I was recently assisting a customer with the implementation of CMG to manage Windows devices over the internet.
Due to COVID-19, the majority of the workforce is working from home, and these devices would not connect to the office network for several weeks after the implementation of CMG.
Once the CMG and the site system roles are installed, clients receive the location of the CMG service automatically on their next location request. However, clients must be on the intranet to receive the location of the CMG service, and in this customer's case all users were working from home with no way to bring the devices onto the intranet to make them CMG-aware.
So the alternative is to reinstall the client on the internet-connected devices using ccmsetup.exe with the CMG command-line switches.
How do you install the client on internet-connected devices centrally? In this case, the customer has a separate tool that can run a command line on all internet-connected devices.
As I mentioned in my previous blog post, you can use the command line to install the client on internet-connected devices. How to get the required command-line switches is what this post covers.
Following is the command-line syntax that I used to install the client on internet-based devices (I did not use token-based authentication here because the customer has PKI/AAD/Hybrid AAD). For token-based authentication, read here.
"C:\windows\ccmsetup\ccmsetup.exe" /nocrlcheck /mp:https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/6257556037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057556037928694 SMSSiteCode=PS1 AADTENANTID=5004305e-6764-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=3C6a28b2-9d0a-484d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService
When I was assisting the customer to prepare a command line like the one above, I was searching in various places such as the Azure portal, app registrations, the tenant ID, etc. Then I realized that there is a SQL table that stores all of this information.
On the SCCM site database, run the following one-line query.
select * from proxy_settings
The Connectorinfo column contains the /mp and CCMHOSTNAME values.
The AADConfig column contains the AADTENANTID, AADCLIENTAPPID and AADRESOURCEURI values.
Based on the above data, it is now much easier to prepare the command-line syntax to install the client over CMG and manage the client from the internet.
If you are using Office 365 services such as Teams or OneDrive and your users have local admin rights on the device, you can simply share the client installation files and the command-line switches in OneDrive, and the user can run it directly.
If your users do not have local admin rights on the device to install the client, and you do not have any other remote tool to install the client (local admin permissions are still required), then you have no other way to install it. Whatever method you choose to install the client, the account needs to have local admin rights on the device.
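As an added example (not code from the original post), the following PowerShell builds the same ccmsetup.exe command line from the values taken from the proxy_settings query, validates the GUIDs and site code, and derives /mp and CCMHOSTNAME from a single input so the two cannot disagree. The CMG host name, MP role ID and GUIDs in the call are placeholders.

```powershell
# Added example, not code from the original post. Builds the ccmsetup.exe
# command line for a PKI/AAD client that should register through CMG, using
# the values taken from the proxy_settings query (Connectorinfo, AADConfig).
function New-CmgClientInstallCommand {
    param(
        # host/CCM_Proxy_MutualAuth/<MP role ID>, taken from Connectorinfo
        [Parameter(Mandatory)] [string] $CmgHostName,
        [Parameter(Mandatory)] [string] $SiteCode,
        [Parameter(Mandatory)] [string] $AadTenantId,     # from AADConfig
        [Parameter(Mandatory)] [string] $AadClientAppId,  # from AADConfig
        [string] $AadResourceUri = 'https://ConfigMgrService',
        [string] $CcmSetupPath   = 'C:\windows\ccmsetup\ccmsetup.exe',
        [switch] $NoCrlCheck   # skips CRL checking; only when the CDP is unreachable
    )

    # CCMHOSTNAME must carry the mutual-auth proxy path and the numeric MP role ID.
    if ($CmgHostName -notmatch '^[^/\s]+/CCM_Proxy_MutualAuth/\d+$') {
        throw "CCMHOSTNAME '$CmgHostName' is not host/CCM_Proxy_MutualAuth/<MP role ID>"
    }
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        throw "Site code '$SiteCode' must be three alphanumeric characters"
    }
    # Tenant and app IDs are GUIDs; a single mistyped digit breaks AAD authentication.
    foreach ($id in @($AadTenantId, $AadClientAppId)) {
        if ($null -eq ($id -as [guid])) { throw "'$id' is not a valid GUID" }
    }

    # ccmsetup switches (/x) must precede properties (NAME=VALUE).
    # /mp and CCMHOSTNAME are derived from the same value, so they cannot diverge.
    $switches = @("/mp:https://$CmgHostName")
    if ($NoCrlCheck) { $switches = @('/nocrlcheck') + $switches }
    $properties = @(
        'CCMHTTPSSTATE=31',
        "CCMHOSTNAME=$CmgHostName",
        "SMSSiteCode=$SiteCode",
        "AADTENANTID=$AadTenantId",
        "AADCLIENTAPPID=$AadClientAppId",
        "AADRESOURCEURI=$AadResourceUri"
    )
    return (@("`"$CcmSetupPath`"") + $switches + $properties) -join ' '
}

# Placeholder values; replace them with the output of the proxy_settings query.
New-CmgClientInstallCommand `
    -CmgHostName    'CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/1234567890123456' `
    -SiteCode       'PS1' `
    -AadTenantId    '00000000-0000-0000-0000-000000000000' `
    -AadClientAppId '00000000-0000-0000-0000-000000000000' `
    -NoCrlCheck
```

The returned string is the full command line; compare it against the one you intend to distribute before handing it to users or to the remote execution tool.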
I hope it helps and thanks for reading!
For more information about client installation parameters and properties in Configuration Manager, please read here.
Thank you Eswar! Now I could find the MP Role ID and can successfully create Co Management Profiles in Intune - Autopilot Enrollment. Devices born in the cloud and co managed.
Thank you Marius, glad you found this useful.
First off, this is great!! Did you ever find what that tool was? We have some clients that are on the internet that we cannot get to successfully and wondering if that tool would work for us to get the client installed through our CMG.
The tool is called Tanium.
Pingback: SCCM CMG Setup - Rui Qiu's Blog
My clients use PKI for CMG communication as they are domain joined only, no hybrid or AAD joined.
Everyone is now remote, and I want to upgrade Config Manager to 2006 from 1910 but I know client push is not supported by CMG.
How do I install the new client on computers that are internet connected through CMG only using PKI?
For internet-connected clients, the client push will not work, but the client upgrade that is available in the site hierarchy properties does work.
"Well, the customer has a different tool that helps to run the command line on all internet-connected devices."
What kind of tool is this?
I think it was tandem or something but let me re-verify and get back to you.