With the release of build 1706 of System Center Configuration Manager Current Branch, it is now easier to manage Internet clients. Windows 10 Azure AD joined devices no longer need a certificate to authenticate against your SCCM.
The need for client authentication certificates is now removed (there are some prerequisites) and you can now deploy the SCCM client to these clients too.
So here are the steps to take advantage of these new functionalities.
Prerequisites
To be able to get your Internet clients authenticating against SCCM you must meet the following:
- Have an Azure AD – this should be easy as you already have Azure AD when you use Office 365
- Your Internet client must run Windows 10 and be Azure AD Joined
- Your SCCM must have at least one management point configured for HTTPS mode and have the Cloud Management Gateway set up (see http://blog.hametbenoit.info/2016/12/12/sccm-cloud-management-gateway/ for details)
For this post I’m not covering the Cloud Management Gateway deployment and configuration; please refer to the link above.
Setup
As a first step you need to ensure you have installed update 1706 for SCCM – without it, you will not have these functionalities available (except the Cloud Management Gateway, which came with an earlier build).
After installing build 1706, you should see the following in your SCCM console within the Administration workspace, under the Cloud Services section:
- Azure Services
- Azure Active Directory Tenants
- Using the SCCM console, select Azure Services and configure them
- Follow the wizard to add Cloud Management – do not confuse this with the Cloud Management Gateway
- Then define the Azure web app properties; validate your Azure environment (usually Azure PublicCloud – it depends on your Azure services, either public or government); for each Web App and Native App click Browse, which opens a window to let you select the Azure app to use (see the sections below for details – Create a new web app or Reuse an existing application)
NOTE: if you have already created an Azure app to get SCCM working with Azure for OMS integration or Windows Store for Business, you can reuse it
- Once the applications have been defined, you can enable Azure Active Directory User Discovery; if you click the Settings button you will have the same options as for the other user discovery methods to define when to run it. I would recommend updating the delta sync to match the Azure AD Connect synchronization interval.
NOTE: if you need to reconfigure the discovery interval, it will be available in the Discovery tab of the cloud management service after creation
- Finally you get the configuration summary as usual
- And that’s it, SCCM is now configured to allow management of Windows 10 Azure AD joined devices
The next step is to configure your SCCM client to allow the use of this service.
- Create or edit Client Settings for the following options under Cloud Services
- You need to enable Automatically register Windows 10 domain joined devices with Azure AD and Enable clients to use a cloud management
- Finally you need to deploy/update your SCCM client deployment to configure it for this functionality; use the following command:
ccmsetup.exe /NoCrlCheck /Source:<local location of the SCCM setup files> CCMHOSTNAME=<name of your Internet management point> SMSSiteCode=<your SMS site code> AADTENANTID=<your Azure tenant ID – see Reuse existing web app below to get this> AADTENANTNAME=<your Azure tenant name> AADCLIENTAPPID=<the application ID – see Reuse existing web app below to get this> AADRESOURCEURI=<the application URL – see Reuse existing web app below to get this>
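As an added example (not code from the original post), here is a PowerShell wrapper that checks the Azure AD join state with dsregcmd, validates the GUID values, and assembles the ccmsetup command line above before running it; the hostname, site code, tenant and application values in it are placeholders.

```powershell
# Added example, not from the original post: check the Azure AD join state
# reported by dsregcmd, validate the values, then run ccmsetup with the
# parameters shown above. Every value in the $params block is a placeholder.
function Test-AzureAdJoined {
    # dsregcmd /status prints "AzureAdJoined : YES" on an Azure AD joined device
    $status = & dsregcmd.exe /status
    return [bool]($status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES\s*$' })
}

function New-CcmSetupArgumentList {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $CcmHostName,
        [Parameter(Mandatory)] [string] $SiteCode,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $ClientAppId,
        [Parameter(Mandatory)] [string] $ResourceUri
    )
    # Tenant ID and client app ID are GUIDs; catch copy/paste mistakes before ccmsetup runs
    $parsed = [guid]::Empty
    foreach ($value in @($TenantId, $ClientAppId)) {
        if (-not [guid]::TryParse($value, [ref] $parsed)) { throw "Not a GUID: $value" }
    }
    if ($SiteCode.Length -ne 3) { throw "Site code must be three characters: $SiteCode" }
    return @(
        '/NoCrlCheck', "/Source:`"$Source`"",
        "CCMHOSTNAME=$CcmHostName", "SMSSiteCode=$SiteCode",
        "AADTENANTID=$TenantId", "AADTENANTNAME=$TenantName",
        "AADCLIENTAPPID=$ClientAppId", "AADRESOURCEURI=$ResourceUri"
    )
}

# Placeholder values: replace with the ones from your tenant and site
$params = @{
    Source      = 'C:\Temp\ccmsetup'
    CcmHostName = 'internet-mp.example.com'
    SiteCode    = 'PS1'
    TenantId    = '00000000-0000-0000-0000-000000000000'
    TenantName  = 'contoso.onmicrosoft.com'
    ClientAppId = '00000000-0000-0000-0000-000000000000'
    ResourceUri = 'https://example-app-id-uri'
}

if (-not (Test-AzureAdJoined)) { throw 'Device is not Azure AD joined; prerequisite not met' }
$argList = New-CcmSetupArgumentList @params
# Follow the installation progress in C:\Windows\ccmsetup\Logs\ccmsetup.log
Start-Process -FilePath (Join-Path $params.Source 'ccmsetup.exe') -ArgumentList $argList -Wait
```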
Create a new web app
Follow these steps only if you plan to create a new Azure web app for this service or if this is the first time you configure SCCM to work with Azure (meaning you have not configured OMS or Windows Store for Business for use with SCCM).
- On the Server App window, click Create and fill in the fields
- Application Name: the name of your new application. I would recommend using an understandable name
- Home page URL: is the sign in pa