Hello everyone and welcome to our Intune Education partner Ask the Expert series. We've had conversations previously about device-based subscriptions for Office 365 and how to deploy those in Microsoft Endpoint Manager. Today we are looking at how to set up a cloud management gateway in SCCM. We understand that with staff and students not being on site, there is increased interest in some access and control of those devices that are no longer on-prem. With no further ado, let's get started. I am so excited that I got Scott Ellison to join our expert series today. Scott was my onboarding buddy when I joined Microsoft Education; he brought me over, he taught me all of the stuff that I now know, and really gave me the foundation to move forward in understanding Intune and how it's solving a lot of our customer issues around slow logins, delayed updates, all of those things. About two years ago Scott's and my sole mission was traveling around the country getting schools excited about modern management with Intune for Education. Now, with the world as it is today, we hear from a lot of customers, and a lot of partners talking to our customers, about embracing cloud-based device management, or at least having some sort of access into their devices that are no longer on-prem and have gone home with staff and students. School IT leaders are looking to control some of the settings, the updates, some of the applications, or at the very least have visibility. So I'm super excited to have Scott with us today. Welcome, Scott.

Thank you, Joe, glad to be here. The first place that I would start in any type of planning scenario for your CMG is to review the docs on docs.microsoft.com. There are definitely some scenarios that you need to be aware of, what the CMG can do and what it cannot do, so just a couple of quick things you need to be aware of. Having a cloud management gateway does require an Azure subscription. If you want to test CMG first, you can always go out to the Azure website and sign up for a free trial; we provide a two hundred dollar credit so that you can start experimenting with the CMG, and you can also do other Azure services there as well. The CMG definitely does address some scenarios for Windows device management, for both a hybrid Azure AD joined device and also an Azure Active Directory joined device. It will support both your Windows 8.1 clients and your Windows 10 clients; Windows 7 clients, remember, are now out of support, so hopefully you're not running any Windows 7 clients in your environment. Things that the CMG can leverage are software updates, your Endpoint Protection, your inventory, your client status, compliance status, compliance settings, and all of your third-party software distribution as well, so that would be any software updates to things like Java, iTunes, Chrome, or any line-of-business applications that you have. It can also do an in-place upgrade from one version of Windows 10 to a newer version of Windows 10, like when going from 1809 to 1909, a major feature update, so we can run task sequences over the internet. It's really good just to review this topology page here, look at the different scenarios that we can cover, and then also understand that there are some limitations on the cloud management gateway. For example, you cannot use client push; we cannot push a client to a device that's over the cloud management gateway. We do not have support for Wake-on-LAN or Mac, Linux and UNIX clients, and there currently isn't BitLocker support. So there are some scenarios that CMG does not support, but for most scenarios where you need to do software distribution or patch management, we can do those through a cloud management gateway. Just read through this documentation. There are also some things that you need to know about certificates: we do require either a PKI infrastructure to be in place, so there does need to be certificates, or you can use a third-party cert with enhanced HTTP, which is a feature of Configuration Manager.

So I'm going to go ahead and jump over here to my site server, and Joe, hopefully you can see this and everybody else can as well, and we'll just go through the setup and the things that you need to be aware of as you set up your CMG. Now, the CMG does require some certificates to be available for use. You can either use your local PKI, public key infrastructure, for the certificates, so if your devices already have a client auth certificate on them and you have a web server, you can generate a certificate from your PKI; you'll need to use a web server cert, but you can generate that certificate and then use that for the communication between your clients and your cloud management gateway. Now let's say you are in a scenario where you don't necessarily have certificates deployed to your devices, maybe you don't have a PKI infrastructure; you can still use a third-party certificate to enable the cloud management gateway. The way that you're going to want to do this is to enable a feature in Configuration Manager called enhanced HTTP, and the way you would do that is to go into the properties of your site (this will bring up our primary site properties), click on the Communication Security tab, and then check the box here for "Use Configuration Manager-generated certificates for HTTP site systems". This will help facilitate that communication as well, but you do need to enable this box if you are going to use a third-party cert. Any of the major certificate vendors like DigiCert will be fine. It is also supported in Configuration Manager with the CMG that you can leverage a wildcard cert as well, so if you already have a wildcard SSL cert for your domain and you do the correct DNS entries, that will also be an option for you. Once you enable enhanced HTTP, that also is going to light up some other functions around co-management (we'll be doing a video in about a week or two on co-management between Configuration Manager and Intune), but that also lights up some other scenarios where you can do things like sync your collections into an Azure AD group; that's one of the requirements, that feature needs to be enabled for that.

