Comments on: Best Guide to Set up SCCM CMG Cloud Management Gateway

By: GlennC

GlennC

It looks like Microsoft may have clarified the recommendations for the APP ID registration url to show the following recommened formatting:

api://{tenantId}/{string}, for example, api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
https {verifiedCustomerDomain}/{string}

In testing, I found that the https Configmgrservice formatting prevents AAD user token retrieval. Device management seemed to work ok, but things like application request approval through the CMG did not until the App ID registration url was changed to recommended format. CcmAADBroker.log will show an error if this is not working properly.

By: John Kuntz

John Kuntz

In reply to Shailesh Namjoshi. You won't see it under Cloud Distribution Points. This is a legacy option for when you needed a separate Cloud Distribution Point. If you've checked the box for the CMG to also be a Cloud Distribution Point, it will show up under your normal distribution points

By: Shailesh Namjoshi

Shailesh Namjoshi

Hi Prajwal,

I am facing issue where i dont see any Cloud Distribution Points. I have enabled it in the Client Settings -> Cloud Services and my Cloud Management Gateway has been installed and it is ready – in Status and Connected as well.

Can you please tell me where is the other entry point i should look for Cloud Distribution Points.

Thank you,

Regards,
Shailesh

By: unkownuser

unkownuser

In reply to Prajwal Desai. how to setup multiple CMG instance in sccm console and how to assign the machines based on site/etc?

By: Antoonioo

Antoonioo

In reply to Antoonioo. Everything appeared in Azure :)

By: Antoonioo

Antoonioo

Hi Prajwal,

Could you tell me if i can find this vm to cmg somewhere in Azure? I can’t see this vm in my resource group. Can I check cost of this running service somewhere in Azure?

Regards,
Antoonioo

By: emz

emz

For CMG service deployment in Azure:

az login
az provider register -n Microsoft.KeyVault
az provider register -n Microsoft.Microsoft.Network
az provider register -n Microsoft.Microsoft.Storage

then you can create the service from CM console

By: Nishant

Nishant

In reply to Benny. You can create a new user in Azure AD and provide Global admin privilege and login with that account. In my case it works perfectly

By: Mark

Mark

In reply to Santosh. The CMG must have a trusted certificate on its Internet facing side. It can talk internally to the MP without a full PKI because Azure AD will handle stuff on that side. The cert does not have to be part of a full PKI, you could just go to a trusted authority such as DigiCert or GoDaddy to get one singular cert and apply it on your CMG. As I said, it must be trusted, so whichever authority you choose must either already be trusted by your clients or you will need to distribute a trusted root authority cert to them (usually done via GPO).

By: Mark

Mark

What I would do is reinstall the client (FTP it over to them or whatever) with the command line option SMSMPLIST containing the FQDN of your CMG in the list. I can’t type what that would look like into this response due to blocking URLs but you can find info about SMSMPLIST at Microsoft’s site:

Search for the title: About client installation properties smsmplist

——————–

Since you already have an SCCM client on the device populating HKLM – SOFTWARE – Microsoft – CCM – CMGFQDNs with your CMG server’s FQDN might work, but there also may be more needed so I’d just go with the client reinstall.