When to use SCCM in the cloud with a CMG


Organizations can run SCCM in the cloud with the help of a cloud management gateway. IT admins should determine whether their organization fits these use
cases before deployment.

Stephen J. Bigelow, Senior Technology Editor


Published: 10 Nov 2020

Microsoft System Center Configuration Manager remains a preeminent tool for system and device management across an enterprise, but it faces
increased challenges with remote devices that connect over the internet rather than the corporate network.

Microsoft is improving System Center Configuration Manager (SCCM) to meet these remote management challenges, and the cloud management
gateway (CMG) feature offers a convenient means of managing Configuration Manager clients over the internet. IT deploys the CMG as a cloud
service in Azure; internet clients connect to it over HTTPS and it proxies their traffic back to the on-premises site roles, so the CMG effectively
acts as the client-facing management point in Azure.

The goal is to let the public cloud support roaming devices without standing up additional local infrastructure, such as an internet-facing
management point in a DMZ, or taking on the risk of exposing more on-premises infrastructure to the internet.

Prerequisites for using a Cloud Management Gateway


Using SCCM through the cloud management gateway requires numerous infrastructure components -- both on site and in Azure. There are four
principal local services that IT must have in place.

Management point: the site system role that services client requests for policy, inventory and status reporting;
Software update point: the site system role that services client requests for software updates;
Service connection point: the site system role that runs the cloud service manager component, which handles CMG deployment tasks. The service
connection point also monitors and reports CMG service health and log information from Azure; and
CMG connection point: the site system role that establishes a persistent, high-performance outbound connection from the on-premises network to the
CMG service in Azure. This connection forwards client requests from the cloud to the on-premises roles, so no inbound port has to be opened at the
data center. The CMG connection point also communicates settings to the CMG, such as connection information and security settings.

There are also two components in Azure that desktop admins need to consider:
CMG cloud service: This Azure service authenticates internet clients and forwards their requests to the on-premises CMG connection point. This
service is the Azure side of the CMG link; and
Cloud distribution point: This role distributes content to internet-based clients. The CMG can also be configured to serve content itself, so a
separate cloud distribution point is optional.

The whole arrangement depends on internet-based clients being able to reach the CMG. Certificate-based HTTPS protects the traffic between client
devices and the CMG, while either PKI client certificates or Azure AD provide device identity and authentication. A client that can present neither,
such as a workgroup machine, needs the token-based option discussed later.
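Before touching any site role, a practitioner usually wants to confirm from a client's point of view that the two halves of this arrangement are in place: that the CMG answers over HTTPS with a certificate the client trusts, and that the client holds an identity (PKI client certificate or Azure AD join) it can present. The following PowerShell script is an added example, not code from the article or from Microsoft; the CMG name is a placeholder assumption, and the certificate-validation callback accepts the server certificate only so the chain status can be reported, which a real client must never do.

```powershell
# Added example, not from the article: client-side pre-flight check of a CMG endpoint.
# Assumption: the CMG service name below is a placeholder; replace it with yours.
param(
    [string]$CmgFqdn = 'contoso-cmg.cloudapp.net',  # assumption: your CMG service FQDN
    [int]$Port = 443                                # the CMG listens on HTTPS only
)

# 1. Name resolution. Internet clients never see the on-premises site; they must resolve the CMG name.
$ips = (Resolve-DnsName -Name $CmgFqdn -Type A -ErrorAction Stop).IPAddress
"Resolved $CmgFqdn -> $($ips -join ', ')"

# 2. TLS handshake. The callback records the chain result and accepts the certificate
#    purely so it can be inspected; production code must not override validation.
$script:chainStatus = 'not evaluated'
$validator = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:chainStatus = $errors
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($CmgFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
$ssl.AuthenticateAsClient($CmgFqdn)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

[pscustomobject]@{
    Protocol    = $ssl.SslProtocol
    Subject     = $serverCert.Subject
    Issuer      = $serverCert.Issuer
    NotAfter    = $serverCert.NotAfter
    NameMatches = ($serverCert.DnsNameList.Unicode -contains $CmgFqdn)  # SAN must carry the CMG name
    ChainStatus = $script:chainStatus                                   # 'None' means this client trusts the issuer
}
$ssl.Dispose(); $tcp.Dispose()

# 3. Identity the client will present to the CMG.
#    PKI path: a client-authentication certificate (EKU 1.3.6.1.5.5.7.3.2) with a private key in the machine store.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'
$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku)
}
#    Azure AD path: the device must be Azure AD joined; dsregcmd reports the join state.
$aadJoined = [bool](dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

"Client-auth certificates available : $($clientCerts.Count)"
"Azure AD joined                    : $aadJoined"
if ($clientCerts.Count -eq 0 -and -not $aadJoined) {
    Write-Warning 'Neither a PKI client certificate nor an Azure AD join is present; only a bulk registration token could authenticate this device.'
}
```

Run it from a machine on an external network, not the corporate LAN, because the point is to prove the path that a roaming device will use. A ChainStatus other than None on the PKI path usually means the issuing CA of the CMG server certificate is not in the client's trusted root store, which is the most common reason a client silently fails to register through a CMG.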

Unsupported features with SCCM and CMG


The cloud management gateway can be a versatile option for managing remote devices through SCCM, but it is not a complete substitute for on-premises
connectivity. Although the CMG brings many SCCM features to internet clients, several functions do not work through it. Notable examples include the
Configuration Manager console, client push installation, automatic site assignment and BitLocker management.

Common use cases for SCCM in the cloud


There are numerous use cases for SCCM with CMG in the enterprise. For example, IT can manage traditional Windows 8.1 and Windows 10 client
endpoints that are joined to the on-premises Active Directory (AD) domain. In this example, PKI client authentication certificates identify the
endpoints to the CMG, and the HTTPS session protects traffic between the enterprise and the endpoints.

As an alternative, CMG can help IT admins manage Windows 10 client endpoints joined to the cloud domain through Azure AD. In this case, clients
can authenticate through Azure AD directly and forego the use of PKI certificates.

Using either approach, IT administrators can accomplish a wide range of tasks: rolling out software updates, implementing endpoint protection,
collecting endpoint inventory and status (device health), enforcing compliance settings, distributing software to endpoint devices and handling
Windows 10 upgrades. Using Azure AD also allows administrators to target deployments at the remote user and not just the remote device.

Another use case for CMG and SCCM in the cloud is installing the Configuration Manager client on Windows 10 endpoints over the internet. This
approach relies on Azure AD for device authentication to the CMG; the new client registers with the site through the CMG and is assigned to it. IT
can install the Configuration Manager client manually or through a software distribution platform such as Microsoft Intune. It's worth noting that
Microsoft recently combined SCCM and Intune and rebranded the platform as Microsoft Endpoint Manager.

IT professionals could also opt for co-management when it's desirable to manage Windows 10 endpoint clients using a mix of both SCCM in the cloud
-- with CMG -- and Microsoft Intune. Existing, domain-joined clients can be enrolled in co-management without a CMG. For new devices provisioned
over the internet, however, IT admins will need CMG, Azure AD, Microsoft Intune, Configuration Manager and Windows Autopilot.

Co-management adds complexity to the environment, but it is necessary when an organization chooses to offload some management to the cloud or
other specialized tools. Co-management lets IT move workloads over one at a time: Windows Server Update Services software updates become Windows
Update for Business updates. Similarly, traditional Group Policy Object policies, security settings, SCCM software distribution and SCCM endpoint
protection become Intune baseline policies, Intune security policies, Intune software distribution and Intune endpoint protection, respectively.

When would SCCM in the cloud be most helpful for IT?


Expanding endpoint management into a public cloud, such as Azure, can be beneficial in a range of situations. Perhaps the most direct reason to use
this approach is simplified management of remote or roaming endpoint devices such as laptops. With SCCM in the cloud and CMG, a device can be
managed from almost any location where internet connectivity is available. The client's connection and authentication take place in the public
cloud, which insulates the enterprise data center and its infrastructure and thus enhances control and security of the data center.

A similar scenario occurs with remote office/branch office environments. Traditionally, remote endpoints connect to the primary data center through a
VPN or dedicated WAN, but both connectivity options can be costly and challenging to manage. IT can support low-priority remote locations using
SCCM and CMG, allowing an organization to centrally manage remote resources while providing the data center with the isolation of the public cloud.

Mergers and acquisitions pose serious problems for IT administrators when they must blend multiple IT environments. SCCM and CMG can provide
at least a temporary fix for centralized management by joining the acquired devices to Azure AD and managing them through a CMG. This will
work well enough as a stopgap until IT can implement a common management platform.

As one final example, IT can use SCCM and CMG to support traditional Windows workgroup client devices. Workgroup machines are neither domain
nor Azure AD joined, so they traditionally needed extra configuration, such as PKI certificates, to authenticate. SCCM and CMG also support
token-based authentication, in which a bulk registration token issued by the site stands in for a certificate, and IT can use it for remote
workgroup clients.
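The two internet-side install paths described above, Azure AD authentication for cloud-joined Windows 10 devices and token-based authentication for workgroup clients, both come down to the properties handed to ccmsetup.exe. The PowerShell script below is an added example, not code from the article or from Microsoft: it assembles the ccmsetup command line for a device that will only ever reach the site through the CMG, choosing the authentication properties by mode. Every identifier in the parameter block (CMG name, proxy ID, site code, tenant and app IDs, server app URI, token) is a placeholder assumption to be replaced with the values from your own site and Azure AD app registrations; depending on the site design, further properties such as the on-premises management point may also be required.

```powershell
# Added example, not from the article or Microsoft's own scripts: build and run the
# Configuration Manager client install for an internet-only device through a CMG.
# Every value in the param block is a placeholder (assumption).
param(
    [Parameter(Mandatory)][ValidateSet('AzureAD', 'Token')]
    [string]$AuthMode,
    [string]$CmgFqdn      = 'contoso-cmg.cloudapp.net',              # assumption: CMG service FQDN
    [string]$CmgProxyId   = '72057594037927939',                      # assumption: number after CCM_Proxy_MutualAuth in your CMG URL
    [string]$SiteCode     = 'PS1',                                    # assumption: site code
    [string]$TenantId     = '00000000-0000-0000-0000-000000000000',   # assumption: Azure AD tenant ID
    [string]$ClientAppId  = '00000000-0000-0000-0000-000000000000',   # assumption: Azure AD client app ID
    [string]$ServerAppUri = 'https://ConfigMgrService',               # assumption: Azure AD server app ID URI
    [string]$RegToken     = '',                                       # assumption: bulk registration token issued by the site
    [string]$CcmSetup     = (Join-Path $PSScriptRoot 'ccmsetup.exe')  # ccmsetup.exe copied next to this script
)

$cmgPath = "$CmgFqdn/CCM_Proxy_MutualAuth/$CmgProxyId"

# Refuse to continue if the CMG is unreachable; ccmsetup would otherwise sit in its retry loop.
if (-not (Test-NetConnection -ComputerName $CmgFqdn -Port 443 -InformationLevel Quiet)) {
    throw "Cannot reach $CmgFqdn on TCP 443 from this network."
}

# Common properties: the CMG is the client's management point, and the client is assigned to the site
# explicitly because automatic site assignment does not work through a CMG.
$arguments = @(
    "/mp:https://$cmgPath",
    "CCMHOSTNAME=$cmgPath",
    "SMSSiteCode=$SiteCode"
)

switch ($AuthMode) {
    'AzureAD' {
        # Azure AD joined device: ccmsetup obtains a device token and presents it to the CMG.
        $arguments += "AADTENANTID=$TenantId"
        $arguments += "AADCLIENTAPPID=$ClientAppId"
        $arguments += "AADRESOURCEURI=$ServerAppUri"
    }
    'Token' {
        # Workgroup or otherwise unjoined device: a short-lived bulk registration token stands in
        # for a PKI certificate or an Azure AD identity. Treat the token as a credential.
        if ([string]::IsNullOrWhiteSpace($RegToken)) { throw 'Token mode requires -RegToken.' }
        $arguments += "/regtoken:$RegToken"
    }
}

"Running: $CcmSetup $($arguments -join ' ')"
$proc = Start-Process -FilePath $CcmSetup -ArgumentList $arguments -Wait -PassThru

# ccmsetup exit codes: 0 = success, 7 = success but a reboot is required.
switch ($proc.ExitCode) {
    0 { 'Client installed.' }
    7 { 'Client installed; reboot required.' }
    default {
        Write-Warning "ccmsetup exited with $($proc.ExitCode). Last lines of ccmsetup.log:"
        Get-Content "$env:windir\ccmsetup\Logs\ccmsetup.log" -Tail 20
    }
}
```

Two points matter in practice. First, the site code is passed explicitly because, as noted above, automatic site assignment is one of the features a CMG does not support. Second, in token mode the registration token is visible on the command line and is written into ccmsetup.log, so distribute it through a channel you would use for any other secret and use a fresh token per deployment wave rather than embedding one in a long-lived image.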