Managing enterprise-owned computers is an important responsibility for any IT department. A management product like Microsoft System Center Configuration Manager (SCCM) provides a significant amount of power and process for performing this task. Traditionally, products like this have done a fantastic job of managing systems that are on the internal network, but managing “internet-based” clients has been much more challenging.
One option that many companies have adopted is to attempt to manage these systems via a VPN connection, which essentially places the remote computer on the internal network. No additional infrastructure is required for this option, but it depends on an end user connecting the computer to the VPN regularly and for a long enough duration to accomplish the management tasks. As a result, the success rate for this option can be very hit or miss.
Configuration Manager has provided the ability to manage these clients directly on the internet for a number of years. However, Internet Based Client Management (IBCM) has required significant infrastructure and client prerequisites that have made it a daunting endeavor for many companies.
Easier Internet-Based Client Management
With the release of Configuration Manager v1610, Microsoft has begun to lower the complexity bar for managing internet-based clients. Version 1610 introduces a public preview of the Cloud Management Gateway service. It should be noted that this service is a preview (i.e. beta) and is not designed for production deployment at this time.
The Cloud Management Gateway service has two components that enable it to work. First is a cloud service that is deployed to a Microsoft Azure virtual machine. Second is a new Configuration Manager site system role that connects to that VM. During setup of the Cloud Management Gateway, the Configuration Manager site server will use the Azure subscription ID to automatically set up and configure the Azure virtual machine. Because this connection is initiated by the site server and uses TCP port 443 (standard SSL port), no additional firewall configuration will be necessary in most instances. Once configured, SCCM clients will obtain the location of the Cloud Management Gateway the next time they run the location request polling cycle on the internal network.
SCCM for Internet-Based Clients
A Cloud Management Gateway supports the Management Point and Software Update Point SCCM roles. These roles allow an internet-based client to receive SCCM policy updates and notifications regarding approved software updates. If client policy requires content such as an application installation or software updates, then the client will be directed to download that content from either a Cloud Distribution Point or directly from Microsoft Update.
As this is a cloud service, there is a recurring cost for the Cloud Management Gateway. During setup, an Azure Standard_A2 virtual machine is configured, which costs approximately $130 per month. Additionally, the cost of outgoing data has to be taken into account. If clients are configured to use the default policy refresh cycle (hourly), Microsoft has estimated the outgoing data to be approximately 100 MB per client per month. Microsoft’s Azure Pricing Calculator can be used to estimate these costs.
As stated earlier, the Cloud Management Gateway is currently in public preview, so it should not be used for production workloads at this time. Once this feature is fully released, it will be a valuable tool for enabling easier management of internet-based clients.