ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services

ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services. The Cloud Management Gateway (CMG) provides a simple way to manage SCCM clients on the internet. The CMG is a PaaS (Platform As A Service) solution in Azure.

So, we don’t need to maintain the servers in the Azure platform, unlike Azure IaaS (Infrastructure As A Service) solution.

We need to set up and configure Azure Cloud Services within SCCM before implementing Co-Management CMG.

SCCM CMG Cloud Management Gateway Implementation Guide

Patch My PC

Co-Management Related Posts

All Co-Management Video tutorials

Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG  
How to Setup Co-Management - Introduction - Prerequisites Part 1 
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 
Setup Co-Management - CA PKI & Certificates Part 4 
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6 (This Post)
SCCM Configure Settings for Client PKI certificates Part 7
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9
End User Experience of Windows 10 Co-Management - Part 10

SCCM Cloud Management Gateway – CMG Requirements

Co-Management CMG is not a prerequisite for all the SCCM Co-Management scenarios. However,  CMG is required for the scenario where you want to install an SCCM client from the internet. SCCM Cloud Management Gateway (CMG) & CDP are needed in the situation mentioned above.

  • Azure subscription with Azure Admin access to host the CMG
  • Azure Cloud Services Configured within SCCM (Azure AD User Discovery – for some authentication scenarios)
  • Azure Web and Client applications (Part of Azure Cloud Services)
  • Azure Resource Manager (ARM) SCCM 1802 or later to avoid Azure Management certificates
  • Client Authentication Certificate – Root Cert and Intermediate/Issuing certificates (PKI or Public Certificates)
  • Server Authentication Certificate (Web Server Template & Custom web server certificate with CMG/CDP CNAME)
  • The service connection point must be in online mode

Before implementing the Co-Management CMG setup, I recommend reading CMG Prerequisite and Certificate requirements.

Video Step by Step Guide to Setup Cloud Management Gateway

ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services 1

Setup Azure Services – Cloud Management

I would recommend going through and configuring Azure services cloud management before proceeding with CMG configuration.

Adaptiva

Use the Azure Services Wizard to simplify setting up the Azure cloud services you use with SCCM. I have also explained this in the video tutorial.

Azure Services configuration wizard provides a standard configuration experience using Azure Active Directory (Azure AD) web app registrations.

This wizard creates Web and Client (native) applications to subscription & configuration details & authenticate communications with Azure AD.

Cloud Management: This service enables the SCCM site and clients to authenticate Azure AD. This authentication allows for other scenarios, such as:

Install and assign SCCM Windows 10 clients using Azure AD for authentication
Configure Azure AD User Discovery
Support specific Cloud Management Gateway scenarios

Configure Azure Services

This wizard helps you deploy and configure Azure services through SCCM. I have explained the same in the Video Tutorial as well.

Navigate via \Administration\Overview\Cloud Services\Azure Services – Click on Configure Azure Services button from the ribbon menu.

1. Select an Azure service and specify the name, description

  • Name:- ACN Azure Cloud Services
  • Description:- Any full, meaningful description

2. Select Cloud Management and click on the NEXT button to proceed further

Note – Deploying the Azure service for Cloud Management enables SCCM clients to authenticate with the site using Azure AD. You can also allow the discovery of Azure AD resources for this tenant.

3. Select AzurePublicCloud as Azure Environment from the App properties page

4. Create a new WEB APP in Azure for Authentication (Server App for SCCM). Add an application that represents a web application, a web API, or both.

Server App – Select a list of available server apps to configure Azure services. You can also import or create a server app. In this scenario, I opted to create a new Server Application.

Specify application details and sign in with AAD admin credentials to create an application in the Azure Active Directory

  • Application Name: ACNCloudServiceAnoopC
  • Homepage URL: https://ConfigMgrService1
  • App ID URI: https://ConfigMgrService1
  • Secret Key Validity Period: 1 Year
  • Azure AD Admin Account: Sign in – Signed in successfully!
  • Azure AD Tenant Name: ANOOPC
Co-Management CMG Azure Cloud Services
ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services 2

5. Create a NATIVE Client APP. A native client is an application that can be installed on a user’s device or computer. To Create Client Application Specify application details and sign in with AAD admin credentials to create an application in the Azure Active Directory.

