How to manage off-campus MECM endpoints
Microsoft Endpoint Configuration Manager (MECM, formerly SCCM)
University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team
Off-campus endpoints can connect to the MECM infrastructure by either connecting to the campus VPN or utilizing Internet Based Client Management (IBCM). Due to security limitations, the shared HTTPS DP only provides managed content over IBCM connections. By default, custom content will only be accessible over your unit's network boundaries, as defined during provisioning. Units may provision HTTPS-enabled distribution points to allow custom content to be accessible via IBCM connections.
MECM-managed UOFI domain-joined endpoints running a workstation-class Windows OS will receive a workstation certificate for the purpose of communicating with MECM over the internet (a feature known as Internet Based Client Management (IBCM). This is applied via an auto-enrollment group policy linked to the Urbana OU. For those who break GPO inheritance, you will need to link the 'SCCM-ADCS-autoenrollment' GPO, as desired, to target endpoints which may need to make use of IBCM.
Some things to note: