Microsoft SCCM
The Microsoft SCCM integration brings Windows device data from your existing SCCM (now MECM — Microsoft Endpoint Configuration Manager) deployment into Manage1to1 and lets your help-desk staff trigger remote actions on those devices without leaving a support ticket.
Unlike the cloud-based MDM integrations (JAMF Cloud, Google), SCCM almost always lives on-premise behind your district firewall. To respect that, the integration uses a small agent that runs inside your network, polls SCCM locally, and sends data outbound to Manage1to1 — there is no inbound connection from Manage1to1 into your network.
This integration is only meaningful if your district already runs SCCM/MECM. It does not replace SCCM — it surfaces SCCM data inside Manage1to1 so your help-desk staff can act on it.
What You Get
Once the agent is reporting:
- Per-device SCCM panel on the device profile, showing last logon user, OS version, IP/MAC, manufacturer, model, AD site, AD OU, and last hardware inventory date
- Stats and reports — Windows OS version distribution, manufacturer breakdown, agent reporting freshness, stale devices report, low disk space report, and a last-logon summary
- Remote actions issuable from the help-desk ticket Options tab:
- Lock Device — locks the workstation
- Restart — forces a graceful restart
- Force Inventory Refresh — pushes SCCM to re-collect device data
- Wipe Device — destructive remote wipe (off by default; see below)
Before You Start
You will need:
- An existing SCCM/MECM site
- A Windows server inside your network where the agent can run (typically the SCCM site server itself, but any Windows server with the right access works)
- Outbound HTTPS from that server to your Manage1to1 instance
- An IT staff member to install the agent (this is the only part that touches a server — everything else is web UI)
Step 1: Generate an API Key
- Navigate to Settings → MDM Settings
- Click Activate on the Microsoft SCCM card if it isn't already active
- Click Advanced Settings on the same card
- Click Generate API Key
- Copy the key shown in the popup — this is your only chance to capture it
The API key is only displayed once when generated. Copy it immediately and hand it to the IT staff member who will install the agent. If lost, generate a new one — the old one will keep working for 24 hours so you can update the agent without downtime.
Step 2: Install the Agent
The agent is a PowerShell script that you download once and configure with the API key from Step 1. The full installation walkthrough — including the configuration file format, scheduled-task setup, and prerequisites — ships with the agent download itself in README.txt.
Hand the API key and the agent download to your IT team. They handle the rest. You'll know it's working when the Devices Reported count on the SCCM Advanced Settings page shows a non-zero number and the Last Agent Push timestamp updates.
Step 3: Choose Which Fields to Display
The SCCM module collects fourteen fields per device. By default, all of them appear on the device profile. You can hide fields you don't want shown (or rename their labels for your district's vocabulary) on the SCCM Advanced Settings page.
- Navigate to Settings → MDM Settings → SCCM → Advanced Settings
- Scroll to the Device Profile Fields card
- Uncheck any fields you'd like to hide
- Override labels in the Display Label column (optional)
- Click Save Field Display
Disabled fields are still collected by the agent — they just don't render on the device profile. You can re-enable them at any time.
Configuring Remote Actions
The SCCM integration introduces two new admin permissions:
| Permission | Allows |
|---|---|
| SCCM: Issue Device Actions | Lock, Restart, Force Inventory Refresh |
| SCCM: Wipe Device | Wipe Device (separate because it's destructive) |
Assign these to the appropriate roles in Settings → System Settings → Roles & Permissions. The lumped action permission is granted by default to roles that already hold "Disable Device" — the wipe permission must be granted manually.
Once an admin has the appropriate permission AND the assigned ticket has a linked device that the SCCM agent has reported on, an SCCM Remote Actions card appears on the ticket. The buttons queue actions for the agent to execute on its next poll.
Enabling the Wipe Action
The wipe action is off by default. To enable it:
- Navigate to Settings → MDM Settings
- Click Manage on the Microsoft SCCM card
- Set Allow Wipe Action to Yes
- Click Save
Even with the toggle on, the wipe button will only appear for admins who hold the SCCM: Wipe Device permission. When clicked, the admin must retype the device's serial number to confirm before the wipe is queued — a misclick can't trigger a wipe.
Wipes are destructive and irreversible. The agent delegates the actual wipe workflow to a script your IT team supplies — your district decides what "wipe" means (BitLocker key destruction, OSD task sequence, third-party erase tool, etc.). If no wipe script is configured on the agent, queued wipes will fail and report back as such.
Reports
Three SCCM-specific reports surface under Reports → MDM Reports:
- Stale Devices (30+ days) — devices the agent hasn't reported on in over 30 days. Useful for finding lost or off-network endpoints.
- Low Disk Space — devices running below 10% free disk
- Last Logon Summary — per-device last logon user, AD site, and AD OU. Useful for ownership reconciliation.
Three SCCM-specific stats appear on the MDM Stats dashboard:
- Windows OS Versions — pie chart of OS version distribution
- Manufacturers — pie chart of Dell / HP / Lenovo / etc.
- Agent Reporting Freshness — Fresh / Stale (30–89 days) / Critical (90+ days) / Unknown
Key Rotation and Expiration
API keys expire after 365 days. Manage1to1 will email administrators with the System Settings permission as the expiration approaches — at 30, 14, 7, 3, and 1 days out — so there's time to rotate.
To rotate:
- Navigate to Settings → MDM Settings → SCCM → Advanced Settings
- Click Rotate Key
- Copy the new key and update the agent configuration
The previous key keeps working for 24 hours after rotation, so you have a window to update the agent without any downtime.
You can also revoke a key immediately if you suspect it's been compromised — that takes effect on the agent's next poll.
Troubleshooting
The Devices Reported count stays at zero. The agent hasn't successfully pushed yet. Confirm with your IT team that the scheduled task is running, the agent has the correct API key, and outbound HTTPS to your Manage1to1 instance is allowed by your firewall.
Devices show "unmatched" in the agent log. The serial numbers SCCM reports don't match the serials in Manage1to1's device records. Check that the device serials in Manage1to1 match what SCCM has — this is most often a casing or whitespace difference.
An action sits in "pending" forever. The agent only checks for new actions on each scheduled run. Wait for the next run, or have your IT team trigger the scheduled task manually.
An action shows "failed" with a permission error. The agent account needs admin rights on the target device for actions like Lock, Restart, and Force Inventory Refresh. Confirm with your IT team that the agent's service account has the necessary access.