When To Use SCCM in The Cloud With A CMG
Microsoft System Center Configuration Manager remains a preeminent tool for system and device management across an enterprise, but it faces
increased challenges for remote devices connecting through the internet.
Microsoft is improving System Center Configuration Manager (SCCM) to meet these remote management challenges, and the cloud management
gateway (CMG) feature offers a convenient means of managing Configuration Manager client devices over the internet. IT can deploy CMG as a
cloud service in Azure, effectively using the CMG as an SCCM management point in Azure.
The goal is to allow the public cloud to support roaming devices without the need for additional local infrastructure or the risks involved with exposing
more local infrastructure to the internet.
Management point: the system role that services normal local client requests for device management and reporting;
Software update point: the system role that services normal local client requests for software updates;
Service connection point: the system role that connects to Azure's cloud service manager component, which operates CMG deployment tasks.
The service connection point also monitors and reports service health and log information from Azure Active Directory; and
CMG connection point: the system role that establishes a continuous, high-performance connection from the local network to the CMG service in
Azure. This connection forwards endpoint client requests from the cloud to the local data center. The CMG connection point also communicates
settings to the CMG such as connection information and security settings.
There are also two major components in Azure that desktop admins need in place:
CMG cloud service: This Azure service authenticates and forwards requests from System Center Configuration Manager to the local CMG
connection point. This service is the Azure side of the CMG link; and
Cloud distribution point: This is responsible for distributing content to internet-based client endpoints.
This entire connection also depends on internet-based client endpoints connecting to the CMG. Certificate-based HTTPS keeps communication
between the internet and client devices secure, while public key infrastructure (PKI) certificates or Azure AD provide the device identity and
authentication.
As an alternative, CMG can help IT admins manage Windows 10 client endpoints joined to the cloud domain through Azure AD. In this case, clients
can authenticate through Azure AD directly and forgo the use of PKI certificates.
Using either approach, IT administrators can accomplish a wide range of tasks such as rolling out software updates, implementing endpoint
protection, determining endpoint inventory and status (also known as device health), enforcing compliance settings, distributing software to
endpoint devices and handling Windows 10 upgrades. The use of Azure AD also allows administrators to distribute software to the remote user and
not just the remote device.
Another use case for CMG and SCCM in the cloud is that administrators can install a Configuration Manager client on Windows 10 endpoints over the
internet. This approach relies on Azure AD for device authentication to the CMG. CMG registers and assigns the client devices that connect in this
case. IT can install the Configuration Manager client manually or through a software distribution platform such as Microsoft Intune. It's worth noting
that Microsoft recently combined SCCM and Intune and rebranded the platform as Microsoft Endpoint Manager.
IT professionals could also opt for co-management when it's desirable to manage Windows 10 endpoint clients using a mix of both SCCM in the cloud
-- with CMG -- and Microsoft Intune. In this situation, IT can configure existing client systems without CMG. For new devices, however, IT admins will
need CMG, Azure AD, Microsoft Intune, Configuration Manager and Windows Autopilot.
Co-management can add complexity to the environment, but it is necessary when an organization chooses to offload some management to the cloud
or other specialized tools. Co-management can allow IT admins to handle Windows Server Update Services software updates as Windows Update for
Business updates. Similarly, IT can address traditional Group Policy Object policies, security settings, SCCM software distribution and SCCM
endpoint protection as Intune baseline policies, Intune security policies, Intune software distribution and Intune endpoint protection, respectively.
A similar scenario occurs with remote office/branch office environments. Traditionally, remote endpoints connect to the primary data center through a
VPN or dedicated WAN, but both connectivity options can be costly and challenging to manage. IT can support low-priority remote locations using
SCCM and CMG, allowing an organization to centrally manage remote resources while providing the data center with the isolation of the public cloud.
Mergers and acquisitions pose serious problems for IT administrators when they must blend multiple IT environments. SCCM and CMG can provide
at least a temporary fix for handling centralized management by joining devices to Azure AD and managing outside devices through a CMG. This will
work well enough as a temporary option until another IT administrator can implement another common management platform.
As one final example, IT can use SCCM and CMG to support more traditional Windows Workgroup client devices. Workgroups often need additional
configuration such as certificates for authentication. SCCM and CMG support token-based authentication and IT can use it for remote workgroup
clients.