Endpoint Services, MECM, How do I provide off-campus support for my endpoints?
How to manage off-campus MECM endpoints
Microsoft Endpoint Configuration Manager (MECM, formerly SCCM)
University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team
Off-campus endpoints can connect to the MECM infrastructure by either connecting to the campus VPN or utilizing Internet Based Client Management (IBCM). Due to security limitations, the shared HTTPS DP only provides managed content over IBCM connections. By default, custom content will only be accessible over your unit's network boundaries, as defined during provisioning. Units may provision HTTPS-enabled distribution points to allow custom content to be accessible via IBCM connections.
Internet Based Client Management (IBCM)
MECM-managed UOFI domain-joined endpoints running a workstation-class Windows OS will receive a workstation certificate for the purpose of communicating with MECM over the internet (a feature known as Internet Based Client Management (IBCM). This is applied via an auto-enrollment group policy linked to the Urbana OU. For those who break GPO inheritance, you will need to link the 'SCCM-ADCS-autoenrollment' GPO, as desired, to target endpoints which may need to make use of IBCM.
Some things to note:
- Endpoints will now be able to retrieve policy from and report status messages to the MECM infrastructure.
- Deployments of content distributed to HTTPS-enabled DPs (shared or otherwise) will be available outside of the campus network without the requirement of a VPN connection.
- OS deployment task sequences are not supported via IBCM; task sequences that perform other actions, such as app install, are supported.
- Remote Tools do not work via IBCM.
- User-based deployments may or may not work via IBCM depending on client policy configuration.
- The standard client installation method does not work over IBCM; this article outlines the steps to deploy the client to off-campus endpoints