Systems

Microsoft Endpoint Configuration Manager (MECM)

Intended Audience

University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team

General Information

Off-campus endpoints can connect to the MECM infrastructure by either connecting to the campus VPN or utilizing Internet Based Client Management (IBCM). Due to security limitations, the shared HTTPS DP only provides EPS-managed content over IBCM connections. By default, custom unit content will only be accessible over your unit's network boundaries, as defined during provisioning. Units may provision HTTPS-enabled distribution points to allow custom unit content to be accessible via IBCM connections.

Internet Based Client Management (IBCM)

MECM-managed UOFI domain-joined endpoints running a workstation-class Windows OS will receive a workstation certificate for the purpose of communicating with MECM over the internet (a feature known as Internet Based Client Management, IBCM). This is applied via an auto-enrollment group policy linked to the Urbana OU. For those who break GPO inheritance, you will need to link the 'SCCM-ADCS-autoenrollment' GPO, as desired, to target endpoints which may need to make use of IBCM.

Some things to note:

• Endpoints will now be able to retrieve policy from and report status messages to the MECM infrastructure.
  
  
• Deployments of content distributed to HTTPS-enabled DPs (shared or otherwise) will be available outside of the campus network without the requirement of a VPN connection.
  
  
• OS deployment task sequences are not supported via IBCM; task sequences that perform other actions, such as app install, are supported.
  
  
• Remote Tools do not work via IBCM and require the VPN.
  
  
• User-based deployments may or may not work via IBCM depending on client policy configuration.
  
  
• The standard client installation method does not work over IBCM; this article outlines the steps to deploy the client to off-campus endpoints

Contact the EPS team