SCCM 2012 CAS or Stand-alone to support multiple customer domains

  • Question

  • Hi

    We are looking at supporting multiple customers with SCCM 2012 (all features) and I believe that we have two options:

    1. Deploy stand-alone installation to each customer (pain to manage)

    2. We deploy a CAS and connect each customer into it

    • We know that a two-way trust needs to be established between the customer and us. But I am wondering if it is possible to use Active Directory Federation Services (ADFS) instead of a two-way trust, as there may be resistance to a two-way trust.
    • If the customer does allow a two-way trust, then are there any major issues/risks we should be aware of? We know about SID filtering and that the definition of Authenticated Users and Everyone would include all domains, so we would need to review and remove permissions etc. to protect shared resources. Also, what happens when you bring another two-way trust in (a bit like a hub and spoke)? I assume that only the hub has visibility/access to all the other domains; is this the case?

    Thanks to anyone who can help.

    Monday, July 22, 2013 12:22 PM

Answers

  • Why would you use a CAS for multiple customers? What advantages would it give you? I would not consider using a CAS for this. Specifically, I would keep them segregated.

    Jason | http://blog.configmgrftw.com


    Monday, July 22, 2013 2:21 PM

All replies

  • How many clients and customers are we talking about?
    A two-way trust is required because of Kerberos auth (SQL replication).

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, July 22, 2013 12:34 PM
  • Around 8 to start with ranging in size from 200 - 2000 desktops.
    Monday, July 22, 2013 12:41 PM
  • Although I am no licensing expert, it seems you may run into licensing issues by managing multiple customers with a single CAS?
    Monday, July 22, 2013 7:47 PM
  • Hi,

    I agree with Jason: if the clients are in the customers' domains and you should support all features of SCCM 2012, I would use separate environments as well.

    It will be a very messy setup with the same application being deployed many times etc., Windows Installer Product code import for Windows Installer source list updates will not work and so on.

    I would focus my effort on writing my own custom tools to manage all the different environments instead.

    regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Monday, July 22, 2013 9:06 PM
  • I agree with Jörgen, but would like to add the possibility to use the "Migration" feature to migrate the same Applications/Packages/Task Sequences between different Sites. So you could create a Skype-application in your own test/development site, then have all the customer's sites connected to that site and migrate over the production ready applications.

    Tim Nilimaa | Global Product Manager Enterprise Client Management at Lumagate

    Tuesday, July 23, 2013 10:34 AM
  • Hi all - thanks for all the input, I now have to go to the powers that be and tell them this is a bad idea.
    Friday, July 26, 2013 9:28 AM
  • Hi guys,

    I know this post is old but I'm also looking into the idea of servicing many clients with one SCCM installation.

    Do you know if this is something viable now or do you still feel that it cannot work?

    Monday, March 19, 2018 7:41 PM
  • Hi,

    I have been thinking about this topic too for a long time. And what I got after my research is that, in my opinion, SCCM stand-alone is not the right tool to achieve this goal. I think that the best option would be to use Intune, MDM and MAM, and if you pay attention, it looks like this is the way that Microsoft is pointing us. At the moment almost all tasks related to software deployment, patches and policies can be managed in this way.

    The problem arises when trying to manage OS deployment, on which I think that all scenarios are being covered except "computer replacement migrating user settings", provided that you have all your PCs migrated to Windows 10. If you still have computers on Windows 7, I think customers could drive the migration by using MDT and then, once the environment is migrated to Windows 10, use MDM and MAM to manage all the devices, on-premises and mobile.

    Of course this approach means that the company should replicate its on-prem AD into Azure AD, along with many other technical aspects, and forget about using other important SCCM functions like license management or software metering.

    This solution would be suitable only for medium and small companies, no more than 5000 clients. Big companies, I think, should complement this with SCCM on the cloud, Peer Cache and BranchCache.

    Regards,

    Guillermo

    Wednesday, September 26, 2018 11:32 AM