While many employees have shifted to a remote work routine, IT's job hasn't changed: keep corporate devices maintained regardless of where they are.
The coronavirus pandemic sent untold numbers of employees to work from home, making it harder to ensure work laptops stay compliant and maintain a security baseline. To help with this effort, you can use the Cloud Management Gateway (CMG) feature in System Center Configuration Manager (SCCM). A common SCCM problem is that if the client's VPN connection goes down or isn't in use, the client shows as "unknown" in the SCCM console. A CMG resolves this, but you'll have to determine which of the three client authentication options works best for your specific needs and setup.
How do clients communicate with the CMG?
Because the purpose of a CMG is to connect internet devices to SCCM, you have to secure the client's communication with the service. Internet clients shouldn't have contact with the on-premises management point in SCCM. Client connections over VPN count as intranet connections rather than internet connections.
Traditionally, you'd use certificates issued by a PKI. However, SCCM administrators have two further authentication choices: Azure Active Directory (AD) or token-based authentication. You aren't limited to one authentication choice; each client can use a different authentication method.
What you need to know about CMG Azure AD authentication
Azure AD client authentication works for both Azure AD joined and hybrid-joined devices. It is Microsoft's recommendation when you use a CMG and need to authenticate clients.
Requirements for Azure AD authentication are:
- devices that run Windows 10;
- devices joined to Azure AD or hybrid joined;
- SCCM configures the client settings;
- .NET Framework 4.5 is installed on the SCCM management point; and
- for hybrid identities, enable user discovery methods in SCCM.
What you need to know about CMG PKI authentication
Securing client authentication with certificates issued by an internal PKI is another option for CMG client authentication.
This scenario fits if:
- you already have a PKI to distribute certificates to your devices;
- you don't require user identity support, since only devices are supported; and
- your clients usually connect to the intranet from the office or over VPN.
What you need to know about CMG token-based authentication
In this method, client authentication is secured with authentication tokens issued by SCCM over the intranet or the internet.
Requirements for token-based authentication are:
- SCCM 2002 or later;
- SCCM clients must be on the same SCCM version as the primary site for full support;
- an active Azure subscription;
- global admin rights in Azure;
- a server authentication certificate; and
- a unique DNS name for the CMG.
Why should you use token-based authentication?
Microsoft introduced token-based authentication for the CMG with SCCM 2002.
Token-based authentication doesn't depend on certificates or a connection to Azure AD. Therefore, it's a suitable client authentication method when you can't meet the prerequisites of the other authentication options.
Some scenarios that token-based authentication solves are:
- clients on the internet seldom connect to the local intranet;
- clients can't join Azure AD; or
- clients have no way to obtain certificates.
The benefits of token-based client authentication are:
- it removes the requirement for a client authentication certificate;
- co-management isn't needed for the CMG setup; and
- the device doesn't need to join Azure Active Directory.
Clients register for an authentication token with either internal network registration or bulk registration over the internet.
The client authentication token renews every month and stays valid for 90 days. There's no requirement to connect to the internal network to renew this token.
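The three options above map to facts you can read off the device itself: its join state, whether it holds a usable client authentication certificate, and whether it can reach the on-premises management point. The following PowerShell is an added example and not code from the original article; it runs read-only checks and reports which CMG authentication method the device can use right now. It assumes Windows 10 with dsregcmd.exe, that any PKI client certificate is in the local machine Personal store, and that the management point hostname `mp01.corp.example` is a placeholder you replace with your own.

```powershell
# Added example, not code from the original article: a read-only check that
# reports which of the three CMG client authentication methods this device can
# use right now. Assumptions: Windows 10 with dsregcmd.exe, the PKI client
# certificate (if any) is in the local machine Personal store, and $IntranetMP
# is a placeholder management point hostname you replace with your own.

function Get-DeviceJoinState {
    # dsregcmd /status prints "AzureAdJoined : YES|NO" and "DomainJoined : YES|NO".
    # Both YES means the device is hybrid joined.
    $status = & dsregcmd.exe /status 2>$null
    [pscustomobject]@{
        AzureAdJoined = [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
        DomainJoined  = [bool]($status -match '^\s*DomainJoined\s*:\s*YES')
    }
}

function Get-CmgClientAuthCert {
    # The PKI option needs a certificate with the Client Authentication EKU
    # (1.3.6.1.5.5.7.3.2), a private key, and current time validity.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-IntranetManagementPoint([string]$HostName) {
    # Internal network token registration needs the on-premises MP; an HTTPS
    # management point listens on 443. VPN counts as intranet here.
    $r = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

function Select-CmgAuthMethod([string]$IntranetMP = 'mp01.corp.example') {   # assumed hostname
    $join  = Get-DeviceJoinState
    $cert  = Get-CmgClientAuthCert
    $onNet = Test-IntranetManagementPoint -HostName $IntranetMP

    if ($join.AzureAdJoined) {
        # Works for Azure AD joined and hybrid joined devices; Microsoft's recommended option.
        $method = 'Azure AD'
        $detail = if ($join.DomainJoined) { 'hybrid joined' } else { 'Azure AD joined' }
    } elseif ($cert) {
        # Device identity only; no user identity features with this method.
        $method = 'PKI certificate'
        $detail = "cert $($cert.Thumbprint) valid until $($cert.NotAfter.ToShortDateString())"
    } else {
        # No certificate and no Azure AD join: token-based authentication.
        # Without reach to the MP the device can only use a bulk registration token.
        $method = 'Token'
        $detail = if ($onNet) { 'internal network registration (default)' } else { 'bulk registration token required, MP not reachable' }
    }
    [pscustomobject]@{ Method = $method; Detail = $detail; IntranetReachable = $onNet }
}

Select-CmgAuthMethod | Format-List
```

Run it in an elevated PowerShell session on the device. The certificate check only proves a suitable certificate exists; it does not prove the CMG trusts the issuing CA, so a "PKI certificate" result still needs the CA chain configured on the CMG.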
How token registration works
Internal network registration is the default behavior for token-based authentication and doesn't require any configuration work from administrators.
Token registration happens over the internal network from the on-premises SCCM management point: when a client connects to the internal network, the management point verifies the device's self-signed certificate and issues it a token.
For internet-only clients, you can use a bulk registration token. With this method, the client never needs to connect to the intranet. This option is tailored for specific situations, such as mergers and acquisitions.
This is a separate token from the client authentication token SCCM issues. The bulk registration token's role is twofold: it makes the first communication between the client and the CMG over the internet and authenticates the client with the CMG alongside its self-signed authentication certificate. Once that happens, the CMG service sends the device a unique client authentication token, which is used for all further communication.
The bulk registration token's validity is short. It isn't stored on the site or the client. You can't renew bulk registration tokens. You can monitor bulk registration tokens and remove them as required directly from the SCCM console.
You can bulk register devices with the BulkRegistrationTokenTool.exe tool located in the bin\X64 folder of the SCCM primary site server installation.
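The bulk registration flow just described, as an added example in PowerShell that is not code from the original article: one function runs on the primary site server to mint the short-lived token, one runs on the internet-only device to install the client with that token, and one checks afterwards that the client is talking to the CMG. The install directory, CMG service name `contoso.cloudapp.net`, CMG ID `72057598037248` and site code `ABC` are placeholders you replace; `/new` on the tool and `/regtoken:` on ccmsetup are the parameter names as documented for SCCM 2002, which you should confirm against `BulkRegistrationTokenTool.exe /?` for your build.

```powershell
# Added example, not code from the original article: bulk registration of an
# internet-only client, split into a site-server step and a device step.
# Assumptions: install directory, CMG service name, CMG ID and site code are
# placeholders; /new and /regtoken: are the documented parameter names for
# SCCM 2002, confirm with "BulkRegistrationTokenTool.exe /?".

# --- Run on the primary site server ---
function New-CmgBulkRegistrationToken {
    param([string]$SiteInstallDir = 'C:\Program Files\Microsoft Configuration Manager')  # assumed path
    $tool = Join-Path $SiteInstallDir 'bin\X64\BulkRegistrationTokenTool.exe'
    if (-not (Test-Path $tool)) { throw "Tool not found: $tool" }
    $output = & $tool /new
    # The token is a JWT-style string (three base64url segments). Extract it by
    # shape so the script doesn't depend on the tool's surrounding wording.
    $match = ($output -join "`n") | Select-String -Pattern '(eyJ[\w\-]+\.[\w\-]+\.[\w\-]+)'
    if (-not $match) { throw "No token found in tool output:`n$($output -join "`n")" }
    # Return it to the caller only; the bulk token is not stored by the site or
    # the client, cannot be renewed, and should not be written to disk here.
    $match.Matches[0].Groups[1].Value
}

# --- Run on the device, with ccmsetup.exe in the current directory ---
function Install-CmgClient {
    param(
        [Parameter(Mandatory)][string]$BulkToken,
        [string]$CmgFqdn  = 'contoso.cloudapp.net',   # assumed CMG service name
        [string]$CmgId    = '72057598037248',         # assumed CMG ID from the console
        [string]$SiteCode = 'ABC'                     # assumed site code
    )
    $proxy = "$CmgFqdn/CCM_Proxy_MutualAuth/$CmgId"
    # The bulk token only authenticates the first contact with the CMG; the CMG
    # then issues the device its own client authentication token for later traffic.
    & .\ccmsetup.exe "/mp:https://$proxy" "CCMHOSTNAME=$proxy" "SMSSITECODE=$SiteCode" "/regtoken:$BulkToken"
}

# --- Run on the device once ccmsetup.log reports the install finished ---
function Test-CmgClientRegistered {
    param([string]$CmgFqdn = 'contoso.cloudapp.net')   # assumed CMG service name
    $svc  = Get-Service CcmExec -ErrorAction SilentlyContinue
    $auth = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ClientRunning = [bool]($svc -and $svc.Status -eq 'Running')
        CurrentMP     = $auth.CurrentManagementPoint
        TalkingToCmg  = [bool]($auth.CurrentManagementPoint -like "*$CmgFqdn*")
    }
}
```

Hand the token from the site server to the device out of band (an encrypted channel, not an e-mail or a shared drive): its short validity limits the exposure, but anyone holding it can register a device with your site until it expires, and the only remedy is removing it from the SCCM console. ccmsetup.exe returns as soon as the installation is started, so wait for ccmsetup.log before running the verification function.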