Setup Overview (InTune)

Contents of this Page

  1. Overview Diagram

  2. Overview of the High Level Setup Steps

  3. Links to Detailed Setup documentation and SME involvement


Overview Diagram

[Diagram: CI Sync for InTune to SN - High Level Topology (inc Step Bubbles)]

Overview of the High Level Setup Steps

Each of the high-level steps references the CI Sync Detailed Setup Instructions. After reading the High Level Steps below, we recommend visiting the Detailed Steps Overview page.

#

Component

High Level Supporting Notes

1

Enterprise Application object in Entra ID

  1. The CI Sync SaaS setup process requires you to create an Enterprise Application object in your Entra ID.

    1. This object controls authentication of your users to the CI Sync Web UI (of your customer specific CI Sync instance).

  2. You will need to grant one or two users (those people who need to schedule sync jobs) access to the Enterprise Application.

  3. Full details of the above are described in S2 - Enrol CI Sync SaaS to your Entra ID of the Detailed Setup Instructions.

2

CI Sync Agent Managed Service Identity (App Registration)

  1. You will need to create this App Registration object in your Entra ID.

    1. This object controls authentication between the CI Sync Agent (Windows Service) and the CI Sync SaaS data ingestion API (of your customer specific CI Sync instance).

  2. You can use either Client Secret or Certificate based Authentication when configuring this object.

  3. Full details of the above are described in S3 - Create an Entra ID App Registration for CI Sync Agent Authentication of the Detailed Setup Instructions.

3

3a) InTune Managed Service Identity (App Registration)

  1. You will need to create this App Registration object in your Entra ID.

    1. This object controls authentication of the CI Sync Agent (Windows Service) to your InTune cloud repository.

  2. You can use either Client Secret or Certificate based Authentication when configuring this object.

  3. Full details of the above are described in of the Detailed Setup Instructions.

3b) InTune Cloud Repo as a data source for the CI Sync Agent

  1. There are no specific setup steps performed within InTune itself.

  2. The InTune Managed Service Identity (App Registration) described above is all that’s required for the CI Sync Agent to authenticate to InTune with read access only.

  3. Full details of the above are described in of the Detailed Setup Instructions.

4a

CI Sync Agent SQL Topics

  1. The CI Sync Agent requires a modestly sized SQL database (this DB is used for delta sync management and is referred to as the “RecVer” database).

    1. The CI Sync Agent installation will automatically create this database, or a DBA can create it in advance.

    2. The detailed setup instructions describe how the RecVer database is set up and used.

  2. The CI Sync Agent requires ReadWrite access to the CI Sync RecVer SQL Database (cisee_recver).

    1. You can use either SQL Native Login or Windows Integrated Security for the CI Sync Agent (i.e. the Windows Service) to authenticate to the SQL server hosting the database. 

    2. See diagrams on the sub pages of SQL Authentication Diagrams (InTune) (showing how agent authentication works and how it interacts with SQL).

  3. Finally, Syncfish recommend SQL Standard Edition so you can schedule two important SQL Maintenance Plans against the CI Sync RecVer DB. 

    1. See the Syncfish Knowledge Base Article titled: How-to - Configure SQL Maintenance Plans on SQL database(s) for SQL based Source Systems Plan.

4b

CI Sync Agent (Windows Service)

  1. The CI Sync Agent does not need to run on a dedicated VM.

  2. The following specs are what Syncfish use internally to test synchronizations of very large datasets on a regular basis.

  3. We use an Azure VM of “Standard D2 v3” with 2 x vCPUs, 8 GiB RAM, 127 GiB SSD (max throughput of 60 MBps & Max IOPS of 500) Standard SSD LRS, Windows Server 2019 (or 2022). Adding 16GB of RAM will boost performance.

  4. The CI Sync Agent requires outbound HTTPS to the Internet for access to (a) InTune and (b) the integration API of your CI Sync SaaS instance.

  5. See also the diagrams on the subsequent pages (that show how agent authentication works and how it interacts with SQL).

    1. CI Sync Agent and SQL are on the same server (LSOP HL Setup)

    2. CI Sync Agent and SQL are on separate servers (LSOP HL Setup)

  6. Full details of the above are described in S4 - Install the On-Prem Multi-Source Agent of the Detailed Setup Instructions.

  7. After installing the CI Sync Agent you perform two additional steps:

    1. Register the CI Sync Agent with your customer specific CI Sync SaaS Instance. See S5 - Register the Multi-Source Agent & Setup Source Connections of the Detailed Setup Instructions.

    2. Add InTune as a source system that CI Sync can read from. See in the Detailed Setup Instructions.

5

DEV/TEST ServiceNow

  1. You will need to create a user account (web service account only) for your customer specific CI Sync instance to use for authentication.  The user/web service account can use Basic Auth or OAuth.

  2. Syncfish provide a list of OOTB roles to be assigned to the account.  These are least privileged roles that allow read/write to CMDB tables and several other reference tables.

  3. For performance reasons Syncfish recommend two settings are made in ServiceNow (an API timeout value is increased, and a dictionary value is set on the CMDB). 

  4. Full details of the above are described in S6 - Configure your ServiceNow for CI Sync of the Detailed Setup Instructions.

6

CI Sync SaaS

You then do the following using your Non-Production ServiceNow Instance (e.g. ServiceNow DEV or TEST)

  1. You will add a Destination Connection (i.e. to your ServiceNow) in your CI Sync SaaS instance using the CI Sync Web UI. 

    1. See S7 - Add your ServiceNow Instance as a Destination for CI Sync of the Detailed Setup Instructions.

  2. You will run your first Sync job (a small one to start with) and then run additional sync jobs.

    1. See S8 - Run a small first Sync (then run more) of the Detailed Setup Instructions.

  3. You will assess the resulting data in your non-Production ServiceNow instance.

  4. Once you are satisfied that your non-production results/data are satisfactory, you will progress to Production (see #8 below).

7

PROD ServiceNow

The transition to synchronization into your Production ServiceNow instance is very simple:

  1. You repeat the activities mentioned in #5 above.

    1. Add a User Account (with the relevant roles).

    2. Check the REST API timeout setting and check the CMDB dictionary setting.

  2. You repeat the activities mentioned in #6 above.

    1. Add a Destination Connection (i.e. to your Production ServiceNow) in your CI Sync SaaS instance using the CI Sync Web UI. 

    2. Run your first Sync job (a small one to start with), review the results/data and then run additional sync jobs.

Important Information about Non-Production vs Production Synchronization

Before sync’ing to production we recommend you inform the Syncfish Team. This ensures Syncfish are aware in case you need extra assistance and also means Syncfish can advise how to check whether any specific CI Sync configuration settings need to be promoted from your CI Sync Test Config to your CI Sync Prod Config.
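
Item 3b above states that the InTune App Registration gives the CI Sync Agent read access only. One way to confirm that after setup is to inspect the `roles` claim of an app-only access token issued to that registration. This is an added example, not Syncfish code; the token and the permission names in it are constructed samples, since this page does not list the permissions the registration needs.

```python
import base64
import json

# Suffixes treated as read-only application permissions (assumption for this example).
READ_ONLY_SUFFIXES = (".Read.All", ".Read")


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified:
    this is for inspecting a token you requested yourself, not for trusting one."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_token(jwt: str) -> dict:
    """Split the app-only 'roles' claim into read-only and excess permissions."""
    claims = decode_claims(jwt)
    roles = claims.get("roles", [])
    excess = [r for r in roles if not r.endswith(READ_ONLY_SUFFIXES)]
    return {
        "app_id": claims.get("appid") or claims.get("azp"),  # v1 / v2 token claim
        "read_only": [r for r in roles if r.endswith(READ_ONLY_SUFFIXES)],
        "excess": excess,
        # No roles at all means the registration cannot read anything either.
        "ok": bool(roles) and not excess,
    }


def sample_token(roles):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com",
              "appid": "00000000-0000-0000-0000-000000000000",  # placeholder app id
              "roles": roles}
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "constructed"])


GOOD = sample_token(["DeviceManagementManagedDevices.Read.All"])
BAD = sample_token(["DeviceManagementManagedDevices.Read.All",
                    "DeviceManagementManagedDevices.ReadWrite.All"])

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("bad", BAD)):
        print(name, audit_app_token(tok))
```

Any entry reported under `excess` is a permission the registration holds beyond read access and is worth removing before the agent goes into production.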


Step-by-Step Setup Process and SMEs Required

| Step # | Additional Details | Link | SME Audience | Estimated Time to Complete the Step |
| --- | --- | --- | --- | --- |
| Step 1 | Review the Pre-Installation Checklist | Here | All SMEs | 10 minutes |
| Step 2 | Enrol the CI Sync SaaS application into Entra ID | Here | AAD Admin | 5 minutes |
| Step 3 | Create an Entra ID App Registration for the CI Sync Agent | Here | AAD Admin | 5 minutes |
| Step 4 | Install the Multi-Source CI Sync Agent (on a VM) | Here | Infrastructure SME, On-Prem AD Admin #1 | 5 minutes |
| Step 5 | Register the CI Sync Agent, then Setup one/more Source System Connections | Here | Source System Admins, AAD Admin #2, SQL DBA #3 | 20 minutes |
| Step 6 | Configure ServiceNow to be ready for CI Sync | Here | ServiceNow Admin | 5 minutes |
| Step 7 | Add your ServiceNow destination connection | Here | CI Sync Admin | 5 minutes |
| Step 8 | Run a small first synchronization and then progressively run larger syncs. Note: In addition to the instructions via the “here” link, Syncfish highly recommend reading the following page before your first sync: FAQ - What are the Top Tips when first synchronizing data to my non-PROD CMDB? | Here | CI Sync Admin, ServiceNow Admin, Source System Admins | |
| Other recommended sections to read | | | | |
| Appendix A | Understand how the CI Sync Agent Authenticates to SQL Server | Here | Infrastructure SME, SQL DBA #3 | |
| Appendix B | Review SQL DB Health and Configure SQL Maintenance Plans | Here | SQL DBA #3 | |


Footnotes

#1

On-Prem Active Directory SME only required if your SQL server is hosted separately (remotely) from the server that will run the CI Sync Agent.

#2

Entra ID SME is required if you intend to use synchronization source connections for cloud hosted products which require an Entra ID App Registration (service principal) for authentication.

#3

A SQL DBA is required if the person performing the CI Sync Agent installation does not have SQL sysadmin rights on the relevant SQL server.