Microsoft co-management: a bridge to modern management
A move in the right direction — or a delay in reaching your future state?
As the path to what Microsoft refers to as “modern management” can be challenging, co-management can be an effective interim solution — giving enterprises time to plan and invest in modernizing workloads while enjoying some of the benefits of managing devices and applications from the cloud. But is co-management a useful step in the right direction, or does it just delay reaching the desired end state? We believe it depends on your readiness and resources. In this paper we explore when co-management can be a good choice and offer points to consider if you decide to design and implement it.
Microsoft offers different paths to modern management, and co-management is the most iterative, providing a bridge to full modern management down the road. Co-management uses shared workloads (categories of work) to manage an employee's computer with both traditional and modern methods. Devices and applications can be gradually transitioned from the traditional Microsoft System Center Configuration Manager (ConfigMgr) to the modern Intune. Employees benefit from the features of cloud-centric management while maintaining access to the legacy applications and services they use every day.
If your network is not yet able to handle cloud-centric distribution, using co-management can provide some modern management benefits — including scalability, flexibility and lower cost of ownership — while you are transforming your network to support cloud-ready solutions. With co-management, workloads can gradually be moved over to a pilot group of devices, allowing for adequate forecasting as well as discovering any needed changes relating to network configuration and bandwidth.
How co-management overcomes obstacles to modern management
You may well ask, "Why can't we just migrate directly to modern management, bypassing the need for co-management?" You can, but there are many obstacles to transitioning directly, including differences between the settings available through group policy and through configuration service providers (CSPs), the security tooling that must be re-integrated, and — perhaps most significantly — the question of application readiness. Co-management can overcome many of these obstacles and serve as an essential interim solution until all workloads are handled from the cloud, including application modernization itself.
The following diagram depicts co-management at a logical level.

Reference: Co-management is instant and easy with #Just4Clicks (Microsoft)
One of the primary benefits of co-management is being able to specify which workloads are managed in a traditional manner with ConfigMgr and which are managed in a modern manner with Intune. The workload transition itself is performed in the ConfigMgr console.
ConfigMgr 1802 with Windows 10 1803 supports the following four workloads for co-management:
- Compliance policies
- Resource access policies
- Windows update policies (but not feature updates)
- Endpoint protection
Additional workloads are available in ConfigMgr 1806. Workload transfers can also be piloted before broad deployment.
Co-management requires that an employee's computer be hybrid Azure AD joined, which means the computer is simultaneously joined to an on-premises Active Directory (AD) domain and registered in Azure AD. Co-management also lets you control which source takes precedence when a group policy setting and a CSP setting conflict; by default the group policy setting wins unless the device is told otherwise.
Design and implementation considerations
Microsoft recently explained that co-management can be enabled with #Just4Clicks. While it is true that co-management can indeed be enabled in the traditional ConfigMgr console with just a few clicks, extensive planning and prerequisites are required to make optimal use of co-management.
Several areas need to be considered, particularly policy management, application management, and network and security.
Policy management
While co-management enables the capabilities of both traditional group policy object (GPO) and modern (CSP) policy management, combining them — and configuring and managing policy precedence — adds complexity to a Windows 10 configuration. Troubleshooting device issues may also be cumbersome when a device is simultaneously managed by traditional AD GPOs and modern CSPs. Having a strategy about which tools should manage specific components becomes important for minimizing workload and configuration transition further down the line.
If you are committed to moving to modern management, you should begin by using CSPs rather than GPOs to implement your policies wherever possible. Microsoft provides a tool that analyzes existing GPOs and reports which settings have CSP equivalents, but this should only be a general guide toward aligning a set of CSPs. It is by no means a comprehensive migration tool, as there is no one-to-one relationship between every GPO setting and a CSP. Because of these differences, the move to modern management can be an ideal time to start fresh with CSPs and create a security policy design based on the new approach of managing devices from the cloud.
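As an added example (not code from this paper), the following PowerShell, run in an elevated session on a candidate device, checks the two prerequisites discussed above: that the device is hybrid Azure AD joined (dsregcmd reports both DomainJoined and AzureAdJoined as YES) and whether the ControlPolicyConflict/MDMWinsOverGP policy has been delivered, which decides whether a CSP setting or the conflicting GPO setting wins. The parsing assumes dsregcmd's "Name : Value" output layout, and the registry path is the location where the Policy CSP records applied settings; verify both on your Windows 10 build before relying on the script.

```powershell
# Added example, not from the original paper: report hybrid Azure AD join state
# and the GPO/CSP conflict-resolution setting on a Windows 10 device.
# Run in an elevated PowerShell session on the device being assessed.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the ones we need.
    $raw = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $domain = ($state['DomainJoined']  -eq 'YES')
    $aad    = ($state['AzureAdJoined'] -eq 'YES')
    [pscustomobject]@{
        DomainJoined        = $domain
        AzureAdJoined       = $aad
        # Hybrid Azure AD joined = on-premises AD joined AND registered in Azure AD.
        HybridAzureAdJoined = ($domain -and $aad)
        TenantName          = $state['TenantName']
    }
}

function Get-PolicyConflictSetting {
    # Assumed location: MDM-delivered Policy CSP values are written under
    # HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.
    # ControlPolicyConflict/MDMWinsOverGP = 1 (Windows 10 1803+) makes the CSP value win.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $value = (Get-ItemProperty -Path $key -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue).MDMWinsOverGP
    if ($null -eq $value) { return 'Group policy wins (default: MDMWinsOverGP not delivered)' }
    if ($value -eq 1)     { return 'MDM/CSP wins (MDMWinsOverGP = 1)' }
    return "Group policy wins (MDMWinsOverGP = $value)"
}

$join = Get-DeviceJoinState
$join | Format-List
if (-not $join.HybridAzureAdJoined) {
    Write-Warning 'Device is not hybrid Azure AD joined; it cannot be co-managed until it is.'
}
Write-Output "Policy conflict resolution: $(Get-PolicyConflictSetting)"
```

Run this against a pilot device before and after switching a workload: the join state tells you whether auto-enrollment into Intune can succeed at all, and the conflict setting tells you which source to look at first when a setting does not land as expected.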
Furthermore, if devices have been traditionally managed for some time, they likely have built up a complex set of GPOs that may be difficult to rationalize into modern management techniques. This may be yet another reason to consider completely wiping the device during its transition to modern management. Effectively, you're eliminating years of "policy baggage" on that device.
Application management
The decision about whether or not to move applications directly to modern management depends on the complexity of your application estate and how long it would take to modernize it. Many times, IT is responsible for managing devices, but the apps are owned by various business units. This introduces different priorities for moving computer users to modern management. Additionally, there are usually financial and regulation-related challenges. If the budget is to modernize in one year, for example, perhaps pushing through app modernization is the better choice. However, if app modernization will be much slower, then co-management can bring some of the benefits of a modern solution much sooner.
Also, many apps are business critical and have so much legacy interaction that their modernization will cause a great deal of business upheaval. App modernization can be costly in disruption as well as dollars due to the necessary changes required in back-end systems. The result is often a stalemate where the environment stagnates and modernization is continually deferred.
It really comes down to how long you think it will take to modernize all of your apps:
- Short time: Go straight to modern.
- Long time: Use an interim solution — but what are the costs?
So if apps cannot be modernized quickly and expediently — less than 2 years is a good rule of thumb — co-management can help you gain some benefits of modern management during the interim without incurring enormous cost and complexity. Co-management allows you to deploy your legacy applications until they can ultimately be modernized and managed by Intune.
There are two primary reasons why Intune cannot manage an application as-is: installer complexity (e.g., complex MSIs) and a dependency on Kerberos authentication against on-premises AD that is embedded in the application. Options for preparing an application for Intune management include the following:
- Modernize the app. A modernized app is written and packaged as a Universal Windows Platform (UWP) app, and modernizing an app is more than just packaging it in a way that can be delivered via Intune. A modern app generally is a rewrite of the legacy application, taking into consideration the business processes and a new way of interacting with users. This choice can deliver the greatest value to the business, but it does cost the most. Additionally, decisions about app modernization largely depend on the gains for the organization. The business must perceive value beyond merely being able to deploy an application using a different format and a different delivery tool. The modernized app must be better in some way, whether that is in user experience or ease of management.
- Package the app with the MSIX container. Microsoft recently introduced the MSIX packaging standard. According to company statements, this is the go-forward packaging approach. While this does not necessarily produce "modern" apps, it does seem to provide a relatively straightforward way to package Win32 apps in a format that Intune can deliver. It remains to be seen how effective this will be for complex MSI repackaging and deployment or how broadly the MSIX app format standard will be adopted by enterprise customers.
- Deploy with PowerShell scripts through the Intune management extension (aka Sidecar). The Intune management extension allows Intune to execute PowerShell on the device. These scripts can be written to download and install Win32 applications. However, there are challenges with storing the Win32 application payloads on a cloud-facing location, as well as handling return codes and user interaction. These challenges can be overcome, but this technique is not yet widely accepted. Microsoft is continually investing in this technology and will likely resolve these challenges in future versions.
- Deploy via a third-party tool (use caution). Several third-party tools are available to deploy Win32 applications. These typically require additional licensing, introduce alternative packaging standards and many times require extensive repackaging. The alternative packaging standards can result in a technological "dead end." Moving away from such third-party tools can require more repackaging efforts in the future. Use caution in considering use of a third party tool, especially considering recent Microsoft developments in technologies such as MSIX.
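The Intune management extension option above leaves the payload on a cloud-facing location and runs the installer as SYSTEM with no user present, so the script itself has to carry the trust decision. As an added example (not code from this paper), the following PowerShell shows the shape such a script needs: download over HTTPS only, pin the installer's SHA256 hash in the script, require a valid Authenticode signature, install silently, and translate MSI return codes into the exit code the extension reports. The URL, hash and silent switches are assumed placeholder values.

```powershell
# Added example, not from the original paper: install a Win32 MSI from a cloud-facing
# location via the Intune management extension, verifying the payload before running it.
# Assumed values: $PayloadUrl, $ExpectedSha256 and $InstallerArgs. Runs as SYSTEM.

$ErrorActionPreference = 'Stop'
$PayloadUrl     = 'https://contoso.blob.core.windows.net/apps/LegacyApp-4.2.msi'   # assumed
$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000' # assumed; replace with the real hash
$InstallerArgs  = '/qn /norestart REBOOT=ReallySuppress'                            # assumed MSI switches
$WorkDir        = Join-Path $env:ProgramData 'IntuneWin32\LegacyApp'
$LogFile        = Join-Path $WorkDir 'install.log'
$payload        = Join-Path $WorkDir (Split-Path $PayloadUrl -Leaf)
$exit           = 1

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Start-Transcript -Path (Join-Path $WorkDir 'script.log') -Append | Out-Null

try {
    # 1. Transport: refuse anything that is not HTTPS.
    if (-not $PayloadUrl.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing non-HTTPS payload URL: $PayloadUrl"
    }
    Invoke-WebRequest -Uri $PayloadUrl -OutFile $payload -UseBasicParsing

    # 2. Integrity: the hash pinned in this script is the trust anchor. Anyone who can
    #    write to the storage location could otherwise replace the installer.
    $actual = (Get-FileHash -Path $payload -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "SHA256 mismatch: expected $ExpectedSha256, got $actual"
    }

    # 3. Authenticity: additionally require a valid Authenticode signature on the MSI.
    $sig = Get-AuthenticodeSignature -FilePath $payload
    if ($sig.Status -ne 'Valid') {
        throw "Installer signature status is '$($sig.Status)' (signer: $($sig.SignerCertificate.Subject))"
    }

    # 4. Install silently; there is no interactive user under the management extension.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$payload`" $InstallerArgs /l*v `"$LogFile`"" `
        -Wait -PassThru -NoNewWindow

    # 5. Map installer return codes. 3010/1641 mean success with a reboot pending;
    #    report success and leave the restart to Intune. Anything else is a failure.
    switch ($proc.ExitCode) {
        0       { Write-Output 'Install succeeded';                   $exit = 0 }
        3010    { Write-Output 'Install succeeded, reboot required';  $exit = 0 }
        1641    { Write-Output 'Install succeeded, reboot initiated'; $exit = 0 }
        default { Write-Error "Installer returned $($proc.ExitCode); see $LogFile"; $exit = $proc.ExitCode }
    }
}
catch {
    Write-Error $_.Exception.Message
    $exit = 1
}
finally {
    if (Test-Path $payload) { Remove-Item $payload -Force -ErrorAction SilentlyContinue }
    Stop-Transcript | Out-Null
}

# The management extension records the script as failed on any non-zero exit code.
exit $exit
```

Two practical notes: because the hash is pinned, every new installer build means republishing the script, which is the price of not trusting the storage location; and the management extension runs scripts in a 32-bit host unless the "Run script in 64-bit PowerShell host" option is set, so keep that in mind for installers that inspect the calling process.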
Network and security
Since co-management requires modern management as a part of the solution, it's important to consider the related impact on your network and security.
Modern management is generally synonymous with cloud-centric device management, so your device is managed over the internet, not over your corporate network. Using cloud-centric methods requires you to reconsider your network model. This is also the case when using co-management.
You must carefully review the required bandwidth of your sites to the internet so that employees do not experience performance degradation when their devices are managed from the cloud.
Regarding security, modern management introduces several new techniques that must be integrated in your approach, including information, identity, application and threat protection, as well as endpoint security. As detailed discussion of these techniques is beyond the scope of this document, please see the DXC Technology paper, Secure, protected enterprise data on mobile devices, for further explanation.
Conclusion
While co-management brings tremendous flexibility, you must carefully consider whether it is the right choice for your business. Identify how you use ConfigMgr today. Consider the benefits or disadvantages that co-management might bring to your organization, including policy and application management and the impact on your network and security approach.
Alternatives to co-management do exist but have risks in enterprise-level scaling, proprietary tools and user experience. At the same time, Microsoft continues to invest in Intune, making co-management less of a long-term solution.
Under the right conditions, co-management as an interim solution can help transition your organization to a modern managed environment, delivering benefits of cloud-centric management and access to legacy applications and services.
DXC stands ready to advise you on your path to modern management, including the use of co-management where it makes sense. We will help you determine the best solution, implement it in your environment and support your organization into the future.