Now, the cloud management gateway has been around for a long time, about three or four years; it was initially in our 1610 release of Configuration Manager, and over time the cloud management gateway has been modernized to take advantage of things like Azure Resource Manager and all of the new features. We've merged the role of the cloud distribution point into the cloud management gateway, but the functionality and what it does has remained pretty consistent, and we've been able to add more functionality to it. So let me start by going over what we need to do once we've enabled enhanced HTTP, we have our Azure subscription and we have our cert available: what do we need to do from the Configuration Manager side to enable the cloud management gateway? For the most part, all of the actions that you're going to take are going to be done within the Configuration Manager console. The first thing you're going to want to do is enable your Azure AD tenant to communicate with your Configuration Manager site server. One of the things that a full admin, who will also need global administrator credentials, needs to do is what we call a cloud attach, to be able to have your site server talk to Azure Active Directory. If you come in here under the Administration node and right-click on Azure Services, it will start a wizard that allows you to do what's called a cloud attach, so you can configure your Azure services. This is where you add your Azure Active Directory tenant to your Configuration Manager site; this allows your Configuration Manager clients to authenticate to the site using Azure Active Directory. I'm not going to go through the wizard, but let me just show you what this creates. As part of the setup it is going to create two applications within Azure AD: one is a web application that will serve as a web app, and then we also create a native client app that is used for authentication. We create these two applications here in Azure Active Directory, and you will need to be a global admin in order to create these, or have someone log in from the Config Manager console with global admin credentials. Once those Azure AD apps are created, you will be able to perform discovery on Azure Active Directory. This is where we can go and look for Azure AD users and Azure AD groups; once those resources are discovered they are stored in our Configuration Manager database, and from that point we can run reports on those, we can build collections, we have those resources available to us. You can also enable the option, if you want, to do an Azure AD group collection sync; what this basically entails is it gives us the ability to sync our Configuration Manager collections and merge those into an Azure Active Directory group. Once we onboard our tenant, as you can see here, I just called mine "Azure AD discovery", but you can name this anything you like; you'll see that it has the associated cloud service, and you'll see down here in the lower portion of the Config Manager console that I have discovery enabled for both Azure AD users and my Azure AD groups. Now, as far as configuring how often discovery is to run, that's based on your organizational preferences. I usually recommend, depending on the size of your site and the load that you currently have, that once a week should be sufficient; just understand that we also do delta discoveries every 5 minutes, so it should pick up any new or modified attributes during that time.

Once we have our Azure AD tenant connected, we can proceed with installing our cloud management gateway. The next thing we'll want to do is come down here to Cloud Management Gateway and run the wizard to add a CMG to our network. All of our communication traffic goes out over port 443; there aren't that many different ports that you need to open up, and most organizations will allow most outbound network traffic to the internet. So we'll go through the cloud management gateway wizard and we're going to be asked to sign in using our Azure credentials. As you can see here, I'm going to take a quick second, we're going to let this pop in, and I'm going to use my account here. This particular account that I'm signing in with on this Azure subscription is not necessarily a global admin in my environment; I am a global admin, but the individual that is signing in to set up the cloud management gateway also needs to have contributor permission, which is available to deploy the cloud management gateway service. Excellent question, Joe, so yes, it does need to be: "please sign in as an administrator account to access your subscription; Config Manager will obtain the subscription information and configure the contributor permission required to deploy the service", because again, in certain organizations you might have some folks that are in different roles. Sorry about that. Okay, so as you can see here I've started the cloud management gateway wizard, and if you look right here, a cloud management gateway can be deployed in both the Azure public cloud and also in the US government cloud. Most education customers are going to work in the Azure public cloud; most of your regular K-12s and most of your higher education customers will be in a public cloud scenario. There may be some university projects that may be required to use government clouds, so you can also deploy the cloud management gateway in the Azure Gov cloud. When you sign in here with an administrator account, you do need to have a Config Manager... well, like I said, it will find the application that you created back when you attached to your Azure Active Directory tenant, and then it will also find the subscription that is linked to your account. Once we do that we'll click Next, and this is the page pretty much where we have the setup of the cloud management gateway.

