Isn’t a revolution (really?) happening with Digital Transformation? Let’s check the SCCM internet client management revolutions. In this post, I will try to give a quick SCCM IBCM Vs CMG comparison.
What is SCCM Internet Client Management?
Managing SCCM clients from the internet is called Internet client management. There are two (2) methods to manage SCCM clients from the internet.
The SCCM clients connected through traditional VPN tunnel is NOT SCCM internet client management.
SCCM IBCM Vs CMG
The following table will give a quick overview between SCCM IBCM Vs CMG. More detailed discussion on all the columns and some pointers are available in the below sections of this post.
| SCCM IBCM | SCCM CMG | |
| Cost | Fixed Cost | Variable Cost |
| Location | On-Prem/Private Cloud | Azure Cloud (PaaS) |
| Stability | Stable | Continuous Improvements |
| Complexity (Setup + Troubleshoot) | Complex | Complex |
| Location Awareness | No (for internet clients) | No Support for location awareness |
| Operability | Use existing Process | Might Need to setup new process |
| Security | Yes (Traditional) | Yes (Modern) |
| Future Proof | NO | Yes |
| IT Community Support | Less Blog posts/Videos | Many Blog Posts/Videos |
| Co-MGMT Support | Yes | Yes (Advanced) |
| API Support | Yes | No (checkout the comments to get more details) |
All SCCM client Communications are supported (Almost?) Only selected SCCM client Communication is supported.
Cost
Yes, the cost is one of the factors which we need to look into when we try to decide between SCCM IBCM Vs CMG.
The comparison here is between variable and fixed costs. I won’t say IBCM always will have fixed costs, but it’s more or less fixed or internal to your organization. So, it’s near to a FIXED cost.
In the other hand, SCCM CMG is a variable cost depending on the usage of data storage, data transfer, and client count, etc… The best way to analyze SCCM CMG cost is by using Azure Pricing Tool. The following SCCM CMG component list will give you some hints:-
SCCM IBCM Vs CMG VM Cost – South EU
- Standard A2 V2 VM (not IaaS solution but it’s PaaS – ~100$ per month (US)?)
- Outbound data transfer (Lower Estimate 100-300 MB per client per month) – $0.087 per GB/Month
- Content Storage cost (Application content files – 3rd Party patch content as well) –$0.02 / GB / month
- Dynamic IP cost per CMG instance – ~$3/Month
- Public DNS Costs (name resolution)
Locations
The location topic is essential from the decision making perspective. You should be clear about your location preferences before checking on SCCM IBCM Vs CMG comparison.
- SCCM CMG is a Platform As A Service (PaaS) solution located in Microsoft Azure (You can’t create an SCCM CMG in Amazon or Google Cloud – Full Stop)!
- SCCM IBMC is a solution you can build within your ON-PREM data center. Or in Private cloud or Amazon/Google Cloud
Stability
SCCM IBCM is used to manage internet based clients for many years. However, CMG is introduced with SCCM 1610 version as a pre-release version. SCCM CMG has been promoted since SCCM 1802 version.
Stability is essential for SCCM IBCM Vs CMG discussions. I don’t think SCCM CMG is unstable at all. But, many new features are getting added to SCCM CMG and CMG code is changing in all the releases.
Location Awareness
SCCM CMG doesn’t have regional awareness capabilities. So the SCCM client connected from the internet can go to any one of the CMG available.
The new SCCM CMG behavior with boundary groups helps scenario which will help you to move SCCM traffic off the expensive and slow WAN/VPN and on to the cheaper Internet links to SCCM CMG.
The new preview version of SCCM 1902 will give more parity to SCCM CMG with IBCM features. So the new developments will help you to decide between SCCM IBCM Vs CMG.
SCCM IBCM Vs CMG – Boundary Awareness
Setup Troubleshooting Complexity
I think SCCM CMG and IBCM are equally complex to setup + troubleshooting because of different reasons.
SCCM IBCM complexity is mainly because of dealing with your PKI, Firewall, and Security teams within your organizations.
SCCM CMG complexity is mostly because it’s pretty new to many of SCCM admins. SCCM admins should go through an upskilling process (continuous learning) and learn more about the concepts of SCCM CMG.
