Applies to: Configuration Manager (current branch)
This article answers frequently asked questions about the cloud management gateway (CMG). For more information, see CMG overview.
Do I need any certificates?
Yes, at least one, and possibly more, depending on your design.
Server authentication certificate: CMG creates an HTTPS service that internet clients connect to. The service requires a server authentication certificate to build the secure channel. You can obtain this certificate from a public provider or issue it from your public key infrastructure (PKI). For more information, see CMG server authentication certificate.
Client authentication certificate: Depending on your CMG environment and design, you can use PKI certificates to authenticate clients. This authentication method doesn't support user-centric scenarios, but it does support devices running any supported version of Windows. For more information, see Configure client authentication for CMG: PKI certificate.
When you use this client authentication method, you also need to export the trusted root chain of the client certificate (the root CA and any intermediate CAs). You supply this chain when you create the CMG and the CMG connection point, so that the CMG can validate the client certificates it receives.
HTTPS-enabled management point: Depending on how your site is configured and which client authentication method you choose, you may need to configure the internet-facing management points for HTTPS. For more information, see Configure client authentication for CMG: Enable the management point for HTTPS.
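The following PowerShell is an added example, not code from the Configuration Manager documentation. It locates the PKI client authentication certificate on a reference client, builds its chain the same way the client would (including an online revocation check), and exports every issuer in that chain as a DER .cer file for the CMG wizard. The store location, the output folder, and the choice of the newest matching certificate are assumptions.

```powershell
# Added example (not from the CMG docs). Export the trusted root chain of the
# client authentication certificate for use in the CMG / connection point setup.
# Assumptions: the certificate lives in Cert:\LocalMachine\My, carries the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2), and chains to your PKI.
$outDir = 'C:\CMG\Certs'    # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate found in LocalMachine\My.' }

# Build the chain exactly as the client would. If it fails here (untrusted root,
# unreachable CRL), the CMG will reject the client certificate as well.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($clientCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'Chain does not build; fix PKI trust or CRL reachability before exporting.'
}

# Element 0 is the leaf; every later element is an issuer (intermediates, then root).
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $c    = $_.Certificate
    $kind = if ($c.Subject -eq $c.Issuer) { 'ROOT' } else { 'INTERMEDIATE' }
    $path = Join-Path $outDir (($c.Subject -replace '[^A-Za-z0-9]', '_') + '.cer')
    Export-Certificate -Cert $c -FilePath $path -Type CERT | Out-Null   # DER-encoded .cer
    '{0,-12} {1}  {2}' -f $kind, $c.Thumbprint, $path
}
```

Import the exported files into the CMG wizard in chain order (root first, then each subordinate CA). Leaving out an intermediate CA is the most common cause of clients failing mutual authentication against the CMG even though the same certificate works against an on-premises HTTPS management point.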
Do I need Azure ExpressRoute?
No. Azure ExpressRoute lets you extend your on-premises network into the Microsoft cloud. ExpressRoute and other such VNet connections aren't required for CMG. The CMG service lets internet clients communicate with on-premises site systems through Azure without any additional network configuration. For more information, see CMG overview.
Do I need to maintain or provision an Azure VM?
No. The CMG service uses Azure platform as a service (PaaS). Using the subscription that you provide, Configuration Manager creates the necessary VMs, storage, and networking. Azure secures and updates these VMs. You don't need to maintain them. Azure VMs for CMG aren't part of your on-premises environment, as they would be with infrastructure as a service (IaaS). CMG is a PaaS service that extends your Configuration Manager environment into the cloud. For more information, see Securing PaaS deployments.
Because CMG acts only as a proxy for client communication, it doesn't process, store, or retain any client data. The communication path across the internet always uses HTTPS. For added security, configure the management point for HTTPS. Also configure the site to sign and encrypt client inventory and state messages. For more information, see Plan for security: signing and encryption.
How can I ensure service continuity during service updates?
When you scale your CMG to two or more instances, you automatically benefit from Azure update domains: Azure updates one domain at a time, so at least one instance stays available during an update. See How to update a cloud service.
I already use IBCM. If I add CMG, how will clients behave?
If you already have internet-based client management (IBCM), you can also deploy CMG. Clients receive policy for both services. When they're on the internet, they randomly choose one of these internet-facing services to use.
Do user accounts need to be in the same Azure AD tenant as the tenant associated with the subscription that hosts the CMG cloud service?
No. You can deploy the CMG in any subscription that supports Azure cloud services.
To clarify the terms:
- An Azure AD tenant is a directory of user accounts and app registrations. A tenant can have multiple subscriptions.
- An Azure subscription separates billing, resources, and services. It's associated with a single tenant.
Tip
For more information seeSubscriptions, licenses, accounts and tenants for Microsoft cloud services.
This question is common in the following scenarios:
- You have separate Active Directory and Azure AD test and production environments, but a single centralized Azure hosting subscription.
- Your use of Azure has grown organically across teams.
If you use a Resource Manager deployment, you must onboard the Azure AD tenant that's associated with the subscription. This connection lets Configuration Manager authenticate to Azure to create, deploy, and manage the CMG.
If you use Azure AD authentication for users and devices managed through the CMG, you must also onboard that Azure AD tenant. For more information about the Azure cloud management service, see Configure Azure services. After you onboard each Azure AD tenant, a single CMG can provide Azure AD authentication for multiple tenants, regardless of where it's hosted.
Example 1: One tenant with multiple subscriptions
User identities, device registrations, and app registrations all reside in the same tenant. You can choose which subscription the CMG uses. You can deploy multiple CMG services from one site into separate subscriptions. The site has a one-to-one relationship with the tenant. You decide which subscriptions to use for reasons such as billing or logical separation.
Example 2: Multiple tenants
Your environment has more than one Azure AD tenant. If you need to support user and device identities in both tenants, you must onboard the site with each tenant. This procedure requires an administrative account in each tenant to create the app registrations in that tenant. A single site can then host CMG services for multiple tenants. You can create a CMG in any available subscription in any tenant. Devices that are Azure AD joined or hybrid Azure AD joined to either tenant can use the CMG.
If the user and device identities are in one tenant, but the CMG subscription is in a different tenant, you must onboard the site with both tenants. Technically, a client app isn't required for the second tenant that only hosts the CMG service. The client app provides user and device authentication only for clients that use the CMG service.
How does CMG affect my VPN-connected clients?
Roaming clients that connect to your environment through a VPN are usually detected as being on the intranet. They then try to connect to on-premises infrastructure such as management points and distribution points. Some customers prefer to have these roaming clients managed by the cloud service even while they're connected through the VPN.
You can also associate a CMG with a boundary group. This configuration keeps these clients from using the on-premises site systems. For more information, see Configure boundary groups.
How does the management point configuration affect internal clients?
To secure the sensitive traffic that the CMG forwards, configure at least one management point for HTTPS, or configure the site for enhanced HTTP.
Then, when you set up the CMG, if you use PKI certificates for HTTPS on the CMG-enabled management point, select Allow internet-only connections in the management point properties. This setting ensures that internal clients continue to use the HTTP management points in your environment.
If you use enhanced HTTP, you don't need to configure this setting. Clients still use HTTP when they communicate directly with a CMG-enabled management point. For more information, see Enhanced HTTP.
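The same management point change from the ConfigurationManager PowerShell module, as an added example rather than code from the documentation. It enables HTTPS on one management point, restricts it to internet-only connections so internal clients never select it, and then lists every management point with its SSL state as a check. The cmdlet and parameter names are the ones I know from the module's documentation; confirm them with Get-Help in your site version. The site code and server name are assumed values.

```powershell
# Added example (not from the docs): PKI/HTTPS management point reserved for
# CMG (internet) clients, plus a check of all MPs in the site.
# Assumptions: run from a machine with the console installed; site code PS1;
# the MP already has a PKI web server certificate bound in IIS.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$siteCode = 'PS1'                        # assumed site code
$cmgMp    = 'mp-internet.contoso.com'    # assumed CMG-enabled management point
Set-Location "$($siteCode):"

# HTTPS with a PKI certificate, accepting internet clients only. With enhanced
# HTTP you would skip this and leave the MP at InternetAndIntranet.
Set-CMManagementPoint -SiteCode $siteCode -SiteSystemServerName $cmgMp `
    -EnableSsl $true -ClientConnectionType Internet

# Check: every MP in the site and whether it's SSL-enabled. SslState is a
# site-control property of the role (0 = HTTP; non-zero = HTTPS enabled).
Get-CMManagementPoint -SiteCode $siteCode | ForEach-Object {
    $ssl = ($_.Props | Where-Object PropertyName -eq 'SslState').Value
    [pscustomobject]@{
        Server   = $_.NetworkOSPath.TrimStart('\')
        Role     = $_.RoleName
        SslState = $ssl
        Https    = ($ssl -ne 0)
    }
}
```

Expect exactly the CMG-facing management point to report Https = True; if an intranet-only MP also shows up as HTTPS without a PKI client certificate deployment, domain-joined clients that pick it will fail to register.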
What are the differences in client authentication between Azure AD and certificates?
Devices can authenticate to the CMG with Azure AD or with a client authentication certificate. You can also use tokens issued by the Configuration Manager site for authentication.
If you manage traditional Windows clients with an Active Directory domain-joined identity, they need PKI certificates to secure the communication channel. These clients can run any supported version of Windows. You can use all features that the CMG supports, but software deployment is limited to device-targeted deployments. Install the Configuration Manager client before the device goes onto the internet, or use token-based authentication.
You can also manage clients running Windows 10 or later with a modern identity: either hybrid or cloud-only Azure AD joined. These clients use Azure AD for authentication instead of PKI certificates. Azure AD is easier to set up, configure, and maintain than a more complex PKI. You can perform all the same software management and deployment actions, including user-targeted deployments. It also provides additional methods to install the client on a remote device.
Microsoft recommends joining devices to Azure AD. Internet-based devices can then use Azure AD to authenticate with Configuration Manager. It also enables both device and user scenarios, whether the device is on the internet or connected to the internal network.
For more information, see Configure client authentication.
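One of the "additional methods to install the client on a remote device" mentioned above is a ccmsetup install that goes through the CMG and authenticates with Azure AD. The following PowerShell is an added example, not from the documentation. Every value is a placeholder: the CMG service name, the CMG_Proxy identifier, the site code, the tenant ID, the client app ID and the server app URI all come from your own console (the CMG properties and the Azure Services properties of the cloud management connection). The installation property names themselves (CCMHOSTNAME, SMSSITECODE, SMSMP, AADTENANTID, AADCLIENTAPPID, AADRESOURCEURI) are the documented ccmsetup properties.

```powershell
# Added example (not from the docs): install the ConfigMgr client on an
# internet-only, Azure AD joined device through the CMG. Run elevated on the
# device from a folder that contains ccmsetup.exe. All values are assumed.
$cmgFqdn   = 'cmg.contoso.com'                       # assumed CMG service name
$cmgId     = '72057594037927940'                     # assumed CMG_Proxy id (from the console)
$siteCode  = 'PS1'                                   # assumed site code
$tenantId  = '00000000-0000-0000-0000-000000000000'  # assumed Azure AD tenant
$clientApp = '00000000-0000-0000-0000-000000000000'  # assumed Azure AD client app id
$serverApp = 'https://ConfigMgrService'              # assumed server app Application ID URI

$mp = "https://$cmgFqdn/CCM_Proxy_MutualAuth/$cmgId"
$ccmArgs = @(
    "/mp:$mp",                                        # bootstrap MP = the CMG
    "CCMHOSTNAME=$cmgFqdn/CCM_Proxy_MutualAuth/$cmgId",
    "SMSSITECODE=$siteCode",
    "SMSMP=$mp",
    "AADTENANTID=$tenantId",                          # Azure AD device/user auth
    "AADCLIENTAPPID=$clientApp",
    "AADRESOURCEURI=$serverApp"
)
$proc = Start-Process -FilePath '.\ccmsetup.exe' -ArgumentList $ccmArgs -Wait -PassThru
"ccmsetup exit code: $($proc.ExitCode)  (0 = success, 7 = reboot required)"

# Check: the bootstrap log should show the CMG URL as the management point,
# and after install ClientIDManagerStartup.log records the Azure AD registration.
Get-Content "$env:windir\ccmsetup\Logs\ccmsetup.log" -Tail 15
```

Because no PKI certificate is involved, the device must already be Azure AD joined (or hybrid joined) in the tenant you onboarded; otherwise the client reaches the CMG but cannot obtain a token and the registration fails in CcmMessaging.log.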
Should I use a virtual machine scale set deployment?
Yes, if your site is version 2107 or later. It's no longer a pre-release feature, and it's recommended for all customers. If you have an existing classic CMG deployment, you can convert it to a virtual machine scale set.
If your site is version 2010 or 2103, the virtual machine scale set deployment method is a pre-release feature. It's intended only for customers with a Cloud Solution Provider (CSP) subscription.
Important
Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is removed. All CMG deployments must use a virtual machine scale set. For more information, see Removed and deprecated features.
For more information on setting up a CMG as a virtual machine scale set, see Plan for CMG.
Does a content-enabled CMG use Azure CDN?
No. Azure Content Delivery Network (CDN) isn't currently supported. A CDN is a global solution for high-bandwidth content delivery that caches content at strategically placed physical nodes around the world. For more information, see What is Azure CDN?.
Do I need to do anything about the deprecation of the Azure AD Graph API and the Azure AD Authentication Library (ADAL)?
No. You may have seen the following blog post and wondered how it relates to Configuration Manager: Update your applications to use Microsoft Authentication Library and Microsoft Graph API. That post applies to custom code that uses these authentication libraries. Configuration Manager has used the Microsoft Graph API and the Microsoft Authentication Library (MSAL) in some places for several years. The remaining components were updated in Configuration Manager version 2107 and its update rollup. If you're current with Configuration Manager versions, you don't need to do anything else.
Some people confuse the information in that blog post with the Azure AD app registrations that Configuration Manager uses for various cloud-related services. These app registrations are principals for cloud-based services, which don't directly use these authentication libraries. If an Azure Global Administrator manually created the Configuration Manager app registrations in Azure AD, they can double-check that those registrations have permissions to the Microsoft Graph API. They don't need permissions to the Azure AD Graph API. For more information, see Manually register Azure AD apps.
FAQs
How do I configure a management point for CMG?
In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select Servers and Site System Roles. On the Home tab of the ribbon, in the View group, select Servers with Role, and then select Management point from the list. Select the site system server that you want to configure for CMG traffic. Select the Management point role in the details pane, and then in the Site Role group of the ribbon, select Properties.
Which site system role handles CMG deployment?
The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks.
What is the full form of CMG in SCCM?
Cloud Management Gateway (CMG) is a feature of Microsoft Endpoint Configuration Manager (MECM, formerly SCCM or System Center Configuration Manager) that lets you manage devices even when their users are outside the corporate network.
How does CMG work?
The CMG uses a certificate-based HTTPS web service to help secure network communication with clients. Internet-based clients connect to the CMG to access on-premises Configuration Manager components. There are multiple options for client identity and authentication: Azure AD, PKI certificates, or site-issued tokens.
How do I configure SQL Server memory for Configuration Manager?
- Open SQL Server Management Studio.
- Right-click the top SQL Server instance node.
- Select Properties.
- On the Memory tab, define a limit for the minimum and maximum server memory. Configure and limit the memory to 80% of the RAM available on your server. In my case I have 16 GB available: minimum 8192, maximum 12288.
To create a distribution point group: in the Configuration Manager console, go to the Administration workspace, and select the Distribution Point Groups node. In the ribbon, select Create Group. In the Create New Distribution Point Group window, enter the Name and, optionally, a Description for the group. On the Members tab, select Add.
What is the difference between a site system and a site server?
Site system: a server onto which you install a site or a site system role. Site server: the server that hosts a site. Site system server: a server that hosts one or more site system roles but doesn't host a site.
What ports does the CMG connection point use?
These are outbound connections from the CMG connection point to the CMG service in Azure; no inbound ports are opened on-premises.
Site system role | Protocol | Port
---|---|---
CMG connection point (virtual machine scale set) | HTTPS | 10124-10139
CMG connection point (classic cloud service) | TCP-TLS | 10140-10155
CMG connection point (classic cloud service) | HTTPS | 443
CMG connection point (classic cloud service) | HTTPS | 10124-10139
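A connectivity check for the table above, as an added example that isn't from the page. Run it on the CMG connection point; it probes every port the role needs outbound and reports the ones a firewall or proxy is blocking. The CMG service name is an assumed value, and port 443 is included for the scale set case because that is the HTTPS endpoint all CMG deployment types use.

```powershell
# Added example (not from the page): verify outbound reachability from the
# CMG connection point to the CMG service for the ports in the table above.
# Assumptions: $cmgFqdn is your CMG service name; $vmss selects the row set.
$cmgFqdn = 'cmg.contoso.com'   # assumed; <name>.cloudapp.net for classic
$vmss    = $true               # $false for a classic cloud service

$ports = @(443) + (10124..10139)                      # HTTPS + per-instance HTTPS range
if (-not $vmss) { $ports += (10140..10155) }          # classic TCP-TLS channel only

$blocked = foreach ($p in $ports) {
    $r = Test-NetConnection -ComputerName $cmgFqdn -Port $p -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { $p }
}
if ($blocked) {
    Write-Warning ("Outbound to {0} blocked on: {1}" -f $cmgFqdn, ($blocked -join ', '))
} else {
    "All $($ports.Count) required ports reachable on $cmgFqdn"
}
```

A partially blocked 10124-10139 range is easy to miss: the CMG shows as healthy in the console while only some instances accept client traffic, so clients see intermittent failures rather than a clean outage.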
To open Configuration Manager Service Manager: in the Configuration Manager console, go to the Monitoring workspace, expand System Status, and select the Component Status node. In the Component group of the ribbon, select Start, and then choose Configuration Manager Service Manager.
What is the difference between CMG and co-management?
CMG and co-management are complementary. CMG enables ConfigMgr to manage internet-based systems remotely. Co-management enables the management of systems by both ConfigMgr and Intune simultaneously. It doesn't connect ConfigMgr to Intune or route or proxy ConfigMgr traffic through Intune.
Is CMG a PaaS or SaaS?
The CMG is a PaaS that extends your Configuration Manager environment into the cloud.
How do I check that my subscription can host a virtual machine scale set for CMG?
- Sign in to the Azure portal.
- From the Azure portal home page, select Create a resource under Azure services.
- Search for Virtual machine scale set.
- Select the Subscription and Resource group that you'll use for the CMG.
- In the Virtual machine scale set name field, type the prefix that you want.
How do I manage clients in Configuration Manager?
In the Configuration Manager console, go to the Assets and Compliance workspace, and select the Devices node. Select one or more devices, and then select one of the client management tasks from the ribbon. You can also right-click the device.
How do I deploy an application in Configuration Manager?
In the Configuration Manager console, go to the Software Library workspace, expand Application Management, and select either the Applications or Application Groups node. Select an application or application group from the list to deploy. In the ribbon, select Deploy.
How do I run SCCM client action cycles?
- Right-click Start and select Run.
- Enter the command control smscfgrc and select OK.
- In the Configuration Manager Properties window, switch to the Actions tab.
- The Actions tab lists all the SCCM action cycles. Select one and choose Run Now.
To update content on distribution points: in the Configuration Manager console, go to the Software Library workspace. Select the content type that you want to update. For most object types: on the Home tab of the ribbon, in the Deployment group, select Update Distribution Points. Then select OK to confirm that you want to update the content.
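The same client actions can be triggered without the control panel applet, which matters when the device is on the internet and only reachable through a remote shell. The PowerShell below is an added example, not from the page; it calls the SMS_Client WMI class's TriggerSchedule method with the documented schedule GUIDs and then shows the tail of the policy log as a check. The log path is the default client install location and is an assumption.

```powershell
# Added example (not from the page): trigger ConfigMgr client action cycles
# through WMI (root\ccm:SMS_Client.TriggerSchedule). Run elevated on the client.
# The schedule IDs are the documented SMS_Client trigger GUIDs.
$actions = [ordered]@{
    'Machine Policy Retrieval & Evaluation Cycle' = '{00000000-0000-0000-0000-000000000021}'
    'Hardware Inventory Cycle'                    = '{00000000-0000-0000-0000-000000000001}'
    'Software Inventory Cycle'                    = '{00000000-0000-0000-0000-000000000002}'
    'Software Updates Scan Cycle'                 = '{00000000-0000-0000-0000-000000000113}'
    'Software Updates Deployment Evaluation'      = '{00000000-0000-0000-0000-000000000108}'
}

function Invoke-CcmAction {
    param([Parameter(Mandatory)][string]$ScheduleId)
    # Returns $true when the client accepted the trigger; the work itself runs
    # asynchronously inside the CcmExec service.
    try {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $ScheduleId } | Out-Null
        return $true
    } catch {
        Write-Warning "TriggerSchedule $ScheduleId failed: $($_.Exception.Message)"
        return $false
    }
}

foreach ($name in $actions.Keys) {
    $ok = Invoke-CcmAction -ScheduleId $actions[$name]
    '{0,-5} {1}' -f ($(if ($ok) { 'OK' } else { 'FAIL' })), $name
}

# Check: policy retrieval should appear in PolicyAgent.log within a few seconds.
Get-Content "$env:windir\CCM\Logs\PolicyAgent.log" -Tail 10   # assumed default log path
```

Run the machine policy cycle first after changing the client settings that enable CMG use; the other cycles only pick up the new endpoints once that policy has been applied.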
How do I create a package in Configuration Manager?
In the Configuration Manager console, go to the Software Library workspace, expand Application Management, and select the Packages node. On the Home tab of the ribbon, in the Create group, choose Create Package.
How do I create a collection in Configuration Manager?
In the Configuration Manager console, go to the Assets and Compliance workspace.
- To create a device collection, select the Device Collections node. Then, on the Home tab of the ribbon, in the Create group, select Create Device Collection.
- To create a user collection, select the User Collections node. Then, on the Home tab of the ribbon, in the Create group, select Create User Collection.
How do I view CMG status in the console?
Go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node. Select the CMG in the list pane. View the traffic information in the details pane for the CMG connection point and the site system roles it connects to.
How do you check whether a patch was installed by SCCM?
In the Configuration Manager console, navigate to Monitoring > Overview > Deployments. Select the software update group or software update whose deployment status you want to monitor. On the Home tab, in the Deployment group, select View Status.
How do I check patch compliance in SCCM?
- Launch the console.
- Navigate to \Monitoring\Overview\Reporting\Reports.
- Sort the reports by Category.
- Right-click the relevant report in the Software Updates category.
- Select Run.
To find which collections a device belongs to:
- Open the Configuration Manager console.
- Navigate to \Assets and Compliance\Overview\Devices.
- Select a device (Prod-Win20 is the device in this example).
- Check the bottom of the console; several tabs are available there.
- Select the Collections tab to see the collections that the device is a member of.
Is CMG required for co-management?
When your devices are on the internet, co-management requires the Configuration Manager CMG. The CMG enables your internet-based Windows devices to communicate with your on-premises Configuration Manager deployment.
What is co-management vs. coexistence?
When you concurrently manage Windows 10 or later devices with both Configuration Manager and Microsoft Intune, this functionality is called co-management. When you manage devices with Configuration Manager and enroll them in a third-party MDM service, this functionality is called coexistence.
What replaced SCCM?
Microsoft Intune is a cloud-based endpoint manager that includes patching capabilities. As Intune can perform many of the same tasks as SCCM, many businesses might prefer Intune over SCCM as they migrate more services to the cloud.
What is the difference between Intune and SCCM?
Intune is a cloud-based solution that lets you manage company-owned and personal devices, while SCCM is a more traditional on-premises solution.
How do I renew my CMG certificate in SCCM?
- Ensure that you have the new, valid server authentication certificate (.pfx file) on the SCCM server.
- In the SCCM console, go to Administration / Cloud Services / Cloud Management Gateway.
- Right-click your CMG and select Properties.
Certificate | Name | Purpose
---|---|---
Cloud distribution point (.PFX, .CER) | ConfigMgr cloud-based distribution point certificate | Cloud DP installation; Azure management certificate
Root certificate (.CER) | All | Validate the certification path
Subordinate CA certificate (.CER) | All | Validate the certification path
Check the CMG role endpoint status
Go to Administration > Cloud Services > Cloud Management Gateway, select the CMG service name, and select the Role Endpoint tab at the bottom of the screen. It shows the communication status for the management point and software update point behind the CMG.
Configure SCCM CMG client settings
Under Administration / Client Settings, under Cloud Services, make sure Enable clients to use a cloud management gateway is set to Yes. Once configured, deploy the client settings to the desired clients. If you plan to use a cloud distribution point, it's also configured here.
To make clients prefer the management points from their boundary group:
- In the Configuration Manager console, go to Administration > Site Configuration, and select the Sites node.
- On the Home tab of the ribbon, select Hierarchy Settings.
- On the General tab, select Clients prefer to use management points specified in boundary groups.
How do I open the Configuration Manager console?
The simplest way to open the console on a Windows computer is to go to Start and start typing Configuration Manager console. You may not need to type the entire string for Windows to find the best match.
How do I set up the administration service in Configuration Manager?
In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. In the ribbon, select Hierarchy Settings. On the General page, select the option Enable the Configuration Manager console to use the administration service.
How many management points can you have in SCCM?
Each primary site supports up to 15 management points. Don't install management points on servers that are across a slow link from the primary site server or the site database server. Each secondary site supports a single management point, which must be installed on the secondary site server.
The assigned MP is the management point in the primary site that the client has selected. The resident MP is the one the client agent is actively communicating with.
What is the difference between an MP and a DP in SCCM?
MP (management point): the primary point of contact between Configuration Manager clients and the site server. DP (distribution point): the site system role that stores content (packages) for clients to install.
Where are the SCCM client source files stored?
The client installation source files are located in the <installation path>\Client folder on the Configuration Manager site server.
Which command is used to install the SCCM client?
Use the CCMSetup.exe command to install the Configuration Manager client.
How do I grant Active Directory users or groups access to SCCM?
- In the Administration workspace in SCCM, expand Security, right-click Administrative Users, and select Add User or Group.
- In the list of assigned security roles, add the appropriate security roles.
- Add the appropriate security scope for the group and select OK.