Deep Dive Token-Based Authentication for Cloud Management Gateway in Configuration Manager

Reddit Comments

You are on it. Thanks for this!

2 points | u/barf_the_mog | Apr 02 2020
Hi, my name is Justin Chapman. I'm the founder here at Patch My PC. We develop a third-party application and patching solution for Microsoft Configuration Manager and Intune. In this video we're going to be reviewing one of the new features that came out around cloud management gateway within Configuration Manager current branch build 2002, which actually released today, April 1st 2020. Now, if you haven't set up cloud management gateway, or this is your first time looking at it, you're going to want to start with the video that you should now see in the top right of this video. That's going to be a guide that goes over how to set up cloud management gateway and how you can use that to manage devices out on the internet. This video is specifically going to be talking about some of the improvements for installing a client out on the internet, so we're going to be talking about the new feature in 2002 that allows you to use token-based authentication to enroll clients that are out on the internet.

Now, what the token-based authentication allows you to do is enroll a client that does not have a certificate, or that is not enrolled in Azure AD, to authenticate. So typically, up until this point, you would have needed a client authentication certificate that's used to validate that the client has access and can talk to cloud management gateway in order to register and get policy. The other option was, if you used Azure AD, that could also be used as a source of authentication for getting that client registered and talking, but that could be quite challenging in some scenarios. So, for example, one of the scenarios where token-based authentication will be quite helpful: there's actually a post on Reddit last week that talked about a scenario where somebody had servers in a DMZ and they just wanted them to be managed directly out on the internet through cloud management gateway. The issue was they were only workstation machines and they were kind of in their own DMZ, so if you were going to try to get client-based certificates from, like, an internal PKI, that can be pretty challenging to go through: you know, request the cert from a domain-joined machine, go out and export it with the private key, and try to get it imported. It could just be, you know, pretty cumbersome to get that all going. Another scenario that could be quite helpful is if you have machines already out on the internet. Maybe they're workgroup, or maybe they're domain-joined, but they just never got policy to be able to talk through the internet with CMG, or they never had the correct certificates in place. You can now install the client using this token directly over the internet.

So let's actually go into the token-based authentication section that talks a little bit more about this. So the way that this is going to work is you need to generate your token on your top-level site server. So if that's a CAS, that would be the top level of the CAS, or if that's a standalone primary you would go to the primary, and open up a command prompt as administrator. So over here on the docs we can see that you want to navigate to the installation directory and then bin\X64. So there's going to be a utility here where we can generate these tokens that we would then use in the ccmsetup.exe command to install the client over the internet without a certificate, and the token is going to be essentially the authentication piece that allows us to authenticate to the site. So that's going to be like our private key within our traditional certificate, if you will. So what we're going to do here is go ahead and navigate to the D: drive, let's do a cd into that directory. So here we go. So now if we do dir and then something like bulk*, we can see the bulk token tool within the installation directory where we installed Configuration Manager. So if we just do a quick run and just run the bulk token tool, we can see that it gives us a couple of parameters that we can use here.

So the first one is going to be to generate a new certificate, or, I'm sorry, a new token. So if we do a slash and then something like new, this would actually generate a token for us that we could use to install the client. Now if we look here we can see the default length that the token would be valid for is three days, so within a three-day period you could use that token ID and install however many devices you want out on the internet. So that's the first kind of option. Now there is a lifetime, so the lifetime is how long it's valid for. Now this is the number of minutes that it's valid for. Now the max length is actually going to be seven days, so from a minutes perspective that's going to be ten thousand and eighty minutes. So for example, if we do ten thousand and eighty-one, we can see that we get an error saying, you know, it has to be smaller than seven days. So let's say we wanted to create a new token and we wanted to make it the max of seven days: we would just do BulkRegistrationTokenTool.exe /new /lifetime and then ten thousand and eighty. So if we run that command it's going to create a token for us, and this is going to be what's used to enroll clients securely. So this is essentially your private key that you would want to keep kind of secure, because anybody that had this key and knew your cloud management gateway server name could essentially enroll clients. So we'll see whether or not I actually, like, blur this out. If not, I guess you could enroll into our demo tenant, maybe get some free third-party patching, but that's probably about it in this demo.

So going back to that, now that we have that token, you know, you want to make sure you save that somewhere. Now in my case what I did is I copied this entire example command and then I pasted that into a command file. So within this folder, ccmsetup-CMG, I've simply created a command file, and what we're going to do is come in here and go ahead and replace that token with the one that I just generated. Now in my case, just to save some time, I did go ahead and already change the management point, so the MP we've already replaced with our cloud management gateway management point. We also replaced the CCMHOSTNAME with ours, and then the site code and local SMSMP were all replaced. So we can see that we've got our CMG, we've got our site code of PR1, and then we have our local MP. Now the CCMHOSTNAME and the MP, this is going to be where it initially registers, so that's telling it to go directly out to our cloud management gateway. Outside of that, this is all pretty basic, just a batch file. We're basically just running ccmsetup. What I've done is I've already copied ccmsetup from the installation directory, so you would want to make sure that, you know, you get the latest version of ccmsetup when you go on your client to actually install this. So within my installation directory I just went into the Client folder and then I copied ccmsetup from here. So this definitely needs to be at least the ccmsetup for build 2002 or newer, so it looks like 5.00.8968 or newer would be what you would need in order to use this new token parameter, /regtoken, in order for you to actually register over the internet without that certificate. Outside of that, you know, the only other thing we're doing in this basic batch file is just launching CMTrace. So I did also copy CMTrace to the same folder, and then of course we have the batch command where I copied just the command and the script that we're running. So pretty simple here. The reason I'm doing that is, you know, let's say that you wanted to go install this on, like, 10 devices within that 7-day period: all you'd have to do is right-click, run the script, and that would initiate the installation for the device over the internet. Outside of that, we've already obviously got our cloud management gateway running, so at that point, once we generate our token, we're pretty much ready to test the client over the internet.

So if I jump over to one of our client devices, let's go ahead and open that up. We can see that this is just a device out on the internet, so if we try to ping our domain, we should be on a guest network, so we're not going to have any idea about that. In addition to that, we're actually on a workgroup-based machine, so if we go ahead and look at our system info we can see that we're totally out on the internet: we're not even domain-joined, and of course we would not have any certificates. So if we look at our certs, we would not have any client-based certificates that could typically be used within cloud management gateway. So what we're going to do here is, I've already copied those bits within our environment, so I just copied that folder and basically pasted it. Now from here, what I'm going to do is go ahead and launch that installation command as administrator. So that's going to go ahead and kick off ccmsetup, and then it's going to automatically open CMTrace from the local directory where it's in, and then it's going to automatically open the ccmsetup folder that would get launched when that installation was initiated from that same batch file. So at this point we can see the client is now attempting to download the latest client bits from the internet through CMG. So for example, we can see that we actually see the package ID, so if we come back to our console and go look at our packages, we can see that the client package is in fact the one that ends in 02. So by default your built-in client package will automatically distribute to all DPs, and that would include your cloud management gateway. So at this point it's connecting, and we should see here in a minute it's going to start downloading the files and getting our setup started. So we'll just pause this for a minute while we're waiting. If we look at our ccmsetup folder we should see that this has already started to initiate some of the files to go ahead and get downloaded.

Okay, so the download is now completed. So if we go ahead and pause this, see if we can get to that, here we go: we can see it downloaded all the client setup files from our cloud management gateway URLs. So at this point it's currently running ccmsetup just like any other installation, whether it was on-prem or not. You know, we should start seeing the CCM folders start to populate, and then once these components start up, you know, at that point the client is then registered, where it's going to start the process of registering. So once the client ccmsetup is completed and it's installed over the internet, the first thing that's going to kind of kick in here is we're going to see CcmMessaging.log, and then we're going to see ClientIDManagerStartup.log. So we can see they're just now populating. Looks like ccmsetup just completed. If we go ahead and look at that, we can now see that CcmMessaging is starting to post different web calls to the CMG server. So if we look at ClientIDManagerStartup we should see a registration take place over the internet to CMG. So we can now see the registration was just sent, and now it's waiting for the response from the server to approve it. So back on our management point internally, CMG should forward that request to our MP. So if we look under SMS_CCM and then Logs, we should see an MP_RegistrationManager log; that's going to be when the client gets approved. This is going to be the output of that on the server side of things. So we can see the GUID ends in, it looks like, 4C. So if we go back to the client side we can see that this client does in fact end in 44 here; let's see, 44. So let's come back to the server, client... there we go, client 44. This is where we were looking, so that is in fact the registration. So we should see here, in a couple of seconds after that 60-second sleep period on the client, you know, we saw on the server side it did approve it using that /regtoken, so the client should then start to populate all the other logs, like client policy.

There we go. So we should see, like, PolicyAgent kicking in here, and we're now getting policy directly over the internet through CMG. So we can see these different, you know, CcmMessaging entries, we can see it making these different calls to CMG when it's doing things like posting different data as well as downloading. We can see in, like, PolicyDownloader, PolicyEvaluator, and all these different things getting applied over the internet through CMG. So at this point we're getting pretty close, I think, to having our client at a good state. So if we come back to Control Panel, let's go to All Control Panel Items and then Configuration Manager. What we can do on this side of things, let's go ahead and do a data discovery just to get the client some basics reporting in. We'll go ahead and trigger hardware inventory; usually that might take a couple hours before it triggers the first time. And let's go ahead and do a scan cycle; let's see if we can get this client scanning against our software update point over the internet through CMG. So if we come over here and we look at WUAHandler, we should hopefully see that it's automatically pointed our scanning to our CMG servers, so it's going to start evaluating software updates. If we look at InventoryAgent, we should see that it's probably already submitted the inventory to our management point. Looks like that just happened, so that's all looking good. On the server side, let's see if that inventory is actually processed for our hardware inventory. So we should see the device; you can see it's still kind of in a registering status. We go ahead and start, let's just see if we've got that hardware inventory yet. Yep, so it looks like CMG has kind of sent that up and it's been processed into our database. So we can see, even for that client out on the internet, we've already got inventory coming in. We can see it is in fact active, and it is automatically approved because it was trusted using that /regtoken. So we'll just give this a few more minutes and then we'll just come check out maybe a few other client logs, and then at that point I think we'll be good to go.

Yep, so at this point we are all good to go. So for example, if we look at UpdatesDeployment we can see that we're actually scanning against some deployments already for software updates, you know, over CMG. If you're out on the internet, any Microsoft-based updates would just download right from the internet through Microsoft Update. You know, if you're doing third-party updates you would want to make sure that that's on CMG, since that's kind of specific to your environment. But at this point I think we're pretty much good to go. So going back to SCCM, we can see that we've got the client fully showing up and active, and that was all done using the new registration token that you can use in CMG without the need for certificates. I hope this video was helpful, and thank you for watching.
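The procedure the video walks through by hand (generate a bulk registration token on the top-level site server, then hand it to ccmsetup.exe together with the CMG parameters) as an added PowerShell example. This is not code from the video or from Patch My PC. It assumes the tool sits under bin\X64 of the install directory, accepts the `/new` and `/lifetime:<minutes>` switches in the form the Microsoft docs show for it (confirm that against the usage text the tool prints when run with no arguments, as the video does), prints the token as a JWT, and that the CMG service name, site code and on-prem MP below are placeholders to replace with your own. The ccmsetup parameter names follow the docs example the video pastes into its .cmd file.

```powershell
<#
 Added example (not from the video or Patch My PC): create a CMG bulk registration
 token on the top-level site server and build the ccmsetup.exe command line for
 an internet-only client.
 Assumptions (not shown on the page): tool path under bin\X64, the /new and
 /lifetime:<minutes> switches as documented by Microsoft, a JWT-formatted token,
 and the placeholder CMG name, site code and MP below.
#>
param(
    [string]$InstallDir      = 'D:\Program Files\Microsoft Configuration Manager',  # assumed path
    [int]   $LifetimeMinutes = 10080,  # 7 days, the maximum the tool accepts
    [string]$CmgServiceName  = 'CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500',  # placeholder
    [string]$SiteCode        = 'PR1',
    [string]$LocalMp         = 'https://mp1.contoso.local'  # placeholder on-prem MP
)
Set-StrictMode -Version Latest

function ConvertFrom-Base64Url([string]$Segment) {
    # JWT segments are base64url with padding stripped; restore both before decoding.
    $s = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims([string]$Jwt) {
    # Decode header and payload only, so the token's claims can be inspected before use.
    # The signature is not verified here; only the site can do that.
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Token is not a three-part JWT' }
    [pscustomobject]@{
        Header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    }
}

function New-CmgBulkToken([string]$InstallDir, [int]$LifetimeMinutes) {
    # The tool rejects anything over 7 days (10080 minutes); fail early with a clear message.
    if ($LifetimeMinutes -lt 1 -or $LifetimeMinutes -gt 10080) {
        throw "Lifetime must be 1..10080 minutes, got $LifetimeMinutes"
    }
    $tool = Join-Path $InstallDir 'bin\X64\BulkRegistrationTokenTool.exe'
    if (-not (Test-Path $tool)) {
        throw "Not found: $tool. Run this on the top-level site server (CAS or standalone primary)."
    }
    # Switch syntax assumed from the Microsoft docs; confirm with the tool's own usage text.
    $output = (& $tool /new "/lifetime:$LifetimeMinutes" 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "BulkRegistrationTokenTool failed:`n$output" }
    # Pull the JWT out of the surrounding text: three base64url segments joined by dots.
    # The {4,} minimum keeps version strings like 5.00.8968 from matching.
    if ($output -notmatch '(?<jwt>[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,})') {
        throw "No JWT found in tool output:`n$output"
    }
    $Matches['jwt']
}

function New-CcmSetupCommand([string]$CmgServiceName, [string]$SiteCode, [string]$LocalMp, [string]$Token) {
    # Parameter names follow the docs example the video pastes: /mp and CCMHOSTNAME point the
    # first registration at the CMG, SMSMP is the on-prem MP for when the device is back inside,
    # /regtoken carries the bulk token in place of a client certificate.
    "ccmsetup.exe /mp:https://$CmgServiceName CCMHOSTNAME=$CmgServiceName " +
    "SMSSiteCode=$SiteCode SMSMP=$LocalMp /regtoken:$Token"
}

$token  = New-CmgBulkToken -InstallDir $InstallDir -LifetimeMinutes $LifetimeMinutes
$claims = Get-JwtClaims -Jwt $token
Write-Host 'Token header:';  $claims.Header  | Format-List | Out-String | Write-Host
Write-Host 'Token payload:'; $claims.Payload | Format-List | Out-String | Write-Host

$cmd = New-CcmSetupCommand -CmgServiceName $CmgServiceName -SiteCode $SiteCode -LocalMp $LocalMp -Token $token

# The token is a bearer secret: whoever holds it and knows the CMG name can register clients
# until it expires. Keep the .cmd readable by administrators only and delete it after the rollout.
$outFile = Join-Path $env:TEMP 'ccmsetup-CMG.cmd'
Set-Content -Path $outFile -Value $cmd -Encoding ASCII
icacls $outFile /inheritance:r /grant:r 'Administrators:(F)' | Out-Null
Write-Host "Wrote $outFile (token valid for $LifetimeMinutes minutes)"
```

Run it elevated on the CAS or standalone primary, copy the resulting .cmd next to a ccmsetup.exe taken from the Client folder of a 2002 (5.00.8968) or newer site, and run it as administrator on the internet client. The decoded claims are printed only for inspection; if the tool's output format differs from the JWT assumption, the regex will not match and the script stops rather than writing an empty /regtoken.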
Channel: Patch My PC
Views: 5,241
Keywords: cloud management gateway, token-based authentication sccm, token cloud management gateway, SCCM cloud management, CMG token, ConfigMgr token sccm
Id: e5QSv1Yna6M
Length: 15min 25sec (925 seconds)
Published: Thu Apr 02 2020