Under SCCM 2007, Native Mode was a bit of a pain. You couldn’t mix and match HTTP and HTTPS enabled clients in one site, so even where you didn’t need the HTTPS level of security, you had to have it, and there was always a client with a certificate issue somewhere.
So, with Configuration Manager 2012 we’re moving on significantly. Native mode is no more and everything got much simpler. A site can now serve HTTP and HTTPS based clients. The site and site systems also individually understand whether a client is Internet or Intranet based and can be configured to respond to one or the other or both.
Here the site is configured:
This week we’ve deployed a few hundred SCCM 2012 RC2 clients as a test bed.
The majority of the clients we’re managing at this customer are purely Internet based with no access into the core network at any time. We’re having to manually provision them with the requisite certificates, more of which in another post, following which the client is installed using some of the nice new switches we have on the ccmsetup command line:
ccmsetup /usePKICert /NOCRLCheck /mp:https://ServerPublicFQDN.co.uk SMSSITECODE=AAA CCMHOSTNAME=ServerPublicFQDN.co.uk
/usePKICert tells the client to load the certificate.
/NOCRLCheck tells the client not to try to find a CRL for the client download (this is for the client download from the MP only; CRL checking will be enabled for client-to-site communications unless specifically disabled in the site properties dialogue box above).
CCMHOSTNAME just tells the machine where its internet based MP is.
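Since the certificate is provisioned by hand, it is worth checking it before ccmsetup runs. The PowerShell below is an added example, not part of the original post: it assumes the certificate sits in the computer's Personal store and that ccmsetup.exe is in the current directory, and its function names are made up for illustration.

```powershell
# Added example (not from the original post). Assumptions: the client certificate
# is in the computer's Personal store and ccmsetup.exe is in the current directory.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'          # Client Authentication EKU
$MpFqdn        = 'ServerPublicFQDN.co.uk'     # placeholder used in the post
$SiteCode      = 'AAA'                        # placeholder used in the post

function Test-ClientAuthEku {                 # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }          # no EKU extension: treat as unsuitable
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Test-ChainWithoutRevocation {        # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Revocation is not checked here, as the install also passes /NOCRLCheck;
    # the chain must still build to a root this machine trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($Cert)
    foreach ($s in $chain.ChainStatus) {
        Write-Warning "$($Cert.Thumbprint): $($s.StatusInformation.Trim())"
    }
    return $ok
}

$now = Get-Date
$usable = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (Test-ClientAuthEku $_) -and (Test-ChainWithoutRevocation $_)
})

if ($usable.Count -eq 0) {
    Write-Error 'No valid, trusted client authentication certificate found; ccmsetup not started.'
    exit 1
}
$usable | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Same command line as in the post, built from the placeholders above.
& .\ccmsetup.exe /usePKICert /NOCRLCheck "/mp:https://$MpFqdn" "SMSSITECODE=$SiteCode" "CCMHOSTNAME=$MpFqdn"
```

A machine that fails this check would otherwise install the client and then sit there unable to talk to the MP, which is the "client with a certificate issue somewhere" from the Native Mode days.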
When the client is installed the control panel applet knows how the client is accessing the infrastructure:
This one is on the internet and is happy about it.
Our client has joined a collection and gets an app, so we can see end-to-end that it’s working.
The app downloads and is installed. The DataTransferService log confirms the https connection (not that it could be working any other way, but it’s nice to see!)
We did a few other cool things with the solution. Here’s a screenshot of the console with the clients reporting in:
We deployed System Center Endpoint Protection:
SCEP is pretty cool now. The SCEP agent is policy-based, so as the client performs its first policy check upon installation, it is force-fed the SCEP client. No need to join a collection or submit inventory or any of those delays, straight in with the anti-malware! (It’s a shame it thinks VNC is a virus though).
So in rambling conclusion… SCCM 2012 RC2 IBCM = good. SCEP = good, everything = good.