memdocs/configmgr/core/get-started/2021/includes/2103/7958749.md
Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ Microsoft Endpoint Manager is an integrated solution for managing all of your de
19
19
20
20
### Prerequisites for cloud attach during upgrade
21
21
22
-
The same prerequisites apply as for tenant attach. For more information, see [Enable tenant attach](../../../../../tenant-attach/device-sync-actions.md#prerequisites).
22
+
The same prerequisites apply as for tenant attach. For more information, see [Enable tenant attach](../../../../../tenant-attach/device-sync-actions.md).
23
23
24
24
The new pages in the Updates Wizard only appear when you update the site from technical preview branch version 2102 or later.
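Review bot: the replacement link on the `+` line drops the `#prerequisites` fragment but still targets `device-sync-actions.md`, and this same commit moves the prerequisites out of that file into a new page that the other added lines link to as `prerequisites.md`. A reader following "The same prerequisites apply as for tenant attach" now lands on the enablement steps rather than the prerequisites. Point the link at the new page instead (`../../../../../tenant-attach/prerequisites.md`) and change the link text from "Enable tenant attach" to match.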
memdocs/configmgr/tenant-attach/device-sync-actions.md
Lines changed: 15 additions & 52 deletions
@@ -1,8 +1,8 @@
1
1
---
2
-
title: Microsoft Endpoint Manager tenant attach
2
+
title: Enable Microsoft Endpoint Manager tenant attach
3
3
titleSuffix: Configuration Manager
4
4
description: Upload your Configuration Manager devices to the cloud service and take actions from the admin center.
5
-
ms.date: 12/21/2021
5
+
ms.date: 03/21/2022
6
6
ms.topic: conceptual
7
7
ms.prod: configuration-manager
8
8
ms.technology: configmgr-core
@@ -13,60 +13,15 @@ ms.localizationpriority: high
13
13
ms.collection: highpri
14
14
---
15
15
16
-
# <aname="bkmk_attach"></a> Microsoft Endpoint Manager tenant attach: Device sync and device actions
16
+
# <aname="bkmk_attach"></a> Enable Microsoft Endpoint Manager tenant attach: Device sync and device actions
17
17
<!--3555758 live 3/4/2020 Configuration Manager version 2002 min-->
18
18
*Applies to: Configuration Manager (current branch)*
19
19
20
20
Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called **Microsoft Endpoint Manager admin center**. You can upload your Configuration Manager devices to the cloud service and take actions from the **Devices** blade in the admin center.
21
21
22
-
## Prerequisites
23
-
24
-
- An account that is a *Global Administrator* for signing in when applying this change. For more information, see [Azure Active Directory (Azure AD) administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-ad-administrator-roles).
25
-
26
-
- Onboarding creates a third-party app and a first party service principal in your Azure AD tenant.
27
-
28
-
- An Azure cloud environment.
29
-
30
-
- The **Upload to Microsoft Endpoint Manager admin center** option is disabled for Microsoft Azure China 21Vianet (Azure China Cloud) and Azure US Government Cloud.<!--8815787--> Starting in version 2107, this option is available for US Government customers.
31
-
32
-
- Starting in version 2107, United States Government customers can use the following tenant attach features in the US Government cloud:<!-- 8353823 -->
33
-
34
-
- Account onboarding
35
-
- Tenant sync to Intune
36
-
- Device sync to Intune
37
-
- Device actions in the Microsoft Endpoint Manager admin center
38
-
39
-
- At least one Intune license for you as the administrator to access the Microsoft Endpoint Manager admin center. <!--10254915-->
40
-
41
-
- The [administration service](../develop/adminservice/overview.md) in Configuration Manager needs to be set up and functional. <!--1104776-->
42
-
43
-
- The user accounts triggering device actions have the following prerequisites:
44
-
- The user account needs to be a synced user object in Azure AD (hybrid identity). This means that the user is synced to Azure Active Directory from Active Directory.
45
-
- For Configuration Manager version 2103, and later: </br>
46
-
Has been discovered with either [Azure Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#azureaddisc) or [Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#bkmk_aboutUser). <!--9089764-->
47
-
- For Configuration Manager version 2010, and earlier: </br>
48
-
Has been discovered with both [Azure Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#azureaddisc) and [Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#bkmk_aboutUser).
49
-
.
50
-
51
-
- The **Initiate Configuration Manager action** permission under **Remote tasks** in the Microsoft Endpoint Manager admin center.
52
-
- For more information about adding or verifying permissions in the admin center, see [Role-based access control (RBAC) with Microsoft Intune](../../intune/fundamentals/role-based-access-control.md#roles).
53
-
54
-
- If your central administration site has a [remote provider](../core/plan-design/hierarchy/plan-for-the-sms-provider.md), then follow the instructions for the [CAS has a remote provider](../core/servers/manage/cmpivot-changes.md#cas-has-a-remote-provider) scenario in the CMPivot article. <!--7796824-->
55
-
56
-
This feature supports all OS versions that Configuration Manager currently supports as a client. For more information, see [Supported OS versions for clients and devices](../core/plan-design/configs/supported-operating-systems-for-clients-and-devices.md).<!-- MEMDocs#545 -->
57
-
58
-
## Internet endpoints
59
-
60
-
[!INCLUDE [Internet endpoints for tenant attach](../core/plan-design/network/includes/internet-endpoints-tenant-attach.md)]
61
-
62
-
Starting in version 2010, the service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud service is available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more information, see [Validate internet access](../core/servers/deploy/configure/about-the-service-connection-point.md#validate-internet-access).<!--8565578-->
63
-
64
-
> [!NOTE]
65
-
> The service connection point checks the CRL. If this server doesn't have access to the URLs listed above, the CRL check fails. Consider setting a system proxy or use the following command: 'netsh winhttp set proxy'. For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site](https://support.microsoft.com/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-web-site-08612ae5-3722-886c-f1e1-d012516c22a1). Make sure that you include a bypass list for internal site communications. This configuration may be neccesary as the proxy server settings within Configuration Manager only configure the proxy for Configuration Manager applications and not the underlying OS.
66
-
67
22
## <aname="bkmk_edit"></a> Enable device upload when co-management is already enabled
68
23
69
-
If you have co-management enabled currently, you'll use the co-management properties to enable device upload. When co-management isn't already enabled, [Use the **Cloud Attach Configuration Wizard**](#bkmk_config) to enable device upload instead.
24
+
If you have co-management enabled currently, you'll use the co-management properties to enable device upload. When co-management isn't already enabled, [Use the **Cloud Attach Configuration Wizard**](#bkmk_config) to enable device upload instead. Before you enable tenant attach, verify that the [prerequisites for tenant attach](prerequisites.md) have been met.
70
25
71
26
When co-management is already enabled, edit the co-management properties to enable device upload using the instructions below:
72
27
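Review bot: removing the `## Prerequisites` and `## Internet endpoints` headings from this file also removes the heading anchors that other pages can deep-link to, and this commit updates only one caller (`7958749.md`). Search the repository for remaining links to `device-sync-actions.md#prerequisites` and repoint them at the new prerequisites page. The commit also moves the *Global Administrator* requirement, the **Initiate Configuration Manager action** permission and the CRL/proxy note off the page where the feature is enabled, so confirm that the single pointer sentence added to the `bkmk_edit` paragraph is prominent enough to replace them.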
@@ -89,7 +44,7 @@ When co-management is already enabled, edit the co-management properties to enab
89
44
90
45
## <aname="bkmk_config"></a> Enable device upload when co-management isn't enabled
91
46
92
-
If you don't have co-management enabled, you'll use the **Cloud Attach Configuration Wizard** to enable device upload. You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune. All Devices managed by Configuration Manager that have **Yes** in the **Client** column will be uploaded. If needed, you can limit upload to a single device collection. If co-management is already enabled in your environment, [Edit co-management properties](#bkmk_edit) to enable device upload instead.
47
+
If you don't have co-management enabled, you'll use the **Cloud Attach Configuration Wizard** to enable device upload. You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune. All Devices managed by Configuration Manager that have **Yes** in the **Client** column will be uploaded. If needed, you can limit upload to a single device collection. If co-management is already enabled in your environment, [Edit co-management properties](#bkmk_edit) to enable device upload instead. Before you enable tenant attach, verify that the [prerequisites for tenant attach](prerequisites.md) have been met.
93
48
94
49
When co-management isn't enabled, use the instructions below to enable device upload:
95
50
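Review bot: the sentence added on the `+` line, "Before you enable tenant attach, verify that the [prerequisites for tenant attach](prerequisites.md) have been met.", is appended after the sentence that redirects readers to [Edit co-management properties](#bkmk_edit), so it reads as part of the redirect and sits at the end of a long paragraph where it is easy to skip. Because the prerequisites now carry the account role and permission requirements, move it to its own paragraph or a note directly above "When co-management isn't enabled, use the instructions below", and make the same change in the `bkmk_edit` section.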
@@ -114,6 +69,12 @@ When co-management isn't enabled, use the instructions below to enable device up
114
69
1. Select **Summary** to review your selection, then choose **Next**.
115
70
1. When the wizard is complete, select **Close**.
116
71
72
+
## Scope tags
73
+
<!--IN12698965-->
74
+
Tenant-attached devices receive the [default scope tag](../../intune/fundamentals/scope-tags.md#default-scope-tag) from Microsoft Intune. If you remove the default scope tag from a tenant-attached device, the device won't be displayed at all in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). Currently, tenant-attached devices can't be assigned scope tags unlike [co-managed devices](../comanage/overview.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) can.
75
+
76
+
However, sometimes you don’t want certain [Intune roles](../../intune/fundamentals/role-based-access-control.md#built-in-roles) to see tenant-attached devices. For instance, you may not want someone with Intune's **Help Desk Operator** role to see tenant-attached devices because they're servers. In these cases, create or use a custom role in Intune that doesn't have **Default** listed for its **Scope tags**. When [creating custom Intune roles](../../intune/fundamentals/create-custom-role.md#to-create-a-custom-role), keep in mind that the default scope tag is automatically added to all untagged objects.
77
+
117
78
## Perform device actions
118
79
119
80
1. In a browser, navigate to `endpoint.microsoft.com`
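Review bot: the second paragraph of the new `## Scope tags` section recommends a custom role without **Default** in its scope tags to hide tenant-attached devices, but its last sentence only hints at the side effect. Since "the default scope tag is automatically added to all untagged objects", that role also stops seeing every other untagged object, and the text should say so directly so admins do not treat this as a filter for tenant-attached devices alone. The first paragraph also tells readers what happens "If you remove the default scope tag from a tenant-attached device" without saying how that removal can occur when these devices can't be assigned scope tags. Wording: "can't be assigned scope tags unlike ... can" should read "Unlike co-managed devices, tenant-attached devices currently can't be assigned scope tags", and "don’t" uses a curly apostrophe where the rest of the file uses straight ones.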
@@ -128,8 +89,6 @@ When co-management isn't enabled, use the instructions below to enable device up
128
89
[](./media/3555758-device-overview-actions.png#lightbox)
129
90
130
91
131
-
[!INCLUDE [Import a previously created Azure AD application](includes/import-azure-app.md)]
132
-
133
92
## Display the Configuration Manager connector status from the admin console
134
93
<!--IN9229333, CM7138634-->
135
94
From the Microsoft Endpoint Manager admin center, you can review the status of your Configuration Manager connector. To display the connector status, go to **Tenant administration** > **Connectors and tokens** > **Microsoft Endpoint Configuration Manager**. Select a Configuration Manager hierarchy to display additional information about it.
@@ -167,6 +126,10 @@ When you offboard a hierarchy from the admin center, it may take up to two hours
167
126
> [!NOTE]
168
127
> If you are using custom [RBAC roles with Intune](../../intune/fundamentals/role-based-access-control.md#roles), you will need to grant the **Organization** > **Delete** permission to offboard a hierarchy.
169
128
129
+
130
+
[!INCLUDE [Import a previously created Azure AD application](includes/import-azure-app.md)]
131
+
132
+
170
133
## Next steps
171
134
172
135
-[Enroll Configuration Manager devices into Endpoint analytics](../../analytics/enroll-configmgr.md#bkmk_cm_enroll)
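Review bot: the relocated `[!INCLUDE [Import a previously created Azure AD application](includes/import-azure-app.md)]` now sits directly after the offboarding `> [!NOTE]` and is followed by two added blank lines before `## Next steps`. Drop one of the trailing blank lines, and confirm the include begins with its own heading. If it does not, its content will render as a continuation of the offboarding section, which would put app-import steps under guidance about removing a hierarchy.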
title: Microsoft Endpoint Manager tenant attach prerequisites
3
+
titleSuffix: Configuration Manager
4
+
description: Prerequisites for Microsoft Endpoint Manager tenant attach.
5
+
ms.date: 03/21/2022
6
+
ms.topic: conceptual
7
+
ms.prod: configuration-manager
8
+
ms.technology: configmgr-core
9
+
manager: dougeby
10
+
author: mestew
11
+
ms.author: mstewart
12
+
ms.localizationpriority: high
13
+
ms.collection: highpri
14
+
---
15
+
16
+
# Microsoft Endpoint Manager tenant attach: Prerequisites
17
+
<!--3555758 live 3/4/2020 Configuration Manager version 2002 min-->
18
+
*Applies to: Configuration Manager (current branch)*
19
+
20
+
Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called **Microsoft Endpoint Manager admin center**. You can upload your Configuration Manager devices to the cloud service and take actions from the **Devices** page in the admin center. Some of the features you may want to use include:
21
+
22
+
- Run PowerShell [scripts](scripts.md)
23
+
- Install [applications](applications.md)
24
+
- Query devices with [CMPivot](../tenant-attach/cmpivot-samples-attached.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json)
25
+
- Display a [timeline](timeline.md) of events from the device
26
+
27
+
## Prerequisites
28
+
29
+
- An account that is a *Global Administrator* for signing in when applying this onboarding change. For more information, see [Azure Active Directory (Azure AD) administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-ad-administrator-roles).
30
+
31
+
- Onboarding creates a third-party app and a first party service principal in your Azure AD tenant.
32
+
33
+
- An Azure cloud environment.
34
+
35
+
- The **Upload to Microsoft Endpoint Manager admin center** option is disabled for Microsoft Azure China 21Vianet (Azure China Cloud) and Azure US Government Cloud.<!--8815787--> Starting in version 2107, this option is available for US Government customers.
36
+
37
+
- Starting in version 2107, United States Government customers can use the following tenant attach features in the US Government cloud:<!-- 8353823 -->
38
+
39
+
- Account onboarding
40
+
- Tenant sync to Intune
41
+
- Device sync to Intune
42
+
- Device actions in the Microsoft Endpoint Manager admin center
43
+
44
+
- At least one Intune license for you as the administrator to access the Microsoft Endpoint Manager admin center. <!--10254915-->
45
+
46
+
- The [administration service](../develop/adminservice/overview.md) in Configuration Manager needs to be set up and functional. <!--1104776-->
47
+
48
+
- If your central administration site has a [remote provider](../core/plan-design/hierarchy/plan-for-the-sms-provider.md), then follow the instructions for the [CAS has a remote provider](../core/servers/manage/cmpivot-changes.md#cas-has-a-remote-provider) scenario in the CMPivot article. <!--7796824-->
49
+
50
+
This feature supports all OS versions that Configuration Manager currently supports as a client. For more information, see [Supported OS versions for clients and devices](../core/plan-design/configs/supported-operating-systems-for-clients-and-devices.md).<!-- MEMDocs#545 -->
51
+
52
+
## Permissions
53
+
54
+
The user accounts performing device actions have the following prerequisites:
55
+
56
+
- The user account needs to be a synced user object in Azure AD (hybrid identity). This means that the user is synced to Azure Active Directory from Active Directory.
57
+
- For Configuration Manager version 2103, and later: </br>
58
+
Has been discovered with either [Azure Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#azureaddisc) or [Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#bkmk_aboutUser). <!--9089764-->
59
+
- For Configuration Manager version 2010, and earlier: </br>
60
+
Has been discovered with both [Azure Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#azureaddisc) and [Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#bkmk_aboutUser).
61
+
- The **Initiate Configuration Manager action** permission under **Remote tasks** in the Microsoft Endpoint Manager admin center.
62
+
- For more information about adding or verifying permissions in the admin center, see [Role-based access control (RBAC) with Microsoft Intune](../../intune/fundamentals/role-based-access-control.md#roles).
63
+
64
+
## Internet endpoints
65
+
66
+
[!INCLUDE [Internet endpoints for tenant attach](../core/plan-design/network/includes/internet-endpoints-tenant-attach.md)]
67
+
68
+
Starting in version 2010, the service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud service is available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more information, see [Validate internet access](../core/servers/deploy/configure/about-the-service-connection-point.md#validate-internet-access).<!--8565578-->
69
+
70
+
> [!NOTE]
71
+
> The service connection point checks the CRL. If this server doesn't have access to the URLs listed above, the CRL check fails. Consider setting a system proxy or use the following command: 'netsh winhttp set proxy'. For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site](https://support.microsoft.com/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-web-site-08612ae5-3722-886c-f1e1-d012516c22a1). Make sure that you include a bypass list for internal site communications. This configuration may be necessary as the proxy server settings within Configuration Manager only configure the proxy for Configuration Manager applications and not the underlying OS.
72
+
73
+
## Limitations
74
+
<!--IN12698976-->
75
+
Currently, Configuration Manager devices aren't included when retrieving a device list through a PowerShell script or through Microsoft Graph API. To work around this issue, use the **Export** option from the **All devices** page in the admin center.
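Review bot: in the new `## Permissions` list, the two version bullets end with `</br>`, which is not a valid tag. Use `<br/>`, or drop the tag and indent the "Has been discovered with ..." lines as list continuation. In the `> [!NOTE]`, the command is quoted as 'netsh winhttp set proxy' and should be in code formatting, and "Consider setting a system proxy or use the following command" should be made parallel ("or using"). In `## Prerequisites`, "third-party app and a first party service principal" is inconsistently hyphenated. In `## Limitations`, state plainly that any inventory or reporting script built on a PowerShell or Microsoft Graph device list will omit Configuration Manager devices, since the only workaround given is the manual **Export** option.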