With each release of ConfigMgr Microsoft is making huge strides in internet-based client management. There are many new features for the CMG in 1806 however this blog is focused on the simplification of the installation. Many customers have been reluctant to use a CMG due to the complex and confusing certificate requirements.
In versions prior to 1806 the cloud distribution points and cloud management gateways had to be deployed as separate roles. The cloud management gateway now can serve content to clients. This simplifies the installation, reduces the number of certificates required and lowers the cost of operations.
These simplifications are made possible by ConfigMgr generating its own certificates in conjunction with AAD security tokens allowing internet clients to use an HTTP management point. To put that in more simple terms 1806 does not require an internal PKI. You can see these certificates in the ConfigMgr console by going to Administration>Security>Certificates in the ConfigMgr console. For this to work clients must be Windows 10 and in some scenarios must be Windows 10 1803. Of course, you must also onboard the site to Azure AD for cloud management. Clients must be AAD joined or AAD registered which can easily be accomplished via client agent settings.
Azure Active directory can issue machine or user tokens. Machine tokens are preferred because they add remove the requirement for an AD user to be logged in to the client in order for the client to communicate to ConfigMgr. Machines tokens are one scenario which requires Windows 10 1803 or greater.
For a detailed how-to guide on deploying the CMG/CDP in 1806 please download my paper here.
If you’d like to see what else is new for the CMG and/or CDP 1806 please refer to the official documentation.