What is multi-organisation management?
Multi-organisation management is when an NHSmail organisation has a device management plan which includes other organisations; either you manage other organisations’ devices, or another organisation manages your devices.
Any organisation managing its own devices and the devices of other organisations is referred to as a ‘parent organisation’. Organisations that have their device estates managed by another organisation (a parent organisation) are referred to as ‘child organisations’.
An example of multi-organisation management could be an Integrated Care Board (ICB) that manages the device estates of local GP Practices.
Organisations will need to confirm which type of organisation they are when completing the Intune Registration Form:
- Manages only their own devices
- Manages their own devices and the devices of one or more organisations
- Has their devices managed by another organisation
Managing multi-organisations on NHSmail Intune
There are two models for managing multi-organisations on NHSmail Intune:
Model 1 – Central Management
In this model, the parent organisation is onboarded using their ODS code and child organisations are onboarded via Local Azure Active Directory groups as required.
The benefit of this model is that it is easier for a parent organisation to manage the child organisations, as all devices are managed through the parent organisation’s ODS code, RBACs and Scope Tags.
High-level overview of Model 1:
Model 1 is the default onboarding option for multi-organisations as it will be sufficient for most multi-organisation use cases.
Benefits of Model 1:
- Flexibility for parent organisations to add / remove child organisations, as the configuration and policies are consistent throughout all the organisations
- Child organisations can be onboarded at any time as an Azure Active Directory Group
- Fewer individuals are required to manage this simpler configuration
- Only 1 Onboarding Request Form needs to be submitted
Model 2 – Devolved Management
In this model both the parent organisation and child organisations will be onboarded through their own separate ODS codes and will therefore also have separate RBACs and Scope Tags. This distributes authority to all the Local Admins for their own organisations.
High-level overview of Model 2:
In the Devolved Management Model example above, BB1 is the parent organisation. BB2, BB3 and BB4 – as child organisations – all have admin rights for their own organisations but cannot access the other child organisations.
BB1 as the parent organisation will have visibility of and the ability to manage their child organisations (BB2, BB3 and BB4).
Additional requirements for onboarding to Model 2:
- Each organisation will require their own EMS E3 and AADP2 licences
- If intending to onboard iOS devices, each organisation will need to separately link their Apple Business Manager (ABM) to the NHSmail Intune tenant
- All organisations will need to submit a separate Onboarding Request Form to be technically onboarded successfully to Model 2
Next steps and further information
If you are interested in multi-organisation management and would like to discuss how to technically set up your multi-organisation so that all relevant parent and child organisations have the required permissions / visibility, please complete the NHSmail Intune registration form and the team will be in touch.
For more information on onboarding and using NHSmail Intune as a multi-organisation, please see the NHSmail Intune Operations Guide.
Last Reviewed Date: 16/12/2022