Modern management using MDM services and Intune


This topic contains 3 replies, has 3 voices, and was last updated by Brad Sams 5 months, 2 weeks ago.

    Mary Jo Foley

    Our next MJFChat, scheduled for Monday October 14, is between me and Jeremy Moskowitz, Founder and Chief Technology Officer of and PolicyPak Software. The subject of our chat is modern management of mobile devices using MDM services and Microsoft Intune.

    What questions do you have for Jeremy about MDM and Intune? No question is too big or too trivial. I’ll be chatting with him on October 14, and will ask some of your best questions directly to him. Just add your questions below and maybe you’ll be mentioned during our next audio chat.


    Hello Mary and Jeremy,

    I am soon to be a manager at a school that is moving to the cloud and reducing their on-premises servers. Their vision is to use Office 365 with Azure AD, but for the future I’d like to move the client desktops and laptops to a cloud managed service like Intune or similar. My question is, what are the basic infrastructure requirements to fully utilise cloud services including an MDM service, i.e. cat 5 network, switches, router and a basic domain controller?


    By the way, could you suggest any good courses around this subject?



    Having set up a trial Azure with the 90 day trial of Enterprise Mobility and Security E5 and a custom domain name, what is the process of setting up a user so they can log into Intune? I have set up a user and assigned them a license but still cannot sign into Intune (permissions error).
    Can you help?

    Thank you

    Brad Sams

    You can find an audio replay here.

    Mary Jo Foley : <u>00:00</u> Hi, you’re listening to the MJFChat show. I am Mary Jo Foley, AKA your community magnate. I’m here to interview tech industry experts about various topics that you, our readers and listeners, want to know about. Today’s MJFChat is going to be all about modern management using MDM services and Intune. My guest is Jeremy Moskowitz, a 15 year Microsoft MVP, founder and chief technology officer of and PolicyPak software. Welcome Jeremy.

    Jeremy: <u>00:41</u> Thank you. Thank you. Thank you.

    Mary Jo Foley : <u>00:42</u> Nice to have you on the chat.

    Jeremy: <u>00:44</u> I can’t believe we’re finally doing this, this is super exciting. I’m such a super fan, I’m bursting of a fanboy.

    Mary Jo Foley : <u>00:52</u> Aww, you know what, have we ever met in person? That’s what I was thinking.

    Jeremy: <u>00:56</u> We met in person. You were like just hanging out with some pals and, I was just like, come on. I’m going to go by the bar and see who is there. Oh my gosh, it’s Mary Jo Foley. Woo.

    Mary Jo Foley : <u>01:07</u> You know what? I feel like I feel like I know you just cause I’ve seen your picture everywhere and I’m like, I know I’ve met this guy before. Right?

    Jeremy: <u>01:15</u> I have that kind of face. I have the face.

    Mary Jo Foley : <u>01:17</u> You do. Oh, and I forgot to mention too, for our listeners, Jeremy just recently published a book. Here’s the title. Get ready. “MDM: Fundamentals, Security and the Modern Desktop using Intune, Autopilot and Azure to Manage, Deploy and Secure Windows 10”. I hope the book is big enough for that title.

    Jeremy: <u>01:37</u> Yeah, yeah. I didn’t publish it. I wrote it. But, you know, the Dummies guys published it. So it’s not just a self-published book, although I appreciate people who do self-published Amazon stuff. That’s amazing. But this is like a real publisher, you know, real quality editing, pictures, screenshots. It’s like a real thing.

    Mary Jo Foley : <u>01:59</u> All right, that’s great. We’re going to just jump right in and get you talking about the subject you know best. This is kind of a softball open ended question, but I also am interested to hear your answer. What makes device management modern in your view?

    Jeremy: <u>02:17</u> Yeah. That’s not a softball question, I think that’s like that question’s legit. So what makes something modern? Well, I think, I think to make it modern, it would be, there’s a couple of different angles. I mean, honestly there’s no really one direct thing. But I think, I think the best way to describe like what modern would be is to kind of like reach over toward the end zone goals.

    Jeremy: <u>02:42</u> Right? So I think the end zone goals are the kinds of things like that would help us, open up new scenarios that don’t exist in traditional management. So the kinds of things that I think are the best kind of targets for modern goals would be to have less stinking servers. Right? Like that’s the first thing. Because if you ask any, you know, organization of any size, like how many servers do you have?

    They kinda like grumble into their armpit and say, “Oh, I have 8 billion servers.” And especially the things that are like the SCCM servers and active directory servers and so on. So like just like get getting that count reduced. It would be a primary goal, which in and of itself doesn’t, doesn’t really get anything toward the client, but it is kind of a gist of the goal.

    Jeremy: <u>03:32</u> The second thing would be more direct communication, right? So you’ve got your endpoints and you have a straighter line of sight to them, right? So if you take something like group policy, you just take something like SCCM, it’s at least one hop, maybe two, maybe 12, between the time you click, I want to make it happen. And the time that that client picks it up in modern management world, that’s not true at all.

    In modern management world they’re cloud-joined, always on, always connected. They’re, you know, making nice to your MDM service of choice, which we’ll talk about. And then, communication is more direct. So then that that opens up, what I call the kind of new scenarios that you kinda can’t really get, without a lot of you know, grinding and, you know, teeth mashing.

    Jeremy: <u>04:19</u> So the kinds of things that you open up would be like new out of the box experiences and you know, you’ve heard of what autopilot is. And we can talk about that a little bit more down the lane. But you know, that kind of opens up a new out of box experience. And then also like remote wipe, right? So it’s like somebody leaves the company, somebody changes job roles. We’ve all heard about the ghost factory in the basement. Maybe there’s, maybe there’s a better way. So the goal for me, modern management is, you know, is trying to track track the kinds of ways that we’re working today that may be the same as what we’ve done in the past, but also new scenarios that are kind of enlightened and opened up only when you sort of have this kind of cloud connected thing that’s happening.

    Jeremy: <u>05:00</u> So that was kind of a complex answer to kind of a simple question.

    Mary Jo Foley : <u>05:03</u> No, it’s good. That was good. Then when you, when you talk about mobile devices, you don’t just mean iPhones and Android phones, right?

    Jeremy: <u>05:10</u> Yeah. In fact, for me, I’ve never even touched an Android phone. Like, like, wow, I’ve seen people use them on airplanes. I have never even typed on one.

    Mary Jo Foley : <u>05:19</u> Wait, what do you, what are you gonna do when Microsoft comes out with this new Duo phone?

    Jeremy: <u>05:26</u> I think I would buy it. I think I would check it out. I think it’s worth checking out.

    Mary Jo Foley : <u>05:31</u> But what you focus mostly on is managing windows devices, right? Yeah. Right. So for in the book, like some, somewhere in the introduction I say something to the effect of like Androids and iPhones and you know, all sorts of unusual devices are, are, are interesting and nifty and they actually, that is another aspect of what’s cool about modern management is that, um, all these, you know, kind of disparate style of devices can be, um, reasonably well managed under a single what they call pane of glass, which is not exactly accurate, but like when you pick your MDM tool of choice, which again, we can talk more about that.

    Jeremy: <u>06:06</u> The idea is that, you know, your iPhones, Androids, tablets and Windows machines are all kind of joining the same universe. The MDM service lets you do so you can partition, you know, who can do what to what devices because they’re all kind of joined. In Active Directory land, that’s really that’s kind of hard. I mean, there are ways to sort of get your Macs in there. There are sorta kind of ways to get your iPhones, if you like, really cram it hard. But it’s not, it’s not its goal. It’s like it wasn’t designed with that in mind. But this modern style method of saying, Oh, I’m going to have these, I’m going to have the end point itself has a little moving part. And that’s really where the MDM engine lives.

    Jeremy: <u>06:50</u> That’s the thing that’s sort of the secret that like the big secret that nobody really talks about for some reason is that all of these devices including really unusual devices like HoloLens and, probably these nifty devices that we haven’t seen yet that are, you know, on the, on the board for Microsoft, they’ll probably also have an MDM engine in them. And then that is what gives us the magic of being able to join an MDM service of our choice and being able to, you know, manage them from the cloud as opposed to our on prem services apps.

    Mary Jo Foley : <u>07:22</u> Some apps also have an MDM engine in them too. Right?

    Jeremy: <u>07:26</u> Well, so when we talk about apps, we’re typically talking about this other thing called MAM and MAM is sort of like, okay, the app has to be enlightened and it has to be coming from the manufacturer and it has to know about your rules.

