The Cloud Management Gateway in SCCM Current Branch allows you to manage computers on the Internet without deploying the traditional IBCM infrastructure. Microsoft have made some improvements in SCCM 1702 for the CMG regarding client registration.
This post will not go into how to set up the CMG; see "Plan for cloud management gateway in Configuration Manager" in the Microsoft documentation for that information.
This blog post will show you how to use the CCMHOSTNAME property when manually installing the SCCM client to specify the Cloud Management Gateway management point. This isn’t official documentation from Microsoft, but it does work. The post assumes you have already copied a PKI certificate for the client to the machine and installed it, and that you have also copied over the SCCM client installation files.
1 – On a machine that is on the internal network with the SCCM client installed, view the LocationServices.log and search for the Internet Management Point. You can see mine below highlighted in yellow. Copy the name of the Azure Cloud Management Gateway, as you will need this for the CCMHOSTNAME property when installing the client.
2 – Launch a command prompt and run the command ccmsetup.exe /UsePkiCert SMSSITECODE=<SiteCode> CCMHOSTNAME=<CMG copied above>
3 – Keep an eye on C:\Windows\ccmsetup\Logs\ccmsetup.log and confirm that the installation succeeds: look for “CcmSetup is exiting with return code 0”. My logs in C:\Windows\CCM\Logs now indicate that the client is registered (ClientIDManagerStartup.log) and communicating with the Cloud Management Gateway (CcmMessaging.log). The machine should now appear in the ConfigMgr console. I can also see in the Configuration Manager Properties of the client that it is Internet based.
After it has installed successfully, you should see it communicating and retrieving policies.
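The three steps above can be scripted so the CCMHOSTNAME value is extracted and checked rather than copied by hand. This is an added example, not code from the original post or from Microsoft: the function names, the site code PS1, the CMG name and the sample log lines are all constructed, and the exact wording of the LocationServices.log entry is an assumption.

```powershell
# Constructed sample lines in CMTrace log format; real log wording may differ.
$sampleLocationLog = @'
<![LOG[Current AD site of machine is HQ]LOG]!><time="09:14:02.113+000" date="05-02-2017" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:770">
<![LOG[Current Internet Management Point is CONTOSOCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927941]LOG]!><time="09:14:02.541+000" date="05-02-2017" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:810">
'@ -split "`r?`n"
$sampleSetupLog = @'
<![LOG[Installation succeeded.]LOG]!><time="09:31:44.870+000" date="05-02-2017" component="ccmsetup" context="" type="1" thread="2204" file="ccmsetup.cpp:9890">
<![LOG[CcmSetup is exiting with return code 0]LOG]!><time="09:31:45.012+000" date="05-02-2017" component="ccmsetup" context="" type="1" thread="2204" file="ccmsetup.cpp:11261">
'@ -split "`r?`n"

# Step 1: pull every distinct CMG management point named on an "Internet Management Point" line.
function Get-CmgHostName {
    param([string[]]$LogLines)
    $pattern = 'Internet Management Point.*?(?<mp>[a-z0-9][a-z0-9.-]+/CCM_Proxy_MutualAuth/\d+)'
    $found = foreach ($line in $LogLines) {
        if ($line -match $pattern) { $Matches['mp'] }
    }
    $found | Select-Object -Unique
}

# Step 2: build the command line from the post, rejecting a malformed site code.
function New-CcmSetupCommand {
    param([string]$SiteCode, [string]$CmgHostName)
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        throw 'Site code must be three alphanumeric characters.'
    }
    "ccmsetup.exe /UsePkiCert SMSSITECODE=$SiteCode CCMHOSTNAME=$CmgHostName"
}

# Step 3: the last "exiting with return code" entry decides success.
function Test-CcmSetupSucceeded {
    param([string[]]$LogLines)
    $exit = $LogLines |
        Select-String -Pattern 'CcmSetup is exiting with return code (\d+)' |
        Select-Object -Last 1
    if (-not $exit) { return $false }   # setup still running or log truncated
    $exit.Matches[0].Groups[1].Value -eq '0'
}

# On real machines, replace the samples with Get-Content on
# C:\Windows\CCM\Logs\LocationServices.log and C:\Windows\ccmsetup\Logs\ccmsetup.log.
$mp = @(Get-CmgHostName -LogLines $sampleLocationLog)
if ($mp.Count -ne 1) { throw "Expected exactly one Internet MP, found $($mp.Count)." }
New-CcmSetupCommand -SiteCode 'PS1' -CmgHostName $mp[0]
Test-CcmSetupSucceeded -LogLines $sampleSetupLog
```

Stopping when the log names more than one Internet management point avoids pointing an Internet-facing client at a stale or unintended gateway.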
How do you create the CSR for the client certificate? I am trying with a non-domain joined machine.
You could use something like this https://www.petervanderwoude.nl/post/How-to-install-a-ConfigMgr-Client-on-a-WORKGROUP-computer-when-the-ConfigMgr-Site-is-in-Native-Mode/ but nowadays I would prefer for machines to be Azure AD joined or hybrid Azure AD joined so you don’t need to worry about the hassle of certificates. This is an older blog post that I wrote before Azure AD authentication came out.
Hi Nick… What if you want to install a new client altogether, please? How would you get the CCMHOSTNAME in that case then?
This is an old post. It is much simpler now. You can use the co-management wizard to generate the installation command.
Hi Nick, I’ve just tried this suggestion, it appears to work but I get denied because the client policy setting is set as default not allow clients to use CMG. I don’t have Azure AD or Intune and using a tool called CrowdStrike & PowerShell to install the client over net. Our org doesn’t have a VPN so devices are on the internet and have been for some time so I can’t update the client settings. Is there any way around that or did you encounter this issue?