[Related Post – SCCM Co-Management Video Guide With 16 Posts]
Operability
You can use your existing processes (SAL, TOM, RACI,etc.) to manage and operate SCCM IBCM components.
SCCM CMG requires a modern way of thinking, and you might need to create or update existing SLA, TOM, RACI, etc. But these changes will help you to start the digital transformation for your organization, and that is helpful.
Security
There should not be any comparison between modern and traditional security verticals. Both are made for different reasons.
SCCM IBCM components are placed in the DMZ of your organization’s data center. The SCCM clients from the internet will directly connect to those IBCM components (sometimes via reverse proxy).
SCCM CMG components are placed in the Microsoft Azure data center and not in your on-prem DMZ. And moreover, the internet clients are NOT communicating directly with SCCM on-prem elements. SCCM CMG components will always create outbound connections to the Microsoft cloud.
SCCM IBCM Vs CMG – Security Outbound Connections
Future Proof
Don’t get me wrong; I’m not saying SCCM IBCM is not future proof. But what I can see is, Microsoft put many more efforts to improve the capabilities to SCCM CMG.
Co-Management Support
SCCM IBCM Vs CMG comparison always reaches a point where co-management support will come into the discussion. There is NO hardcore dependency on co-management and CMG.
SCCM CMG is more aligned with co-management options and scenarios.
Resources
- How to Setup Co-Management – Introduction – Prerequisites Part 1
- How to Setup Co-Management – Firewall Ports Proxy Requirements Part 2
- Setup Co-Management – AAD Connect UPN Suffix Part 3
- Setup Co-Management – CA PKI & Certificates Part 4
- Setup Co-Management Cloud DP Azure Blob Storage Part 5
- Setup Co-Management Azure Cloud Services CMG Part 6
- SCCM Configure Settings for Client PKI certificates Part 7
- How to Setup SCCM Co-Management to Offload Workloads to Intune – Part 8
- How to Deploy SCCM Client from Intune – Co-Management – Part 9
- End User Experience of Windows 10 Co-Management – Part 10
- Overview Windows 10 Co-Management with Intune and SCCM
- Custom Report to Identify Machines Connected via SCCM CMG
- How to Setup SCCM Cloud Management Gateway as cloud DP
- Troubleshooting Tips SCCM CMG Connection Analyzer
- Learn How to Remove SCCM Cloud DP
- Clean-up SCCM CMG and Cloud Services from SCCM
Hi Anoop –
Nice comparison and very helpful to help decide. For Parallels it came down to IBCM has an open to development API and CMG doesn’t. We would have preferred to go with CMG but couldn’t integrate it for Mac management in SCCM. To bring Macs into the policy management of SCCM, external off-prem Mac’s can use an HTTPS URL to receive a download of our Parallels Mac Management for SCCM agent, connect through the DMZ where IBCM is, then be enrolled into SCCM for off-prem policy management. For associates that will seldom be in the office, this gives a secure method to achieve a well managed Mac no matter where it is.
Regards!
Hi Danny – I’ll add the API into the list. I remember you mentioning the same point in London user group presentation! It was nice presentation!!
Very helpful thank you !
Hello Anoop,
Have you ever find yourself in the scenario of having an IBCM and try to install clients from Intune, using the IBCM MP as the managementpoint to point to when sending the client’s deployment from Intune?
Thanks!
Hello – I have not got into that scenario. But it’s almost same as to the situation of CMG isn’t it.
If you have appropriate certs and authentication and co-management enabled, then it should work just fine isn’t it
I do have co-management enabled, and I already did it the other way (Enroll into Intune same computer when it had the client and certs), it fails when the computer is fresh started and I want that scenario, a fresh computer, enroll to AAD / Intune, and then deploy SCCM client to co-manage.
Either way, I just discovered your “forum.howtomanagedevices.com” and threw the question there,
Thanks a lot!
Sure let’s discuss https://forum.howtomanagedevices.com/endpointmanager/intune/does-anyone-know-if-having-an-ibcm-instead-of-a-cmg-is-possible-scenario-for-intune-autopilot-and-com-management-using-ibcms-management-point-role-to-deploy-client-installation-from-intune-to-aad/