Configure clients for cloud management gateway
Applies to: Configuration Manager (current branch)
Once the cloud management gateway (CMG) and the supporting site system roles are operational, you may need to make configuration changes on Configuration Manager clients.
Clients that can communicate with the management point automatically get the location of the CMG service on the next location request. The polling cycle for location requests is every 24 hours. If you don't want to wait for the normally scheduled location request, you can force the request. To force the request, restart the SMS Agent Host service (ccmexec.exe) on the computer.
For devices that aren't connected to the internal network, there are several options to configure them with a CMG location. For more information, see Install off-premises clients using a CMG.
Note
By default all clients receive CMG policy. Control this behavior with the client setting, Enable clients to use a cloud management gateway. For more information, see About client settings.
Client location
The Configuration Manager client automatically determines whether it's on the intranet or the internet. If the client can contact a domain controller or an on-premises management point, it sets its connection type to Currently intranet. Otherwise, it switches to Currently Internet, and uses the location of the CMG service to communicate with the site.
Note
You can force the client to always use the CMG regardless of whether it's on the intranet or internet. This configuration is useful for testing purposes, or for clients that you want to force to always use the CMG. Set the following registry key on the client:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1
You can also specify this setting during client installation using the CCMALWAYSINF property.
This setting will always apply, even if the client roams into a location where boundary group configurations would otherwise leverage local resources.
To verify that clients have the policy specifying the CMG, open a Windows PowerShell command prompt as an administrator on the client computer, and run the following command:
Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}
This command displays any internet-based management points the client knows about. While the CMG isn't technically an internet-based management point, clients view it as one.
Note
To troubleshoot CMG client traffic, use CMGService.log and SMS_Cloud_ProxyConnector.log. For more information, see Log files.
Install off-premises clients using a CMG
There are two methods to install the Configuration Manager client on devices that aren't currently connected to your intranet. Both require a local administrator account on the target system.
The first method is to use a bulk registration token to install the client on a device. For more information on this method, see Create a bulk registration token.
For the second method, when you run ccmsetup.exe, use the
/mpparameter to specify the CMG's URL. For more information, see About client installation parameters and properties. This method requires one of the following conditions:The Configuration Manager site is properly configured to use PKI certificates for client authentication. Additionally, the client systems each have a valid, unique, and trusted client authentication certificate previously issued to them.
The systems are Microsoft Entra domain-joined or hybrid Microsoft Entra domain-joined.
Configure off-premises clients for CMG
You can connect devices to a recently configured CMG where the following conditions are true:
They already have the Configuration Manager client installed.
They aren't connected and can't be connected to your intranet.
They meet one of the following conditions:
A valid, unique, and trusted client authentication certificate previously issued to it.
Microsoft Entra domain-joined
Hybrid Microsoft Entra domain-joined
You don't want to or can't completely reinstall the existing client.
You have a method to change a machine registry value and restart the SMS Agent Host service using a local administrator account.
To force the connection on these devices, create the REG_SZ registry entry CMGFQDNs in the key HKLM\Software\Microsoft\CCM. Set its value to the URL of the CMG, for example, https://GraniteFalls.contoso.com. Then restart the SMS Agent Host Windows service on the device.
If the Configuration Manager client doesn't have a current CMG or internet-facing management point set in the registry, it automatically checks the CMGFQDNs registry value. This check occurs every 25 hours, when the SMS Agent Host service starts, or when it detects a network change. When the client connects to the site and learns of a CMG, it automatically updates this value.
Next steps
Your CMG is now set up and functional with clients communicating to the site. Next, understand how to monitor the CMG service and clients:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for