    Jeremy: <u>07:43</u> And if then you do a copy or you try to do a paste, and then tries to like explode it, you know, or detonate the problem. But that’s technically, you know, that you can deliver a MAM directive over MDM, but the MDM kind of enginey/moving-party thing that’s in the iPhone operating system, the Android, that’s in the Surface, that’s it. You know, that that’s what’s in Windows and you know, that’s the guts of what’s in the device.

    Mary Jo Foley : <u>08:09</u> Gotcha. So maybe I should take a step back and have you talk a little bit about what is MDM and how is it different from group policy, which I think group policy is something probably many of the listeners and readers use and know a lot about.

    Jeremy: <u>08:25</u> Sure. Well I still spend a lot of time in group policy land and I just, you know, I think if I had to guess one of the questions of the people who are probably listening to this, because I get it a lot.

    Jeremy: <u>08:37</u> It’s like is group policy dead? Is it going away? Do I have to run to MDM land? And I’m going to just put it right out there and answer. No, it’s not dead. You don’t have to run to MDM land. You have a really, really long runway. Maybe forever. The way to think about this is, first of all, does Microsoft still use it internally?

    Oh yeah, they do. And second is, do they ship a product that currently has active directory? Oh, they do, then you’re probably, you’re fine. So until they turn those two lights off, then there’s nothing to worry about with regards to group policies extended lifetime out there. Now, that being said, it is true that Microsoft’s emphasis is in enlightening these new modern scenarios that you know, and they’re putting their resources into getting MDM, you know, more better.

    Jeremy: <u>09:30</u> But let’s do a quick compare and contrast. So Group Policy of course requires on-prem Active Directory. It has a, you know, its protocols are Kerberos and SMB to do the work. Group Policy is pulled from a server and it has, you know, 39 categories of interesting material that you can download, stuff like admin templates and folder redirection and all the Group Policy preferences and also third party tools. Like you know, PolicyPak and other things that you can kind of tack onto your existing Group Policy.

    So we already know, you know, we kind of like got that pretty well. MDM on the other hand, again can be lots of different device types, which we already talked about. It has the MDM engine in the device. You don’t join, I don’t know, you call, you do what’s called enroll, so you enroll into an MDM service.

    Jeremy: <u>10:18</u> The ironic part is that you actually pick an MDM service of your choice. Now some people are confused about that. They’re like, Oh, is that, is that Azure? Is that Intune? What, what is that? So let’s actually clear that up. So Azure is the directory service. That’s simply the identity that says, who are you and what’s your computer trying to do on my network?

    Right? So it’s the thing that’s like getting you the lock and key about who you are in the first place. But then after that your machine goes backward and enrolls into an MDM service of your choice. Now keep using that same phrase of your choice because there, there is choices. Now I am an MVP in enterprise mobility for Microsoft, which means that I focused and you know, my doing my comings and goings and also the book in Intune.

    Jeremy: <u>11:07</u> But there are choices out there. There’s VMware Workspace One, there’s Citrix, there is, you know, MobileIron. There’s a bunch of cloud-based MDMs that you could use as your MDM of choice. And the thing is, and the here’s like the little dirty little secret that almost nobody kind of like talks about out loud. They’re all basically the same. And the reason why they’re all basically the same is that remember the engine in each of these devices is the engine in the devices. So what’s happening in the MDM service is you’re pushing the buttons and saying, I want to do the things that gets translated to a little piece of XML snippet code. It then downloads to the device and the device is like, Oh, I’m trying to do something, I’ll do it. And so because of that, it doesn’t really matter which MDM service you use to perform the work because the work is all the same work.

    Jeremy: <u>12:00</u> Now there is some differentiation amongst the MDM services. Some try to have more clickety click things you can do. Some have some nifty what’s called sidecar extensions, where you can add more features that would not normally be part of the MDM engine, but technically the directives they’re delivering and the thing they’re talking to, it’s all lingua franca and they’re all kind of pushing the same buttons.

    Mary Jo Foley : <u>12:24</u> So, so you are a Microsoft MVP. So I expect you to kind of be favoring Intune when you’re giving people advice about MDM, but if you’re trying to be somewhat unbiased, what does Intune do that some of these others don’t?

    Jeremy: <u>12:41</u> Yes. I hope in my last answer, I was being as thoroughly unbiased as I could.

    Mary Jo Foley : <u>12:46</u> You were. You were even giving away secrets that Microsoft probably would not like out there.

