New Hybrid Features in Configuration Manager 1706

A Friday is not just a Friday for a Configuration Manager Consultant or Administrator. At least once or twice a month it can be one where we get some gifts from the Configuration Manager Product Team. Yesterday was again a day on which a nice gift “was released”: Update 1706 for System Center Configuration Manager! You know where the average Configuration Manager Consultant or Administrator is during such a weekend: yes, upgrading their lab and/or production environments to the latest Current Branch! Already looking forward to the adoption statistics from Brad Anderson and David James 🙂

In this release too, Microsoft invested in some really cool and handy additions to Configuration Manager, released either in preview or production. In this blog I would like to highlight the new Hybrid (Configuration Manager connected with Microsoft Intune) additions that came with 1706, and yes, the new Hybrid features are just a small part of the complete list of new features in 1706!

As we know, with Configuration Manager in place you can also easily manage your mobile devices / modern devices by connecting it to Microsoft Intune.

Check Conditional Access Compliance

Microsoft added the option to trigger a conditional access compliance check at the device collection level. The compliance state can be reviewed via the “List of devices by Conditional Access State” report, which has already been available for some time.

New Client Notification Option

Checking the Conditional Access Compliance on demand from the console can help users become compliant and get access to the services protected by conditional access earlier.

Entrust as certificate authority for PFX Certificates (hybrid only)

Until 1702, PFX Certificates could only be deployed via SCEP from the local Certificate Authority. Entrust is a commercial Certificate Authority. To use this feature you need to configure the Certificate Registration Point to support Entrust as the Certificate Authority.

Enable support for Entrust CA

Next you need to configure an Entrust MDM URL and an account name to make sure that you have an account at Entrust.

Select Entrust

While creating the certificate profile you can choose Entrust and the Certificate Registration Point, so that certificates are issued via the Entrust CA.

Read more about the solution of Entrust here.

New Android for Work features

Android for Work, is that the future or do we stick with MAM without enrollment? Not sure, but for now Microsoft has added the ability to create and deploy app configuration policies for Android for Work. Also, apps can be deployed as available apps and installed from the Company Portal.

App Configuration for Android for Work

New Compliance Policy Settings

In Microsoft Intune standalone, USB debugging and installation from unknown sources on Android devices could already be checked via compliance policies. As of now, Configuration Manager is up to par and is also able to check devices against those compliance rules.

New Android Compliance Policies

Enrollment restrictions conditions

From the start, Configuration Manager allowed you to restrict access at the device platform level.

iOS Enrollment restriction
Android Enrollment restriction

From now on we are also able to control whether personally owned iOS and Android devices may be used to enroll into Configuration Manager Hybrid and therefore may be used to access company resources.

Support added for Cisco IPSec VPN on iOS

Configuration Manager Hybrid already supports a massive range of VPN vendors, way more than Intune standalone. To support even more solutions, Microsoft added support for Cisco IPSec VPN on iOS.

Cisco IPSec VPN support added

Windows 10 – device restrictions / configuration settings

Windows 10, managed the modern way, was already well managed through device configuration policies in earlier versions of Configuration Manager Current Branch. On top of what we could already do (including everything we can already do via CSPs), Microsoft added things like controlling Device Name Modification, System Time Modification and more.

More and more Windows 10 settings added

Besides device settings, settings for the Store, Windows Information Protection and Microsoft Edge have also been added.

As you can see, the Configuration Manager Product Team has made major investments to add a lot of features to the Configuration Manager hybrid scenario, which is awesome!

See a complete list of the new features here.

