Microsoft System Center Configuration Manager remains a preeminent tool for system and device management across an enterprise, but it faces increased challenges for remote devices connecting through the internet.
Microsoft is improving System Center Configuration Manager (SCCM) to meet these remote management challenges, and the cloud management gateway (CMG) feature offers a convenient means of managing Configuration Manager client devices over the internet. IT can deploy CMG as a cloud service in Azure, effectively using the CMG as an SCCM management point in Azure.
The goal is to allow the public cloud to support roaming devices without the need for additional local infrastructure or the risks involved with exposing more local infrastructure to the internet.
Prerequisites for using a Cloud Management Gateway
Using SCCM through the cloud management gateway requires numerous infrastructure components -- both on site and in Azure. There are four principal local services that IT must have in place.
- Management point: the system role that services normal local client requests for device management and reporting;
- Software update point: the system role that services normal local client requests for software updates;
- Service connection point: the system role that connects to Azure's cloud service manager component, which operates CMG deployment tasks. The service connection point also monitors and reports service health and log information from Azure Active Directory; and
- CMG connection point: the system role that establishes a continuous, high-performance connection from the local network to the CMG service in Azure. This connection forwards endpoint client requests from the cloud to the local data center. The CMG connection point also communicates settings to the CMG such as connection information and security settings.
There are also two major components in Azure that desktop admins need in place:
- CMG cloud service: This Azure service authenticates and forwards requests from System Center Configuration Manager to the local CMG connection point. This service is the Azure side of the CMG link; and
- Cloud distribution point: This is responsible for distributing content to internet-based client endpoints.
This entire connection also depends on internet-based client endpoints connecting to the CMG. Certificate-based HTTPS keeps communication between the client devices and the CMG secure, while public key infrastructure (PKI) certificates or Azure AD provide the device identity and authentication.
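One way to check that the six components listed above actually exist in a site is to enumerate them with the Configuration Manager PowerShell module. The script below is an added example, not from the article or from Microsoft's documentation; it assumes it runs on a host with the Configuration Manager console installed (the cmdlets and the site PSDrive come from that installation), that the account has read access to the site, and that the site code `PS1` is a placeholder to replace. The function name `Get-CmgPrerequisiteReport` and the `$prerequisites` table are this example's own.

```powershell
# Added example: inventory the on-site and Azure components the article lists as
# CMG prerequisites. Assumes a console host and a placeholder site code (see lead-in).
$SiteCode = 'PS1'   # placeholder site code; replace with your own

# The console installation ships the module and creates the <SiteCode>: PSDrive on import.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Each component from the article, mapped to the cmdlet that enumerates it.
$prerequisites = [ordered]@{
    'Management point'          = { Get-CMManagementPoint }
    'Software update point'     = { Get-CMSoftwareUpdatePoint }
    'Service connection point'  = { Get-CMServiceConnectionPoint }
    'CMG connection point'      = { Get-CMCloudManagementGatewayConnectionPoint }
    'CMG cloud service (Azure)' = { Get-CMCloudManagementGateway }
    'Cloud distribution point'  = { Get-CMCloudDistributionPoint }
}

function Get-CmgPrerequisiteReport {
    foreach ($name in $prerequisites.Keys) {
        try {
            $instances = @(& $prerequisites[$name])
        }
        catch {
            # A cmdlet that fails (e.g. insufficient rights) is reported, not hidden.
            $instances = @()
            Write-Warning "$name: $($_.Exception.Message)"
        }

        # Site system roles expose NetworkOSPath (\\server.fqdn); the CMG cloud
        # service object is identified by its Name instead.
        $where = $instances | ForEach-Object {
            if ($_.PSObject.Properties['NetworkOSPath']) { $_.NetworkOSPath } else { $_.Name }
        }

        [pscustomobject]@{
            Component = $name
            Present   = $instances.Count -gt 0
            Count     = $instances.Count
            Where     = ($where -join '; ')
        }
    }
}

# A row with Present = False is a missing prerequisite.
Get-CmgPrerequisiteReport | Format-Table -AutoSize
```

The report only covers the site-side and Azure-side components; it does not verify the client-facing side (a valid HTTPS certificate on the CMG service and PKI or Azure AD identity on the clients), which has to be checked separately.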
Unsupported features with SCCM and CMG
The Cloud Management Gateway can be a versatile option for managing remote devices through SCCM, but it's not perfect. Although the CMG brings many SCCM features to the cloud, there are many SCCM functions that the CMG does not support. Some of the most notable examples of this missing support include Configuration Manager console, client push, automatic site assignment and BitLocker.
Common use cases for SCCM in the cloud
There are numerous use cases for SCCM with CMG in the enterprise. For example, IT can manage traditional Windows 8.1 and Windows 10 client endpoints with a CMG joined to the enterprise domain through Active Directory (AD). In this example, PKI certificates encrypt communication between the enterprise and the endpoints.
As an alternative, CMG can help IT admins manage Windows 10 client endpoints joined to the cloud domain through Azure AD. In this case, clients can authenticate through Azure AD directly and forego the use of PKI certificates.
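Whichever identity option is used, every internet client talks to the CMG over certificate-based HTTPS, so the server certificate the CMG service presents is worth checking from the outside before and after rollout (expiry, issuer, chain validity and whether the name on it matches the endpoint clients are pointed at). The function below is an added example, not code from the article or from Microsoft; it uses only .NET classes available in Windows PowerShell, and the CMG host name is a placeholder to replace with your own service FQDN. The function name `Get-CmgServerCertificateReport` is this example's own.

```powershell
# Added example: open a TLS session to a CMG endpoint and report on the server
# certificate it presents. The host name below is a placeholder (see lead-in).
function Get-CmgServerCertificateReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server presents during the handshake so the session
        # completes; the chain is rebuilt and judged explicitly below instead of
        # being trusted silently.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

            # Build the chain with the local machine's trust store and default (online) revocation checking.
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chainBuilds = $chain.Build($cert)
            $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $chainText = if ($chainErrors.Count -gt 0) { $chainErrors -join ',' } else { 'OK' }

            # PowerShell adds DnsNameList to X509Certificate2 objects (the SAN entries).
            # An exact name or a wildcard entry for the parent domain counts as a match.
            $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
            $nameMatch = [bool]($names | Where-Object {
                $_ -eq $HostName -or ($_.StartsWith('*.') -and $HostName -like $_)
            })

            [pscustomobject]@{
                Host          = $HostName
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                DaysToExpiry  = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Thumbprint    = $cert.Thumbprint
                Protocol      = $ssl.SslProtocol
                ChainBuilds   = $chainBuilds
                ChainStatus   = $chainText
                HostNameMatch = $nameMatch
            }
        }
        finally { $ssl.Close() }
    }
    finally { $tcp.Close() }
}

# Placeholder host name; replace with the CMG service FQDN clients are configured to use.
Get-CmgServerCertificateReport -HostName 'cmg-placeholder.cloudapp.net' | Format-List
```

`ChainBuilds` false, a `ChainStatus` other than `OK`, `HostNameMatch` false or a small `DaysToExpiry` are the conditions under which internet clients will stop trusting the gateway, so they are the values to alert on.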
Using either approach, IT administrators can accomplish a wide range of tasks such as rolling out software updates, implementing endpoint protection, determining endpoint inventory and status (also known as device health), enforcing compliance settings, distributing software to endpoint devices and handling Windows 10 upgrades. The use of Azure AD also allows administrators to distribute software to the remote user and not just the remote device.
Another use case for CMG and SCCM in the cloud is that administrators can install a Configuration Manager client on Windows 10 endpoints over the internet. This approach relies on Azure AD for device authentication to the CMG. CMG registers and assigns the client devices that connect in this case. IT can install the Configuration Manager client manually or through a software distribution platform such as Microsoft Intune. It's worth noting that Microsoft recently combined SCCM and Intune and rebranded the platform as Microsoft Endpoint Manager.
IT professionals could also opt for co-management when it's desirable to manage Windows 10 endpoint clients using a mix of both SCCM in the cloud -- with CMG -- and Microsoft Intune. In this situation, IT can configure existing client systems without CMG. For new devices, however, IT admins will need CMG, Azure AD, Microsoft Intune, Configuration Manager and Windows Autopilot.
Co-management can add complexity to the environment, but it is necessary when an organization chooses to offload some management to the cloud or other specialized tools. Co-management can allow IT admins to handle Windows Server Update Services software updates as Windows Update for Business updates. Similarly, IT can address traditional Group Policy Object policies, security settings, SCCM software distribution and SCCM endpoint protection as Intune baseline policies, Intune security policies, Intune software distribution and Intune endpoint protection, respectively.
When would SCCM in the cloud be most helpful for IT?
Expanding endpoint management into a public cloud, such as Azure, can be beneficial in a range of situations. Perhaps the most direct reason to use this approach is the simplified management for remote or roaming endpoint devices such as laptops. With SCCM in the cloud and CMG, a user can connect to the data center from almost any location where internet connectivity is available. The user's connection and authentication take place through the public cloud. This insulates the enterprise data center and its infrastructure, thus enhancing control and security of the data center.
A similar scenario occurs with remote office/branch office environments. Traditionally, remote endpoints connect to the primary data center through a VPN or dedicated WAN, but both connectivity options can be costly and challenging to manage. IT can support low-priority remote locations using SCCM and CMG, allowing an organization to centrally manage remote resources while providing the data center with the isolation of the public cloud.
Mergers and acquisitions pose serious problems for IT administrators when they must blend multiple IT environments. SCCM and CMG can provide at least a temporary fix for handling centralized management by joining devices to Azure AD and managing outside devices through a CMG. This will work well enough as a temporary option until IT can implement a common management platform.
As one final example, IT can use SCCM and CMG to support more traditional Windows Workgroup client devices. Workgroups often need additional configuration, such as certificates for authentication. SCCM and CMG support token-based authentication, and IT can use it for remote workgroup clients.