The recently released version 1806 of SCCM Current Branch brings a number of improvements to the Cloud Management Gateway (CMG). You might have noticed these in the Technical Previews. More information about the new features is available here: https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1806
Some of the nice new features for the Cloud Management Gateway:
Download content from a CMG – You can now allow the cloud management gateway to function as a cloud distribution point. This is one less cloud service virtual machine running, which saves costs. To enable it, right-click your cloud management gateway, view the properties, click Settings, and check the box “Allow CMG to function as a cloud distribution point and serve content from Azure storage”.
If you deploy a new CMG, you will see the same checkbox, shown below.
Trusted root certificate isn’t required with Azure AD – In the screenshot above, you will notice that you are no longer required to provide a trusted client root certificate. It isn’t needed when you use Azure AD for authentication.
CMG Connection Analyzer – This was in an earlier technical preview release and will help a lot of people. The Connection Analyzer allows you to troubleshoot connections to your CMG. In the example below I have signed in as an Azure AD user and tested the connection. This was useful after configuring “Use Configuration Manager-generated certificates for HTTP site systems” in the screenshot below. After checking that box, I was able to leave my management point in HTTP mode, allow CMG traffic, and run through the tests to confirm that everything was working fine.
Use Configuration Manager-generated certificates for HTTP site systems – As mentioned above, this feature is awesome. After checking the box below on your site server, you can leave your management point in HTTP mode for cloud management gateway traffic and not have to worry about installing PKI certificates.
Once the checkbox above is enabled, you will see that you can enable CMG traffic on your management point in the screenshot below.
If you also open IIS Manager, you will see that the SMS Role SSL Certificate is now selected on the HTTPS binding. If you remove or change this certificate, the test in the Connection Analyzer above called “Testing the CMG channel for management point” will fail.
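The same binding check can be scripted on the management point. This is an added example, not part of the original post; it assumes the HTTPS binding is on port 443 and that the name IIS Manager displays ("SMS Role SSL Certificate") is the certificate's friendly name. The function name is hypothetical.

```powershell
# Added example, not from the original post. Run elevated on the management point.
Import-Module WebAdministration

function Get-HttpsBindingCertificate {
    param(
        [int]$Port = 443,                                   # assumption: default HTTPS port
        [string]$ExpectedName = 'SMS Role SSL Certificate'  # name as displayed in IIS Manager
    )

    # Each entry under IIS:\SslBindings maps an IP:port to a certificate thumbprint.
    $bindings = @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port })
    if ($bindings.Count -eq 0) {
        Write-Warning "No SSL binding found on port $Port."
        return
    }

    foreach ($binding in $bindings) {
        # Search every LocalMachine store for the bound thumbprint, so no store
        # name is assumed. If several stores hold a copy, the first one is reported.
        $cert = Get-ChildItem Cert:\LocalMachine -Recurse |
            Where-Object { $_.Thumbprint -eq $binding.Thumbprint } |
            Select-Object -First 1

        [pscustomobject]@{
            Binding      = "$($binding.IPAddress):$($binding.Port)"
            Thumbprint   = $binding.Thumbprint
            CertFound    = [bool]$cert
            FriendlyName = if ($cert) { $cert.FriendlyName } else { $null }
            Store        = if ($cert) { ($cert.PSParentPath -split '\\')[-1] } else { $null }
            NotAfter     = if ($cert) { $cert.NotAfter } else { $null }
            IsExpected   = [bool]($cert -and $cert.FriendlyName -eq $ExpectedName)
            IsExpired    = [bool]($cert -and $cert.NotAfter -lt (Get-Date))
        }
    }
}

# Warn on any binding that is not using the expected certificate or has expired,
# then print the details of every binding that was inspected.
Get-HttpsBindingCertificate | ForEach-Object {
    if (-not $_.IsExpected -or $_.IsExpired) {
        Write-Warning "Binding $($_.Binding) uses '$($_.FriendlyName)' (expires $($_.NotAfter))."
    }
    $_
} | Format-List
```

A warning here points to the same condition that makes the "Testing the CMG channel for management point" test fail, so it is worth running before the Connection Analyzer when that test breaks.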
You will also find a nice Cloud Management dashboard in the Monitoring node that shows some stats.