Managing clients in an unknown boundary

  • Question

  • we have an odd scenario with , and one which we for now cannot influence so please bear with me.

    We have a single site 2012 installation with a number of "known" location boundaries, most of which will have a "workstation DP" with an appropriate number of content boundary groups for content assignment and a single site assignment group.

    However, there is a large number of new remote and small locations where currently there is no IP information other than the overall class A subnet information for the whole environment - so we cannot include this in a boundary. We would like to set up a "catch all" to enable content to be deployed to clients in these locations. They are all in the same domain as the SCCM servers.

    So, bottom line, I assume we need to set up for "internet management" in this scenario - however if we do, do we require a full PKI solution or will the use of SCCM self-signed certificates allow for this level of management?

    Apologies for the obscure question

    many thanks

    Nick B 


    Solutions Architect


    • Edited by Nick_B64 Tuesday, July 8, 2014 11:49 AM
    Tuesday, July 8, 2014 11:48 AM

All replies

  • Self-signed certs are not sufficient for internet based clients.
    Do you want to manage them over the internet? Or are they part of your corp network? Boundaries/groups are basically not needed at all for ConfigMgr (with limitations) so you could use a fallback DP for those clients.


    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, July 8, 2014 12:13 PM
  • Err why do you need internet management?

    Any PC that has the CM12 client installed will fall back to any unprotected DP. They will be considered to be on a slow boundary and therefore you might need to adjust your deploys to take this into account. There is no need for IBCM to have clients access your CM12 environment, assuming they are on the LAN/WAN.


    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Tuesday, July 8, 2014 12:16 PM
  • Thanks guys, as I said, it is an 'odd' scenario.

    These are "normal" domain clients, in the same AD/domain as all the other devices in this solution, including the SCCM servers. All on corporate locations, for reasons I can't go into here, the specific IP subnet information for these locations is unknown (other than they will be 10.x.anything.anything) and we cannot use that as a boundary as we already have existing boundaries (and groups) for specific subnets in that range.

    We (the customer) want a catch all for content assignment (to a data centre DP) for any client that is in 10.x.anything.anything at a location that isn't already a defined boundary.

    So we can use one group for site assignment - that could include a boundary of 10.x.x.x subnet, and then set a fallback DP of "primary site server"??


    Thanks for this, guys - hard to explain not using "voice" :)


    Solutions Architect



    • Edited by Nick_B64 Tuesday, July 8, 2014 1:14 PM
    Tuesday, July 8, 2014 1:07 PM
  • Again you don’t need any boundaries to manage CM12 clients. If they are on the same network then all you need to do is install the CM12 client and you are done. Why would the MP not provide policy? There is no limitation on MP and boundaries.


    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Tuesday, July 8, 2014 1:13 PM
  • OK - thanks Garth.

    Coming from a 2007 background, the boundary thing is kind of imprinted on my brain! One last post (hopefully) to clarify.

    1. The MP will provide "policy" to the client based on Windows authentication (i.e. it's in the same domain?) and the fact it is on the same network

    2. Because it is in no boundary, it will have no content resource assigned, therefore it will fall back to any DP that has been configured for 'fall back' (i.e. DPs in the data centre)

    thanks again



    Solutions Architect

    Tuesday, July 8, 2014 1:26 PM
  • I hate to say it but you didn’t need boundaries in CM07 either.

    1. It's not Windows authentication but self-signed certs, aka the same process as CM07
    2. Yes, they will fall back to any unprotected DP, therefore you must ensure that you have at least 1 unprotected DP. Also you need to ensure that your deployments are set up to allow PCs to fall back to an unprotected DP.

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    • Marked as answer by Joyce L Monday, July 21, 2014 9:06 AM
    Tuesday, July 8, 2014 1:48 PM
  • Have to say I thought with 2007, in "mixed mode", if a client wasn't in a "recognised boundary" it didn't get assigned, thus it didn't get managed

    That's 8 years of my life gone :)

    anyway - all been very helpful, many thanks


    • Edited by Nick_B64 Tuesday, July 8, 2014 2:54 PM
    Tuesday, July 8, 2014 2:14 PM