    Mary Jo Foley : <u>12:51</u> Right? Right. Don’t tell everybody. Exactly. So, right, that’s where organizations that have MDM services can differentiate. There is a way to sort of like if we kind of look closely at a Honda and a Toyota and like a Subaru. I mean come on, they’re all pretty close, but there’s some differentiation if you like squint a little bit. Same kind of idea. Okay. So in Intune land, like I said, they had this idea called the sidecar service. The sidecar service is a little, extra piece of running code that will hook into Windows directly. It doesn’t hook into anything else. It will enable you to do things like install what’s called Win32 apps. We all know what those are like the WinZips of the world, the Acrobat, you know, Acrobats of the world, those kinds of things.

    Jeremy: <u>13:40</u> Where before, the idea of installing, you know, WinZip dot EXE with slash install slash, you know, directory ABC, that’s not a thing the MDM engine can do. OK. So they built it as a little sidecar engine and the other guys probably, you know, have, have a similar idea of that too. But I’m saying that that is where the differentiators can start to appear in these MDM guys.

    Mary Jo Foley : <u>14:07</u> Gotcha. Okay. So we’ve talked about MDM. We’ve talked about Intune and we’ve talked about Group Policy. Can you use MDM and Group Policy together or is it an “or” or is it an “and”.

    Jeremy: <u>14:21</u> It actually can be an “or” or an “and”. I haven’t had any coffee yet this morning, so that’s a bad sentence right there. But yeah, that’s hard. Yeah. Like Bill Clinton, tell me what is is, right.

    Jeremy: <u>14:36</u> So you can have a machine that is both what’s called MDM enrolled and also on prem joined. It has a really nifty name you get to use at cocktail parties. I like to say in the book it’s called DJ Plus Plus. It’s pretty cool, right? DJ Plus Plus. So it means you’re domain joined but more, right. So you can get directives from both houses. So you can get a Group Policy directive if you want. And you can also get an MDM directive. Now my advice in the book and also like in real life would be, you know, you can do that, but you know, try to not get directives targeting the same thing. I’m going to make something up real quick. Let’s call it KillCortana. You don’t want to try to KillCortana using Group Policy and KillCortana, you know, using MDM, that’s not good.

    Jeremy: <u>15:32</u> Now there is something in the MDM, moving part to try to negotiate that. It’s not on by default. You have to actually set it on and you can only set it in one direction, which is that you can only declare that MDM is going to win. If you don’t set it on, what happens instead is that the value becomes unknown. So you can’t know if you turn it on in one house and turn it off in another house. You can’t actually know what the state is going to be. Which is problematic for most people. So that is why they have this idea of like forcing MDM to win over Group Policy. But the point is, is like I would try to stay away from that, trying to poke the bear from two different, you know, ways.

    Mary Jo Foley : <u>16:15</u> Yeah.

    Jeremy: <u>16:16</u> That’s probably not in your best interest. So yes, you can do both. That’s how it works.

    Mary Jo Foley : <u>16:20</u> Okay, good. I remember, I think it was last year, Microsoft started talking about co-management. The idea of concurrently managing Windows 10 devices with ConfigMgr and Intune, how does that fit in here with, you know, making a choice between MDM and Group Policy and existing tools and new tools?

    Jeremy: <u>16:41</u> Well, okay, that’s a pretty broad, so let me start off with what is co-management and what’s the like what’s the goal and all that stuff. Now, right there, there are people who are better suited to answer the parts about SCCM than I am. I’m going to give it a shot. Cause I’m not purporting to be Mr. SCCM propeller head level. That’s my bailiwick. But that being said, the idea behind co-management is that you can marry up your SCCM to your Intune and then there’s, what’s this idea called workloads.

    Jeremy: <u>17:14</u> And the idea of a workload is there are different categories of functionality that you can achieve in either SCCM or Intune. Well, golly, if you want to do some in SCCM and some in Intune, there’s this nifty slider thing and you’re saying, instead of managing my updates, my Windows updates using SCCM that I used to do, I’m going to say goodbye to that and make Intune do it, but leave the other workloads, you know, working fine in SCCM. So on the one hand, it gives you the ability to sort of, you know, co-manage, use SCCM, the right tool for the right job and or Intune for the right tool for the right job, or at some point maybe cut the cord and say goodbye to SCCM. I think that’s what they’re going for there from a Group Policy perspective.

