SCCM CMG Schema Workflow Scenarios – Part 1

SCCM CMG Co-Management Scenarios and Entry Points

SCCM Cloud Management Gateway (CMG) is an Azure service (PaaS) for managing SCCM clients over the internet. You can think of CMG as an SCCM management point in the cloud. CMG helps reduce SCCM infrastructure complexity and cost, and it also opens up different scenarios for modern device management. We will discuss those scenarios in this post; configuration and troubleshooting are covered in later posts.

This is a series of posts, as listed below:

  • SCCM CMG Architecture and different scenarios – Part 1
  • How to Configure CMG – Part 2
  • CMG troubleshooting Tips – Part 3


SCCM CMG High-level Architecture and Workflow

SCCM CMG – Schema – Architecture
  1. The internet-connected SCCM client requests policy from the Azure CMG cloud service.
  2. The Azure CMG cloud service forwards the client communication to the on-premises CMG connection point. The CMG cloud service gets the policy from the on-premises MP and SUP through the CMG connection point role.
  3. The CMG connection point role acts as a proxy and builds a two-way communication channel between on-premises SCCM (MP and SUP) and the Azure CMG cloud service.
  4. Finally, SCCM clients get policy and content from the Azure CMG cloud service.

Note: Starting with SCCM 1806, CMG can act as a DP as well.
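To see which side of this workflow a given client is actually on, the following read-only check (an added example, not code from the original post) reports whether the ConfigMgr client currently considers itself internet-connected, which management point it is using, and the raw co-management flags value. It assumes the root\ccm classes ClientInfo (InInternet) and SMS_Authority (CurrentManagementPoint) and the CoManagementFlags DWORD under HKLM:\SOFTWARE\Microsoft\CCM, as exposed by the ConfigMgr client; run it in an elevated PowerShell session on the client.

```powershell
# Added example, not part of the original post. Read-only diagnostic that
# shows whether a Windows 10 ConfigMgr client is talking through CMG
# (InInternet = True) or to an on-premises MP, and whether co-management
# flags are set. Assumed class/property/registry names are noted inline.
function Get-CmgClientState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        ComputerName           = $env:COMPUTERNAME
        ClientInstalled        = $false
        InInternet             = $null
        CurrentManagementPoint = $null
        CoManagementFlags      = $null
    }

    # Assumption: root\ccm\ClientInfo exists only where the client is installed.
    $clientInfo = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' `
        -ErrorAction SilentlyContinue
    if (-not $clientInfo) {
        return [pscustomobject]$state
    }
    $state.ClientInstalled = $true

    # InInternet = True means the client is using its internet-facing
    # management point, i.e. the CMG cloud service in this architecture.
    $state.InInternet = [bool]$clientInfo.InInternet

    # Assumption: SMS_Authority carries the MP the client is currently assigned to.
    $authority = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' `
        -ErrorAction SilentlyContinue
    if ($authority) {
        $state.CurrentManagementPoint = $authority.CurrentManagementPoint
    }

    # Assumption: CoManagementFlags is a DWORD under HKLM:\SOFTWARE\Microsoft\CCM;
    # 0 means co-management is not enabled on this client. The value is reported
    # raw; interpreting individual workload bits is outside this check.
    $flags = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' `
        -Name 'CoManagementFlags' -ErrorAction SilentlyContinue
    if ($flags) {
        $state.CoManagementFlags = [int]$flags.CoManagementFlags
    }

    [pscustomobject]$state
}

Get-CmgClientState | Format-List
```

A client that shows InInternet = True with a non-zero CoManagementFlags value is in the co-managed, CMG-dependent state described in the scenarios below; InInternet = False with flags set is the co-managed on-premises case where CMG is optional.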

Do you want to download the SCCM Architecture Visio diagram? Check out the SCCM Architecture Visio Template Download from GitHub. You can download the slides used in this post from TechNet or GitHub.

SCCM CMG Co-Management Scenarios

  • Co-management = managing Windows 10 with both Intune and SCCM.
  • CMG = managing the SCCM client over the internet.

SCCM CMG is required in some co-management scenarios but not in all; in some it is optional. Let us discuss some of the common co-management scenarios and the role of CMG in each. The best way to explain co-management is through “entry points.”

There are two types of co-management entry points.

  • Entry point 1: On-premises domain-joined computers get into the cloud world.
  • Entry point 2: Windows 10 from the OEM or the cloud world gets into on-premises.

Many scenarios are possible with each entry point. However, in this post, we will cover a couple of scenarios from each entry point.

SCCM CMG – Co-Management Entry Points

Entry point 1 – Scenario 1

  • This is the most common scenario for the majority of customers. Initially, Windows 10 is domain joined and SCCM managed only.
  • To get the co-management benefits, Windows 10 is configured as Hybrid Azure AD joined and co-managed.
SCCM CMG – Co-Management Entry Point 1
  • Once the machine is co-managed, we can offload some of the on-premises workloads and start using cloud solutions.
  • In this scenario, CMG is optional. You require CMG only if you want to manage the SCCM agent over the internet.

In this scenario, the following on-premises workloads can be offloaded to the cloud:

  • Software updates (WSUS) -> WUfB
  • GPO policies -> Intune baseline policies
  • Security baseline -> Intune security baseline policies
  • SCCM software distribution -> Intune software distribution
  • SCCM Endpoint Protection -> Intune endpoint protection

With the SCCM 1906 production release, you have improved options to deploy specific workloads to different pilot collections.

SCCM CMG – Co-Management Entry Point 1

Entry point 1 – Scenario 2

Initially, Windows 10 is domain joined and SCCM managed only. But it is possible to use an SCCM task sequence to convert a domain-joined computer managed by SCCM into an Autopilot computer.

SCCM CMG – Co-Management Entry Point 2
  • Starting with SCCM Current Branch build 1810, a built-in task sequence is available for this.
SCCM CMG – Co-Management Entry Point 2 – Autopilot
  • As shown below, the SCCM task sequence will wipe the device and deploy an offline Autopilot profile. The offline Autopilot profile can be exported in JSON file format. We will cover how to configure this task sequence in detail in later posts.
SCCM CMG – Co-Management Entry Point 2 – Autopilot
  • After the offline Autopilot profile is deployed using the SCCM task sequence, the Windows 10 computer becomes Azure AD joined and Intune enrolled.
  • From Intune, you can push the SCCM agent. SCCM CMG plays an essential role here: through CMG, the SCCM agent communicates with the on-premises SCCM server over the internet.
  • Finally, the computer is no longer joined to on-premises AD. We cannot use on-premises AD for authentication and GPOs. Instead, Intune manages the cloud equivalent of GPO and the security baseline settings.

In this scenario, the following workloads can be co-managed. Based on requirements, we can decide which side should do what:

  • SCCM WSUS <-> WUfB
  • SCCM software distribution <-> Intune software distribution
  • SCCM Endpoint Protection <-> Intune endpoint protection

Entry point 2 – Scenario 3

SCCM CMG – Co-Management Entry Point 2 – Scenario 3
  • In this scenario, we provision the device as a Windows Autopilot computer initially.
  • Next, the SCCM agent needs to be deployed from Intune. The SCCM agent communicates with the SCCM server over CMG.
  • The Autopilot computer is now in a co-managed state.
  • SCCM CMG is not optional here; it is required.

Below are the typical workloads that can be co-managed. Based on requirements, we can decide which side should do what:

  • SCCM WSUS <-> WUfB
  • SCCM software distribution <-> Intune software distribution
  • SCCM configuration policy <-> Intune configuration policy
  • SCCM Endpoint Protection <-> Intune endpoint protection

Entry point 2 – Scenario 4

SCCM CMG – Co-Management Entry Point 2 – Scenario 4

This scenario can be referred to as “Hybrid Autopilot”. In this setup, the Windows 10 computer is Hybrid Azure AD joined. The Intune AD connector is required for this setup. I already covered how to configure “Hybrid Autopilot” in my previous post.

To be continued…

In future posts, we will discuss how to deploy the SCCM agent from Intune in the Hybrid Autopilot scenario. Intune will push the SCCM client, which communicates with SCCM through CMG. Hence, CMG is required here.

In this post, we discussed four different co-management scenarios and the role of CMG in each of them. You can download the slides used in this post from TechNet or GitHub. In the next post, we will discuss how to configure CMG and troubleshoot it in detail.
