacted and the device collection membership.
What are the limitations to tenant attach?
Tenant attach is limited to viewing data and performing basic administrative tasks in your SCCM environment, but the ability to manage your devices from any location makes up for those shortcomings.
The service connection point in SCCM continuously monitors network connectivity and verifies that the cloud service is available. The service connection point produces two log files named CMGatewaySyncUploadWorker.log and CMGatewayNotificationWorker.log for troubleshooting.
Tenant attach does not make the SCCM console obsolete, but Microsoft plans to continue its development in the Microsoft Endpoint Manager admin center to make this a possibility in the future.
What is the difference between tenant attach and co-management?
With co-management, you manage your devices with both SCCM and Microsoft Intune. You have the option of moving workloads, such as software update deployment between either tool. The advantage of co-management is it gives you a phased way to move from an on-premises management framework to the cloud. SCCM still has some features not available in Intune, such as management of Windows Server deployments and software metering.
Tenant attach uses co-management for its configuration, but it does not require devices to be enrolled into Intune or workloads to be switched from SCCM to Intune. Tenant attach extends simple management capabilities to the MEM admin center.
What are the requirements for SCCM tenant attach?
To configure tenant attach, you need the following prerequisites:
- an account with Global Administrator rights;
- SCCM version 2002 or later;
- an Azure subscription;
- synchronization of user accounts triggering actions for devices from Active Directory to Azure Active Directory; and
- configuration of several server connectivity endpoints through the firewall.
The option to upload devices to MEM is not supported for Azure China or Azure US Government Cloud.
Starting with SCCM version 2010, additional verification tasks run when you enable tenant attach to confirm network connectivity.
How do you set up ConfigMgr tenant attach?
You configure tenant attach from the co-management properties settings. If you do not have co-management enabled, you set up device upload via the co-management configuration wizard.
You find the co-management properties at Administration > Overview > Cloud Services > Co-management. Go to the tab Configure upload and enable the checkbox for Upload to Microsoft Endpoint Manager admin center.
Below that setting, you have the option to manage all devices or only specific machines, or you can set up a limited test of tenant attach. In the last scenario, you would select the option to upload device information from just one collection.
Automatic enrollment of devices to co-management is not necessary nor is it required to switch workloads to Intune to use tenant attach for SCCM.
Next, use the co-management configuration wizard at Administration > Overview > Cloud Services > Co-management. Select Configure co-management to start the setup.
Sign in with your Azure credentials and check Upload to Microsoft Endpoint Manager admin center.
After the setup, you can review the progress in the CMGatewaySyncUploadWorker.log log file, which is the same log you use for troubleshooting if devices do not appear in MEM.
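The two service connection point logs named in this article, CMGatewaySyncUploadWorker.log and CMGatewayNotificationWorker.log, are written in the standard Configuration Manager (CMTrace) entry format, where each entry carries a type field of 1 (informational), 2 (warning) or 3 (error). The following PowerShell is an added example, not code from the article or from Microsoft; it parses that format and lists the warning and error entries so you can check an upload that is not progressing without opening each file in CMTrace. The function names are chosen for this example, and the sample entries it writes to a temporary folder are constructed so the script runs offline; the message text in your own logs will differ.

```powershell
# Added example: parse CMTrace-format entries from the tenant-attach logs named in the
# article and report warnings and errors. Function names are chosen for this example;
# the sample log entries below are constructed, not real Configuration Manager output.

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory)][string]$Line)

    # A CMTrace entry looks like:
    # <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." context="" type="N" thread="N" file="...">
    # type 1 = informational, 2 = warning, 3 = error.
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'
    if (-not ($Line -match $pattern)) { return $null }

    $severity = switch ($Matches['type']) {
        '1'     { 'Info' }
        '2'     { 'Warning' }
        '3'     { 'Error' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        Date      = $Matches['date']
        Time      = $Matches['time']
        Component = $Matches['comp']
        Severity  = $severity
        Thread    = $Matches['thread']
        Message   = $Matches['msg']
    }
}

function Get-CMGatewayLogIssue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LogPath,
        [switch]$IncludeWarnings
    )

    foreach ($path in $LogPath) {
        $name = Split-Path -Path $path -Leaf
        foreach ($line in (Get-Content -Path $path)) {
            $entry = ConvertFrom-CMTraceLine -Line $line
            if ($null -eq $entry) { continue }   # skip lines that are not CMTrace entries
            $wanted = ($entry.Severity -eq 'Error') -or ($IncludeWarnings -and $entry.Severity -eq 'Warning')
            if ($wanted) {
                # Tag each hit with the file it came from so both logs can be reviewed together
                $entry | Add-Member -NotePropertyName LogFile -NotePropertyValue $name -PassThru
            }
        }
    }
}

# --- Constructed sample data so the example runs offline (not real log output) ---
$tempDir = Join-Path ([System.IO.Path]::GetTempPath()) 'cmgateway-sample'
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

$syncLog = Join-Path $tempDir 'CMGatewaySyncUploadWorker.log'
@'
<![LOG[Starting upload of device records]LOG]!><time="10:15:02.100+000" date="03-01-2021" component="CMGatewaySyncUploadWorker" context="" type="1" thread="4512" file="">
<![LOG[Upload batch completed: 250 devices]LOG]!><time="10:15:08.430+000" date="03-01-2021" component="CMGatewaySyncUploadWorker" context="" type="1" thread="4512" file="">
<![LOG[Upload request failed: connection to the cloud service timed out]LOG]!><time="10:20:11.004+000" date="03-01-2021" component="CMGatewaySyncUploadWorker" context="" type="3" thread="4512" file="">
'@ | Set-Content -Path $syncLog

$notifyLog = Join-Path $tempDir 'CMGatewayNotificationWorker.log'
@'
<![LOG[Polling notification endpoint]LOG]!><time="10:16:00.000+000" date="03-01-2021" component="CMGatewayNotificationWorker" context="" type="1" thread="7720" file="">
<![LOG[Notification channel reconnected after a transient failure]LOG]!><time="10:17:30.512+000" date="03-01-2021" component="CMGatewayNotificationWorker" context="" type="2" thread="7720" file="">
'@ | Set-Content -Path $notifyLog

# Errors only from both logs, then errors plus warnings.
Get-CMGatewayLogIssue -LogPath $syncLog, $notifyLog |
    Format-Table LogFile, Date, Time, Severity, Message -AutoSize

Get-CMGatewayLogIssue -LogPath $syncLog, $notifyLog -IncludeWarnings |
    Format-Table LogFile, Date, Time, Severity, Message -AutoSize
```

On a real site, point -LogPath at the two log files on the server that hosts the service connection point instead of the constructed files; the parser ignores any line that does not match the CMTrace entry shape, so a truncated or partially written last line does not stop the report.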