In Configuration Manager Current Branch v1610 Microsoft released one specific feature (previously available in tech preview) called the Cloud Management Gateway. To summarise, this offers an alternative solution to internet based client management utilising Azure therefore removing the need for any internal infrastructure, port openings, network routes etc which can often be complicated and cumbersome for many IT departments. Full info is available here - https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients-internet
For me as a consultant implementing internet based client management for various companies this looks like it will save a few difficult conversations with InfoSec guys as everything runs over TCP 443 and there’s nothing special needed internally, I will also get use out of this in my own company. That all sounds great, however here’s the butt…
Well it’s a small but as you can see, but it’s a but all the same. Probably just over 12 months ago Microsoft introduced a program for partners called the Cloud Solution Provider Program or CSP for short. In summary this allows Microsoft partners (such as the one I work for) to sell Azure to customers and essentially host and support them on Azure whilst taking care of things like billing and management. The customer pays exactly the same as they would directly to Microsoft so it’s good for everyone. This is starting to catch on with partners and indeed with customers however there are currently some limitations to CSP - it’s all based on the ‘new’ Azure portal which in turn is based on Azure Resource Manager (ARM). There is no ‘old’ portal available as this is based on Azure Service Management (ASM) and this is widely acknowledged as being phased out by Microsoft.
Here’s where the two meet though, this NEW cloud management gateway feature from Microsoft currently relies on Azure management certificates which are only available in the OLD portal. As a result, you can’t implement it. There are new authentication methods available in ARM but alas they can’t currently be used with the Cloud Management Gateway. So, that’s it we're stuck and so are any CSP customers.
Check out the how to here - https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway
I contacted the Configuration Manager product group with this scenario and they acknowledged the problem and are currently aware of it. It seems that the Cloud Management Gateway is based on the same code as the Cloud Distribution Point which was written into Configuration Manager 2012 SP1 – released 2013. In order to make this compatible with ARM there needs to be “some re-architecture of both” and this is currently a work in progress with “no definitive timelines at this point”.
Whilst I understand the reasons now and I’m grateful of the response I’d really like to get a more definitive timeline. With that in mind I thought community power was the way forward, if we want this then I guess we need to keep asking for it. Don’t forget this will also mean we can use Cloud DPs in Azure ARM too. A search on uservoice reveals a post created mid-December 2016 by Wesley Droogenbroot with the same problem. If you have any spare votes, PLEASE VOTE THIS ONE UP.
So whilst at the WMUG day today we were fortunate enough to get Brett Flegg of the CM Product group online via a skype session. He talked a little bit about the Cloud Management Gateway (CMG) so I had to ask the question about this. He confirmed we could expect an update to CMG in the next month or so but when pressed on this specific ASM vs ARM issue the answer was that it's highly unlikely we'll see a resolution to this soon. It's definitely on the to do list but the team have more pressing issues for now. Fair enough, we like an honest answer.
I have a separate write up in the locker for this though, I have a workaround. It's unsupported but it seems to work. Look out for that post.
In the mean time, there's only one thing for it - vote up the uservoice link above!