    Jeremy: <u>17:59</u> Like I said, I sort of had this idea of co policy management, right? So the idea that there is what we kind of talked about earlier of you know, who wins in Group Policy land and MDM land. So it’s sort of like you do sort of need to know, how to turn that on, how it reacts and sort of be smart about, what happens when you start enrolling machines and you have Group Policy because something’s gonna win and you may not know what it is by default.

    Mary Jo Foley : <u>18:28</u> Okay. That helps. Thanks. Microsoft autopilot, the automatic provisioning service that they’re touting these days, how does MDM fit in with this and, or how should it fit in?

    Jeremy: <u>18:43</u> Sure. Let’s talk about the best case stories first.

    Jeremy: <u>18:48</u> Let’s go with like the brochure, slicky brochure stuff first. So the idea is, you buy a pallet of machines from Dell or Lenovo or your favorite vendor that is participating. Okay. And you know, man, what a pain in the neck it is to take that pallet, take a perfectly beautiful operating system that’s already been provisioned on it by the manufacturer, which is probably the best it’s ever going to be. In the old day, you’d bring that pallet up in house, go to the ghost factory in the basement, smoke it, do some manual touching to that machine to get it ready for, you know, Fred out in the field and then ship it over to him in a FedEx box. And then he opens it up and like, hopefully it works the first day, right? Like that’s the, that’s the old style.

    Mary Jo Foley : <u>19:34</u> Okay.

    Jeremy: <u>19:34</u> So what autopilot’s trying to do is try to like flip this whole pro, like take all of that and just say goodbye to all that. So now you buy a pallet of Dells or IBMs or whatever it is from your participating vendor. They have magic purple fingers that go into your Azure tenant and will tell your Azure tenant, which in there are called hardware IDs or a, you know, some kind of specialty hardware ID that signifies which machines we’re talking about so they know that they’re yours and not some other person’s.

    So they go into your Azure and tell your Azure automatically these machines are going to be shipped. Now once those IDs are in there, you can associate them with various groups. You can, you can know that ShipIt number one is for the sales team and because the sales team is all around the world but acts exactly the same, you can maybe drop ship those machines directly to the sales team and in their house or in Starbucks or whatever, they can open it up and magic occurs.

    Jeremy: <u>20:39</u> It automatically knows when Windows is starting for the very first time to look up into the internet, look into brain, find your Azure tenant and go, this machine belongs to you. Okay, so it now knows that you bought that machine specifically because of the hardware ID. And then the MDM stuff kicks in right after that. So the MDM stuff that would kick in would be like, you know, kill Cortana and do a desktop background and deploy this software and um, connect me to my OneDrive and all the stuff like that you would want to get to, to do. And there’s nothing for the user to do except sit there and wait for software to be installed and for the computer to be done, they just click, click next, next, next and you’ve got a machine that’s, that’s the dream. Right.

    Jeremy: <u>21:28</u> Does that dream ever match reality though? Well, there are some challenges with the dream. It does work as advertised.

    Mary Jo Foley : <u>21:37</u> Okay.

    Jeremy: <u>21:37</u> So in fairness, but there is a couple of known things that are challenges that I’m sure they’re working on kind of ironing out, like the last mile problem. One of them is this idea of like, okay, let’s say you’ve got a machine that, you know, if you need to be domain joined plus plus, if you need to be on prem domain joined and also MDM enrolled, you kind of have a little bit of a problem cause if you just drop ship it to Fred’s house, Fred has no way to do, to do that domain join part because Fred can’t see the domain controller. So that’s, that’s problematic.

    Jeremy: <u>22:14</u> So that might be something that I have to iron out. Now as a stop gap measure, there’s this nifty idea called white glove, ooh white glove sounds pretty typical, right? So what is white glove, white glove is, this is my word, not Microsoft’s word, but I hope they use it. I call it an interception. Okay. So you imagine the football’s being thrown from the vendor before it gets to Fred. It goes to you. Okay. So the football gets to you, you crack it open. We know who it’s provisioned for already cause you’ve already married Fred’s ID to Fred and so on, like you know, the computer and then a couple things can happen. The first thing that can happen is that instead of having Fred wait for all that software to download, you just crack it open. You do the waiting for him, right?

    Jeremy: <u>22:53</u> Because the software might have been updated from the time that, you know, it could take awhile for Office to install and all that stuff. So you could just like have that roll forward. And if you intercept that computer at a place where you can do the domain joined stuff, well then you’re able to do that and kind of, you know, move it onward to Fred. So this kinda gives you an advantage. But then you still have that stopover. Nobody likes to have stopovers when they’re traveling.