The first thing it's going to ask is for your certificate file, the PKI cert for this cloud service; as you can see here, it's going to ask for a .pfx file. This was the one that I originally set up my cloud management gateway with, so I'm going to click on this, and as you can see, I did export the private key, which is important: when you're fulfilling the certificate request and you import it into the server that you made the request from, do export the private key, and it will ask for a password; you'll need to password-protect that. If you'll notice here, there are a couple of things that it's looking for. First, you will import your certificate, and then you will have to give it a service name, and this is important. When you create the cloud management gateway, it will default to a service name using whatever you name it, with cloudapp.net. If you don't plan on using an alternate DNS name... in this case I've used an alternate name, scholarscoutcmg.scholarscout.net. If you want to use an alternate DNS name, make sure that you put that in your certificate, and you'll also want to put your deployment name in that cert as well. This is not required; this is something I chose to do, so again, you don't have to necessarily use your vanity domain, but you're more than welcome to; just make sure that you make it a subject alternative name in the certificate request. Again, with CMG being a PaaS application, all services are going to end up with cloudapp.net.

When you then create the service, you're going to be asked if you want to use an existing or create a new resource group. Let's say in this particular case I wanted to create a new resource group. One of the things that's important is selecting what region you want to deploy your cloud management gateway in. For most K-12s, since most of your devices are going to be localized, meaning they'll be in the general county or area that you support, we typically recommend that you pick the data center that would be closest to your physical location. If you do support devices that might be around the world, you can deploy multiple instances of cloud management gateways to different regions, but for most cases, most organizations will just have one cloud management gateway in the region that's closest to them, so in this particular case I could pick East US. Again, you can also use an existing resource group. What a resource group is, is a collection of your VMs, your virtual machines, your networking and all the things that are associated with that particular instance of an application that you're running, so you can use an existing one or create a new one. Then you can also decide how many VM instances you want to create. One thing that's important is that because this is a platform-as-a-service application, you don't have to worry about installing the virtual machine or configuring the operating system; Microsoft takes care of that for you, so any of the patching that needs to be done to the operating system is all handled by us. We're just providing the platform; you're just enabling a service on it. With the number of instances of the virtual machine, one instance should be enough for most organizations depending on your size; if you get up above, you know, 20 or 30 thousand, you may need to add additional virtual machine instances to handle your load, though it's very scalable: by just clicking the up arrow I can scale the number of virtual machine instances that are enabled. But the first time that you deploy your CMG, you probably just want to start out with one instance, do your testing, see if you need to add more instances based on your performance load or how much communication you have going back and forth, and then you can scale that up or scale it down depending on the time of year.

Now, what's also very cool about a cloud management gateway is that the cloud management gateway can also function as a distribution point. Several releases ago with Config Manager they built in the functionality that the CMG can function as a distribution point as well, so that it can also serve up content utilizing Azure storage. Again, I'm using a certificate from before, so it won't allow me to proceed because of the service name; I'm going to cancel out and show you a couple of the other screens in the setup process that you will need to go through. As you can see here in this setup process, I used the resource group called "upgrade readiness", my CMG is configured to also function as a cloud DP, I have one VM instance, and of course here is the certificate that I've imported; in my case I used a third-party certificate, and I also used my vanity domain as the service name for the instance. If you do choose to use that vanity domain, you will need to create a DNS entry with whoever your DNS provider is; you will need to create an A record and a CNAME record for that as well.

Now, in the Alerts tab, this is where you can set up your monitoring of the data transfer and the storage for your cloud management gateway. For the first section here, you can turn on a 14-day threshold, and you can set an alert to stop the service if you create a critical threshold. The thing that's important to understand about the cost of a cloud management gateway is that you have not only the number of virtual machines but also your egress of data from the Azure data center, as well as the amount of storage that is being used by your cloud distribution point, so you can set alerts for both the cloud management gateway and your storage. So these are going to be like guardrails to make sure that they're not spending more than they want to spend? Absolutely. So, you know, if you're in a K-12 type scenario, in most cases during the school year you'll be upping the number of virtual machines that you have; maybe in the summertime, since you're refreshing those devices or storing those devices, you can scale back that virtual machine as well. And it's cool, so this high school can change how many virtual machines... even if the device is off-site, or does the device need to be on-site in order to get the new policy that there's multiple VMs? The device does not have to be on-site; the device isn't going to know anything about the number of virtual machines running in the background. The virtual machines are just there to handle all of your client connections, to load balance and handle the capacity of connections to the cloud management gateway. So as long as the CMG is already deployed, the IT administrator can turn it up and turn it down as far as features and bandwidth without actually seeing the device? Correct. Fantastic. Yeah, the device just does have to talk to the management point to get the initial policy, so it does need to be on your internal network, or a script would need to be run to modify the client installation properties to make the client aware that it is able to communicate with the cloud management gateway.

