Supporting different Forest across different organizations

Hello,

Forest Discovery has intrigued me by opening up so many possibilities to manage clients. I was wondering if the below scenario can be possible:

Company X is a service provider which caters to various customers by managing their on-premise ConfigMgr environment which includes Internet Based Client Management and Cloud Services.

Company A: Is a small enterprise with 5000 client base located across various countries and cities, say majorly in Europe. They approach Company X for service.

Company B: Is a medium enterprise with 10000 client base located across various countries, say in Asia. They approach Company X for service.

Now Company X, would like to evaluate if they can:

1. Have a consolidated, highly scalable and available ConfigMgr infrastructure.

2. Use the infrastructure as a Managed Service.

3. Provide all the features of ConfigMgr

4. Not to have a ConfigMgr infrastructure at Company A & B premises. Everything exists in Company X premises. Clients of Company A & B are managed transparently.

5. Just Add Forest Discovery of Company A & B. Publish site information in Company A & B forest.

6. Can we segregate the data on SQL based on Forest

7. Can we implement Nomad on top to boost Application Deployment, OSD and SUP?

8. I am sure we will be able to segregate Boundaries, Client Settings, Deployments, SUP, Collections etc...

Please advise. Thanks in advance.

Rajiv

June 20th, 2014 4:53am

Hi

If you are looking for real multi-tenant functionality the answer as I see it would be no - it cannot be done.

And even though it is possible to configure Forest Discovery to collect information about resources in Company A and B's forests there is still a long way to go in order to actually administer them as single entities.

You cannot segregate the data in the ConfigMgr database based on forest but you could to some degree control WHO was able to see and use it using RBAC.

You could implement a Central Administration Site in Company X (Service Provider) and then create child primary sites for Company A and Company B respectively. Company X would then be able to administer both child primary sites. But most of the data will not be segregated, i.e. because of the way ConfigMgr works.

Some data is Global in nature, i.e. a Collection with a membership rule, and that will be replicated to all sites in the hierarchy no matter where it originated. You would still be able to control (using RBAC) WHO could see it using RBAC. I have not tried the above suggestion but it is the only thing that I can think of that comes even close to what you are asking. Furthermore it would be an administrative nightmare and you would normally (as in always) only use a CAS if you have more than 100.000 devices to manage.

June 20th, 2014 7:32am

You could implement a Central Administration Site in Company X (Service Provider) and then create child primary sites for Company A and Company B respectively.


... which would require a two-way trust between (X and A) and (X and B).
June 20th, 2014 7:47am

You could implement a Central Administration Site in Company X (Service Provider) and then create child primary sites for Company A and Company B respectively. Company X would then be able to administer both child primary sites. But most of the data will not be segregated, i.e. because of the way ConfigMgr works.

Not really... At least not "by design". In 2007 yes, but not in 2012.
June 20th, 2014 10:33am

I considered doing this in 2007. It wasn't worth the effort. There are cloud based solutions that offer this. Dell has one they will let partners resell. I can't recall the name of it. InTune could also be a candidate for this business model.
June 20th, 2014 10:34am

Hello Michael,

Thanks. Yes, we plan to use the following:

a. RBAC extensively for segregating access to object for Company A and B

b. In order to segregate data, do you think we would need to build a whole set of customized reports? I think it's possible, but kind of a Herculean task.

c. How about having a Nomad or Adaptiva One Site on Company A and B to consolidate hardware, or maybe use any one server to have MP?

d. if there is no trust between the forest of Company A/B and Company X, then can I still manage resources?

Please advise.

Thanks,

Rajiv

June 24th, 2014 6:57am

b) reports are subject to RBA starting with R2.
c) cannot be answered without knowing all details about the infrastructure
d) yes
June 24th, 2014 2:27pm

We do not intend to use Windows Intune. Company X being a service provider wouldn't want to nest the service contract. I guess it might be possible with 2012, but I am finding a challenge to segregate the data for Company A and B on the CAS, which is not possible at all. Maybe use Distributed views to control what replicates to CAS from Primary for each of the company. That means having a dedicated primary for each of the company.

Rajiv

June 27th, 2014 2:06am

This topic is archived. No further replies will be accepted.
