Archive for February, 2012
Apajove
The past six months have been quite hectic and my blog output has suffered somewhat. The primary reason for this is our establishment of Apajove. Apajove is the name of our new UK System Center consultancy. Since July 2011 we have been working hard to establish the company and deliver some excellent technical projects for our customers across various scales and sectors.
Apajove is growing as our workload increases, particularly with the release of the 2012 iteration of System Center. We are working with a few companies as early adopters of the System Center Suite; some of our findings from those projects are appearing here and at the Apajove blog.
There’s more detail over at Apajove.com. I will also be blogging there from here on along with Andy, Shaun and Ben, and the others joining our technical team.
Best Regards
John
SCCM 2012 Internet-Based Client Deployment
Under SCCM 2007, Native Mode was a bit of a pain. You couldn’t mix and match HTTP- and HTTPS-enabled clients in one site, so even where you didn’t need the HTTPS level of security, you had to have it, and there was always a client with a certificate issue somewhere.
So, with Configuration Manager 2012 we’re moving on significantly. Native mode is no more and everything got much simpler. A site can now serve both HTTP- and HTTPS-based clients. The site and site systems also individually understand whether a client is Internet or Intranet based and can be configured to respond to one or the other or both.
Here the site is configured:
This week we’ve deployed a few hundred SCCM 2012 RC2 clients as a test bed.
The majority of the clients we’re managing at this customer are purely Internet based with no access into the core network at any time. We’re having to manually provision them with the requisite certificates, more of which in another post, following which the client is installed using some of the nice new switches we have on the ccmsetup command line:
ccmsetup /usePKICert /NOCRLCheck /mp:https://ServerPublicFQDN.co.uk SMSSITECODE=AAA CCMHOSTNAME=ServerPublicFQDN.co.uk
/usePKICert tells the client to load the certificate.
/NOCRLCheck tells the client not to try to find a CRL for the client download (this is for the client download from the MP only; CRL checking will be enabled for client → site communications unless specifically disabled in the site properties dialogue box above).
CCMHOSTNAME just tells the machine where its internet based MP is.
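A pre-flight check for the install described above, as an added example (not from the original post and not Microsoft's own script): it confirms that the manually provisioned certificate is actually usable before ccmsetup is started with /usePKICert. It assumes the certificate sits in the computer's Personal store with the Client Authentication EKU; the parameter names and the ccmsetup.exe path are hypothetical, and the FQDN and site code are the post's placeholders.

```powershell
# Added example: verify a usable client certificate exists, then run the post's ccmsetup command.
param(
    [string]$MpFqdn       = 'ServerPublicFQDN.co.uk',  # placeholder from the post
    [string]$SiteCode     = 'AAA',                     # placeholder from the post
    [string]$CcmSetupPath = '.\ccmsetup.exe',          # assumed location of the installer
    [switch]$NoCrlCheck                                # adds /NOCRLCheck, as in the post
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

# Keep only certificates that are in date, have a private key and carry the client-auth EKU.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $eku  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $cert.HasPrivateKey -and
    $cert.NotBefore -le $now -and
    $cert.NotAfter  -gt $now -and
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

if (-not $candidates) {
    Write-Error 'No valid client authentication certificate with a private key in LocalMachine\My; ccmsetup not started.'
    exit 1
}

# Record which certificates the client could pick up, for later troubleshooting.
foreach ($c in $candidates) {
    '{0}  expires {1:yyyy-MM-dd}  {2}' -f $c.Thumbprint, $c.NotAfter, $c.Subject
}

# Build the same command line as in the post; CRL checking stays on unless -NoCrlCheck is given.
$ccmArgs = @('/usePKICert')
if ($NoCrlCheck) { $ccmArgs += '/NOCRLCheck' }
$ccmArgs += "/mp:https://$MpFqdn", "SMSSITECODE=$SiteCode", "CCMHOSTNAME=$MpFqdn"

Start-Process -FilePath $CcmSetupPath -ArgumentList $ccmArgs -Wait
```

Run it from an elevated prompt on the machine being provisioned; a certificate that is expired or missing its private key is reported here rather than surfacing later as a client that never registers.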
When the client is installed the control panel applet knows how the client is accessing the infrastructure:
This one is on the internet and is happy about it.
Our client has joined a collection and gets an app, so we can see end-to-end that it’s working.
The app downloads and is installed. The DataTransferService log confirms the https connection (not that it could be working any other way, but it’s nice to see!)
We did a few other cool things with the solution. Here’s a screenshot of the console with the clients reporting in:
We deployed System Center Endpoint Protection:
SCEP is pretty cool now. The SCEP agent is policy-based, so as the client performs its first policy check upon installation, it is force-fed the SCEP client. No need to join a collection or submit inventory or any of those delays, straight in with the anti-malware! (It’s a shame it thinks VNC is a virus though).
So in rambling conclusion… SCCM 2012 RC2 IBCM = good. SCEP = good, everything = good.