Jason, don't know where you find the time to answer all these questions (cloning??) but it is much appreciated.

I did a good deal of searching but couldn't really come up with a definitive answer in regards to how the field laptop would act when in the office. Thanks for pointing out the issue with my original statement, makes it crystal clear now!

Thanks

________________________________
From: [email protected] on behalf of Jason Sandys
Sent: Thursday, June 15, 2017 4:57 PM
To: [email protected]
Subject: [mssms] RE: Intune standalone vs hybrid.

Yes, almost.

"If the field laptop does come into the office it would be able to access the one SCCM server in Azure (set with HTTPS) and also the rest of the SCCM servers we have on-prem that are set for HTTP"

This depends upon how you installed the client agent on these systems. If you set them "Internet-only" then yes. If you did not set them to "Internet-only", then they will gracefully switch over and use the internal HTTP roles when they detect that they are not on the Internet. Internet detection is based upon a global catalog query - if it succeeds, then the client will use Intranet roles; if it fails, then it'll use the Internet roles. You configure a client to be "Internet-only" by setting the CCMALWAYSINF property to 1 on the ccmsetup command-line during client agent installation. Boundaries play no part in this.

J

________________________________
From: [email protected] on behalf of SCCM FUN
Sent: Thursday, June 15, 2017 11:02 AM
To: [email protected]
Subject: [mssms] Re: Intune standalone vs hybrid.

Got you, it makes sense. So basically the 2k laptops we have in the field that are domain joined, but are never in the office. We could do the following.

Stand up server in Azure with following roles:
- DP
- MP
- SUP

Laptops would be set up with certs/IBCM and they would access the SCCM server via the internet in Azure when in the field. The one site system in Azure we would specify an FQDN for the site system for use on the internet with roles as below:
- DP role - HTTPS - allow internet-only connections
- MP role - HTTPS - allow internet-only connections
- SUP role - allow internet-only connections

If we set up as above, since only the field laptops use HTTPS/certs, the laptops would be the only devices accessing the Azure system. We don't want the desktops in the office (no certs, they only use HTTP) ever accessing the SCCM server in Azure as they should only access the on-prem SCCM servers. If the field laptop does come into the office it would be able to access the one SCCM server in Azure (set with HTTPS) and also the rest of the SCCM servers we have on-prem that are set for HTTP. If the boundaries are set up correctly the field laptops would only access the on-prem SCCM servers which are HTTP only when they are in the office. That sum it up?

Thanks

________________________________
From: [email protected] on behalf of Jason Sandys
Sent: Tuesday, June 13, 2017 11:49 AM
To: [email protected]
Subject: [mssms] RE: Intune standalone vs hybrid.

Sure. The site system can easily be hosted in a cloud IaaS provider such as Azure (or even AWS). I don't think I'd use a cloud DP in that case though but would instead simply use that same IaaS based site system to host the DP.

* "I know MP/SUP needs to be in DMZ for IBCM to work correctly"

This is not a correct statement. DMZ placement is a security decision and has nothing to do with actual functionality.

J

________________________________
From: [email protected] on behalf of SCCM FUN
Sent: Monday, June 12, 2017 9:27 AM
To: [email protected]
Subject: [mssms] Re: Intune standalone vs hybrid.

OK, last question, but might seem weird. Let's say we forgot about all this and we just want to go IBCM and not use the cloud management gateway (political, not technical issue here): could we host MP/SUP on Azure with a cloud DP also on Azure? I know MP/SUP needs to be in DMZ for IBCM to work correctly, but could we just skip putting servers in our company DMZ (again it's a political and not technical issue) and just host MP/SUP on Azure (since it is internet facing).

Thanks

________________________________
From: [email protected] on behalf of Jason Sandys
Sent: Monday, June 5, 2017 9:07 PM
To: [email protected]
Subject: [mssms] RE: Intune standalone vs hybrid.

Not really true. Yes, there are some limitations, but these are mostly lesser used things and mostly coincide with what isn't supported over IBCM (because CMG is just IBCM hosted in Azure). You get all of the core functionality like software updates, software distribution, and inventory. Yes, it's technically pre-release, but a lot of folks are using it already in production environments.

J

________________________________
From: [email protected] on behalf of Lindenfeld, Ivan
Sent: Monday, June 5, 2017 4:32 PM
To: [email protected]
Subject: [mssms] RE: Intune standalone vs hybrid.

According to current documentation you only get a few features with CMG. The only ways to get full SCCM client functionality are IBCM or Remote Access.

________________________________
From: [email protected] on behalf of SCCM FUN
Sent: Monday, June 05, 2017 3:04 PM
To: [email protected]
Subject: [mssms] Re: Intune standalone vs hybrid.

Great article. Sounds like if you go either version, standalone or hybrid, you don't get the rich functionality of the SCCM client. I also read somewhere Intune only has like 10 built-in reports and if you want more reports you need to go hybrid? Cloud management gateway in conjunction with cloud DP would be pretty great for us I think. CMG seems to only be pre-release, curious when that will be production.

________________________________
From: [email protected] on behalf of Jason Sandys
Sent: Monday, June 5, 2017 11:05 AM
To: [email protected]
Subject: [mssms] RE: Intune standalone vs hybrid.

Domain joined is irrelevant. Hybrid implies MDM management though which isn't generally suited for enterprise systems (yet). Why not use Internet Based Client Management that's built into ConfigMgr? See https://home.configmgrftw.com/managing-remote-systems/ for a mostly complete rundown of your options. The only thing missing is the ability to host the IBCM components in Azure as an Azure service using the new Cloud Management Gateway introduced with 1610.

[Link preview: "Remote Systems Management in Configuration Manager" (home.configmgrftw.com) - "Managing remote systems, i.e., those not directly connected to your internal network, is a challenge best not overlooked for multiple reasons including security."]

J

________________________________
From: [email protected] on behalf of SCCM FUN
Sent: Monday, June 5, 2017 8:59 AM
To: mssms <[email protected]>
Subject: [mssms] Intune standalone vs hybrid.

Read a bunch of stuff and I'm more confused than when I first started looking. We have 25k Windows devices and out of that number we have about 2k domain joined laptops who are in the field. They are always an issue for everything (patching, software deployment, etc). I thought I read somewhere saying Intune standalone can't manage domain joined devices so we would need by default to go hybrid. I don't like the idea if we did Intune standalone we would need to use the SCCM console for SCCM devices and Intune for Intune devices so I think we would need to go hybrid either way. Am I right about domain joined means hybrid right away? Also it looks like with standalone you only get like 10 reports compared to SCCM which has lots of reports.
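The following is an added PowerShell example, not code from the thread or from any of its participants. It puts Jason's June 15 point into practice: the only thing that distinguishes an "Internet-only" field laptop from one that auto-switches to the on-prem HTTP roles is the CCMALWAYSINF=1 property at ccmsetup time, while an office desktop without a certificate gets neither CCMALWAYSINF nor an Internet MP name. It then reads back which mode the installed client actually settled on, which is the check an administrator would want before trusting that the office desktops never touch the Azure site system. CCMALWAYSINF, CCMHOSTNAME, SMSSITECODE, /mp and /UsePKICert are real ccmsetup parameters; the site code and FQDNs are placeholders, and the root\ccm ClientInfo class with its InInternet property is an assumption about how the client exposes its current decision.

```powershell
# Added example (not from the mailing-list thread). Builds the ccmsetup
# command line for three client populations discussed in the thread and
# verifies the resulting client mode. Site code and FQDNs are placeholders.

param(
    [ValidateSet('InternetOnlyLaptop', 'AutoSwitchLaptop', 'OfficeDesktop')]
    [string]$Population = 'InternetOnlyLaptop',
    [string]$SiteCode   = 'PS1',                        # placeholder site code
    [string]$InternetMP = 'sccm-mp.cloudapp.example',   # placeholder: Azure-hosted HTTPS MP
    [string]$IntranetMP = 'sccm-mp01.corp.example',     # placeholder: on-prem HTTP MP
    [switch]$WhatIf
)

function Get-CcmSetupArguments {
    param([string]$Population, [string]$SiteCode, [string]$InternetMP, [string]$IntranetMP)

    switch ($Population) {
        'InternetOnlyLaptop' {
            # CCMALWAYSINF=1 pins the client to the Internet roles even when a
            # global catalog is reachable, so in the office it still talks to
            # the Azure MP over HTTPS. /UsePKICert selects the client auth cert.
            @("/mp:$InternetMP", '/UsePKICert',
              "SMSSITECODE=$SiteCode", "CCMHOSTNAME=$InternetMP", 'CCMALWAYSINF=1')
        }
        'AutoSwitchLaptop' {
            # Same certificate and Internet MP, but without CCMALWAYSINF the
            # client runs the GC lookup and uses intranet HTTP roles when it succeeds.
            @("/mp:$InternetMP", '/UsePKICert',
              "SMSSITECODE=$SiteCode", "CCMHOSTNAME=$InternetMP")
        }
        'OfficeDesktop' {
            # No certificate and no CCMHOSTNAME: this client has no Internet MP
            # to fall back to and can only ever use the on-prem HTTP roles.
            @("/mp:$IntranetMP", "SMSSITECODE=$SiteCode")
        }
    }
}

function Get-CcmClientMode {
    # Assumption: the client's Internet/intranet decision is exposed by the
    # InInternet property of the root\ccm ClientInfo class.
    try {
        $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction Stop
        if ($info.InInternet) { 'Internet' } else { 'Intranet' }
    } catch {
        'Unknown (client not installed or ClientInfo class unavailable)'
    }
}

$setupArgs = Get-CcmSetupArguments -Population $Population -SiteCode $SiteCode `
                                   -InternetMP $InternetMP -IntranetMP $IntranetMP
Write-Host "ccmsetup.exe $($setupArgs -join ' ')"

if (-not $WhatIf) {
    # ccmsetup.exe is expected on PATH or in the current directory.
    Start-Process -FilePath 'ccmsetup.exe' -ArgumentList $setupArgs -Wait
    Write-Host "Client mode after install: $(Get-CcmClientMode)"
}
```

Run it with -WhatIf to print the command line for each population without installing anything; on an installed client, Get-CcmClientMode alone reports whether the GC-based detection chose Internet or Intranet roles, which is how you would confirm that an auto-switching laptop has dropped back to HTTP while in the office and that an Internet-only laptop has not.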

