I have created a video tutorial to help SCCM admins create custom policies in SCCM/ConfigMgr Current Branch using OMA DM/OMA URI. Following are the topics covered in the video “How to Create and Deploy Custom Policies using OMA URI and SCCM CB Hybrid”.
1. How to create SCCM CB Configuration Items
2. How to create custom policies within Configuration Items
3. How to create SCCM Configuration Baselines
4. How to deploy Configuration Baselines to a user collection via the MDM channel to a Windows 10 device
5. How to troubleshoot any issues related to MDM management on a Windows 10 machine
6. End user experience of Windows 10 after deploying the custom policies
SCCM Video Tutorial How to Create and Deploy Custom Policies using OMA URI and SCCM CB Hybrid
A few months ago, I created a blog post on this topic, and you can read that post here.
To manage iOS and Mac OS devices via Intune and Hybrid SCCM CB, we need to have an APNs cert. In this video tutorial, we can see how to get the certs from Apple and how to upload them to SCCM CB for a hybrid solution: How to Create Apple Push Notification Service (APNs) Certificate to Manage iOS and Mac OS X devices via Intune. You must have an Apple ID/user name and password to upload and download the certs for SCCM CB hybrid. More detailed videos are coming up on my YouTube channel. Subscribe here.
Following is the location and file where I saved the downloaded cert from the SCCM CB hybrid environment: C:\Users\anoop\Documents\Apple Cert\Apple_Cert_4_How_2_Manage.csr
Go to the following Apple website: https://identity.apple.com/pushcert/
At the end of this process, you will be able to manage iOS and Mac OS devices via Microsoft Intune and/or the SCCM CB hybrid environment!
We are going to look at 3 topics in this post.
1. How to create compliance policies using Intune and the SCCM CB Hybrid environment
2. How to deploy compliance policies
3. Differences between the compliance policy settings
I have created a quick and dirty video tutorial to explain all these steps and the video is embedded in this post as well 🙂
First and foremost, the compliance policies work along with Conditional Access policies. To have permission to access corporate resources like mail, SharePoint Online etc., the device must be compliant with the policies which we set! SCCM CB and Intune compliance policies can be deployed only to users, not to device collections or groups.
How to Create SCCM CB Hybrid Compliance Policy?
As you can see in the following picture, in SCCM CB we can specify the type of compliance policy that we want to create. There are two options: 1. Compliance rules for devices managed with SCCM clients 2. Compliance rules for devices managed without SCCM clients (that can be MDM clients etc.). Moreover, it gives the granularity to select the different device platforms like Windows 8.1, Windows 10 mobile, iOS and Android and KNOX etc. A very useful option in SCCM CB Hybrid compliance settings! All the steps to create an SCCM CB compliance policy are explained in the video tutorial above.
How to create Compliance Policy using Intune?
As you must have noticed, there is one general compliance policy for all the platforms. There is no option to create different compliance policies for different device platforms like iOS, Android and Windows. Yes, in Intune compliance policies, we don’t have an option to select a specific OS platform. The three common groupings available are 1. System Security 2. Device Health and 3. Device Properties. All the steps to create an Intune compliance policy are explained in the video tutorial above.
How to Deploy Compliance Policies using SCCM CB Hybrid?
Yes, compliance policies can be deployed only to User Collections, not to device collections in SCCM. There are no DEVICE collections in the drop-down menu! Yes, this makes sense because compliance policies are associated with conditional access policies in BYOD and CYOD scenarios. Another point is the granularity which SCCM CB provides in terms of the compliance rules/policy evaluation schedule. You can change the compliance policy evaluation schedule! By default, the SCCM CB compliance policy evaluation schedule is 23 hours. You can change and customize it according to your needs. All the steps to deploy an SCCM compliance policy are explained in the video tutorial above.
How to deploy compliance policy using Intune?
Yes, compliance policies can be deployed only to User Groups in Intune, not to device groups. Moreover, there is no granularity given in the scheduling of the compliance policies if you compare it with SCCM CB. Rather, Intune provides a global setting for all the compliance policies which we create for that tenant. Check out the Intune compliance policy settings… what is that? It’s the compliance status validity period… Nice! It’s a global setting: we can’t specify 31 days for one compliance setting and 20 days for another compliance setting! All the steps to deploy an Intune compliance policy are explained in the video tutorial above.
Difference Between Intune vs SCCM CB Hybrid Compliance Policies
Following are the differences which I have noticed between Intune and SCCM CB Hybrid compliance policies:
– There is no option to select a specific supported platform in Intune. However, with SCCM CB, we can create platform-specific compliance policies.
– There is no granularity in the deployment scheduling options with Intune. However, a lot more scheduling options are available for SCCM CB compliance policies.
Outcome/Result of Compliance policies – Windows 10 device
Following is an example of a Windows 10 machine which is AAD and MDM joined but is not in compliance. This is because device encryption is not enabled on the Windows 10 machine.
Following is an example of a Windows 10 device which is compliant with the policies which an organization has set. Once the Windows 10 device is compliant, the user can access corporate mail and other resources.
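A local pre-check for the non-compliant state described above (AAD joined and MDM managed, but not encrypted), as an added example that is not from the original post or video. It takes `dsregcmd /status` text and the `ProtectionStatus` value from `Get-BitLockerVolume` as inputs; the function names and sample output are constructed, and the result approximates, rather than reproduces, the evaluation Intune or SCCM performs.

```powershell
# Constructed sample of "dsregcmd /status" output (trimmed to the fields used).
$sampleDsreg = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                    MdmUrl : https://enrollment.example.invalid/discovery.svc
'@

function Get-DsregField {
    # Hypothetical helper: dsregcmd prints "Name : Value" pairs;
    # return the value for $Name, or $null when the field is absent.
    param([string]$Text, [string]$Name)
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + '\s*:\s*(.*?)\s*$'
    $m = [regex]::Match($Text, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Test-ComplianceReadiness {
    # Hypothetical helper: combines join state, MDM hint and encryption state.
    param(
        [string]$DsregText,
        [string]$ProtectionStatus   # 'On' or 'Off' from Get-BitLockerVolume
    )
    $aadJoined = (Get-DsregField $DsregText 'AzureAdJoined') -eq 'YES'
    # A populated MdmUrl is a hint that the device is MDM managed, not proof.
    $mdmUrl    = Get-DsregField $DsregText 'MdmUrl'
    $mdmHint   = -not [string]::IsNullOrWhiteSpace($mdmUrl)
    $encrypted = $ProtectionStatus -eq 'On'
    [pscustomobject]@{
        AzureAdJoined = $aadJoined
        MdmUrlPresent = $mdmHint
        Encrypted     = $encrypted
        Ready         = $aadJoined -and $mdmHint -and $encrypted
    }
}

# Constructed case matching the post: joined and managed, encryption off.
Test-ComplianceReadiness -DsregText $sampleDsreg -ProtectionStatus 'Off'

# On a real Windows 10 device, from an elevated prompt:
# $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
# Test-ComplianceReadiness -DsregText (dsregcmd /status | Out-String) `
#     -ProtectionStatus $vol.ProtectionStatus
```

For the constructed input, `Encrypted` and `Ready` are both false while the join and MDM fields are true, which is the state that blocks access to corporate mail until encryption is enabled.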