Covid Co-Management Crisis Part 3: Set it up
If you read Part 2 in this series, then you know what happens now. Here is a rant-free guide to setting up the Cloud Management Gateway for SCCM.
Steps in this guide
*Cloud Management gateway clients can be authenticated via either PKI certificates or Azure AD Authentication. We will leverage the latter. This works with both Azure AD Joined or Hybrid-Azure AD Joined scenarios
Prerequisites
The following prerequisites are required during implementation
Azure AD Connect enabled for Hybrid Azure-AD Join
SCCM Current Branch version 1910
Microsoft.ClassicCompute resource provider registered within Azure subscriptions
Microsoft.Storage resource provider registered within Azure subscriptions
*This will be done for both the Cloud.Compute resource and the Storage resource
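The two resource-provider prerequisites and the storage account name check above can be verified from PowerShell instead of the portal. This is an added example, not from the original post; it assumes the Az module is installed and `Connect-AzAccount` has already been run against the target subscription, and `YOUR-STORAGE-NAME` is a placeholder for the name you intend to test.

```powershell
# Added example: confirm the resource providers the CMG needs are registered
# and that the chosen storage account name is still free.
# Assumes: Az module installed and Connect-AzAccount already completed.
$requiredProviders = @('Microsoft.ClassicCompute', 'Microsoft.Storage')

foreach ($ns in $requiredProviders) {
    # Get-AzResourceProvider returns one object per resource type in the
    # namespace; they all share the namespace's RegistrationState.
    $state = (Get-AzResourceProvider -ProviderNamespace $ns |
              Select-Object -First 1).RegistrationState
    if ($state -eq 'Registered') {
        Write-Host "$ns : already registered"
    } else {
        Write-Host "$ns : $state, registering now (may take a few minutes)"
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Storage account names are global across Azure, so test availability before
# you commit to the name in the CMG wizard. Placeholder value below.
$storageName = 'YOUR-STORAGE-NAME'.ToLower()
$avail = Get-AzStorageAccountNameAvailability -Name $storageName
if ($avail.NameAvailable) {
    Write-Host "Storage account name '$storageName' is available"
} else {
    Write-Warning "Storage account name '$storageName' is not available: $($avail.Reason) $($avail.Message)"
}
```

The cloud service DNS name has no Az cmdlet equivalent here, so check that one in the portal as the post describes.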
Log in to https://portal.azure.com with admin credentials
Search the ‘resources’ field for Cloud service
In the ‘DNS name’ field, enter your desired name. A green check will populate if the name is available. No further configuration is needed; we just needed to validate the name availability. Close out of this menu and return to the main Azure homepage
Search the ‘resources’ field for Storage accounts
From the Storage accounts menu, click + Add
In the ‘Storage account name’ field, enter your desired name. If a green check mark populates, it is available. Again, no further configuration needed. Close out of this menu
*Take note of both names tested above. Do not proceed with any further configuration in the portal; we will need those names later.
Log into your Certificate Authority server with administrator credentials and launch the Certification Authority console.
Right-click on Certificate Templates and click ‘Manage’
Right-click on the Web Server template and click ‘Duplicate Template’
In the ‘General’ tab, enter a display name.
In the ‘Request Handling’ tab, select the box for Allow private key to be exported.
In the ‘Security’ tab, add the group containing your SCCM site server. Check the box for Read and Enroll permissions. Click OK to create the certificate template.
Launch the Certification Authority console again.
Right click on Certificate Templates > New > Certificate Template to Issue
Select the template we’ve just created and click OK
Next, we will request the newly created certificate on our SCCM primary site server.
*It is recommended that you reboot the SCCM server prior to requesting a new certificate. This will allow the SCCM server to refresh the computer authentication token with the CA.
Log into the SCCM primary site server with admin credentials.
Launch MMC and add the snap in for Certificates > Local Computer.
Navigate to Certificates (Local Computer) > Personal > Certificates.
Right-click on Certificates and select All Tasks > Request New Certificate
Select Next twice on the Certificate Enrollment window.
Select the certificate template we issued and click the ‘more information’ link.
Choose Common Name from the ‘Subject Name’ drop-down
For the value, enter the unique name we verified was available in Step 1.
Click Enroll
After the certificate is enrolled, click Finish.
Now we will export the private key from the certificate we just requested.
On the SCCM site server, launch MMC and add the local computer certificate snap in again.
Navigate to Certificates (Local Computer) > Personal > Certificates.
Right-click on our new certificate and select All Tasks > Export.
Click Next on the Certificate Export Wizard and select Yes, export the private key
Verify the following options on the ‘Export File Format’ page, then click Next
Enter a password to protect your private key and click Next
Choose a location and save the .PFX file.
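Before uploading the .PFX to the CMG wizard it is worth confirming that the certificate you enrolled actually has the subject you entered, a Server Authentication EKU and an exportable private key, since the wizard will reject or silently misuse a wrong one. The following is an added example and not part of the original post; it assumes you run it elevated on the SCCM site server, and `YOUR-CMG-NAME` and `C:\Temp\cmg.pfx` are placeholders.

```powershell
# Added example: locate the CMG server certificate in the local machine store,
# validate it, and export it with its private key to a password-protected PFX.
# Assumes: run as administrator on the SCCM site server.
$cmgCommonName = 'YOUR-CMG-NAME'          # placeholder: the name used as CN in the request
$pfxPath       = 'C:\Temp\cmg.pfx'        # placeholder output path
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth

# Find candidates by CN, newest first, and require a private key we can export.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($cmgCommonName))(,|$)" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$cmgCommonName and a private key found in LocalMachine\My" }

# The duplicated Web Server template must have carried the Server Authentication EKU through.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = if ($ekuExt) {
    ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
        ForEach-Object { $_.Value }
} else { @() }
if ($ekus -notcontains $serverAuthOid) { throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU" }

# Catch a cert that will expire before the CMG is even live.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

Write-Host "Using $($cert.Thumbprint) issued by $($cert.Issuer), valid until $($cert.NotAfter)"

# Export with the full chain so the CMG can present intermediates to clients.
# The password is read as a SecureString and is the one the CMG wizard will ask for.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Exported to $pfxPath; delete this file once it has been uploaded to the CMG wizard"
```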
Log into SCCM console and navigate to Administration > Cloud Services > Azure Services
Click Configure Azure Services in the ribbon.
In the ‘Configure Azure Services’ wizard, provide a name and select Cloud Management.
We need to provide names for the Web app and Native Client app. Once provided, sign in to your Azure tenant with Global Administrator credentials.
Once finished, log into https://portal.azure.com and navigate to Azure Active Directory > Enterprise applications. You will see the two new entries.
Log into SCCM console and navigate to Administration > Cloud Services > Cloud Management Gateway
Click on Create Cloud Management Gateway in the ribbon.
Click Sign In and proceed with your Azure Global Admin account. Select a subscription from the drop-down. The Azure AD app name should automatically populate from Step 3. Click Next.
On the next page, click Browse to upload the .PFX cert that was created in Step 2. Enter the password when prompted. Choose the region you want the Azure service to run in.
Create a new Resource Group.
For the VM Instance number, keep in mind that one VM per CMG can support up to 6000 clients, 2000 of them simultaneously. See more information on scaling here.
Make sure to uncheck the box for Verify Client Certificate Revocation.
Lastly, make sure the box is checked for Allow CMG to function as a cloud distribution point and serve content from Azure storage.
Click Next. Allow several minutes for the service to be provisioned.
Status of the CMG can be confirmed in both Azure and SCCM.
Log into https://portal.azure.com and select All resources. You will see the two new resources (cloud service and storage account) that make up the CMG
Click on the cloud service to see more information.
In SCCM, navigate to Administration > Site Configuration > Servers and Site System Roles
Right-click on the primary site server and select Add Site System Roles
Click Next through the wizard to reach the Specify roles for this server window. Check the box for Cloud management gateway connection point and click Next.
The role should now be listed under Site System Roles for that server
On the Servers and Site System Roles page, select the primary site. Right-click on Management point.
Make sure the box is checked for Allow Configuration Manager cloud management gateway traffic.
*In my instance, I had the dropdown above set to Allow intranet and Internet connections. If you decide to use a dedicated management point for internet clients, that is an option.
Click OK to complete the management point setup.
On the Servers and Site System Roles page, select the primary site. Right-click on Software update point.
Make sure the box is checked for Allow Configuration Manager cloud management gateway traffic.
Navigate to Administration > Site Configuration > Sites.
Right-click on the primary site and select Properties
Select the ‘Communication Security’ tab. Check the box for Use Configuration Manager-generated certificates for HTTP site systems.
Ensure the box for Use PKI client certificate (client authentication capability) when available is unchecked.
Click OK
Navigate to Administration > Site Configuration > Client Settings. Right-click on current client and choose Properties
Select Cloud services. Ensure that Allow access to cloud distribution point and Enable clients to use a cloud management gateway are both set to Yes.
Navigate to Administration > Cloud Services > Co-management. Click Configure co-management in the ribbon
Copy the command line arguments from the properties window. We will use these to deploy the client through Intune.
The .MSI client should be located in \\<SCCM-SITE>\Client\ccmsetup.msi
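Once the client has been deployed through Intune, you will want to confirm on a test device that it actually learned about the CMG rather than only the on-premises management point. This is an added example and not from the original post; it reads the client's WMI location data and assumes the ConfigMgr client is installed on the machine you run it on.

```powershell
# Added example: check from a managed client whether a CMG-backed management point
# was discovered. Assumes the ConfigMgr client is installed; run elevated.
$client = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client -ErrorAction Stop
Write-Host "ConfigMgr client version: $($client.ClientVersion)"

# SMS_ActiveMPCandidate lists the management points the client may use.
# Internet-facing (CMG) entries carry Type = 'Internet' and a cloudapp URL.
$mps = Get-CimInstance -Namespace 'root\ccm\LocationServices' -ClassName SMS_ActiveMPCandidate
if (-not $mps) { Write-Warning 'No management point candidates recorded yet; wait for the next location refresh' }

$mps | ForEach-Object {
    Write-Host ("{0,-9} {1}" -f $_.Type, $_.MP)
}
$cmg = $mps | Where-Object { $_.Type -eq 'Internet' -and $_.MP -like '*cloudapp*' }
if ($cmg) {
    Write-Host "CMG management point found: $($cmg.MP)"
} else {
    Write-Warning 'No CMG management point found; check the CMG connection point role and client settings'
}

# The co-management state is recorded under HKLM\SOFTWARE\Microsoft\CCM
# (assumption: the CoManagementFlags value is present once enrolment completes).
$flags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue).CoManagementFlags
if ($null -ne $flags) { Write-Host "CoManagementFlags = $flags" } else { Write-Host 'CoManagementFlags not set yet' }
```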
If you’ve gotten this far, I would assume you don’t need to know how to wrap an application for Intune deployment. But, just in case, here you go.
Okay- I’m pretty tired after that. Good luck with the setup.