CMG with just One Cert
You read that correctly! Cloud Management Gateway has evolved, and it's now easier than ever to deploy one. All you need is a single Web Server Authentication certificate from a public CA.
This is primarily thanks to a new feature in ConfigMgr 1806 called Enhanced HTTP Site System, which removes the requirement for an HTTPS Management Point for CMG communication. The site server generates a certificate for the management point, allowing it to communicate over a secure channel.
Another addition in 1806 is that the Azure AD device identity can be used by both Hybrid and Azure AD joined devices to securely communicate with their assigned site without a logged-on user.
The modern workplace in a cloud-first world is possible when your resources are accessible from anywhere. Below are two important prerequisites for getting there.
Sync On-Prem Domain Users to Azure AD
If you are an Office 365 user, your domain users are already synchronized to Azure Active Directory. This is configured via Azure AD Connect and requires planning.
Refer to this link as a starter - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
Register the domain joined devices in Azure AD (aka Hybrid Azure AD Joined)
Once your users are synchronized into Azure AD, the next step is to ensure the domain-joined Windows 10 devices are also registered in AAD.
All you need is to run AAD Connect and choose the option below (available in version 1.1.819.0 and higher). Refer to this link for more info.
Configure a GPO to automatically register the devices in AAD.
Enhanced HTTP Site System
Introduced in 1806 as a pre-release feature (fully supported in production), it removes the requirement for an HTTPS Management Point for CMG communication.
The site server generates a self-signed certificate for the management point, allowing it to communicate over a secure channel. Only Hybrid and Azure AD joined devices connected via CMG can communicate with the Enhanced HTTP MP.
Since this is a pre-release feature, make sure you consent to it in the Hierarchy Settings.
Turn on the Enhanced HTTP Site System feature.
This lights up the option in Site Properties > Client Computer Communication tab.
Check the box Use Configuration Manager-generated certificates for HTTP site systems.
Configure Azure Services for CMG – ARM based deployment
- In the ConfigMgr console, go to Administration > Cloud Services > Azure Services.
- Click Configure Azure Services on the ribbon menu.
- Select Cloud Management in the wizard.
- Provide a Name and click Next to proceed.
- Click Browse to import an existing app, or click Create to start with a fresh app.
- Provide an Application Name.
- You need to sign in with a Subscription Admin account.
- Click OK to complete.
- Repeat the steps to create a Client App and click OK to complete.
- Click Next in the wizard.
- Check the box Enable Azure Active Directory User Discovery.
- Click Next to the summary and finish the wizard.
Domain User accounts will be populated with Azure AD information.
Now we are all set to configure CMG.
- In the ConfigMgr console, go to Administration > Cloud Services > Cloud Management Gateway.
- Click Create Cloud Management Gateway on the ribbon menu.
- Choose Azure Resource Manager deployment.
- Sign in with an Azure Subscription Admin account.
- The subscription info and the Web App created in the previous section will auto-populate. Click Next to proceed.
- Click Browse to specify the CMG certificate obtained from a public CA [desired_service_name.yourdomain.xxx]. This auto-populates the service name in the wizard.
Note – Choose the service name carefully, as this name must not already exist in Azure. You can check whether a name is available by attempting to create a classic service.
- Choose your Azure region.
- Choose Create new under Resource Group.
- Optionally select the option to have the CMG function as a Cloud DP.
- Click Next to the summary and finish the wizard.
Note – Azure appends the .cloudapp.net domain name to the CMG service name. You have to create a CNAME record in your public DNS zone that maps <yourservicename.yourdomain.xxx> to <yourservicename.cloudapp.net>.
Monitor the state of the deployment and proceed to the next step once the Status is Ready.
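Once the deployment shows Ready, the two things that commonly go wrong are the CNAME direction and a certificate that does not match the service name. The script below is an added example, not code from the original post or from Microsoft: it resolves the CNAME for the service FQDN, confirms it points at the .cloudapp.net name, then opens a TLS connection to port 443 and reports the subject names and chain trust of the certificate the CMG presents. The names `yourservicename` and `yourdomain.xxx` are the post's placeholders and must be replaced; passing an empty domain covers the case, mentioned later in the post, where only the .cloudapp.net name is used. The certificate validation callback deliberately accepts the connection so the certificate can be inspected; trust is evaluated afterwards with `Verify()`, not by the callback.

```powershell
# Added example (not from the original post): check the CMG public DNS CNAME and the
# certificate presented on TCP 443. Placeholders below must be replaced.
param(
    [string]$ServiceName  = 'yourservicename',   # placeholder from the post
    [string]$PublicDomain = 'yourdomain.xxx'     # placeholder; use '' when only the cloudapp.net name is used
)

function Test-CmgDns {
    param([string]$Name, [string]$Domain)
    $azureHost = "$Name.cloudapp.net"
    if ([string]::IsNullOrEmpty($Domain)) {
        # No custom domain: the cloudapp.net name is the service FQDN, so there is no CNAME to check.
        $a = Resolve-DnsName -Name $azureHost -Type A -DnsOnly -ErrorAction SilentlyContinue
        return [pscustomobject]@{ Fqdn = $azureHost; Target = $azureHost; CnameOk = $true; Resolves = [bool]$a }
    }
    $fqdn  = "$Name.$Domain"
    $cname = Resolve-DnsName -Name $fqdn -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $a     = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
    [pscustomobject]@{
        Fqdn     = $fqdn
        Target   = $cname.NameHost
        CnameOk  = [bool]($cname -and ($cname.NameHost -ieq $azureHost))   # must point AT cloudapp.net
        Resolves = [bool]$a
    }
}

function Get-CmgCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    try {
        # Accept in the callback only so the certificate can be captured; trust is checked below.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sans = @($cert.DnsNameList.Unicode)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DnsNames     = $sans -join ', '
            # -like lets a wildcard SAN such as *.yourdomain.xxx match the service name
            NameMatches  = [bool]($sans | Where-Object { $HostName -ieq $_ -or $HostName -like $_ })
            ChainTrusted = $cert.Verify()        # builds the chain against the local trust store
            Protocol     = $ssl.SslProtocol
        }
    } finally {
        $client.Close()
    }
}

$dns = Test-CmgDns -Name $ServiceName -Domain $PublicDomain
$dns | Format-List
if (-not $dns.CnameOk) { Write-Warning "CNAME for $($dns.Fqdn) does not point to $ServiceName.cloudapp.net" }
if ($dns.Resolves) {
    $tls = Get-CmgCertificate -HostName $dns.Fqdn
    $tls | Format-List
    if (-not $tls.NameMatches)  { Write-Warning 'Certificate subject names do not cover the CMG service FQDN' }
    if (-not $tls.ChainTrusted) { Write-Warning 'Certificate chain is not trusted by this machine' }
}
```

Run it from any internet-connected Windows box after the CMG reports Ready; a `CnameOk` of False with a populated `Target` usually means the record was created in the wrong direction, and `NameMatches` False means the wizard was given a certificate whose name differs from the service name it derived.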
CMG – Connection Point
This is the on-premises site system role that communicates with the CMG.
Add a new Site System Role and select Cloud management gateway connection point.
This auto-populates the CMG name and its region. Click Next to the summary and finish the wizard.
Allow CMG Traffic
On your HTTP Management Point, check the box to allow CMG traffic.
We are now ready to test the CMG connection on a domain-joined client computer.
The first thing to validate is that the device is Hybrid Azure AD joined. You can run the command dsregcmd /status.
The device will also be listed in the Azure portal under Devices with a Join Type of Hybrid Azure AD joined.
Reference snapshot of the domain-joined client's certificate snap-in. All I have are two certificates from Azure.
Open the ConfigMgr control panel applet to validate that the CMG information is populated in the Network tab.
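The checks in the last three steps (dsregcmd /status, the portal join type, and the Azure-issued certificates in the machine store) can be collected in one pass, together with the device-registration GPO setting from the prerequisites section. The script below is an added example and is not from the original post; it parses the `Key : Value` lines of `dsregcmd /status`, reads the `autoWorkplaceJoin` registry value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin` (assumed to be the value the "Register domain joined computers as devices" policy writes), and counts certificates issued by `MS-Organization-Access` (the issuer name assumed for the Azure device certificates shown in the snap-in). Run it in an elevated PowerShell session on the client being tested.

```powershell
# Added example (not from the original post): verify Hybrid Azure AD join state on a
# domain-joined Windows 10 client before testing CMG.

function Get-DsRegStatus {
    # Parse the "Key : Value" lines of 'dsregcmd /status' into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status 2>&1)) {
        if ("$line" -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-AutoWorkplaceJoinPolicy {
    # Assumed registry footprint of the "Register domain joined computers as devices" GPO.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $item = Get-ItemProperty -Path $key -Name autoWorkplaceJoin -ErrorAction SilentlyContinue
    return [bool]($null -ne $item -and $item.autoWorkplaceJoin -eq 1)
}

function Get-AzureDeviceCertificates {
    # Issuer name assumed; compare with the certificates shown in the machine's Personal store.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
        Select-Object Subject, Issuer, NotAfter
}

function Test-HybridAzureAdJoin {
    $s  = Get-DsRegStatus
    $dj = ($s['DomainJoined']  -eq 'YES')
    $aj = ($s['AzureAdJoined'] -eq 'YES')
    [pscustomobject]@{
        DomainJoined  = $dj
        AzureAdJoined = $aj
        HybridJoined  = ($dj -and $aj)      # both must be YES for Hybrid Azure AD Join
        TenantName    = $s['TenantName']
        DeviceId      = $s['DeviceId']      # the id listed under Devices in the Azure portal
        PolicyApplied = Test-AutoWorkplaceJoinPolicy
        AzureCerts    = @(Get-AzureDeviceCertificates).Count
    }
}

$result = Test-HybridAzureAdJoin
$result | Format-List
if (-not $result.PolicyApplied) { Write-Warning 'autoWorkplaceJoin is not set to 1; the device registration GPO is not applied.' }
if (-not $result.HybridJoined)  { Write-Warning 'Device is not Hybrid Azure AD joined; it cannot use the Azure AD device identity with CMG.' }
if ($result.AzureCerts -eq 0)   { Write-Warning 'No Azure device certificate found in the machine store; registration may not have completed yet.' }
```

`DeviceId` is the value to look up in the Azure portal's device list, and a device that reports `DomainJoined` YES but `AzureAdJoined` NO has typically not yet run the scheduled registration task after the GPO was applied.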
Deploy a test application to validate a successful download of the policy via CMG.
Install the application to further validate.
Note – I don't have a public domain or cert, hence I used .cloudapp.net for the DNS validations.