Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:
- Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
- Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.
This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.
In my lab, I currently have the following certificates:
- Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
- Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
- Certificate for my Cloud DP which was created by Digicert.
- Certificate for my CMG which was created by Digicert
- Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.
Azure AD User Discovery:
First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.
Right click Azure Services and select Configure Azure Services. Select Cloud Management.
Select Browse next to Web App and click on Create to create the web app in Azure.
Give everything a name, then sign into Azure AD and click on OK.
Follow the same steps for the Native Client app. Once created, click OK.
You can configure the polling schedule by clicking on Settings. Next Next finish…
Now we need to grant the permissions in the apps we created in the Azure portal. Login to https://portal.azure.com Then click on Azure Active Directory, then App Registrations. Click the drop down to All Apps so you can see the apps that were created
Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.
Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.
Cloud Management Gateway:
Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.
Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.
I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here
Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname>.domain.com to <cmgname>.cloudapp.net
Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.
Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.
To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow configuration manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so the HTTPS uses the correct certificate. Details for that are Here
Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings
Cloud Distribution Point:
First, login to the Azure portal https://portal.azure.com then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then Upload your management Certificate. Tip – you can create a management certificate using these steps Here.
In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.
Type in your Azure subscription ID and then browse to select the Management certificate. Click Next.
I am using a certicate from Digicert, I have created a CNAME in my external DNS that points the <clouddpname>.domain.com to <clouddpservicename>.cloudapp.net. If you need to create a certificate from your CA, then see the steps Here.
Click on Next then finish the wizard.
Install the SCCM client from Intune:
In this section we will upload the ccmsetup.msi to Intune located on our SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386
In the Azure portal (https://portal.azure.com) go to Intune then Mobile Apps, then Add App. Select Line-of-business-app and browse to the ccmsetup.msi and click on Next.
Fill in the required details including the command line arguments.
Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.
Once ccmsetup.msi has been uploaded. assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.
On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.
The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.
I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.
I will deploy the application to my Cloud Distribution Point.
On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.