    Mary Jo Foley : <u>23:20</u> Right.

    Jeremy: <u>23:21</u> But this is the, this is the stopover method and if that’s what you want to do, I suspect that over time this is something, I mean everybody knows that that domain join thing is problematic because you can’t see the domain controller. Who knows, maybe they’ll, maybe they’ll exercise that and work it out.

    Mary Jo Foley : <u>23:40</u> Hmm. Okay. So you’ve mentioned in a couple spots during our chat, updates and windows update. I’d like your take on how you think the Windows 10 servicing strategy is evolving and how you think it will impact or should impact IT Pro strategies around MDM.

    So I’m talking about, you know, these feature updates that come out, well, twice a year. I was going to give you months, but that’s changed over time. We used to be one month and now it’s a different month. Also just updates in general, you know, cumulative updates and all.

    Jeremy: <u>24:19</u> Well, I think what’s nice actually is I think they kind of got the memo that it’s been a pain in the neck for most people and they really backed off, which is good. I mean like I wasn’t sure, like I’m a, I’m a free thinker.

    Jeremy: <u>24:33</u> I think people tend to think problems through and they try to lead with having people’s general best, you know, best interests in mind. And so like when they sort of announced the servicing schedule, at first I was like, okay, wait, let’s see how bad it’s really going to be. And then like, okay, it turns out it wasn’t so good. Alright. So, so they really backed off on it. And just to set the stage for folks who kind of maybe didn’t get the memo and I hope I get this right and I’ll have it in front of me, but, you know, what happens, I think now is that, the big bang new features show up, you know, kind of in the fall and then kind of like, lots and lots of bugs and kind of like little low hanging fruit touch-ups show up in like March and like the spring.

    Mary Jo Foley : <u>25:17</u> It’s actually in reverse.

    Jeremy: <u>25:18</u> Thank you. I knew I’d get it wrong.

    Mary Jo Foley : <u>25:20</u> No, no, but you know, it’s been so confusing because it keeps changing.

    Jeremy: <u>25:25</u> And then one of them, one of them last 18 months, the other one last 18 months.

    Mary Jo Foley : <u>25:29</u> 18 months is the spring and 30 is the fall. So yeah, that keeps changing too.

    Jeremy: <u>25:38</u> You know this stuff right off your fingertips. Exactly right. So I think what’s good is that like this does give people who can kind of grok that schedule the ability to make decisions about how they want to you know, how they, how they want to articulate their updates. And I think it’s good for some people at your company to always be updating. I think like you don’t want to get caught on the hop to find out that your specialty scanner app just refuses to work properly. And that takes down your accounting department.

    Jeremy: <u>26:11</u> Like you should always have one guy who suffers like, sorry guys. And again, you’re the guy.

    Mary Jo Foley : <u>26:17</u> He’s the canary.

    Jeremy: <u>26:19</u> Yeah. And I go over this in excruciating detail in the book about like this idea of rings and how you can dictate a particular how you can articulate like 1% or your canaries and like 5% is your pilots and like 20% is your . Like I go into the strategy, you know that when I sat down and analyzed it and talked to folks at Microsoft and other MVPs and like what’s working, I kind of wrote it all down because like I can’t keep it all in my head and that’s why God invented paper.

    Mary Jo Foley : <u>26:49</u> So. Yep. That’s great. That’s actually a great recommendation because I know a lot of people I talk to are very confused still about how to do rings inside their company. They know they should be doing it, but they’re not exactly sure how to do that.

    Jeremy: <u>27:04</u> And there’s, and here’s the thing, I, the, one of the things that kind of caught me off guard as I was, as I was writing that part of the book was like, Hm, wait a minute. So a, there’s different vocabulary for the Office team, Windows team, OneDrive team, and there’s another one in there. So like there are like four different things you need to keep track of and they actually don’t have the same shared vocabulary.

    They actually have different, some of them have different schedules. Some have the same schedule. Yeah. Okay. So you know the advice there that’s in the MDM book actually can work retroactively for Group Policy people as well because it really is the same. You’re actually manipulating the same piece of the operating system that you’re saying, which is kind of nifty.