Now, we do have a new feature in the 2202 release of Configuration Manager where you can do a bulk token enrollment using a workgroup device and it can register over a cloud management gateway; that's a new feature, it recently just came out, and I haven't had time to play around with it. But for the most part, to get the initial configuration, most devices have to be on your network; they get the policy update to know that there is a CMG available for them to communicate with. Then on the Content tab, this is going to show what content is currently deployed to our distribution point; here I just have a Configuration Manager client package. A couple of things I want to talk about specifically related to content: most of the content that you store on a CMG should only be related to either line-of-business applications or third-party patching. All of your Config Manager clients that utilize the CMG should be configured to go out to Windows Update to pull the content down, and if you're managing Office ProPlus, you would definitely want to make sure that that's configured to use the content delivery network that's available; that way it will save on your CMG cost and it will also save on your storage cost as well. Now, when you're ready to deploy the CMG, if you want to monitor the deployment, you can come into CMTrace and open up a log called CloudMgr.log; this is going to be found in the Program Files\Microsoft Configuration Manager\Logs folder. This log can be used to monitor the deployment of your CMG and also just to ensure that your CMG is running appropriately, so if you're into the Config Manager log files you can watch it as it deploys and see if any errors are in there. This is one of the log files that you definitely want to monitor when you're going through your deployment.

Once we have our CMG deployed, you will see down here that it pops up in this list; again, you can have multiple CMG instances, but for most organizations one CMG instance should be sufficient to meet most use cases, and of course you should have a status of Ready here as well. Now, a couple of other things will need to be installed as part of the CMG. On a site system, which could be either your site server or another Configuration Manager server that holds a specific Config Manager role like a management point, you do need to install the cloud management gateway connection point. You will just come in to the server you want to deploy it to, click on Add Site System Roles, and start the wizard that will take you through the role that you want to install on that server. Once that role has been enabled, you will need to come into two other site system roles: first your management point, where you will want to allow your management point to use the CMG for its traffic, and then you'll also want to do the same with the software update point; again, check the box to allow Configuration Manager cloud management gateway traffic. This enables both of these site systems to accept traffic from the cloud management gateway. So pretty much at that point, just to recap what we've done: we've attached our Config Manager site to Azure Active Directory, we've deployed our cloud management gateway, we've deployed the cloud management gateway connection point site system role, and we've enabled our management point and software update point to accept traffic from the cloud management gateway. At that point we're then able to enable our client settings.

What's important here with the client settings is that this is going to allow us to set which devices can actually use the cloud management gateway. As you can see right here, I have a separate client settings policy that I've deployed to a specific group of devices; again, this is totally optional, but this is just how I set mine up in my test environment. If you notice here under Cloud Services we have a few settings. One, we can enable access to a cloud distribution point; this will allow any of our devices that are not currently on our internal network to access our cloud distribution point. And then of course we can enable clients to use the CMG. So again, you could target this; let's say you have a collection that had all laptops and didn't have any desktops, based on the chassis; we can come in here and specify which devices we actually want to have access to our cloud management gateway. Come in here and configure your custom device settings for that. Once you're finished with your device settings and the client has received its policy, the way that you can tell that you have successfully deployed your cloud management gateway is to look at a particular client. In this particular case you can go into your Control Panel, and you'll be able to find your cloud management gateway targeted to a specific collection. What I'm going to do is take one of my hybrid Azure AD joined devices and show you what that looks like. So we're going to log in to a Windows 10 device here and open up the Control Panel. Hey Scott, quick question, are you Batman? I am Batman. If you notice here, in this virtual machine I have the Configuration Manager client properties up, and if I click on the Network tab, you'll see here the URL for my cloud management gateway. This client is in that collection that I deployed my client agent settings to, and you can see right here that SSCMG is my cloud management gateway and that it's in there.

Now, one way that you can definitely test to ensure that your cloud management gateway is communicating correctly is to look here under your connection type. Again, this device right now is a virtual machine on an internal network, but you could also test this off your network, or you could do it with an Azure AD joined device, and it would say that this device is currently on the Internet. Right now it says Intranet, so it's internal, but if you took it off your network and did any kind of connection it should say Internet. So our CMG is up and running, our clients can start communicating, and at this point you can start deploying your software, you can start doing your policy, you can come in here to Assets and Compliance and see all of your devices that are online. These two devices are here; if they were on the internet we could then run our remote actions on these devices, we could trigger hardware inventory, software inventory. Again, there are some limitations on what you can do with CMG: for example, you cannot run CMPivot, that is not something you can do, and we currently do not support using the Config Manager remote control, although that is in one of our technical previews right now and has been for some time; that feature currently is still not in a production build of Configuration Manager.

