Managing remote devices with SCCM doesn't necessarily require the introduction of Microsoft Intune. With the SCCM Cloud Management Gateway (CMG), you can securely extend your on-premises IT infrastructure into the cloud. Without a VPN or additional hardware, the CMG lets you centrally manage and update your devices with SCCM, anywhere and at any time, without sacrificing security. Find out here how to set up and use the CMG successfully.

The most important things in brief

  • Extension for SCCM without Intune — Enables remote devices to be managed via the cloud, without a VPN connection.
  • Flexible authentication — Supports Entra ID for modern identities, PKI for domain-joined devices, and tokens for special cases.
  • Cost-effective & secure — Saves VPN and infrastructure costs while ensuring that remote devices keep receiving updates and security policies.
  • Only for Windows devices — Works exclusively with SCCM and doesn't provide a full Intune alternative.

With the Cloud Management Gateway, we bring SCCM securely and efficiently to your endpoints outside the company network.

1. What is Cloud Management Gateway (CMG)?

Even companies that have not yet introduced Microsoft Intune can no longer avoid the need to manage devices that are rarely on the corporate network. Configuration Manager's answer is the Cloud Management Gateway (CMG) for SCCM/MECM, which makes many of SCCM's functions available to internet-connected clients. At a time when hybrid work models and remote access have become the norm, this is a significant advantage.

It makes it possible to manage devices outside the corporate network without relying on a direct connection to the internal network. Provided they are connected to the Internet, devices remain compliant, secure and always up to date with minimal effort. This not only reduces dependency on VPN connections, but also increases security through modern authentication methods such as Microsoft Entra ID or token-based systems.

In addition, the CMG provides continuous communication between a company's IT systems and its devices, regardless of their location. This makes it an indispensable tool for IT departments with a globally distributed workforce that still rely on SCCM for device management.

2. Why companies should rely on the cloud management gateway

The CMG offers flexibility and also cost savings: device management no longer depends on VPN connections, so VPN capacity, licences and support effort that existed only for that purpose can be reduced.

At the same time, it ensures a continuous connection to devices, regardless of where they are located. Whether for remote employees, mobile devices or small branches without their own IT infrastructure — CMG creates a secure and scalable solution that can be seamlessly integrated into existing systems.

Particularly in crisis situations, such as network and VPN disruptions, IT remains able to act and ensures smooth processes. Companies can also benefit from increased productivity, as employees can access required resources more quickly and without technical hurdles.

3. How the Cloud Management Gateway works

The CMG acts as an interface between devices and a company's IT infrastructure by ensuring communication via the Microsoft Azure cloud. It acts as a proxy that forwards requests from devices — whether for software updates, security policies, or inventory data.

Architecture and data flow

The CMG processes client requests and forwards them to the appropriate on-premises systems. The link between Azure and the on-premises site is always established outbound by the CMG connection point over TCP 443; the CMG never opens inbound connections to the corporate network, so no inbound firewall ports need to be exposed. Communication involves the following components:

Component | Description
Service Connection Point | Connects Microsoft Endpoint Configuration Manager (MECM) to Microsoft cloud services, manages the CMG deployment, synchronizes updates and enables integration with Microsoft Entra ID.
Cloud Management Gateway (CMG) | The Azure-hosted service that accepts HTTPS requests from internet clients and relays them to the on-premises infrastructure via the CMG connection point.
CMG Connection Point | The on-premises site system role that bridges the Azure service and the internal SCCM environment. It opens the outbound connection to the CMG and forwards client requests to the correct internal endpoint.
Management Point (MP) | Responsible for communication with clients, software distribution and policy delivery.
Software Update Point (SUP) | Responsible for providing and managing software updates.

Communication process

  1. Client request: a roaming device connected to the Internet sends an HTTPS request to the CMG service in Azure.
  2. Processing by the CMG: the CMG accepts the request and relays it to the CMG connection point over the channel the connection point has already opened outbound from the site.
  3. Transfer to the infrastructure: the CMG connection point routes the request to the Management Point or the Software Update Point, depending on its content.
  4. Reply to the device: the response travels back along the same path (connection point, CMG, client).

All client-to-CMG and CMG-to-site traffic is TLS-encrypted HTTPS over TCP 443, and the client authenticates to the CMG with a client certificate, an Entra ID token or a Configuration Manager token before any policy or inventory data is exchanged. Integration with Microsoft Endpoint Configuration Manager (MECM) gives administrators a single console for internal and internet clients, so no separate tooling is needed for remote devices, which simplifies processes and reduces administrative cost.
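As an added example (not code from the original article), the following PowerShell function, run from the CMG connection point or from any internet-facing client, checks the two things the data flow above depends on: that an outbound TCP 443 connection to the CMG service succeeds, and that the server authentication certificate the CMG presents validates normally (trusted chain, name matches the service FQDN) and is not about to expire. The service name contoso-cmg.cloudapp.net is an assumed placeholder.

```powershell
# Added example; not part of the original article. Assumed placeholder FQDN below.
$CmgFqdn = 'contoso-cmg.cloudapp.net'   # assumption: replace with your CMG service FQDN

function Test-CmgEndpoint {
    <#
      Opens an outbound TLS connection to the CMG and returns the validation result.
      Chain and host-name validation are left to the platform (no callback that
      returns $true), so a self-signed or mismatched certificate fails here
      exactly as it would fail on a client.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 443,
        [int]$WarnDays = 30        # warn when the certificate expires within this window
    )

    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($Fqdn, $Port)
    } catch {
        $tcp.Dispose()
        return [pscustomobject]@{ Fqdn = $Fqdn; Reachable = $false; Valid = $false
                                  Error = "TCP $Port unreachable: $($_.Exception.Message)" }
    }

    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Fqdn)   # throws if the chain or the name check fails
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Fqdn        = $Fqdn
            Reachable   = $true
            Valid       = $true
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            ExpiresSoon = ($daysLeft -le $WarnDays)
            Thumbprint  = $cert.Thumbprint
        }
    } catch {
        [pscustomobject]@{ Fqdn = $Fqdn; Reachable = $true; Valid = $false
                           Error = "TLS validation failed: $($_.Exception.Message)" }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

Test-CmgEndpoint -Fqdn $CmgFqdn | Format-List
```

Run it from the CMG connection point and from an internet client; both must report Valid = True. The connection point needs nothing beyond this outbound path, so no inbound rule toward the site is required. Clients additionally download content from the CMG's Azure storage account, so that endpoint must also be allowed through egress filtering, and a result with ExpiresSoon = True is the cue to renew the CMG server certificate before remote clients lose contact.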

4. Practical advantages of the cloud management gateway

The CMG particularly shines in scenarios where SCCM is reaching its limits, but there are good reasons why Microsoft Intune is not yet the tool of choice. Remote workplaces benefit from the ability to receive updates and patches directly via the cloud without the need for a VPN connection.

As an intermediary between clients and the Configuration Manager infrastructure, it ensures that devices receive regular updates, security patches and policies, no matter where they are.

The most important benefits at a glance:

Easy management of mobile and remote devices

The CMG ensures that employees working from home, on business trips or at external locations can be managed and updated just as reliably as devices in the internal network. Updates are delivered directly from the cloud, so no complicated or expensive VPN infrastructure is required.

Supporting small branches without their own IT

Locations without local servers or IT personnel benefit from a secure and cost-effective connection to central corporate resources. This saves costs and reduces complexity, particularly when compared to traditional WAN or VPN solutions.

Centralized control and uniform standards

Companies with distributed or international locations can use the CMG to create a uniform platform to monitor and consistently comply with IT standards across the company. This increases IT compliance and reduces risks.

Improved security and resilience

Since updates and security patches for remote devices, including third-party applications deployed through Configuration Manager, are distributed continuously and automatically, the CMG shrinks the window in which unpatched remote devices are exposed. During VPN or WAN outages, any device with Internet access stays manageable (the CMG itself still depends on Azure and on the on-premises connection point being up). Integration with Entra ID provides authenticated client access without a PKI.

Lower infrastructure costs

Reducing or eliminating VPN and WAN connections results in significantly lower costs. At the same time, the infrastructure can be easily scaled without the need for additional hardware or servers on site.

5. Steps to successfully set up a cloud management gateway

  1. Azure subscription: the CMG runs as an Azure service, so a subscription in which you may create resources is required.

  2. Server authentication certificate: the CMG presents an HTTPS certificate to clients. Use a public CA, or your own PKI only if every internet client already trusts its root.
  3. Microsoft Entra ID: register Configuration Manager with your Entra tenant (Azure Services wizard, Cloud Management). This creates the server and client app registrations used for Entra ID authentication and for monitoring the CMG.
  4. Client authentication: choose the method(s) clients will use to authenticate to the CMG (Entra ID, PKI client certificate, or Configuration Manager token).
  5. CMG configuration: create the CMG, add the CMG connection point role to an on-premises site system, and enable CMG traffic on the management point and software update point (the MP must use HTTPS or Enhanced HTTP).
  6. Client setup: install the Configuration Manager client on remote devices with ccmsetup.exe, pointing it at the CMG and supplying Entra ID parameters, a PKI client certificate, or a bulk registration token.
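The site-side part of steps 5 and 6 as an added PowerShell example (not code from the article or from Microsoft). It assumes the Configuration Manager console is installed on the machine (the module path is derived from SMS_ADMIN_UI_PATH), site code ABC, the server names shown, and the default site installation directory for BulkRegistrationTokenTool.exe. The -AllowCloudGatewayTraffic parameters and the tool's /new and /lifetime switches are taken from the ConfigurationManager module and the tool's documented options; confirm them with Get-Help and BulkRegistrationTokenTool.exe /? for your version.

```powershell
# Added example; not from the original article. Run in an elevated PowerShell
# on the site server with the console installed. Assumed values are marked.
#Requires -RunAsAdministrator

$SiteCode  = 'ABC'                                  # assumption
$MpServer  = 'mp01.corp.contoso.com'                # assumption
$SupServer = 'sup01.corp.contoso.com'               # assumption
$CmBinDir  = 'C:\Program Files\Microsoft Configuration Manager\bin\X64'   # default path; assumption

# Load the ConfigurationManager module that ships with the console and switch to the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    # Step 5: the CMG must already exist; fail early if it does not
    $cmg = Get-CMCloudManagementGateway
    if (-not $cmg) { throw "No CMG found in site $SiteCode; create it in the console first." }

    # Let internet clients reach the MP and SUP through the CMG.
    # The MP must use HTTPS or Enhanced HTTP; CMG traffic is never plain HTTP.
    Set-CMManagementPoint     -SiteCode $SiteCode -SiteSystemServerName $MpServer  -AllowCloudGatewayTraffic $true
    Set-CMSoftwareUpdatePoint -SiteCode $SiteCode -SiteSystemServerName $SupServer -AllowCloudGatewayTraffic $true
} finally {
    Pop-Location
}

function New-CmBulkRegistrationToken {
    # Step 6 prerequisite for token-based registration: a short-lived bulk token.
    # The output is a bearer secret; anyone holding it can register a client with
    # the site until it expires, so keep the lifetime short and never commit it
    # to scripts, images or ticket systems.
    param([int]$LifetimeMinutes = 60)    # tool default is 3 days; shorter is safer (assumed switch)
    $tool = Join-Path $CmBinDir 'BulkRegistrationTokenTool.exe'
    if (-not (Test-Path $tool)) { throw "BulkRegistrationTokenTool.exe not found at $tool" }
    & $tool /new /lifetime:$LifetimeMinutes
}

New-CmBulkRegistrationToken -LifetimeMinutes 60
```

Generate the bulk token only when a batch of internet-first installs is about to run, hand it over through a channel you would also use for a password, and let it expire; clients that registered with it receive their own site-issued token afterwards and do not need the bulk token again.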

6. Secure authentication methods in the Cloud Management Gateway

The Cloud Management Gateway (CMG) offers multiple authentication options tailored to different scenarios. The selection of the appropriate method depends primarily on the devices and identities in the company to be managed:

  • Microsoft Entra ID (formerly Azure AD): cloud-based authentication for devices that are Entra joined or hybrid joined. The device obtains a token from Entra ID and presents it to the CMG. It is easier to set up and maintain than a PKI.

  • PKI certificates: the classic method for domain-joined devices managed via Active Directory (AD). The client authenticates to the CMG with a client authentication certificate from your PKI (mutual TLS). The channel is TLS-encrypted with every method, so the certificate's job is authentication, not encryption. The issuing CA's root must be trusted on the client, and the CRL must be reachable from the internet unless CRL checking is disabled for the client.

  • Token-based authentication: for devices where neither PKI nor Entra ID is possible or practical, typically clients that are rarely or never on the internal network and therefore cannot obtain PKI certificates. Configuration Manager issues and manages its own tokens: a client that registers on the intranet receives a site-issued token from the management point and renews it automatically, and a device that is first registered from the internet uses a short-lived bulk registration token created by an administrator. A bulk token is a bearer secret and should be treated like a password until it expires.
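Step 6 of the setup list and the three authentication methods above come together in the ccmsetup.exe command line. The following added PowerShell example (not code from the article or from Microsoft) builds that command line for each method and, optionally, runs it after checking the installer's signature. The CMG URL, site code, tenant and app IDs and the resource URI are assumed placeholders; take the real values from the CMG properties and the Entra app registrations in your console. The ccmsetup.exe parameters used (/mp, CCMHOSTNAME, SMSSITECODE, AADTENANTID, AADCLIENTAPPID, AADRESOURCEURI, /UsePKICert, /regtoken) are the documented ones for internet installation via a CMG.

```powershell
# Added example; not from the original article. All identifiers are placeholders.

function Get-CmgClientInstallArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('EntraID', 'PKI', 'Token')][string]$Method,
        [Parameter(Mandatory)][string]$CmgUrl,    # host + CCM_Proxy_MutualAuth path, without https://
        [Parameter(Mandatory)][string]$SiteCode,
        [string]$TenantId,        # EntraID: tenant GUID
        [string]$ClientAppId,     # EntraID: client app registration ID
        [string]$ResourceUri,     # EntraID: server app registration URI
        [string]$RegToken         # Token: output of BulkRegistrationTokenTool.exe /new
    )
    # /mp and CCMHOSTNAME both point at the CMG so the client can locate its MP from the internet
    $parts = @("/mp:https://$CmgUrl", "CCMHOSTNAME=$CmgUrl", "SMSSITECODE=$SiteCode")
    switch ($Method) {
        'EntraID' {
            if (-not ($TenantId -and $ClientAppId -and $ResourceUri)) {
                throw '-TenantId, -ClientAppId and -ResourceUri are required for Entra ID authentication'
            }
            $parts += "AADTENANTID=$TenantId", "AADCLIENTAPPID=$ClientAppId", "AADRESOURCEURI=$ResourceUri"
        }
        'PKI' {
            # The device must already hold a client authentication certificate in the machine
            # store, and the CMG server certificate's issuer must be trusted by the device.
            $parts += '/UsePKICert'
        }
        'Token' {
            if (-not $RegToken) { throw '-RegToken is required for token authentication' }
            # Bearer secret: pass it at run time; never bake it into an image or a shared script.
            $parts += "/regtoken:$RegToken"
        }
    }
    return ($parts -join ' ')
}

function Install-CmClientViaCmg {
    param(
        [Parameter(Mandatory)][string]$CcmSetupPath,    # ccmsetup.exe copied from <site>\Client
        [Parameter(Mandatory)][string]$ArgumentString
    )
    if (-not (Test-Path $CcmSetupPath)) { throw "ccmsetup.exe not found: $CcmSetupPath" }
    # Verify the Authenticode signature before running a binary that arrived over the internet
    $sig = Get-AuthenticodeSignature -FilePath $CcmSetupPath
    if ($sig.Status -ne 'Valid') { throw "ccmsetup.exe signature status: $($sig.Status)" }
    Start-Process -FilePath $CcmSetupPath -ArgumentList $ArgumentString -Wait -NoNewWindow
}

# Entra ID variant (placeholder GUIDs and names)
$argsEntra = Get-CmgClientInstallArgs -Method EntraID -SiteCode 'ABC' `
    -CmgUrl 'CONTOSO-CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500' `
    -TenantId '00000000-0000-0000-0000-000000000001' `
    -ClientAppId '00000000-0000-0000-0000-000000000002' `
    -ResourceUri 'https://ConfigMgrService'
$argsEntra

# Token variant; the token value comes from BulkRegistrationTokenTool.exe on the site server
$argsToken = Get-CmgClientInstallArgs -Method Token -SiteCode 'ABC' `
    -CmgUrl 'CONTOSO-CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500' `
    -RegToken $env:CM_REG_TOKEN    # injected at run time, not stored in the script
$argsToken

# Install-CmClientViaCmg -CcmSetupPath 'C:\Temp\ccmsetup.exe' -ArgumentString $argsEntra
```

The PKI variant carries no secret on the command line because the client certificate is already in the machine store; the Entra ID variant carries only public identifiers; the token variant carries a bearer secret, which is why the example reads it from an environment variable set by the deployment tool rather than from the script text. Whichever variant you use, the logs to check afterwards are ccmsetup.log for the installation and ClientIDManagerStartup.log for the registration.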

7. Deployment scenarios of the Cloud Management Gateway

The Cloud Management Gateway is particularly useful in the following scenarios:

Managing traditional Windows clients with Active Directory (AD)

Companies that use domain-bound devices benefit from PKI-secured communication for software updates, endpoint protection, compliance settings, and inventory.

Modern identity with Microsoft Entra ID

Windows 10 and later devices that are hybrid joined or Entra joined can be managed with Microsoft Entra ID. This method does not require a PKI and, because the user identity is known, also allows user-targeted deployments.

Installing the Configuration Manager Client from the Internet

Windows 10/11 devices can be authenticated directly from the CMG for client registration and assignment using Entra ID, without having to be connected to the internal network.

Co-managed device deployment

The CMG is required when new devices provisioned with Windows Autopilot and joined to Microsoft Entra ID are to be co-managed by Intune and Configuration Manager, because the Configuration Manager client is installed from the internet via the CMG. Existing devices that already have the client do not need the CMG to auto-enroll into Intune.


8. Conclusion: Why the Cloud Management Gateway is a must for SCCM users

The Cloud Management Gateway (CMG) is a valuable extension for companies that already use Microsoft Configuration Manager and have an increasing number of remote or hybrid devices, but are not yet fully using Microsoft Intune. It enables efficient management of devices outside the internal network, particularly Windows clients, without relying on a complex VPN infrastructure.

The CMG reduces operating costs, as no additional WAN connections or complex VPN configurations are required, and at the same time improves security by allowing devices to be patched regularly and to receive security updates wherever they are. Although the CMG is limited to Windows devices and selected Configuration Manager features, it offers significant advantages, especially in environments with classic domain-joined clients.

Companies that currently rely on on-premise management and are gradually striving for a more modern IT infrastructure benefit from the seamless integration of CMG. It thus creates a bridge between traditional and modern cloud-native device management and opens up opportunities to make existing IT processes more flexible and adapt them to changing requirements.

About the author:

Since 2011, Thore has focused exclusively on endpoint management and endpoint security topics. Initially focused on software packaging and software distribution with Microsoft MECM/SCCM and Ivanti DSM, he is now a sought-after interlocutor when it comes to unified endpoint management, system hardening, patch management and endpoint protection. The focus is in particular on the Microsoft technologies Intune, Configuration Manager, Entra and Defender. Thore is co-founder of the “Endpoint Management” expert group at IAMCP e.V.
