
Managing Internet-based Client with ConfigMgr Current Branch


1 Managing Internet-based Client with ConfigMgr Current Branch
Panu Saukko Trainer/Consultant MVP – Enterprise Mobility ProTrainIT Oy

2 Panu Saukko
In IT since 1995, Enterprise Mobility since 2005
Training & consulting, @panusaukko

3 Managing internet clients with SCCM
Starting point: a ConfigMgr CB primary site whose MP, DP, SUP and other roles are configured for HTTP, and a need to manage PC clients outside the intranet.

4 Different options to manage internet clients
Internet Based Client Management (IBCM)
- The traditional way; has been in ConfigMgr since 2007
- Supports all OSes
Cloud Management Gateway (CMG)
- New in ConfigMgr CB 1610, updated in 1702/1706
- Still a pre-release feature: “Pre-release feature is fully supported by Microsoft, but the feature is not yet complete” (David James, @djammmer)
Intune
- Integrate an Intune tenant into ConfigMgr
Co-management
- The same client is managed by both Intune and ConfigMgr; different workloads are managed by Intune or by ConfigMgr

5 Comparison of features
Focus on IBCM & CMG. Columns on the slide: IBCM, CMG, Intune/Client, Intune/MDM; the values below are listed left to right as on the slide (some cells span several columns).
- Inventory: Full; Limited
- Settings management: MDM settings
- Software distribution to computers: Medium; Only single MSI
- Software distribution to users: Optional; No
- Task Sequences: Yes, but no OSD
- Software Updates: Yes; Limited for Win10
- Remote Assistance: Yes, TeamViewer
- PowerShell

6 IBCM architecture (diagram)
Intranet: Primary Site with MP, DP, SUP and App Catalog roles, plus the CA. DMZ: internet-facing MP, DP, SUP and App Catalog Website roles. CA = Certification Authority.

7 CMG architecture (diagram)
Azure: CMG (MP and SUP roles) and Cloud DP; clients authenticate with a certificate or with AAD. On-premises: Primary Site, MP, DP, SUP, CMG Connection Point, CA? CA = Certification Authority.

8 Co-management architecture (diagram, 1709 or later)
Azure: CMG (MP and SUP roles), Cloud DP and Intune. On-premises: Primary Site, MP, DP, SUP, CMG Connection Point, CA? CA = Certification Authority.

9 IBCM vs CMG
IBCM
- Requires HTTPS-based MP/DP/SUP in the DMZ
- Services must be published to the internet
- All clients must have certificates
- Supports user-based deployments
- Application Catalog Website point must be published to the internet
CMG
- Requires an Azure subscription; costs “real” money
- Needs at least one HTTPS-based MP/DP/SUP
- No support for user-based deployments
- Clients require certificates if OS < Windows 10; Windows 10 devices can use AAD authentication
- No internal servers need to be published to the internet

10 What is the most difficult thing?

11 General certificate requirements
Hopefully you have a working PKI hierarchy that is built correctly!
- Correct hierarchy for your needs, e.g. two-tier PKI: offline root + online enterprise subordinate CA
- Don’t use SHA1 hashes
- CRLs are published to the internet

12 Different IBCM ConfigMgr certificates
Columns: Role, Purpose, Exportable private key, Name, Note.
- ConfigMgr IIS role: Server Authentication; private key not exportable; name = intranet/internet FQDN
- DP: Workstation Authentication; private key exportable; name = intranet FQDN; 2048 max key length; also used towards the MP (MP monitoring)
- Client: name based on AD information

13 ConfigMgr server certificate templates
- Add the ConfigMgr Server group & remove Enroll rights from admins
- Still must be used
- Remove Microsoft Schannel Providers

14 Certificates Remember to select the right SSL certificate to web site bindings. Don’t forget WSUS web site!

15 ConfigMgr Server role settings

16 ConfigMgr site settings
HTTPS State Flags:
- 0 = HTTPS or HTTP
- 31 = HTTPS only
- 63 = HTTPS and CRL checking
- 95 = HTTPS and HTTP for roaming and site assignment
- 127 = HTTPS, CRL checking, and HTTP for roaming and site assignment

17 Internet client installation
Installing the client from an internet-based MP/SUP is not supported.
Command line:
CCMSetup.exe /source:C:\Clients /UsePKICert CCMHOSTNAME=srv1.domain.com SMSSIGNCERT=siteserver.cer SMSSITECODE=SA1 FSP=srv1.contoso.com CCMFIRSTCERT=1
Need to use /NoCRLCheck?

18 Installing client management gateway

19 Prerequisites
- Global administrator rights to Azure (new objects need to be created in Azure)
- Right subscription ID for your Azure tenant
- Azure management certificate (can be any trusted certificate)
- HTTPS-based site roles (MP, DP, SUP) with certificates from the internal CA
- Certificates for CMG/Cloud DP, from the local CA or from a globally trusted certificate provider

20 Azure costs (1)
Virtual machines
- CMG: A2, 2 cores, 3.5 GB RAM: $0.16/h = $3.84/d; one CMG supports ~2000 clients
- Cloud DP: 2 x A0, 1 core, 0.75 GB RAM: $0.04/h = $0.96/d
- Note: you have to pay even though the virtual machines are stopped!
Outbound data transfer
- First 5 GB free, then $0.087/GB (5 GB – 10 TB)
- Estimate 100 MB/client/month for policies with a 60 min polling interval
- Count: # of clients x package/application sizes for content download
Content storage
- Mostly the size of packages/applications
(1) Central US list prices

21 Different CMG certificates
Columns: Role, Purpose, Exportable private key, Name, Key length, Note.
- Cloud DP: Server Authentication; private key exportable; name = internet FQDN; 2048 max; use a public cert provider?
- CMG: Server Authentication; private key exportable; name = cmg-name.cloudapp.net; 2048 max
- Azure management cert: e.g. Server Authentication; any name; 2048 min; can be self-signed

22 Management certificate to Azure
- Provides “admin” rights to Azure: ConfigMgr uses it to deploy services to Azure
- Any certificate will do, self-signed or from a CA
- You need one file with the private key (.pfx, for ConfigMgr) and one without (.cer, for Azure)
- Upload a new certificate (.cer) to Azure if you don’t have an existing management certificate
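The following is an added example (not from the presentation) of producing the two files slide 22 asks for with built-in cmdlets: a self-signed certificate with a 2048-bit RSA key, exported once with the private key (.pfx) for ConfigMgr and once without (.cer) for upload to Azure. The subject name, output folder and two-year lifetime are assumptions; SHA-256 is used because slide 11 rules out SHA1.

```powershell
# Added example: self-signed Azure management certificate for ConfigMgr.
# Subject, output path and validity are assumptions; any name will do.
$subject = 'CN=ConfigMgr Azure Management'
$outDir  = 'C:\Certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 2048-bit RSA is the minimum for the management cert; the key must be exportable
# so that the .pfx can carry it to the site server / console.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# File WITH the private key: import this one into ConfigMgr (Azure Services / Cloud services wizard)
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'AzureMgmt.pfx') `
    -Password $pfxPassword | Out-Null

# File WITHOUT the private key: upload this one as the subscription's management certificate
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'AzureMgmt.cer') | Out-Null

# Sanity check: the .cer must not carry a private key, and the thumbprint is what
# you will later see in the Azure portal.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $outDir 'AzureMgmt.cer')
[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    NotAfter        = $cert.NotAfter
    CerHasPrivateKey = $public.HasPrivateKey   # expected: False
}
```

Treat the .pfx like any other admin credential: whoever holds it can deploy and delete services in the subscription, so keep it off shared file servers and delete it from the machine once ConfigMgr has imported it.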

23 Deploying CMG
- Azure Public or Government Cloud
- CMG certificate
- Trusted root & sub-CA certificates: a script needs to be run if using a sub-CA
- CRLs published to the internet?

24 Monitoring CMG installation
Log: cloudmgr.log Status messages: SMS_CLOUD_SERVICES_MANAGER

25 Other settings
- Install the Cloud Management Gateway Connection Point site role
- Allow CMG traffic to the MP/SUP

26 CMG installation with certificates
Command line:
ccmsetup.exe /UsePKICert /NoCRLCheck /source:c:\path /mp: CCMHOSTNAME=CMG123.CLOUDAPP.NET/CCM_Proxy_MutualAuth/ SMSSiteCode=007
Requires that a client certificate is available and the CA root certificate is installed!
Works with any supported OS!

27 Find CMG clients QUERY:
select SMS_R_SYSTEM.Name from SMS_R_System where SMS_R_System.ResourceId in (select resourceid from SMS_CollectionMemberClientBaselineStatus where SMS_CollectionMemberClientBaselineStatus.CNAccessMP like '%.cloudapp.net/%')
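As an added example (not from the presentation), the same test the WQL above applies to CNAccessMP can be run from PowerShell against the SMS Provider to list every client together with the MP it last used, so that CMG clients and intranet clients are visible side by side. The provider server name and site code are assumptions taken from later slides.

```powershell
# Added example: list clients by access MP and flag the ones coming in via CMG.
# Provider server and site code are assumptions; change them for your site.
param(
    [string]$ProviderServer = 'srv001.santa.local',
    [string]$SiteCode       = 'SA1'
)
$ns = "root\SMS\site_$SiteCode"

# ResourceId -> Name lookup, so the report can show computer names
$names = @{}
Get-WmiObject -ComputerName $ProviderServer -Namespace $ns `
    -Query 'select ResourceId, Name from SMS_R_System' |
    ForEach-Object { $names[[int]$_.ResourceId] = $_.Name }

# SMS_CollectionMemberClientBaselineStatus has one row per collection membership;
# keep one row per client. CNAccessMP is the MP the client last talked to.
$status = Get-WmiObject -ComputerName $ProviderServer -Namespace $ns `
    -Query 'select ResourceID, CNAccessMP from SMS_CollectionMemberClientBaselineStatus where CNAccessMP is not null' |
    Sort-Object ResourceID -Unique

$report = foreach ($s in $status) {
    [pscustomobject]@{
        Name     = $names[[int]$s.ResourceID]
        AccessMP = $s.CNAccessMP
        # Same test as the slide's WQL: a CMG shows up as <name>.cloudapp.net/CCM_Proxy_MutualAuth/
        ViaCMG   = [bool]($s.CNAccessMP -like '*.cloudapp.net/*')
    }
}

$report | Sort-Object ViaCMG, Name | Format-Table -AutoSize
"CMG clients: $(@($report | Where-Object ViaCMG).Count) of $(@($report).Count)"
```

Run it with an account that has read access to the SMS Provider; Get-WmiObject is used rather than Get-CimInstance so it works against the provider without WinRM configured.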

28 Client agent settings

29 Installing cloud DP

30 Cloud DP
- Enables internet clients to get content
- Intranet clients can use Cloud DPs as a backup source
- Must be used with CMG; can be used with IBCM (with IBCM you can also publish a normal DP)
- Internet clients normally download software updates from Microsoft Update; 3rd party updates can be distributed to the cloud DP like a normal DP
- Content is encrypted by ConfigMgr before it is sent to the cloud DP
- Azure scaling options

31 Deploy Cloud DP
Cloud DP certificate (real FQDN)

32 Monitoring cloud dp installation
Log: cloudmgr.log Status messages: SMS_CLOUD_SERVICES_MANAGER

33 Cloud DP name resolution
CNAME record: clouddp01.cm15demo.com CNAME 53b0c764e3de4022ab31601a.cloudapp.net
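Below is an added example (not from the presentation) of a client-side check for the points slides 23 and 33 raise: the custom Cloud DP name must be a CNAME to the cloudapp.net name, the certificate the service presents must carry the custom FQDN (that is the name clients connect with), and it must chain to a trusted root, with revocation checked online. If the chain fails only because the CRL cannot be fetched from the internet, that is the case where clients need /NoCRLCheck. The function name is an assumption; the host name is the one from the slide.

```powershell
# Added example: verify DNS, certificate name and chain (with online CRL check)
# for a Cloud DP or CMG endpoint. Function name is an assumption.
function Test-CloudEndpoint {
    param(
        [Parameter(Mandatory)][string]$Fqdn,   # custom name, e.g. clouddp01.cm15demo.com
        [int]$Port = 443
    )
    $r = [ordered]@{ Fqdn = $Fqdn; Cname = $null; CertSubject = $null
                     NameMatches = $false; ChainTrusted = $false; Error = $null }
    try {
        # 1. DNS: expect a CNAME pointing at <service>.cloudapp.net
        $cname = Resolve-DnsName -Name $Fqdn -Type CNAME -ErrorAction Stop |
                 Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
        $r.Cname = $cname.NameHost

        # 2. TLS: connect with SNI = the custom FQDN and grab the leaf certificate.
        #    The accept-all callback only disables the automatic check; the chain
        #    is validated explicitly in step 3.
        $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Fqdn)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $ssl.Dispose(); $tcp.Dispose()
        $r.CertSubject = $leaf.Subject

        # Name match against CN or the Subject Alternative Name extension (2.5.29.17)
        $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $esc = [regex]::Escape($Fqdn)
        $r.NameMatches = ($leaf.Subject -match "CN=$esc(,|$)") -or ($san -match $esc)

        # 3. Chain: build with online revocation checking. A failure such as
        #    "The revocation function was unable to check revocation" means the
        #    CRL is not reachable from here, i.e. clients would need /NoCRLCheck.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $r.ChainTrusted = $chain.Build($leaf)
        if (-not $r.ChainTrusted) {
            $r.Error = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        }
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

Test-CloudEndpoint -Fqdn 'clouddp01.cm15demo.com'
```

Run it from a machine outside the intranet (or through the same egress clients will use); a result with NameMatches = True and ChainTrusted = True is what an internet client sees, while a CRL error with an otherwise valid chain tells you the CRL distribution point is not published to the internet.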

34 Enable azure ad authentication

35 AAD authentication for ConfigMgr clients
- Clients don’t need a computer-specific certificate
- Clients need to trust the CMG/Cloud DP certificate: import the root CA certificates if using internal CAs
- Requires Windows 10 that is joined to AAD (can also be domain joined)
- The user must be logged on with an AAD account
- AAD authentication can also be used on the intranet

36 Prerequisites
- MP must have ASP.NET 4.5 (& the other default options) installed
- HTTPS-based MP?
- CMG to support internet clients
- Create a Web app & a Native Client app in Azure; ConfigMgr uses these apps to access Azure AD
- Azure AD User Discovery

37 Create Azure Services & enable Azure AD discovery (1)
- Import if the Azure admin has already created the app
- Create if no app exists; needs Azure global admin rights

38 Create Azure Services & enable Azure AD discovery (2)
- Sign-on URL and App ID URI can be any URL/URI
- Secret key validity: one or two years

39 Create Azure Services & Enable azure AD discovery (3)

40 Create Azure Services & enable Azure AD discovery (4)
- Log on to the Azure Portal: Azure AD, App registrations
- Check that the apps have been created
- Select both apps: Required Permissions, then Grant Permissions to AAD

41 How to make sure aad discovery is working?

42 Client installation command
ccmsetup.exe /NoCRLCheck /mp: CCMHOSTNAME=CMGCM15DEMO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/ SMSSiteCode=SA1 SMSMP= AADTENANTID=e2f55da3-7c96-442f-a150-ec6ac937cadf AADTENANTNAME=”ProTrainIT demo” AADCLIENTAPPID=66dea5b0-4c d4a71b666 AADRESOURCEURI=

43 Client installation command (parameters)
- AADCLIENTAPPID: from the Azure Portal
- AADResourceURI: from the Azure Portal, or from when you created the app
- AADTENANTID & AADTENANTNAME: from the Azure Portal
- /NoCRLCheck is needed if CRLs are not published to the internet
- SMSMP is your intranet MP; SMSSiteCode is your site code
- /mp is given with the prefix!
- For /mp & CCMHOSTNAME, run this PowerShell command with admin rights on any client:
PS D:\> gwmi -namespace root\ccm\locationservices -class SMS_ActiveMPCandidate | format-list MP
MP : srv001.santa.local
MP : CMGCM15DEMO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/

44 Notes about AAD authentication
- Only ccmsetup.exe is needed on the client; ccmsetup.exe can download the source files from the CMG
- The client needs to trust the CMG’s certificate: add your CA’s root certificate to the client’s Trusted Root Certificates before installing the client:
CERTUTIL -addstore -enterprise root "c:\dir\root.cer"
- ADALOperationProvider.log is the client log file
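The following is an added example (not from the presentation) that puts slides 26 and 42-44 together as a client-side pre-flight: it imports the internal root CA if it is not already trusted, in PKI mode checks that a client-authentication certificate with a private key exists, and then assembles the ccmsetup.exe command line with the parameters the slides list. It prints the command rather than running it. Every name, path and ID is a placeholder copied from the slides or marked as such; the https:// prefixes on /mp and SMSMP follow the slide's "/mp with prefix!" note and are assumptions for your environment.

```powershell
# Added example: pre-flight checks and command-line assembly for a CMG client
# install. All defaults are placeholders; ccmsetup.exe is NOT executed here.
param(
    [string]$CmgHost        = 'CMGCM15DEMO.CLOUDAPP.NET',
    [string]$SiteCode       = 'SA1',
    [string]$IntranetMP     = 'srv001.santa.local',
    [string]$RootCerPath    = 'C:\dir\root.cer',
    [string]$AadTenantId    = '<tenant id from the Azure portal>',
    [string]$AadTenantName  = '<tenant name>',
    [string]$AadClientAppId = '<native client app id>',
    [string]$AadResourceUri = '<App ID URI of the web app>',
    [switch]$UsePKICert,    # certificate-based client (any supported OS); otherwise AAD (Windows 10 + AAD)
    [switch]$NoCRLCheck     # set when the issuing CA's CRL is not published on the internet
)

# 1. Trust: a CMG / Cloud DP certificate from an internal CA must chain to a root in
#    the machine's Trusted Root store. Import it only if it is missing.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)) {
    & certutil.exe -addstore -enterprise root $RootCerPath | Out-Null
}

# 2. PKI mode needs a machine certificate with the Client Authentication EKU
#    (1.3.6.1.5.5.7.3.2) and a private key; AAD mode needs no client certificate.
if ($UsePKICert) {
    $clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $clientCert) {
        throw 'No client authentication certificate with a private key found in LocalMachine\My'
    }
    "Client cert: $($clientCert.Subject) (expires $($clientCert.NotAfter))"
}

# 3. Command line. /mp is the CMG with the https:// prefix, CCMHOSTNAME is the CMG
#    name plus the CCM_Proxy_MutualAuth path, SMSMP is the intranet MP.
$cmdArgs = @()
if ($NoCRLCheck) { $cmdArgs += '/NoCRLCheck' }
if ($UsePKICert) { $cmdArgs += '/UsePKICert' }
$cmdArgs += "/mp:https://$CmgHost/CCM_Proxy_MutualAuth/"
$cmdArgs += "CCMHOSTNAME=$CmgHost/CCM_Proxy_MutualAuth/"
$cmdArgs += "SMSSiteCode=$SiteCode"
$cmdArgs += "SMSMP=https://$IntranetMP"
if (-not $UsePKICert) {
    # AAD values come from the Azure portal / the apps ConfigMgr created
    $cmdArgs += "AADTENANTID=$AadTenantId"
    $cmdArgs += "AADTENANTNAME=`"$AadTenantName`""
    $cmdArgs += "AADCLIENTAPPID=$AadClientAppId"
    $cmdArgs += "AADRESOURCEURI=$AadResourceUri"
}
'ccmsetup.exe ' + ($cmdArgs -join ' ')
```

Run the printed command as administrator once the placeholders are filled in; after installation, the gwmi query on slide 43 against SMS_ActiveMPCandidate should list both the intranet MP and the CMG.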

45 Co-management requirements
- ConfigMgr TP1709
- Windows client
- Cloud Management Gateway (and AAD authentication?)
- Separate Intune tenant, MDM authority = Intune
- No ConfigMgr hybrid environment

46 Enabling Co-management
/NoCRLCheck?

47 Summary
Need to understand certificates.
Use IBCM to manage internet clients if
- you don’t like cloud services
- publishing DMZ resources to the internet is no problem
Use CMG if
- you already have services in Azure
- you want less on-prem infra
- you have only Windows 10 devices: AAD authentication is simpler, no client certs required
Remember co-management.
