I installed CMG for one of my Customers. The Clients use internal PKI certs and CMG uses a public wildcard cert.
When I put one of the Clients on the Internet and tried to get an app installed, the attempt failed, and the Client also went grey in the SCCM console.
I checked the Client settings and found it knows about CMG, but cannot connect to it. In ccmMessaging.log I saw:
I ran CMG Connection Analyzer:
1. With AAD credentials it was all green
2. I generated a client certificate and tried to authenticate with it. This time Analyzer gave me a message saying CMG does not trust my cert. That was interesting, because I provided the certificate chain root cert for internal PKI during CMG configuration and I disabled revocation list check (since PKI was not configured as per best practice and did not have CRL properly published publicly).
So I tried removing the root certificate, resyncing the configuration to CMG, adding the certificate back and resyncing again. That did not help.
Resolution: with the root certificate added to the configuration, I stopped CMG and started it back (it initiates re-deployment). After that the messages were delivered successfully, the client went green in the SCCM console and the app was downloaded and installed successfully.
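
Before redeploying, it helps to rule out a genuine trust problem on the certificate side. The following is an added example, not part of the original post: it builds the chain for an exported client certificate with revocation checking off (as configured on the CMG above) and confirms that the chain ends at the exact root file that was uploaded. The function name, parameter names and file paths are hypothetical.

```powershell
# Added example: Test-ClientCertAgainstRoot is a hypothetical helper, not an SCCM cmdlet.
function Test-ClientCertAgainstRoot {
    param(
        [Parameter(Mandatory)] [string] $ClientCertPath,   # exported client cert (.cer)
        [Parameter(Mandatory)] [string] $RootCertPath,     # root cert uploaded to the CMG (.cer)
        [string[]] $IntermediateCertPath = @()             # issuing CA certs, if the PKI has any
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    # Resolve-Path: .NET does not share PowerShell's current directory.
    $client = New-Object "$x509.X509Certificate2" (Resolve-Path $ClientCertPath).Path
    $root   = New-Object "$x509.X509Certificate2" (Resolve-Path $RootCertPath).Path

    $chain = New-Object "$x509.X509Chain"
    # Mirror the CMG setting described in the post: no CRL check.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Offer the root and intermediates for chain building even if this
    # machine does not have them in its own certificate stores.
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    foreach ($p in $IntermediateCertPath) {
        $ca = New-Object "$x509.X509Certificate2" (Resolve-Path $p).Path
        [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    }
    # Do not fail just because the root is not in the local trusted store;
    # the anchor is compared explicitly below instead.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'

    $built = $chain.Build($client)
    $top = $null
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    [pscustomobject]@{
        ChainBuilt            = $built
        # True only if the chain terminates at the file given to the CMG.
        AnchorsAtSuppliedRoot = ($null -ne $top -and $top.Thumbprint -eq $root.Thumbprint)
        # Expiry, bad signature, etc. An untrusted root is expected and ignored here.
        OtherChainErrors      = @($chain.ChainStatus |
                                    Where-Object { $_.Status -ne 'UntrustedRoot' } |
                                    ForEach-Object { $_.Status })
        ChainSubjects         = @($chain.ChainElements |
                                    ForEach-Object { $_.Certificate.Subject })
    }
}

# Constructed example paths:
# Test-ClientCertAgainstRoot -ClientCertPath .\client.cer -RootCertPath .\internal-root.cer
```

If `AnchorsAtSuppliedRoot` is true and `OtherChainErrors` is empty, the certificate itself chains to the uploaded root, which points at the CMG side rather than the PKI.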