    Jeremy: <u>27:46</u> This is actually another one of those secrets which is like people think Windows update for business or this whole idea of windows updating is this magical cloud driven service that will kind of like orchestrate when machines upgrade. It’s actually totally exactly not how it works. The way that like doesn’t seem like that’s how it will be. How it would work. Like Oh we will dictate when things update.

    No, not how it works at all. What’s happening instead is that you’re just telling your endpoint machines how long to wait before actually achieving an update. So it’s sorta like bulls in the bullpen and holding them back, holding back the reins and then cutting the cord and bang, letting them go. So it’s much less elegant than like some magical orchestration that’s happening in the cloud. You just simply dictate to your client endpoints like, these machines have this amount of wait, these machines have this amount of wait and these, we should have this amount of wait.

    Jeremy: <u>28:41</u> And if you have no wait, well that means you’re getting it today. Right? So that would be your canary people, so yup.

    Mary Jo Foley : <u>28:47</u> Exactly. All right. Now, now I’ve got a kind of a big question here. This is from one of our listeners, Rob.

    Jeremy: <u>28:55</u> Vague or big?

    Mary Jo Foley : <u>28:56</u> Big, Rob Copestick. So here’s his scenario. He said, I’m soon to be a manager at a school that is moving to the cloud and reducing their on premises servers. Their vision is to use Office 365 and Azure AD but for the future I’d also like to move the client desktops and the laptops to a cloud managed service like Intune or similar. So my question is what is the basic infrastructure requirement to fully utilize cloud services like an MDM service? He’s actually asking, here I am, I want to get in, how do I start and how do I think about what I should do in a perfect world?

    Jeremy: <u>29:38</u> Right. That’s funny. I interpreted that a little bit differently than you did, which is good. We can talk about it. Like, I interpreted it as I want to go all in on the cloud.

    Mary Jo Foley : <u>29:47</u> I mean he’s like, I’m setting up from the beginning so I want to do it the right way.

    Jeremy: <u>29:51</u> Right. And I think that’s a really interesting perspective and not one that I think is common. So if you take a look at like a thousand companies, I don’t think it’s very common for a thousand companies or some percentage of those thousand companies to say like, screw it. We’re going to say goodbye to all of our on-prem infrastructure and rebuild from the ground up as if it never happened. I think it is common for a company that exists today or tomorrow to say like, screw it, we’re not going to build an on-prem AD domain controller.

    Jeremy: <u>30:23</u> Like, that makes sense to me. Yeah. But I think it’s rare for a company to declare that they’re like, I’m outta here. Right. I don’t think that’s, that’s not super common, but it does happen. Okay. So with that in mind, the good news for him is like, yeah, you can do what I call parallel worlds here. You can literally pretend you have like two companies that are really running side by side that have really no connection at all. I mean, if you really want to get out of the infrastructure business, and I do describe how to do this in the book, you can take on-prem shares and make them into SharePoint blobs basically. And then you can map a drive over to them and it’ll pretend and quack as if it were really like an SMB share, but it’s really happening over SharePoint and OneDrive, which is pretty nifty.

    Jeremy: <u>31:13</u> So like that’s one, you know, one part of it. Then the other part is you might as well just, like, figure out a way to get new machines and have a rolling upgrade, get rid of old laptops and smoke them and put new laptops in there and enroll them into MDM land. And don’t even do that domain join plus plus thing, just get them into MDM land. By the time you’re done, you know, you’re doing this rolling upgrade, you should be able to say goodbye to your on-prem infrastructure, provided you really have no, you know, requirements that are going to hold you back there. But again, not something I’d recommend for most people. Most people, I would say, you know, there’s value in running side by side or doing domain joined plus plus and so on, and keeping Group Policy and on-prem AD for various things.

    Jeremy: <u>31:59</u> If you want to go all in, I think you can do it, but, you know, be prepared for the bumps. And also remember, while there are some companies that are doing it, you’re moving West, man, and as such, you’re gonna catch a cold and, like, it’s gonna be hard for you in some ways because some of these new styles, some of these new things, have not, there’s some undiscovered country out there, so just be aware of that, you know.

    Mary Jo Foley : <u>32:33</u> Does he need to worry about like any infrastructural components he needs to buy? Like, he actually asked in the question about things like, do I need anything specific around a Cat 5 network, switches, routers, domain controllers. I mean, does he have to even worry about that if he wants to really kind of go greenfield?

