Microsoft has been hard at work making client management even more cloud friendly. You can now do device sync and device actions from within the Microsoft Endpoint Manager Admin Center.
In a previous blog post I showed you how you can enable tenant attach in Configuration Manager Technical Preview 2002.2. If you haven’t already, please check out the steps in that post before continuing.
In that blog post you enabled the tenant attach feature and as part of that you were informed that the wizard would create an Azure AD application. You can see that application in Azure AD.
Note: The keen-eyed among you will notice that I have three (ConfigMgr) apps listed below, but only the first is valid. The other two were likely the result of my first failed attempt at installing the feature, and they do not have any API permissions.
So let’s look in Intune, I mean, let’s look in the Microsoft Endpoint Manager Admin Center (or MEMAC).
Browse to https://aka.ms/memac and expand your devices.
The device named MININT-01MIIG3 is currently active in my lab, so let’s work with that one.
To understand where that device came from, you can look at the collection I pointed to in ConfigMgr when I set up the Tenant Attach (All Windows 10), and here’s a view of that collection.
You can see our active client right there.
So let’s try an action! The following actions are available:
- Sync Machine Policy
- Sync User Policy
- App Evaluation Cycle
Click on Sync Machine Policy in the MEMAC console.
Once done, you’ll see the action status in the MEMAC console (probably pending).
Look for a line that reads:
Received new nofitication. Validating basic notification details...
And after you’ve tried a few syncs you’ll see the status of your actions in the MEMAC console. If yours are still listed as pending, check the troubleshooting section below.
Note that in this version you’ll only see a maximum of three device action statuses listed. If you trigger a new Sync Machine Policy action, for example, the Device action status will simply overwrite the last matching status with your current action.
If Device action status remains in a pending state for a long time, look at the CMGatewayNotificationWorker.log on the ConfigMgr server for a failure (at the time when you initiated the action in MEMAC) like this:
Unauthorized to perform client action
- Set up Azure AD Connect on the ConfigMgr server
- Set up Cloud Management to sync Azure Directory Users to AD
Once you have done those correctly you’ll see the log reporting as follows:
Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: ..
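To check the authorization outcome without scrolling through the log by hand, the following PowerShell is an added example (not from the original post or from Microsoft) that classifies lines of CMGatewayNotificationWorker.log by the three messages quoted above. The function name, its parameters and the sample lines are assumptions; only the log file name and the message strings come from the post.

```powershell
# Added example: summarize tenant-attach client-action outcomes.
# Hypothetical helper; only the matched message strings come from the post.
function Get-TenantAttachActionOutcome {
    param(
        [string]$LogPath,   # path to CMGatewayNotificationWorker.log on your site server
        [string[]]$Lines    # or pass lines directly (used by the constructed sample)
    )
    if ($LogPath) { $Lines = Get-Content -LiteralPath $LogPath }

    $n = 0
    foreach ($line in $Lines) {
        $n++
        # "Unauthorized" is tested first: -Regex is case-insensitive, so a plain
        # "Authorized" pattern would also match the failure line. \b guards it too.
        $outcome = switch -Regex ($line) {
            'Unauthorized to perform client action' { 'Unauthorized'; break }
            '\bAuthorized to perform client action' { 'Authorized'; break }
            # \w+ tolerates either spelling of the word after "new".
            'Received new \w+\. Validating basic'   { 'Received'; break }
        }
        if (-not $outcome) { continue }

        # TemplateID is only present on the "Authorized" line shown in the post.
        $template = $null
        if ($line -match 'TemplateID:\s*(\S+)') { $template = $Matches[1] }

        [pscustomobject]@{
            Line       = $n
            Outcome    = $outcome
            TemplateID = $template
            Text       = $line.Trim()
        }
    }
}

# Constructed sample lines (message text only; real log lines carry extra metadata).
$sample = @(
    'Received new nofitication. Validating basic notification details...'
    'Unauthorized to perform client action'
    'Received new nofitication. Validating basic notification details...'
    'Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: <tenant-id-placeholder>'
)
$results = Get-TenantAttachActionOutcome -Lines $sample
$results | Format-Table Line, Outcome, TemplateID

# The most recent authorization decision shows whether the fix took effect.
$results | Where-Object Outcome -ne 'Received' | Select-Object -Last 1
```

Against the real log, call it with `-LogPath` pointing at the file in your ConfigMgr logs folder and compare the reported lines with the time you triggered the action in MEMAC.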