CMG Tip – Why you shouldn’t disable CMG from the default client setting

Use of the cloud management gateway (CMG) is enabled by default in the Default Client Settings from 1706. If you are planning to disable it there, reconsider that decision if you'd like to perform client installation over the internet, because the client will never receive the custom device settings.

Finding

If you end up in the above situation, you won't see any policy downloads –

PolicyAgent.log -

Synchronous policy assignment request with correlation guid {14F22612-ECB8-4D5E-B9A0-0FEC930CF69A} for Machine DESKTOP-OAV38LH completed with status 87D00231        PolicyAgent_RequestAssignments        10/28/2017 8:49:42 PM        6368 (0x18E0)

From the ClientLocation.log you will find the actual cause -

Cloud Management Gateway is not allowed to use on this machine        ClientLocation        10/28/2017 9:10:12 PM        3840 (0x0F00)

The resultant client setting can be misleading here –

Using the PolicySpy tool, I could confirm CMG is in fact disabled.
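
The two log signatures above can be checked together with a short script. This is an added example, not part of the original post: the function name Find-CmgPolicyBlock is hypothetical, the log folder is assumed to be the default client location, and the fallback sample lines are constructed from the entries quoted above.

```powershell
# Added example (not from the original post).
# Flags a client whose policy requests fail while ClientLocation reports
# that the cloud management gateway is not allowed on the machine.
function Find-CmgPolicyBlock {
    param(
        [string[]]$PolicyAgentLines,
        [string[]]$ClientLocationLines
    )
    # Policy assignment requests that completed with the status quoted in the post.
    $policyHits = @($PolicyAgentLines | Where-Object {
        $_ -match 'policy assignment request' -and
        $_ -match 'completed with status 87D00231'
    })
    # The ClientLocation entry that names the actual cause.
    $cmgHits = @($ClientLocationLines | Where-Object {
        $_ -match 'Cloud Management Gateway is not allowed to use on this machine'
    })
    [pscustomobject]@{
        PolicyRequestFailures = $policyHits.Count
        CmgNotAllowedEntries  = $cmgHits.Count
        # Both signatures together match the situation described in the post.
        CmgDisabledByPolicy   = ($policyHits.Count -gt 0 -and $cmgHits.Count -gt 0)
        LastCmgEntry          = $cmgHits | Select-Object -Last 1
    }
}

# Assumption: default ConfigMgr client log folder.
$logDir = "$env:windir\CCM\Logs"
$paLog  = "$logDir\PolicyAgent.log"
$clLog  = "$logDir\ClientLocation.log"

if ((Test-Path $paLog) -and (Test-Path $clLog)) {
    $pa = Get-Content $paLog
    $cl = Get-Content $clLog
} else {
    # Constructed sample lines, built from the log entries quoted in the post,
    # so the check can be tried on a machine without the client installed.
    $pa = @('Synchronous policy assignment request with correlation guid {14F22612-ECB8-4D5E-B9A0-0FEC930CF69A} for Machine DESKTOP-OAV38LH completed with status 87D00231')
    $cl = @('Cloud Management Gateway is not allowed to use on this machine')
}

Find-CmgPolicyBlock -PolicyAgentLines $pa -ClientLocationLines $cl
```

With the sample lines, CmgDisabledByPolicy is True; a healthy internet client should report zero CmgNotAllowedEntries.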

Recommendation

A better approach to disabling the cloud management gateway for clients that are always on-premises (desktops/servers) is to create a separate client setting for intranet-only devices.

Changing this now won't remediate the existing Internet-facing client, because it's not allowed to receive any policies from the CMG unless you reinstall the agent so that it receives the default client settings.

Thanks,

Arnab Mitra