

bcsdtech

Cloud Management Gateway Setup Questions


Hi All,

Currently managing SCCM infrastructure for a K-12 school district. Since we are currently on stay-at-home orders, I've researched Cloud Management Gateway to be able to patch / deploy software to clients over the internet.

We have very few concurrent VPN licenses and the client is not installed on everyone's machine. All Devices are already Hybrid Azure Joined through SCCM.

 

I successfully set up CMG using a cloudapp.net address... If a user connects through VPN, their client will update and then CMG works great!

So my question is as follows:  How can I get clients to update to use CMG while users are at home and can't VPN in to get the client settings update?

 

Any advice appreciated. Thank you


And how have you configured your boundaries with respect to the CMG?

Starting in version 1902, you can associate a CMG with a boundary group. This configuration allows clients to default or fallback to the CMG for client communication according to boundary group relationships. This behavior is especially useful in branch office and VPN scenarios. You can direct client traffic away from expensive and slow WAN links to instead use faster services in Microsoft Azure.

Note

Internet-based clients don't fall into any boundary group.

In Configuration Manager version 1810 and earlier, the CMG doesn't fall into any boundary group.

 

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway


No.. but I thought that was mainly to prevent VPN users from eating network bandwidth.

 

CMG is working.... The problem is the user needs to be on site to get the settings which update the client to be able to use a CMG.. I need to figure out how I can do that remotely when no one is on site or connected via VPN.


Well, there is co-management, which allows your clients to be managed from both Intune and ConfigMgr. I think that's the next step for you; right now, your clients are only managed by ConfigMgr and therefore cannot get policy from ConfigMgr without being connected to a VPN.

Or, you need internet-based client management (IBCM), but that requires a lot of PKI setup in place.


I set up Co-Management as well.. and same thing, it works after the client is on site to get the setting.

 

On another site I found this as a possible solution:

add the following values to HKLM\Software\Microsoft\CCM in the registry and restart the client agent:

  1. CMGFQDNs (string): FQDN of the CMG
  2. DisAllowCMG (dword): 0

 

Would have to figure out a way of doing this on clients somehow.

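The registry change quoted in the post above, written out as an added PowerShell example that is not part of the original thread. It assumes the ConfigMgr client is installed and its agent service is CcmExec (SMS Agent Host); the script name and the `-CmgFqdn` parameter are hypothetical, and the thread does not confirm that these values alone move a client onto the CMG.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Usage (script name is hypothetical):
#   .\Set-CmgRegistryValues.ps1 -CmgFqdn <FQDN of your CMG>
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$')]
    [string]$CmgFqdn
)

$ErrorActionPreference = 'Stop'
$ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'

# Only touch machines where the ConfigMgr client is actually installed.
if (-not (Test-Path $ccmKey)) { throw "ConfigMgr client key not found: $ccmKey" }
$agent = Get-Service -Name CcmExec   # SMS Agent Host; throws if the service is missing

# Values quoted in the post: CMGFQDNs (string) and DisAllowCMG (dword) = 0.
$desired = @(
    @{ Name = 'CMGFQDNs';    Type = 'String'; Value = $CmgFqdn }
    @{ Name = 'DisAllowCMG'; Type = 'DWord';  Value = 0 }
)

$changed = $false
foreach ($d in $desired) {
    # A missing value reads back as $null, which never equals the desired value.
    $current = (Get-ItemProperty -Path $ccmKey -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    if ($current -ne $d.Value) {
        Write-Output ("{0}: '{1}' -> '{2}'" -f $d.Name, $current, $d.Value)
        New-ItemProperty -Path $ccmKey -Name $d.Name -PropertyType $d.Type -Value $d.Value -Force | Out-Null
        $changed = $true
    }
}

# Restart the agent only when something changed, so the script is safe to re-run.
if ($changed) { Restart-Service -InputObject $agent -Force }

# Read back what is on disk so the result can be logged or collected centrally.
Get-ItemProperty -Path $ccmKey | Select-Object CMGFQDNs, DisAllowCMG
Get-Service -Name CcmExec | Select-Object Name, Status
```

Run it from a 64-bit elevated PowerShell session so the write lands in the native `HKLM\Software\Microsoft\CCM` key rather than the 32-bit redirected view.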

Hey there!

 

Running into the exact same issue as you! Have a ton of users at home, most without VPN connectivity, and wanting to get them on CMG.

 

I tried adding the reg key values remotely, and then restarted the SMS Agent Host, but haven't seen them pop up yet unfortunately, after a couple days. Hoping there is some sort of command I can push to kickstart them to use the CMG.
One other thing I looked at was Bulk Registration Token, which is supposed to help bypass a lot of these things, but only on initial setup from what it seems, and it's only applicable to V 2002.

 

Good luck, I'll be following to see if you find any other solutions!

On 4/27/2020 at 10:14 AM, funt3ch said:

Hey there!

 

Running into the exact same issue as you! Have a ton of users at home, most without VPN connectivity, and wanting to get them on CMG.

 

I tried adding the reg key values remotely, and then restarted the SMS Agent Host, but haven't seen them pop up yet unfortunately, after a couple days. Hoping there is some sort of command I can push to kickstart them to use the CMG.
One other thing I looked at was Bulk Registration Token, which is supposed to help bypass a lot of these things, but only on initial setup from what it seems, and it's only applicable to V 2002.

 

Good luck, I'll be following to see if you find any other solutions!

Still no resolution here. Please let me know if you figure something out.


Following.

Also trying to set this up and trying to avoid using PKI but stuck on setting up certificates.

I came here searching for a Windows noob guide but don't see one. If there is one, please link.

Thanks!!