  • Application Name: ACN CloudService AnoopC
  • Reply URL: https://ConfigMgrClient1
  • Azure AD Admin Account: Sign in – Signed in successfully!
  • Tenant Friendly Name: ANOOPC
  • App Friendly Name: ACN CloudService AnoopC
  • Service Type: Blank

6. Enable Azure AD Discovery on Configure Discovery Settings page. Click on the Settings button to check and configure advanced options of AAD Discovery.

Azure AD User Discovery – Configure the settings to discover resources in the Azure AD. When resources are discovered, SCCM creates records in the SCCM DB for them and their associated information.

We need to enable Azure AD discovery to allow the AAD authentication scenario in SCCM. If you want SCCM to authenticate the AAD user, you must first have the user discovered.

As I showed in the video tutorial, you need to provide/grand appropriate permissions for the WEB (Server) application on Azure.

Setup Co-Management CMG (Cloud Management Gateway)

Before starting a Co-management CMG setup, make sure that all the prerequisites and certs are available. I have also explained this in the video tutorial.

  1. Navigate via SCCM CB console – \Administration\Overview\Cloud Services\Cloud Management Gateway
  2. Click on Create Cloud Management Gateway icon in the ribbon menu
  3. Select Azure Environment as AzurePublicCloud on Specify details of this cloud service page

NOTE – Specify the Azure environment and the deployment method for the cloud service. Provide Azure subscription ID, the management certificate, or Azure AD administrator credentials to proceed.

4. Choose how you want to deploy your cloud Service – Azure Resource Manager (ARM) deployment 

Note:- Please sign in as an administrator account to access your Azure subscription. SCCM will obtain the subscription information and contribute the permission required for deploying the service.

  • Subscription Admin Account: Sign In
  • Subscription ID: Automatically gets populated once you log in with the Azure admin account
  • Azure AD App Name: ACNCloudServiceAnoopC (WEB/Server Application which we created (above) will automatically get populated)
  • Azure AD Tenant: ANOOPC (Automatically gets populated once you log in with Azure admin account)

5. Specify Additional Details for the cloud Service (CMG) page

Service Name:  ACMCMG01 Automatically gets populated based on the CName mentioned in the certificate. You won’t be able to change it. As explained in the previous blog, you need to create a new WEB certificate to change the service name.

Description: Useful information to identify the CMG instance if you have more than one CMGRegion: South Central US
Resource Group: ACNCMGCDP. Click on Create New radio button above and give it a meaningful name.

VM Instance: 1 (depending on your requirement)

Co-Management CMG ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services
ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services 3

Select the CMG PFX file created for CMG in the previous post about creating certs. We need to specify a server PKI certificate for this cloud service.

Certificate File: Select the PFX file created for CMG in the previous post. Enter the password for the PFX certificate. Service Name, Service FQDN will automatically get populated once you have uploaded the PFX cert successfully.

Service FQDN: ACMCMG01.Cloudapp.net These details will get populated automatically, as I mentioned above.

Specify security settings for authenticating client connections through CMG (Cloud Management Gateway).

Certificates uploaded to the cloud services: Click on the Certificates button to upload Root CA and Intermediate/Issuing CA certs. I have only root CA in the chain of certs. Click on Add to upload certificates to the cloud service.

Remove the “Verify Client Certificate Revocation” check box when you have not published CRL to the internet. I recommend publishing CRL to the internet to have a more secure PKI. However, I don’t use this for my lab environment.

Sample Configuration Details of SCCM Cloud Management Gateway (CMG) Wizard

General
• Subscription ID: dda75f69a-5a3b-4ecd-b385-db1223e9549873
• Azure AD application: ACNCloudServiceAnoopc
Settings
• Service Name: ACMCMG01
• Description:
• Primary Site: Primary CB 2 (PR3)
• Region: South Central US
• Resource group: ACNCMGCDP
• Service Certificate:\\dc1\Sources\Certs\ACNCMG01.pfx
• CName:ACMCMG01.cloudapp.net
• Number of Instances: 1
• Root Certificate: 681B323ghdAC90E2523489898HUD7C0E4015E812;
• Verify client certificate revocation enabled:True
Alerts
• Outbound Data Transfer Threshold:Enabled
• Outbound Data Transfer Threshold:10000 GB
• Outbound data transfer Warning alert level: 50%
• Outbound data transfer Critical alert level: 90%

Setup Co-Management – Cloud Management Gateway Connector

The CMG connection point is the SCCM site system role for communicating with the CMG and on-prem components like MP/SUP. I have also explained this in the video tutorial.