    Jeremy: <u>32:54</u> No, not really. I mean, have nice fast wireless, and there are some scenarios in Autopilot, especially around signage, that require, like if you want a digital signage to work with Autopilot, that’s a thing you can do, which is pretty amazing. Like, hey, I wanna not go to Duluth. I want to instead just drop ’em, drop a big old digital sign and have Joe the handyman plug it in and do nothing. That’s a thing that’s supported in Autopilot. But in order to do that, you have to have hardware connections. So, other than that, you know, having good connectivity, hardwired and wireless.

    Mary Jo Foley : <u>33:33</u> You’re ready. Right.

    Jeremy: <u>33:39</u> Right.

    Mary Jo Foley : <u>33:39</u> All right, last question for you here. For people like Rob and others who are kind of just getting in here, what do you advise they do to learn about and keep current with what’s happening in MDM? You can recommend your own resources, but anything you want to suggest there?

    Jeremy: <u>33:59</u> Yeah, I will. Do you have show notes where you publish? We do. We were gonna publish a transcript. Yep. Okay, great. So, well there’s, I unfortunately, I don’t know what the name of the darn thing is, but there’s a Twitter group, I think that’s what they’re called, Twitter groups, that has all the enterprise mobility MVPs that are constantly describing nifty tricks and updates and magic tricks that they’re doing. That’s a great resource. I learn from the other guys too. They’re so smart.

    Jeremy: <u>34:31</u> They hurt my brain. They’re way smarter than me, the other guys and gals that are on there. They are just like brilliant, super brilliant. So like I’m always learning from the other MVPs. So that’s a great resource. But again, I don’t have it directly in front of me, so I can’t exactly tell you what it is.

    Mary Jo Foley : <u>34:47</u> We can add it.

    Jeremy: <u>34:48</u> Yeah. And then, you know, like I said, following their blogs. The other one that’s really nifty is Mike Niehaus, the guy who’s like Mr. Autopilot, now at Microsoft. He’s got this blog called, I think it’s called the OOF, it’s like out of office blog or something.

    Mary Jo Foley : <u>35:04</u> I saw that too. I think he’s calling it out of office hours or something like that. Yeah, office hours.

    Jeremy: <u>35:09</u> I don’t know. Okay. I’m sure he’ll listen to this, but he is like maybe the most prolific person. I don’t know how he’s able to do his real job and his blog in excruciating detail to like level 11 Ninja style.

    Mary Jo Foley : <u>35:24</u> I know.

    Jeremy: <u>35:24</u> And on his non-Microsoft blog about what’s happening in Autopilot and so on. It’s like, it’s not fair. It’s like I want. So long story short, that’s another great one that I really like. It can’t hurt to pick up my book, which is the MDM fundamentals book, which will give you a real good base hit experience about pretty much everything to try.

    If you are, you know, domain joined and want to, you know, get some MDM love. Or if you’re like our friend with the question where you just want to wipe and start again, this will also help you. I kind of wrote it with that in mind. The other part about the book that is good is that it does not suggest you need any SCCM at all. Like, there’s no prereqs at all to having SCCM to do anything at all.

    Jeremy: <u>36:16</u> So I don’t expect that you have that. Then that’s good because it’s a low barrier to entry. You know, and also in my GP answers training class, which is still mostly Group Policy stuff, it also has two big lectures on MDM as well to sort of get you, you know, killer in Group Policy and today land, and forward-thinking about what’s happening in tomorrow land as well. So that’s at my I do live training and also online training as well. Kinda think if there’s anything else that’ll be helpful with, I think those are like my top ones. Like I said, the MVP list on Twitter, Mike Niehaus’ out of office stuff, my MDM book, and, you know, the Group Policy training with the side of MDM.

    Mary Jo Foley : <u>37:00</u> Great. Those are, those are all great. So thanks and thank you so much for doing this chat, Jeremy. It was really fun to reconnect with you and hear all the latest, so appreciate it.

    Jeremy: <u>37:10</u> This is great. Super fun for me too. Thank you.

    Mary Jo Foley : <u>37:12</u> Nice. And listeners, we’re gearing up for our next MJFChat right now. I’ll be posting the information on Petri and that will be your signal to send in any questions you might want to ask before we do the chat. All you have to do is go to the MJFChat area in the forums on and submit your questions right there. In the meantime, if you or someone you know might make a good guest for an MJFChat, please don’t hesitate to drop me a note. My contact information is available on Petri. Thanks again.
