If you want the ability to manage clients over the internet, then you will need a CMG. You can configure your ConfigMgr environment for full PKI, or you have the option to use EHTTP (enhanced HTTP) with token-based authentication. However, you will still need a CMG server certificate, which can be a PKI cert or a third-party cert.
You also have the option of configuring co-management, which doesn't require any kind of certs. However, you will need to hybrid-join your devices to be able to manage all the supported workloads. It all depends on your requirements.
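Whichever of the two authentication options above you pick, the CMG server certificate still has to be right before you upload it. The following is an added PowerShell example, not code from the original post; it assumes Windows PowerShell on a machine that trusts the issuing CA, and the PFX path, PFX password and CMG service FQDN in the call at the bottom are placeholders you replace with your own.

```powershell
function Test-CmgServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,      # PFX exported with the private key
        [Parameter(Mandatory)] [string] $CmgFqdn,      # the CMG service name clients will connect to
        [string] $PfxPassword = ''
    )

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)

    # 1. The PFX must carry the private key; a .cer export cannot be used as a server cert.
    $hasKey = $cert.HasPrivateKey

    # 2. Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = $false
    if ($eku) {
        $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    # 3. Subject Alternative Name (OID 2.5.29.17) must cover the CMG service name.
    #    On Windows, Format($false) yields e.g. "DNS Name=cmg.example.com, DNS Name=*.example.com".
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    }
    $fqdn     = $CmgFqdn.ToLowerInvariant()
    $sanMatch = $false
    foreach ($name in $dnsNames) {
        if ($name -eq $fqdn) { $sanMatch = $true; break }
        # A wildcard covers exactly one label: compare everything right of the first dot.
        if ($name.StartsWith('*.') -and $fqdn.Contains('.') -and
            $fqdn.Substring($fqdn.IndexOf('.') + 1) -eq $name.Substring(2)) {
            $sanMatch = $true; break
        }
    }

    # 4. Validity window.
    $now    = Get-Date
    $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    # 5. The chain must build to a root this machine trusts. Revocation is skipped here
    #    because the CA's CRL is often unreachable from an admin workstation; note that
    #    internet clients talking to the CMG will still need to reach that CRL.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $hasKey
        ServerAuthEku  = $serverAuth
        SanNames       = $dnsNames
        SanCoversCmg   = $sanMatch
        WithinValidity = $inDate
        ChainBuilds    = $chainOk
        ChainStatus    = $chainStatus
        ReadyForCmg    = ($hasKey -and $serverAuth -and $sanMatch -and $inDate -and $chainOk)
    }
}

# Placeholder values (assumed, not from the original post); substitute your own.
Test-CmgServerCertificate -PfxPath 'C:\certs\cmg-server.pfx' `
                          -CmgFqdn 'contoso-cmg.cloudapp.net' `
                          -PfxPassword 'changeme' | Format-List
```

If `ReadyForCmg` comes back false, the individual fields tell you which requirement failed; the most common misses in practice are a missing private key in the export and a SAN that names the on-premises server rather than the CMG service FQDN.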