Add new Site System Role – Select a server to use as a site system. When you have only one site system – Click NEXT.

System Role Selection – Specify roles for this server – Select Cloud Management Gateway Connection Point

Specify the Cloud Management Gateway Connection Point settings. You can select a relevant one from the drop-down option when you have more than one CMG in your SCCM environment. For me, it’s only one CMG.

Cloud Management Gateway Name: ACMCMG01.CLOUDAPP.NET
Region: South Central US

Install client authentication certificate manually for CMG connection point to communicate with client-facing site roles in HTTPS mode.

Azure Portal experience Co-Management CMG

Login to Azure Portal and click on Subscriptions – Resource Groups – ACMCMG01

There will be 2 (two) services associated with Resource Group, which we create from the SCCM console. More details are available in the video tutorial.

1. ACMCMG01 PaaS server for CMG service
2. acmcmg01 storage account for CMG

Click on PaaS server ACMCMG01 to check the details, and you can also login to the server and check (there is no need to login and check in normal scenarios).

SCCM Cloud Management Gateway CMG Log Files

The following table lists the log files that contain information related to the cloud management gateway.

Log nameDescriptionComputer with log file
CloudMgr.logRecords details about deploying the cloud management gateway service, ongoing service status, and associated user data. You can configure the logging level by editing the Logging level value in the registry key HKLM\SOFTWARE\ Microsoft\SMS\COMPONENTS\ SMS_CLOUD_ SERVICES_MANAGER.The installdir folder is on the primary site server or CAS.
CMGSetup.log1Records details the second phase of the cloud management gateway deployment (local deployment in Azure). You can configure the logging level using the setting Trace level (Information (Default), VerboseError) on the Azure portal\Cloud services configuration tab.The %approot%\logs on your Azure server or the SMS/Logs folder on the site system server
CMGHttpHandler.log1Records details about the cloud management gateway HTTP handler binding with Internet Information Services in Azure. You can configure the logging level using the setting Trace level (Information (Default), VerboseError) on the Azure portal\Cloud services configuration tab.The %approot%\logs on your Azure server or the SMS/Logs folder on the site system server
CMGService.log1Records details about the cloud management gateway service core component in Azure. You can configure the logging level using the setting Trace level (Information (Default), VerboseError) on the Azure portal\Cloud services configuration tab.The %approot%\logs on your Azure server or the SMS/Logs folder on the site system server
SMS_Cloud_ ProxyConnector.logRecords details about setting up connections between the cloud management gateway service and the cloud management gateway connection point.Site system server
ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services 4

Resources

  • https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway
  • https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/azure-services-wizard

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………

4 thoughts on “ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services”

  1. Hi,
    Is it possible to join a w10 to only AAD (with automatic Intune enrollment) and install the configmgr client on it via the install string thats displayed during co-mgmt configuration? Of we try this the configmgr client never initialize. On technet rendement is hybrid aad joined so i presume it will not work for pure aad joined/Intune devices, correct?

    Reply
  2. Hi there,
    If we are using a 3rd Party DigiCert certificate for the cloud service, do we still need to upload our internal root cert as in section:
    Specify security settings for authenticating client connections through Cloud Management Gateway
    Our computers are all connected to on prem AD.

    Reply
  3. It looks like Microsoft may have clarified the recommendations for the APP ID registration url to show the following recommened formatting:

    api://{tenantId}/{string}, for example, api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
    https://{verifiedCustomerDomain}/{string}, for example, https://contoso.onmicrosoft.com/ConfigMgrService

    In testing, I found that the https://Configmgrservice formatting prevents AAD user token retrieval. Device management seemed to work ok, but things like application request approval through the CMG did not until the App ID registration url was changed to recommended format. CcmAADBroker.log will show an error if this is not working properly.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.