A decade ago, the Cloud was an abstract concept that was not completely comprehended by IT departments. Today the Cloud is driving businesses; it became even more prominent with the COVID pandemic. We are in the Cloud age!
I have an IT administration background and am mainly working with End User Computing (EUC) technologies. In the past 14 years I have witnessed how hardware, software and the EUC management has rapidly evolved.
The client applications being delivered evolved from being simple EXEs to MSIs, App-V, VMware Thin-app, MSIX . Web applications accessed by the end users are slowly being migrated from the on-premise servers to the Cloud platform and are now called Software as a Service (Saas).
The evolution of stand-alone applications delivery progressed from Active Directory deployment, then technologies like Marimba, Microsoft SMS that was later known as SCCM, Citrix, App-V, Intune etc.
The evolution of IT management, which I observed, was from Active Directory, GPOs, to SCCM on premise, to SCCM co-management with Cloud management Gateway. I also observed many environments are using legacy technologies and want to transition towards the new way of working that addresses today’s challenges.
The pandemic was a wake-up call for the IT EUC administration landscape where the remote working has abruptly become the norm. IT managers are required to shift the way of working from the enterprise network connected buildings to the employee’s homes. Desktops are becoming less desirable, while laptops and tablets are taking the lead.
Due to abrupt and full time homeworking, challenges arose. I want to share the below case study to help you understand how Microsoft Azure based Cloud Management Gateway can be leveraged to address these challenges. How application delivery and EUC asset management over the Internet can be conducted in a secure and efficient fashion.
In this pandemic situation, below questions give us a good start because as the saying goes “Understanding the problem correctly is half the solution”. So let’s try to understand the problem by asking the below questions:
- Most of the EUC assets in our enterprise are on premise AD-joined and SCCM controlled; how to manage these assets when they are not connected on the corporate network?
- How to ensure the required software and their updates are send to the EUC assets when they are not connected on the corporate network.
- How can we keep the Windows 10 version on our EUC assets current & supported? How to perform in-place upgrades in remote locations where the enterprise network is not efficient or only sporadically connected via VPN?
- How to ensure the windows updates are send to the clients without consuming the enterprise’s network bandwidth & flow over the Internet?
- How to ensure the clients are still meeting the compliance requirements set by the enterprise security policy?
- How can we deliver applications which are deployed by SCCM to the EUC assets that are only connected to the Internet and not VPN?
- How can we make sure a critical security update is installed immediately when our VPN bandwidth is limited and/or users are only sporadically connected to VPN due to the working style of using more cloud based applications like Office 365, Teams, OneDrive, SharePoint online etc.
So how can you overcome these challenges?
Now this is where I want to talk about Cloud Management Gateway (CMG) and why it can be an advantage to use it in your enterprise.
What is CMG and why to use it?
Cloud Management Gateway is a cloud based service in Microsoft Azure platform to manage the SCCM clients over the internet. So the questions that we asked above, let’s relook at them and see if CMG fits as a solution or may be a part of the solution.
Since it acts exactly like a Management Point and a Distribution Point (from version SCCM 1806 onwards), below benefits are possible:
- Pushing Windows Updates
- Software Distribution and patching
- Windows 10 In-place Upgrades
- Endpoint protection
- Inventory and client status
- Compliance settings
- Managing Auto-pilot devices
Scenario 1: In a scenario where the devices are only managed by SCCM and not Co-Managed with InTune, below is what we can do:
- We can setup a Cloud Management gateway with the roles of both Management Point as well as Distribution point. For example, you want to conduct a Windows 10 in-place upgrades and the EUC assets are located in the remote offices/users homes were the enterprise network or VPN is not reliable. Over the internet, CMG can take control of deploying the Windows 10 upgrade task sequences to the EUC assets. The best way to configure such upgrades is to ensure the content is downloaded locally completely even before the task sequence begins. This ensures that if there is any interruptions in the internet once the Task sequence begins, the upgrade can still proceed because the upgrade dependencies are all locally available.
- Another example, there is an urgent security update that is to be deployed ; we cannot rely on users to be always be connected to VPN. So such security updates or emergency software updates can be distributed to CMG Distribution point so the CMG can deploy to the EUC assets through the Internet without the necessity to connect to VPN. If the EUC assets are connected to VPN or corporate network, they report to On-Premise SCCM which will be in control of deploying the same emergency software / security updates. This way we are able to conduct the deployment when an asset is connected to the corporate network, the VPN or only the internet.
- We are saving time to meet the security compliance when CMG is in place. When EUC assets are connected to VPN or corporate network, the On-premise SCCM is in control and when they are roaming on Internet, the CMG is in control of the EUC assets. The time in achieving this compliancy rate is reduced drastically and gaps are avoided.
- Also, the VPN network bandwidth is not choked because CMG leverages Azure bandwidth.
Scenario 2: In a scenario where the companies are doing transition from On-Premise to Cloud i.e., SCCM to InTune, and co-management is in place:
- If I want to convert my existing On-premise domain joined windows 10 devices to Auto-pilot devices, an Auto-pilot task sequence can be deployed via SCCM. This will wipe-off and deploy the offline auto-pilot profile on the devices. The devices are now Azure AD joined and InTune enrolled. But how do I get these devices co-managed ?
- We can use InTune to deploy the SCCM agent and now CMG plays a crucial role here. Through CMG, the windows 10 devices will now communicate with On-Premise SCCM even though the devices are no longer On-Premise AD joined.
- If the new devices from the OEM are auto-pilot enrolled and I want to deploy some applications which haven’t yet been transferred to InTune, CMG can be used to deploy them via SCCM to the Auto-pilot devices.
How does it work?
CMG consists of a Microsoft Azure cloud service and an SCCM site system role to communicate with Azure service. The clients on internet can then use this Azure service to communicate with SCCM. Since, CMG is a cloud based service, the setup is fairly simple and secure.
Typical architecture setup when CMG is going to be part of the existing SCCM Infrastructure:
The communication flow among the different components in the infrastructure is detailed below:
- Internet connected SCCM client request for policy from Azure CMG cloud service
- Azure CMG cloud service forwards the client communication to the on-premises CMG connection point. CMG cloud service gets the policy from On-premise MP and SUP through CMG connection point role.
- CMG connection point role acts as a proxy and build a 2-way communication channel between on-premise SCCM (MP & SUP) and Azure CMG cloud service
- Finally, SCCM clients get policy and content from Azure CMG cloud service.
Costs are incurred on the Azure subscription of the enterprise. When a CMG is deployed, an Azure Standard_A2 Virtual Machine is automatically created. A maximum of 16 VMs can be created which can support 6000 clients each .i.e, up to a total of 96000 clients can be supported. Azure VM costs vary by region. Data transfer and content storage also incurs the charge, which means the client refreshing policy and any software deployments will be accounted as content outbound data transfer from Azure. Exception is the internet managed SCCM clients get software update content directly from Windows Update and there is no charge for the content storage.
As an example, below you can find the costs based on the organization capacity. These numbers are only an estimate it also depends on the content of the applications, policy refresh interval, HW/SW inventory etc. The matrix below merely provide a rough estimate:
|No.of.Devices using CMG
|Estimated Monthly Cost
|Estimated Cost per device
For VMs: https://azure.microsoft.com/en-gb/pricing/calculator/
For data bandwidth: https://azure.microsoft.com/en-us/pricing/details/bandwidth/
Well, that briefly is what CMG can offer you & your organization and I hope you can take advantage of CMG!