CMG with just One Cert


You read that right! Cloud Management Gateway has evolved and it's now easier than ever to deploy one. All you need is a single Web Server Authentication certificate from a public CA.

What changed?

Primarily the introduction of a new feature in ConfigMgr 1806 called Enhanced HTTP Site System, which removes the requirement of an HTTPS Management Point for CMG communication. The site server generates a certificate for the management point, allowing it to communicate over a secure channel.

Another addition in 1806 is that the Azure AD device identity can be leveraged by both Hybrid and Azure AD joined devices to communicate securely with their assigned site without a logged-on user.

Prerequisites

The modern workplace in a cloud-first world is possible when your resources are accessible from anywhere. Below are two important prerequisites for stepping into one.

Sync On-Prem Domain Users to Azure AD

If you are an Office 365 user, your domain users are already synchronized in Azure Active Directory. This is configured via Azure AD Connect and requires planning.

Refer to this link as a starter - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity

Register the Domain Joined devices to Azure aka Hybrid Azure AD Joined

Once your users are synchronized into Azure AD, the next step is to ensure the domain joined Windows 10 devices are also registered in AAD.

All you need is to run AAD Connect and choose the option below (available in version 1.1.819.0 and higher). Refer to this link for more info.

Configure GPO to automatically register the devices in AAD.

Prepare ConfigMgr

Enhanced HTTP Site System

Introduced in 1806 as a pre-release feature (fully supported in production), Enhanced HTTP replaces the requirement of an HTTPS Management Point for CMG communication.

The site server generates a self-signed certificate for the management point, allowing it to communicate over a secure channel. Only Hybrid and Azure AD joined devices connecting through the CMG can communicate with the Enhanced HTTP MP.

Since this is a pre-release feature, make sure you consent to it in the Hierarchy Settings.

Turn on the feature Enhanced HTTP Site System.

This will light up the feature in the Site Properties > Client Computer Communication tab.

Check the box Use Configuration Manager-generated certificates for HTTP site systems.

Configure Azure Services for CMG – ARM based deployment

  • On the ConfigMgr Console, go to Administration > Cloud Services > Azure Services.
  • Click Configure Azure Services on the ribbon menu.
  • Select Cloud Management in the wizard.
  • Provide a Name and click Next to proceed.

  • Click Browse to either import an existing App, or click Create to start with a fresh App.

  • Provide an Application Name.
  • You need to sign in with a Subscription Admin.
  • Click OK to complete.

  • Repeat the steps to create a Client App and click OK to complete.

  • Click Next in the wizard.

  • Check the box Enable Azure Active Directory User Discovery.
  • Click Next to the summary and finish the wizard.

Domain user accounts will be populated with Azure AD information.

Setup CMG

Now we are all set to configure CMG.

  • On the ConfigMgr Console, go to Administration > Cloud Services > Cloud Management Gateway.
  • Click Create Cloud Management Gateway on the ribbon menu.

  • Choose Azure Resource Manager deployment.
  • Sign in with an Azure Subscription Admin account.
  • The subscription info and the Web App created in the previous section will auto-populate. Click Next to proceed.

  • Click Browse to specify the CMG certificate obtained from a public CA [desired_service_name.yourdomain.xxx]. This will auto-populate the Service name in the wizard.

    Note – Choose the service name carefully, as this name must not already exist in Azure. You can check whether a name is available by attempting to create a classic service.

  • Choose your Azure Region.
  • Choose Create new under Resource Group.
  • Optionally select the option to make the CMG function as a Cloud DP.
  • Click Next to the summary and finish the wizard.

Note - Azure appends the .cloudapp.net domain name to the CMG service name. You have to create a CNAME record in public DNS that maps <yourservicename.yourdomain.xxx> to <yourservicename.cloudapp.net>.

Monitor the state of the deployment and proceed to the next step once the Status is Ready.

CMG – Connection Point

This is the on-premises site system role that communicates with the CMG.

Add a new Site System Role and select Cloud management gateway connection point.

This auto-populates the CMG name and its region. Click Next to the summary and finish the wizard.

Allow CMG Traffic

On your HTTP Management Point, check the box to allow CMG traffic.

Validation

We are now ready to test the CMG connection on a domain-joined client computer.

The first thing to validate is that the device is Hybrid Azure AD joined. You can run the command DSRegCMD /Status.

The device will also be listed in the Azure portal under Devices with a Join Type of Hybrid Azure AD joined.

Reference snapshot of domain joined client certificate snap-in. All I have is two certificates from Azure.

Open the ConfigMgr control panel applet and validate that the CMG information is populated in the Network tab.

Deploy a test application to validate that policy is downloaded successfully via the CMG.

Install the application to validate further.

Note – I don't have a public domain or cert hence I used .cloudapp.net for DNS validations.
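As an added example (not part of the original post), this PowerShell script automates the client-side checks above: the Hybrid Azure AD join state from DSRegCMD, the public CNAME for the CMG name, and the certificate the CMG presents on 443 together with whether this client trusts its chain. The CMG FQDN is a placeholder you replace with your own service name.

```powershell
# Added example, not from the original post. Replace the placeholder FQDN with the
# CMG service name you chose in the wizard (the public cert's subject name).
$CmgFqdn = 'yourservicename.yourdomain.xxx'   # placeholder, not a real host

# 1. Hybrid Azure AD join: parse the "Key : Value" lines that dsregcmd /status prints.
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}
$hybridJoined = ($state['AzureAdJoined'] -eq 'YES') -and ($state['DomainJoined'] -eq 'YES')
"Hybrid Azure AD joined : $hybridJoined (AzureAdJoined=$($state['AzureAdJoined']); DomainJoined=$($state['DomainJoined']))"

# 2. Public DNS: the custom name must be a CNAME to the *.cloudapp.net name Azure assigned.
$cname = Resolve-DnsName -Name $CmgFqdn -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
if ($cname) {
    "CNAME                  : $CmgFqdn -> $($cname.NameHost) (cloudapp.net: $($cname.NameHost -like '*.cloudapp.net'))"
} else {
    "CNAME                  : none found for $CmgFqdn"
}

# 3. TLS: connect on 443, capture the certificate the CMG presents, and ask the local
#    certificate store whether its chain is trusted. A cert from an internal CA only
#    passes this check when the client holds that CA's root certificate.
$cert = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($CmgFqdn, 443)
    # Accept any cert during the handshake so it can be inspected; trust is evaluated below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($CmgFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    "TLS                    : connection to ${CmgFqdn}:443 failed - $($_.Exception.Message)"
}
if ($cert) {
    "Certificate subject    : $($cert.Subject)"
    "Certificate issuer     : $($cert.Issuer)"
    "Valid until            : $($cert.NotAfter)"
    "Chain trusted locally  : $($cert.Verify())"
}
```

Run it in an elevated PowerShell on the client; a CNAME that does not end in .cloudapp.net or a chain that is not trusted locally points at the DNS record or the root CA as the thing to fix.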

Thanks,

Arnab Mitra

Comments (4)

  1. Dayanand says:

    Hi Arnab – Thank you for the steps. I have one question, does anything change when we have AAD only joined devices except for the step Configure GPO to automatically register the devices in AAD?

    1. Nothing changes, AAD only devices will also work the same way.

  2. rlawrimore says:

    If you don’t have a public cert, then what cert did you use to set up?

    1. I used an internal CA cert. This required the client to have the trusted root CA of the internal CA.
