I was recently assisting a customer with the implementation of CMG to manage Windows devices over the internet.
Due to COVID-19, the majority of the workforce is working from home, and these devices will not connect to the office for several weeks after the implementation of CMG.
Once the CMG and site system roles are installed, clients get the location of the CMG service automatically on the next location request. Clients must be on the intranet to receive the location of the CMG service, but in this customer's case the users are all working from home and there is no possibility of bringing the devices onto the intranet to make them CMG-aware.
So the alternative option is to reinstall the client on the internet-connected devices with the help of ccmsetup.exe using CMG command-line switches.
How do you install the client on the internet-connected device centrally? Well, the customer has a different tool that helps to run the command line on all internet-connected devices.
As I mentioned in my previous blog post, you can use the command line to install the client on internet-connected devices. How to get the values for the command-line switches is covered in this blog post.
The following is the command-line syntax that I used to install the client on internet-based clients (I did not use token-based authentication here because the customer has PKI/AAD/Hybrid AAD). For token-based, read here.
"C:\windows\ccmsetup\ccmsetup.exe" /nocrlcheck /mp:https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/6257556037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057556037928694 SMSSiteCode=PS1 AADTENANTID=5004305e-6764-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=3C6a28b2-9d0a-484d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService
When I was assisting the customer in preparing a command line like the one above, I was searching in various places such as the Azure portal, app registration, tenant ID, etc. But I realized that there is a SQL table that stores all of this information.
On the SCCM database, run the following one-line query.
select * from proxy_settings
Connectorinfo contains the mp and ccmhostname values.
AADConfig contains the AADTENANTID, AADCLIENTAPPID and AADRESOURCEURI values.
AADTENANTID=Tenant ID
AADCLIENTAPPID=ClientID
AADRESOURCEURI=ResourceURI
Based on the above data, it is now much easier to prepare the command-line syntax to install the client over CMG and manage the client from the internet.
If you are using Office 365 services such as Teams, OneDrive, etc., and your users have local admin rights on the device, you can simply share the client installation files or command-line switches in OneDrive and the user can run it directly.
If your users do not have local admin rights on the device to install the client, and you do not have any other remote tool to install the client (local admin permissions are still required), then you have no other way to install it. Whatever method you choose to install the client, the account needs to have local admin rights on the device.
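The command line above can be assembled from the proxy_settings values with a small PowerShell helper that rejects malformed input before the result is pushed to devices. This is an added example, not code from the original post; the function and parameter names are hypothetical, and it assumes CCMHOSTNAME is the /mp: URL without its https:// scheme.

```powershell
# Added example; the function and parameter names are hypothetical.
function New-CmgClientCommandLine {
    param(
        [Parameter(Mandatory)] [string] $ManagementPointUrl,  # /mp: value (Connectorinfo)
        [Parameter(Mandatory)] [string] $SiteCode,
        [Parameter(Mandatory)] [string] $TenantId,            # AADConfig: Tenant ID
        [Parameter(Mandatory)] [string] $ClientAppId,         # AADConfig: ClientID
        [Parameter(Mandatory)] [string] $ResourceUri,         # AADConfig: ResourceURI
        [string] $CcmHostName,   # optional; derived from the /mp: URL when omitted
        [switch] $NoCrlCheck     # emits /nocrlcheck (client skips CRL checking)
    )
    $ManagementPointUrl = $ManagementPointUrl.TrimEnd('/')
    if (-not ($ManagementPointUrl -match '^https://(?<rest>[^\s/]+/\S+)$')) {
        throw "The /mp: value must be an https:// URL with a path, got '$ManagementPointUrl'"
    }
    # Assumption: CCMHOSTNAME is the /mp: URL without its scheme.
    $derived = $Matches['rest']
    if (-not $CcmHostName) { $CcmHostName = $derived }
    if ($CcmHostName -ne $derived) {
        throw "CCMHOSTNAME '$CcmHostName' does not match the /mp: URL '$ManagementPointUrl'"
    }
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        throw "Site code must be three alphanumeric characters, got '$SiteCode'"
    }
    # Tenant ID and client app ID must both parse as GUIDs.
    $parsed = [guid]::Empty
    foreach ($id in @{ AADTENANTID = $TenantId; AADCLIENTAPPID = $ClientAppId }.GetEnumerator()) {
        if (-not [guid]::TryParse($id.Value, [ref]$parsed)) {
            throw "$($id.Key) is not a GUID, got '$($id.Value)'"
        }
    }
    # Whitespace inside a value would split it into a separate argument.
    if ($ResourceUri -notmatch '^\S+$') {
        throw "AADRESOURCEURI must not be empty or contain spaces, got '$ResourceUri'"
    }
    $parts = @('"C:\windows\ccmsetup\ccmsetup.exe"')
    if ($NoCrlCheck) { $parts += '/nocrlcheck' }
    $parts += "/mp:$ManagementPointUrl"
    $parts += 'CCMHTTPSSTATE=31', "CCMHOSTNAME=$CcmHostName", "SMSSiteCode=$SiteCode",
              "AADTENANTID=$TenantId", "AADCLIENTAPPID=$ClientAppId", "AADRESOURCEURI=$ResourceUri"
    $parts -join ' '
}

# Constructed placeholder values, not taken from a real tenant or CMG.
New-CmgClientCommandLine -NoCrlCheck `
    -ManagementPointUrl 'https://CMG.EXAMPLE.NET/CCM_Proxy_MutualAuth/00000000000000000' `
    -SiteCode 'PS1' -TenantId '11111111-2222-3333-4444-555555555555' `
    -ClientAppId '66666666-7777-8888-9999-000000000000' -ResourceUri 'https://ConfigMgrService'
```

Passing -CcmHostName explicitly makes the function compare it with the /mp: URL, which catches a digit that differs between the two values after copy and paste.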
I hope it helps and thanks for reading!
For more information about client installation parameters and properties in Configuration Manager, please read here
12 Comments
Great post, the MS documentation could have called this stuff out a bit better. They put a lot of work into branding and site appearance but the content quality is all over the map. I greatly appreciate your post!
This is great information!
If I wanted to have the CM client installed as part of the OSD task sequence, what would be needed in the switches to ensure the client installs and then communicates directly to the CMG instance on initialization?
Hi,
For an OSD task sequence, you don't need the CMG switches, as the client finishes the OSD and communicates with SCCM to pick up the settings of the CMG and starts communicating with CMG automatically.
Thanks,
Eswar
Thank you Eswar! Now I could find the MP Role ID and can successfully create Co Management Profiles in Intune - Autopilot Enrollment. Devices born in the cloud and co managed.
Thank you Marius, glad you found this useful.
Regards,
Eswar
Hello Eswar,
First off, this is great!! Did you ever find what that tool was? We have some clients that are on the internet that we cannot get to successfully and wondering if that tool would work for us to get the client installed through our CMG.
The tool is called Tanium.
Thanks
Eswar
Hi Eswar,
My clients use PKI for CMG communication as they are domain joined only, no hybrid or AAD joined.
Everyone is now remote, and I want to upgrade Config Manager to 2006 from 1910 but I know client push is not supported by CMG.
How do I install the new client on computers that are internet connected through CMG only using PKI?
Thanks
Finn
Hi,
For internet-connected clients, client push will not work, but the client upgrade that is available in the site hierarchy properties does work.
Thanks
Eswar
"Well, the customer has a different tool that helps to run the command line on all internet-connected devices."
What kind of tool is this?
Hi Petri,
I think it was tandem or something but let me re-verify and get back to you.
Thanks,
Eswar