My company is fairly small with approximately 700 Configuration Manager endpoints. We currently have one MECM primary server (currently on v2111) that includes the DP, MP, SUP with a few other roles. My company has approximately 100 laptops all working from home these days. The laptops have the ability to connect to our network via VPN, but we want to ensure we can deploy Microsoft updates and applications when the laptop is either on or off our internal network.
The goal is to set up an IBCM server in our DMZ. I have reviewed Microsoft resources and third-party resources on how to do this. Some resources refer to setting up DP, MP and SUP roles (including WSUS) on the IBCM server, while other resources only reference the DP and MP roles. I think I only need to install the DP role and the MP role on the IBCM server. My thinking is I would still create the software update group on the primary server, download the software and create the deployment on the primary server and just push to the DP on the IBCM server.
Please confirm if my thinking as stated above is correct. If I do need a SUP role (including WSUS) on the IBCM server, would someone please clarify why.