In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts;

After the Cloud Management Gateway is installed, we can now continue to configure the Management point and Software Update point.

Change Site properties

  1. Go to Site Properties > Client Computer Communication
  2. Site system settings: HTTPS or HTTP
  3. Check the check box Use PKI client certificate (client authentication capability) when available
  4. Uncheck "Clients check the certificate revocation list (CRL) for site systems" if you didn't publish your CRL to the internet.


Configure Internet Information Service (IIS)

  1. Do the following configuration on your Management point and Software Update point servers.
    In my case, I need to configure IIS settings for CM01.zit.local and CM02.zit.local
  2. Open Internet Information Services (IIS) Manager
  3. Open Default Web Site, and choose Bindings on the right panel
  4. Edit https

  5. Set the SSL certificate for https: choose the ConfigMgr Web Server certificate that we created in part 2

  6. Open WSUS Administration, and choose Bindings on the right panel

  7. Edit https

  8. Set the SSL certificate for https: choose the ConfigMgr Web Server certificate that we created in part 2

  9. Select the virtual directory APIRemoting30; in Features View, double-click SSL Settings
  10. On the SSL Settings page, select Require SSL and click Apply in the Actions pane.

  11. Repeat the previous step for the following virtual directories:

    ClientWebService
    DSSAuthWebService
    ServerSyncWebService
    SimpleAuthWebService


  12. Configure the health monitoring feature of WSUS to use SSL:

    "C:\Program Files\Update Services\Tools\WsusUtil.exe" configuressl <Intranet FQDN of the site system server>

  13. Remember to do the same configuration on all your servers that are using HTTPS.
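As an added example (not part of the original post), here is a PowerShell check for the IIS settings from steps 3 to 11 above, to run elevated on each Management point / Software Update point server. It assumes the WebAdministration module that ships with IIS, and that you replace the $ExpectedThumbprint placeholder with the thumbprint of the ConfigMgr Web Server certificate from part 2.

```powershell
# Added example (not from the original post): audit the IIS / WSUS SSL settings
# configured above on a Management point / Software update point server.
Import-Module WebAdministration

# Placeholder: thumbprint of the ConfigMgr Web Server certificate from part 2.
$ExpectedThumbprint = 'REPLACE_WITH_CONFIGMGR_WEB_SERVER_CERT_THUMBPRINT'

# Virtual directories under "WSUS Administration" that must have Require SSL on.
$WsusSslDirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
               'ServerSyncWebService', 'SimpleAuthWebService'

function Test-HttpsBinding {
    param([string]$SiteName)
    # The https binding must exist and be bound to the expected certificate.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) {
        return [pscustomobject]@{ Item = $SiteName; Ok = $false; Detail = 'no https binding' }
    }
    [pscustomobject]@{
        Item   = $SiteName
        Ok     = ($binding.certificateHash -eq $ExpectedThumbprint)
        Detail = "bound certificate $($binding.certificateHash)"
    }
}

function Test-RequireSsl {
    param([string]$SiteName, [string]$VirtualDir)
    # sslFlags contains "Ssl" when "Require SSL" is enabled on the directory.
    $path  = "IIS:\Sites\$SiteName\$VirtualDir"
    $flags = (Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $path).sslFlags
    [pscustomobject]@{
        Item   = "$SiteName/$VirtualDir"
        Ok     = ([string]$flags -match '\bSsl\b')
        Detail = "sslFlags=$flags"
    }
}

$results = @()
$results += Test-HttpsBinding -SiteName 'Default Web Site'      # Management point
$results += Test-HttpsBinding -SiteName 'WSUS Administration'   # Software update point
foreach ($dir in $WsusSslDirs) {
    $results += Test-RequireSsl -SiteName 'WSUS Administration' -VirtualDir $dir
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more IIS SSL settings do not match the configuration above.'
}
```

Run it again after step 13 on every server that uses HTTPS; a row with Ok = False points at the binding or virtual directory still to fix.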


Configure Management point and Software Update point

We will use HTTPS for both servers (CM01 and CM02), but only allow CM02 to accept cloud management gateway traffic.

  1. Open Management point properties
  2. Change Client connection from HTTP to HTTPS
  3. For CM01.zit.local, DO NOT Check the checkbox Allow Configuration Manager cloud management gateway traffic.
    For CM02.zit.local, Check the checkbox Allow Configuration Manager cloud management gateway traffic.
  4. For CM02.zit.local, Choose Allow intranet and Internet connections
  5. For CM02.zit.local, Choose Allow mobile devices and Mac computers to use this management point

  6. Click OK to complete
  7. Open Software update point properties
  8. Check the checkbox Require SSL communication to the WSUS server
  9. For CM01.zit.local, DO NOT check the checkbox Allow Configuration Manager cloud management gateway traffic
  10. For CM02.zit.local, check the checkbox Allow Configuration Manager cloud management gateway traffic
  11. For CM02.zit.local, choose Allow Internet and intranet client connections


  12. Click OK to complete
  13. On CM02.zit.local, open SMS_CLOUD_PROXYCONNECTOR.log; in my logs it shows:

    ReportOnlineConnections - state message to send: <Connections ServerName="CM02.ZIT.LOCAL" Time="11.21.2017 23.39.35.019"><Connection ID="665d0ea6-xxxxx"

  14. In the admin console, open Cloud Management Gateway; the Role endpoints tab shows which server's services are using the cloud management gateway.

Configure Client settings to allow clients to use cloud services

  1. IMPORTANT: DO NOT modify Default Client settings.
    In ConfigMgr 1706, Enable clients to use a cloud management gateway is Enabled by default; if you want to disable it, create a new Device settings policy to do that.
    For more information see this.
  2. Create a new Device settings policy, set Client Policy > Enable user policy requests from Internet clients to Yes.
    Deploy it to the All Systems collection.


    If you don't configure this setting, you will see this in PolicyAgent.log when the client is on an internet connection:

    Skipping request for user policy assignments for client residing on internet due to agent configuration for authority ‘SMS:ZIT’.

  3. Create a device collection named Pilot Co-Management and add a few domain-joined test devices to this collection for testing co-management.
  4. Create a user collection named MDM Users and add a few Intune test users to this collection.
  5. Create a new Device settings policy named Default Machine Settings (Allow Cloud) that enables clients to use the cloud distribution point and cloud management gateway, and set it as priority 1.
    Deploy it to the Pilot Co-Management device collection.

  6. Create a User settings policy named Default User Settings (Allow Cloud) that enables clients to use the cloud distribution point and cloud management gateway, and set it as priority 2.
    Deploy it to the MDM Users user collection.

Verify the client gets the correct settings

  1. Put the test device on the internal network (the device must be a member of the Pilot Co-Management collection; don't put your client on an internet connection yet), then run machine policy and user policy.
  2. After the policies are applied, check the General tab and confirm that Client certificate is PKI and Connection Type is Currently intranet.

  3. Check Configuration Manager Properties > Network; it should show the client's Internet-based management point (FQDN) setting.

  4. To verify the client's management point configuration, you can also run the following PowerShell command on the client computer:

    Get-WmiObject -namespace root\ccm\locationservices -class SMS_ActiveMPCandidate

  5. (OPTIONAL) You can force the client to always use cloud management gateway regardless of whether it’s on the intranet or Internet.
    (I wouldn’t do that on domain-joined machines)

    If you want to do that, set the following registry key on the client computer:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1

  6. Put the device on an internet connection
  7. Restart the SMS Agent Host service
  8. Wait for a while, then open Configuration Manager Properties; you should see Connection Type changed to Currently Internet.
    You should notice that the Management point information is gone.

  9. On the cloud management gateway connection point server (CM02.zit.local), SMS_CLOUD_PROXYCONNECTOR.log shows the MessageID when the client tries to communicate with CM02.zit.local.

  10. You will see some applications or packages in Software Center.
    NOTE: Because the Application Catalog (including software approval requests) is not supported through the cloud management gateway, new user-targeted deployments will not show up in Software Center.

  11. Check that the client gets the correct Software Update point settings:
    Open LocationServices.log on the client; you should see the WSUS Path assigned to the Internet-based management point (FQDN).

    Open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; you should see that the Windows Update settings have changed.

  12. Let's run the Software Updates Scan Cycle:


NOTE: There is no need to assign CM02.zit.local (the cloud gateway connected Management point and Software Update point) to any boundary group.

In Part 5, we will continue with configuring the Cloud Distribution point.

For more details about monitoring clients on the cloud management gateway, see this.

For the log files to use when troubleshooting the cloud management gateway, see this.
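As an added example (not part of the original post), the client-side checks from the verification steps above gathered into one PowerShell script, to run elevated on a test client. It reads the WMI classes and registry keys named in the post; the ClientInfo.InInternet and SMS_ActiveMPCandidate.MP property names are assumptions, not taken from the post.

```powershell
# Added example (not from the original post): collect the cloud management gateway
# related client state described in the verification steps, then trigger a scan.

function Get-CmgClientState {
    # Assumption: root\ccm:ClientInfo.InInternet mirrors "Connection Type" in the applet.
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo -ErrorAction SilentlyContinue
    # Management point candidates, the same class the post queries with Get-WmiObject (step 4).
    $mps  = Get-CimInstance -Namespace 'root\ccm\locationservices' -ClassName SMS_ActiveMPCandidate `
                            -ErrorAction SilentlyContinue
    # ClientAlwaysOnInternet (step 5): on domain-joined machines this should be absent or 0.
    $sec  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\Security' -ErrorAction SilentlyContinue
    # WSUS path assigned by the software update point (step 11).
    $wu   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                             -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InInternet             = [bool]$info.InInternet
        ActiveMPCandidates     = @($mps | ForEach-Object { $_.MP })   # assumption: MP property
        ClientAlwaysOnInternet = $sec.ClientAlwaysOnInternet
        WUServer               = $wu.WUServer
        WUStatusServer         = $wu.WUStatusServer
    }
}

function Start-SoftwareUpdateScanCycle {
    # Step 12: the Software Updates Scan Cycle action, schedule ID ...113.
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
                     -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000113}' }
}

$state = Get-CmgClientState
$state | Format-List

# Checks that match what the post says an Internet client should show.
if ($state.InInternet -and ([string]$state.WUServer) -notmatch '^https://') {
    Write-Warning "WUServer '$($state.WUServer)' is not an HTTPS URL; the SUP SSL settings may not have applied."
}
if ($state.ClientAlwaysOnInternet -eq 1) {
    Write-Warning 'ClientAlwaysOnInternet=1 forces the CMG even on the intranet; avoid this on domain-joined machines.'
}

Start-SoftwareUpdateScanCycle | Out-Null
```

Compare the printed WUServer value with the WSUS Path in LocationServices.log; on an Internet client both should name the Internet-based management point (FQDN).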


Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.