One last thing I do want to point out, especially as more organizations have gone to remote device management: you might have more users today using a virtual private network than you have previously. There are a couple of things that you can do to take some of that load off of your VPN infrastructure, and that is to configure any clients that are on the VPN to use your cloud resources. If I go back here under Administration, expand Hierarchy Configuration and look at boundaries... sorry, it's under Boundary Groups; we can set up our clients to use cloud resources. What we would do is come here to Boundary Groups, click on the Options tab, and check this box that says "Prefer cloud based sources over on-premises sources". This way, if we do have a client that roams within the boundaries of our VPN subnet, for example, we can have that box checked, and that will tell the client to go out and use the cloud management gateway instead of our internal distribution points, and therefore we can prevent our devices from oversaturating our VPN links and our internet connections.

So this was a quick overview of the cloud management gateway; again, we're going to be posting the links down in the description for the things that you need to plan for as part of your cloud management gateway deployment. This also will set you up for future cloud attach scenarios with Configuration Manager. In our next video that I'm going to be doing with Joe, we're going to do an overview of co-management and the workloads that you can move back and forth between Config Manager and Intune. This will also enable some other scenarios; for example, let's say that you have an Azure Active Directory joined device, you've enrolled this into Intune, and now you want Intune to be able to make it part of your Configuration Manager site. The cloud management gateway allows for that scenario to occur, because the Config Manager client can be deployed via Intune and then it can register back through the cloud management gateway, and then it's both enrolled in the Intune service and also part of Configuration Manager at the same time.

So the cloud management gateway, to me, seems like it has a very low floor and a high ceiling. It's very easy to get into; an education customer does need to have an Azure subscription, but they can sign up for a free two hundred dollar trial, right? And with that trial they can go in and start to experiment with how they would set that up and configure it, and they can keep things really light as far as usage, especially if you're trying to control things like Windows Update and Office updates, all of which can come through our own content delivery networks and don't need to be locally hosted by the school, so they can keep the amount of data really light but still have some reach into these devices that are off-prem. Something that schools need to be aware of, and our partners who are working with schools, is that the devices need to be on-site in order to get that CMG updated policy; otherwise they're not going to know that this new CMG exists for them. Is that a good summary? Yeah, that's a very good summary. Just a couple of points: if they also have a virtual private network, or VPN service, deployed to those devices, and they have their VPN subnets within the boundaries of the Config Manager site, and the VPN subnets are allowed to talk to Config Manager as well, then they should be able to get that policy through the VPN. But again, in most cases, especially in K-12, most schools are not going to have a VPN solution deployed. And really the whole point of a CMG, and I guess why we're doing a lot of these videos now, is because, as you know, Joe, we're both living in some uncertain times. As we've both been involved in education, you yourself being a former teacher, we haven't really seen this type of environment come up; we haven't lived through this, so we're doing these videos here today to really give our K-12 and higher ed customers things to think about, what they need to plan for, because we don't know how long this is going to be going on. Hopefully we can return to some version of normal, but I think it's also going to enable new scenarios, especially as we may have more of our faculty and staff working from home on a more regular basis than previously. So don't just think about it in a student device scenario, but also think about this in a faculty and staff scenario as well, being able to manage those devices. There are teacher devices that go home over the summertime; during a regular school year you have no reach to those devices, and this provides that reach that you need. You brought up a lot of good key points: you can keep this really light, you don't have to put any type of content out there on the cloud management gateway, we have a lot of customers that don't, but one of the things they like is the ability to show compliance reports; they can get their patching up, and they can get a much cleaner picture in reporting because they have a mechanism for devices that aren't on the network to communicate in.

That's fantastic, thank you so much for joining. I think our partners are better off, and I know a lot of our customers are tuning in to this YouTube channel as well to get these videos, just because it's so important to them right now in order to respond to the current world, as well as prepare for anything else to happen next and to future-proof themselves. So thank you so much, Scott, for joining, and I'm sure we'll have you back to talk about how to establish co-management, linking SCCM to Microsoft Endpoint Manager to get the best of both worlds. So thank you so much for joining. Thanks, Joe.
