How difficult is it to roll out PKI infrastructure in existing SCCM environment?

  • Question

  • Hi guys,

    We have yet to roll out SCCM clients on any of our end-user computers as we have been patiently waiting for our SysAdmin team to assist us in developing the PKI infrastructure. It's been taking longer than expected, and it could be months or longer (if at all) before it will be ready.

    My question is, if we rolled out SCCM to 20-30 client computers located close to us, how difficult would the transition to PKI be? I would really like to get started, at least collecting inventory, maybe do some basic reporting, and just wanted your advice on whether it's worth it to wait. Is it too much of a headache?

    Thank you!!

    Steve

    Thursday, June 2, 2016 1:41 AM

Answers

  • Yes, the communication would stop; however, if the system is domain joined, it will pick up the fact that the MP now requires HTTPS and switch over -- this should happen within 25 hours but can be forced by simply stopping and restarting the agent.

    If you are wanting to manage your OS X systems, then you really should look at using Parallels for Mac Management. It's a seamless plug-in for ConfigMgr and does not require HTTPS. Capabilities-wise, it far surpasses the built-in capabilities which are barebones at best.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by loss4words83 Thursday, June 2, 2016 3:19 PM
    Thursday, June 2, 2016 2:31 PM

All replies

  • Adding the necessary PKI certificate requirements and configuring ConfigMgr to support HTTPS client communication after an initial ConfigMgr deployment is a fairly straightforward task and wouldn't take more than a day or so, assuming the PKI certificates and infrastructure are properly deployed.

    One huge note here to remember is that client facing site roles like the MP, DP, and SUP can only be HTTP *or* HTTPS and not both. Thus, you need to plan for this if you will be supporting both types of communication.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by TorstenMMVP Thursday, June 2, 2016 6:09 AM
    Thursday, June 2, 2016 2:18 AM
  • Thank you, Jason.

    I guess my concern is if I already deployed an agent using HTTP, and then re-configured the server to HTTPS, would the communication stop? And if it does, what would I need to do to fix it? Would I need to re-deploy the agent on all computers again?

    We plan on only supporting HTTP or HTTPS. We hope to be using HTTPS so we can manage the Macs in our environment as well, but we won't be supporting both.

    Sorry for so many questions :)

    Steve

    Thursday, June 2, 2016 1:23 PM