November 13, 2018
Posted by on
I decided to set up a test lab for co-management. Here is what I have:
Azure AD tenant. In addition to Primary *.onmicrosoft.com I have multiple custom domains registered.
SCCM 1806 on-prem
I started from deploying CMG as demonstrated in Justin’s video: https://www.youtube.com/watch?v=kTOPhVHyZtE
The only difference – I did not use internal domain name for CMG, just left it as myname.cloudapp.net. That allowed me to avoid CNAME requirement.
after that I configured co-management as per https://www.youtube.com/watch?v=rTapalSHv6U
but unfortunately SCCM client was not installed on my test machine joined to Azure AD.
I am using enhanced HTTP on SCCM side; my internal MP operates in HTTP mode and there is no certificate installed on the the Client. I tried to be as close as possible to real BYOD scenario.
After some troubleshooting I sent the question to Technet forums https://social.technet.microsoft.com/Forums/en-US/4a7bb933-0f6e-4588-a5a1-c3b71f38d090/sccm-1806-client-installation-from-cmgdp?forum=ConfigMgrMDM
Based on the forum discussion I replaced Intune MSI-based SCCM Client deployment to W32 App which Microsoft has currently in preview. Just as Martin recommended: https://www.imab.dk/deploy-the-sccm-client-using-microsoft-intune-and-the-cloud-management-gateway-no-pki-certificates/
Nick provided great help with tokens troubleshooting. I found his article here: https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/
And do not forget to Approve the Client in SCCM console (at least in my case it was a workgroup machine and auto-approval was not enabled on SCCM).
It took ~15 min after approval before the Client got policy from SCCM MP.
After all everything is working, but took some time with research and troubleshooting…