In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts;

Setup Cloud Management Gateway is not prerequisite for Co-Management, but if you want to deploy ConfigMgr client to AAD Devices from Intune and use ConfigMgr functionality for AAD devices, you will need setup Cloud Management Gateway.

This post is for Scenario 1: Use Co-Management for Azure AD joined machines

In part 3 we are going to run through the process of adding the Cloud Management Gateway in ConfigMgr.

IMPORTANT:

  • Before you continue this, please sure you have created all the certificates what is needed in part 2
  • This capability does not enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP does not support. For more information, see available Azure services in Azure CSP.

Set up the Azure Services app in Configuration Manager Cloud Services

This connects your Configuration Manager site to Azure AD and is requirement for allow Azure AD joined machine authenticate with ConfigMgr.
Azure AD User Discovery is configured as part of Cloud Management Azure service.

  1. Right-Click on Azure Serves, click on Configure Azure Service

  2. Choose install Cloud Management, give name as: Cloud Management (or anything that you like)

  3. Click on Browse… to add Web app

  4. Click on Create, you should see this dialog
    Homepage URL and Add ID URI is automatic assigned
    If it is empty, input the following information as bellow picture.

  5. Click on Sign in… and logon to your Azure tenant

  6. Choose the ConfigMgr-ServerApp that you just created, then click OK.

  7. Click on Browse… to create Native client app
  8. Click on Create, you should see this dialog
    Reply URL is automatic assigned, if it is empty, input the following information as bellow picture

  9. Click on Sign in… and logon to your Azure tenant

  10. Choose the ConfigMgr-ClientApp that you just created, then click OK

  11. Click on Next.. Next.. to complete the wizard.

  12. Grant permissions for these two Apps we just created.
    Go to Azure Portal, Click on Azure Active Directory – App registrations.
    Find these two Apps we just created, click on Required permissions

    Then click on Grant Permissions, then click OK.
  13. Choose Azure ServicesCloud Management, right-click Azure Active Directory User Discovery, choose Run Full Discovery Now

  14. Check status from SMS_AZUREAD_DISCOVERY_AGENT.log


    If you didn’t do step.12 Grant permissions, you will see error message like this:

Setup Cloud Management Gateway (Option 1, classic services deployment)

  1. Right-click on Cloud Management Gateway, choose Create Cloud Management Gateway

  2. Choose Azure environment: AzurePublicCloud
    Subscription ID: Your Azure Subscription ID
    Management certificate: Choose the AzureManagement.pfx that we created on part 2

  3. Region: The Azure region where the cloud service will be hosted
    Certificate file: Choose CMG.pfx what we exported on part 2
    Service FQDN should automatic assigned base on your certificate subject name, So as Service name.
    Uncheck Verify Client Certificate Revocation

  4. Click on Certificates uploaded to the cloud service: Certificates…
  5. Click on Add, choose RootCA.cer that we created on part 2
    NOTE:
    If you have subordinate CA, add them as Intermediate Certification Authorities.

  6. Next..Next..Next..Close to complete the setup.
  7. To view the status, check CloudMgr.log or from Admin console.
    It took about 20 minutes to finish installation in my test environment

 

Setup Cloud Management Gateway (Option 2, Azure Resource Manager deployment)

Start with ConfigMgr Current Branch 1802, there is new option deploy Cloud Management Gateway: Azure Resource Manager deployment

  1. Choose use “Azure Resource Manager deployment”, click Sign In

  2. After you sign in with your Subscription admin account, you should able to see your subscription ID, Azure AD app name, and Azure AD tenant name.

  3. Choose create new resource group or use existing group.
    Click Browse, choose the cloud management gateway certificate what we created in Part 2

  4. Click on Certificates uploaded to the cloud service: Certificates…
  5. Click on Add, choose RootCA.cer that we created on part 2
    NOTE:
    If you have subordinate CA, add them as Intermediate Certification Authorities.

  6. Next..Next..Next..Close to complete the setup.
  7. To view the status, check CloudMgr.log or from Admin console.
    It took about 20 minutes to finish installation in my test environment


Configure Cloud management gateway connection point setup

  1. Log on to server CM02.zit.local
  2. Add Site System Roles, choose Add Cloud management gateway connection point

  3. Next, it should give you cloud management gateway name. Click Next to start install cloud management gateway role.

 

The Cloud Management Gateway is now configured, we will need to configure the Management point and Software Update point to use the gateway.

Continue on Part 4 (Management point and Software Update point)

Log files for troubleshoot cloud management gateway, see this

More details about Cloud Management gateway, see this

(3933)

Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

There are no comments.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.