Hope this post finds you in good health and spirits. Our world needs to be digitally secure, and as a lot of employees connect to corporate resources from the internet, security becomes the utmost priority. To cater for this, it's important to keep machines patched, and we can use SCCM for the purpose. Internet based client management, or IBCM, is an SCCM feature which allows internet based SCCM clients to connect to the infrastructure and get patches along with other SCCM features such as software deployment, inventory etc. But now we have an additional feature in SCCM, Cloud Management Gateway or CMG, with similar functionality to IBCM, so which one should we consider when adding support for internet based SCCM clients? This question has come to me from a couple of customers, so in this post we will discuss a few points which we can take into consideration for the decision.
Cloud management Gateway
- Better security: CMG is hosted on Azure, so there is no need to expose infrastructure to the internet.
- No infrastructure requirement: CMG is a PaaS solution on Azure, so there is no need for hardware to host any service.
- Azure AD (AAD) authentication: Windows 10 machines which are registered on Azure can use AAD authentication. This removes the complexity of hosting and using PKI.
- Azure advantages: Since CMG is hosted on Azure, it comes with cloud advantages such as scalability, elasticity and no maintenance.
- Futuristic and adaptable to modern technologies: CMG along with co-management provides better adaptability to features like Autopilot, Intune and new SCCM features. AAD registered Windows 10 devices can also get the SCCM client and site assignment. CMG has now shifted to ARM deployment from ASM on Azure.
- Easier to deploy: CMG can be deployed from the SCCM console, so deployment takes less time and is easier.
- Easy monitoring: CMG traffic can be monitored from the SCCM console. A cloud service dashboard was introduced in SCCM 1806 to monitor CMG usage. Additionally, the connection analyser can be used to troubleshoot connection issues.
- Cost: CMG is hosted on Azure, so there will be a cost of hosting.
- No direct control over the VM instances hosted for CMG on Azure.
- Management data will be transferred through the cloud service. However, this communication is over a secure channel.
Internet based client management
- Cost: There is no associated Azure subscription cost.
- Control: There is complete control over the server and role hosted for IBCM.
- Proxy can be used: A reverse proxy can be used to ensure that site systems are not directly exposed to the internet.
- PKI infrastructure required: IBCM authentication is certificate based, so PKI is a must.
- Infrastructure requirement and maintenance: Hardware is required and should be maintained for the site system roles hosted for IBCM.
- User authentication: User authentication is a must for SCCM user based client policy.
- Network and security requirement: Intervening proxies and firewalls need to allow client traffic to the IBCM site system.
- No Azure subscription needed.
So these may be a few of the key points we can consider before choosing IBCM or CMG. However, both of these can co-exist within an SCCM infrastructure.
So that's all for this post. Hope to see you soon with another technical blog. Till then, ta-ta.