Endpoint Services, SCCM, How do I provide off-campus support for my endpoints?
How should SCCM endpoints not on the campus network send & receive data from SCCM?
System Center Configuration Manager (SCCM) Current Branch
University of Illinois IT Pros leveraging Technology Services Endpoint Service SCCM Current Branch
Off-campus endpoints can connect to the SCCM infrastructure by either connecting to the campus VPN or utilizing Internet Based Client Management (IBCM). Due to security limitations, only managed content will be available over the wireless and VPN networks. By default, custom content will only be accessible over your unit's network boundaries, as defined during provisioning. Units may provision HTTPS-enabled distribution points to allow custom content to be accessible via IBCM connections.
Internet Based Client Management (IBCM)
SCCM-managed UOFI domain-joined endpoints running a workstation-class Windows OS will receive a workstation certificate for the purpose of communicating with SCCM over the internet, a feature known as Internet Based Client Management (IBCM). This is applied via an autoenrollment group policy linked to the Urbana OU. If you break GPO inheritance, you will need to link the 'SCCM-ADCS-autoenrollment' GPO, as desired, to target endpoints which may need to make use of IBCM.
Some things to note:
- Endpoints will now be able to retrieve policy from and report status messages to the SCCM infrastructure.
- Deployments of content distributed to HTTPS-enabled DPs (shared or otherwise) will be available outside of the campus network without the requirement of a VPN connection.
- OS deployment task sequences are not supported via IBCM; task sequences that perform other actions, such as app install, are supported.
- Remote Tools do not work via IBCM.
- User-based deployments may or may not work via IBCM depending on client policy configuration.
- Client Push does not work over IBCM.
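
An endpoint-side check of the IBCM prerequisites described above, as an added example that is not part of the original article or the service's own tooling. It assumes the autoenrolled workstation certificate is placed in the local machine Personal store with the Client Authentication EKU, that the SCCM client exposes the ClientInfo class in root\ccm, and that a 30-day expiry warning window is acceptable.

```powershell
# Added example: run in an elevated PowerShell session on the endpoint.
$GpoName       = 'SCCM-ADCS-autoenrollment'  # GPO name as given in this article
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'         # Client Authentication EKU
$WarnDays      = 30                          # assumption: renewal warning window

# 1. Does the GPO appear in the computer's Resultant Set of Policy?
#    gpresult also lists GPOs that were filtered out, so treat a match as a
#    hint and read the full output if the certificate below is missing.
$rsop      = gpresult /r /scope computer 2>&1 | Out-String
$gpoListed = $rsop -match [regex]::Escape($GpoName)

# 2. Is there a currently valid machine certificate usable for client
#    authentication, with its private key present?
$now   = Get-Date
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
})
$soonest = $certs | Sort-Object NotAfter | Select-Object -First 1

# 3. Does the SCCM client currently consider itself on the internet?
#    Assumption: ClientInfo.InInternet is present on this client version.
$info = Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo `
            -ErrorAction SilentlyContinue

$result = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    GpoListedInRsop  = $gpoListed
    ClientAuthCerts  = $certs.Count
    SoonestExpiry    = if ($soonest) { $soonest.NotAfter } else { $null }
    ExpiresSoon      = [bool]($soonest -and
                              $soonest.NotAfter -lt $now.AddDays($WarnDays))
    ClientInInternet = if ($info) { $info.InInternet } else { $null }
}
$result | Format-List

# Without a usable certificate the endpoint has nothing to present to the
# HTTPS-enabled site systems, so it cannot be managed over IBCM.
if ($certs.Count -eq 0) {
    Write-Warning "No valid client authentication certificate found."
    if (-not $gpoListed) {
        Write-Warning "'$GpoName' is not in RSoP; check GPO links and inheritance."
    }
}
```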