In the previous article on the Cloud Management Gateway (CMG) functionality, we discussed the advantages this solution brings to companies for managing devices connected directly to the Internet. In this second part, I will provide the information needed to configure client systems, to install the Configuration Manager client on systems that are not connected to your network, and to distribute content to those systems.
To fully understand how the CMG functionality allows the management of internet-based systems, a brief overview of the flow is needed:
- The Service Connection Point role connects to Azure in HTTPS on port 443 by authenticating through Azure AD or through an Azure management certificate. At this point, the role proceeds with the creation of the Cloud Management Gateway on Azure; the CMG will expose a cloud service in HTTPS using a Server Authentication type certificate.
- The CMG Connection Point role activates a connection with the CMG via TCP-TLS or via HTTPS. This connection will be kept active and the channel will be established for bidirectional communication.
- The client connected to the Internet connects to the CMG in HTTPS on port 443; as for the authentication method, starting with version 2002 the following modes are available:
  - Azure Active Directory
  - Client certificate
- The CMG forwards the communication coming from the client over the connection already established with the on-premise CMG Connection Point. No inbound ports need to be opened on the firewall.
- The CMG Connection Point will forward the communication received to the respective Management Point and/or Software Update Point.
The first step in fully managing systems outside the corporate network is to instruct the Configuration Manager client to use the CMG for communication with the infrastructure and to access this service as a content repository.
Below you can find the main steps for this type of configuration:
- Open Configuration Manager console with an account with administrative rights.
- Access the Administration section and select the Client Settings node.
- Select the default policy called Default Client Settings and, from the ribbon at the top, select the Properties option.
- From the left section, select the Cloud Services option.
- Verify that the Enable clients to use a cloud management gateway and Allow access to cloud distribution point options are configured to Yes; otherwise proceed with the appropriate modifications.
- Confirm any changes by pressing the OK button.
Once the client has implemented these configurations, it will be able to communicate with the Configuration Manager infrastructure without requiring a direct connection with the on-premise environment.
If the system is unable to contact a Domain Controller or an on-premise Management Point, the client sets its connection type to Currently Internet and uses the CMG service to communicate with its site.
CM client installation on Internet-based systems
Starting with the 2002 version of Configuration Manager, a new authentication method called Token-based has been made available that allows systems to register using a specific token.
In previous releases, clients needed a Client Authentication certificate to authenticate; managing the provisioning of this certificate was complex, especially in situations where there was no on-premise PKI infrastructure or where the systems were permanently connected to the Internet.
The authentication token can be requested in the following two ways:
- Connection to the local network
- Bulk registration
In the first case, while connected to the local network, the CM client registers with its Management Point, which in turn issues a unique token (bound to a self-signed certificate present on the client) required for subsequent communications; when the client later establishes a connection via the Internet, it uses the token issued by the Management Point to communicate with the CMG.
The second way of issuing the authentication token is bulk registration; through the use of a “generic” token, it is possible to install the Configuration Manager client on systems that are unable to connect to the internal network.
It is important to underline that this token is different from the one indicated in the previous method; this token will be used exclusively to establish the first communication with the Configuration Manager infrastructure. During this initial process, the Management Point will provide another token which will be unique for each client and which will be used for all subsequent communications.
Below are the steps necessary to proceed with the issue of the token for bulk registration and subsequent installation of the CM client on an off-premise system:
- Log into the Primary Site of your infrastructure.
- Open a command prompt with administrative privileges.
- Change to the bin\x64 folder within the Configuration Manager installation directory.
- Execute the following command: BulkRegistrationTokenTool.exe /new /lifetime 10080
The /lifetime parameter sets the validity period of the token in minutes; the default value is 4320 (3 days) and the maximum value that can be set is 10080 (7 days).
- Copy the token that will be generated as the output of the above command.
- To install the CM client on a system connected to the Internet, the FQDN of the CMG is also required and must be entered on the installation command line; to get the address, follow the steps below:
  - From a device on which the Configuration Manager agent is already installed, open the Control Panel.
  - From the System and Security section, open the Configuration Manager applet.
  - Access the Network tab and press the Configure Settings button.
  - Copy the content of the Internet-based management point (FQDN) field.
- At this point, to install the CM client, log on to the Internet-connected device and execute the following command:
ccmsetup.exe /mp:<URL CMG> CCMHOSTNAME=<FQDN CMG> SMSSiteCode=<site code> /regtoken:<bulk token>
To obtain the URL of the CMG, simply prefix the CMG FQDN copied previously with https://. Below is an example of the command line to be executed:
ccmsetup.exe /mp:https://emmprdcmg.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=emmprdcmg.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=CM1 /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIk-gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg-6EVYRcCA
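As an added example (not code from the original article), the following PowerShell script reads a token produced by BulkRegistrationTokenTool.exe, checks the validity window carried in the token's nbf and exp claims before you deploy it, and assembles the ccmsetup.exe command line described above. The token path, CMG FQDN and site code are constructed placeholders.

```powershell
# Added example: validate a bulk registration token and build the ccmsetup command line.
# Assumptions (placeholders): the token was saved to C:\Temp\bulktoken.txt and the CMG
# FQDN / site code below are constructed values, not taken from any real environment.
$TokenPath = 'C:\Temp\bulktoken.txt'
$CmgFqdn   = 'cmgexample.cloudapp.net/CCM_Proxy_MutualAuth/1234567890'
$SiteCode  = 'CM1'

$Token = (Get-Content -Path $TokenPath -Raw).Trim()

# The bulk token is a JWT: three base64url segments separated by dots.
$Parts = $Token.Split('.')
if ($Parts.Count -ne 3) { throw 'Token does not look like a JWT (expected 3 segments).' }

function ConvertFrom-Base64Url([string]$Value) {
    # Restore standard base64 alphabet and padding, then decode to UTF-8 text.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# The payload (second segment) carries Type, nbf and exp as Unix timestamps.
$Claims    = ConvertFrom-Base64Url $Parts[1] | ConvertFrom-Json
$NotBefore = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Claims.nbf)
$Expires   = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Claims.exp)
$Now       = [DateTimeOffset]::UtcNow

"Token type : $($Claims.Type)"
"Valid from : $($NotBefore.UtcDateTime) UTC"
"Expires    : $($Expires.UtcDateTime) UTC"

if ($Claims.Type -ne 'BulkRegistration') {
    throw "Unexpected token type '$($Claims.Type)'; a bulk registration token is required."
}
if ($Now -lt $NotBefore -or $Now -ge $Expires) {
    throw 'Token is outside its validity window; generate a new one with BulkRegistrationTokenTool.exe /new.'
}

# Build the installation command line exactly as described in the article.
$Cmd = "ccmsetup.exe /mp:https://$CmgFqdn CCMHOSTNAME=$CmgFqdn SMSSiteCode=$SiteCode /regtoken:$Token"
$Cmd
```

Because the token can be valid for at most 7 days, running this check before copying the command to a remote device avoids a failed registration with an expired token.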
Distribute software via CMG
To distribute your packages and applications to systems outside the company through the Cloud Management Gateway, you only need to add your CMG as a Distribution Point for the content you want to make available; the main steps are listed below:
- Open Configuration Manager console with an account with administrative rights.
- Access the Software Library section, expand the Application Management folder and select the Applications or Package node based on the desired type.
- Select the application or package and from the ribbon at the top select the Distribute content option.
- Within the Content Destination section, press the Add button and select the Distribution Point option.
- At this point, select the CMG and confirm with the OK button.
- Complete the wizard and wait for the content to be replicated on the Cloud Management Gateway.
Once the content has been replicated on the Cloud Management Gateway, clients will be able to retrieve the installation binaries directly from the Internet and will be able to install applications even without a direct connection with the Configuration Manager infrastructure.
Here are some useful references to the official Microsoft documentation:
- Manage clients on the internet with Configuration Manager
- Cloud management gateway: Log file reference
- About client installation parameters and properties in Configuration Manager
This article has provided the necessary information to complete the management process through the Configuration Manager for off-premise systems. As previously reported, Microsoft has recently been focusing its efforts on an increasingly simplified management of remote devices: proof of this is certainly the continuous introduction of features related to the integration between the cloud environment and the on-premise one.