Yes, otherwise it will just be self-signed.  I just wrapped on having to design 
something similar to this, give me some time to TechNet dive.  Most of this 
came from testing, logs, and discussions with MS employees though rather than 
what I could research online.

This blog from Adam Meltzer summarizes the selection process of MPs.
http://blogs.msdn.com/b/ameltzer/archive/2013/06/17/quick-summary-on-how-management-point-selection-works-in-flexible-formerly-native-mode-in-configuration-manager-2012.aspx

The gist though is either make the HTTPS site less appealing to the client or 
let the clients fail to HTTP.

From: [email protected] On Behalf Of Todd Hemsell
Sent: Tuesday, August 5, 2014 3:36 PM
To: [email protected]
Subject: Re: [mssms] Sanity check on management points and MDM

Any documentation around this and what does "pki enabled" mean? Have a cert?  
"but if it’s not PKI enabled it won’t use it and move to the next MP (your 
unsecured). "


On Tue, Aug 5, 2014 at 3:30 PM, Belcher, Daniel (US - Hermitage) <[email protected]> wrote:
It’s not exactly clean, but setting up 2 side by side MPs with one secured and 
the other unsecured shouldn’t cause any major impact outside of your clients' 
native MP assessments.

The largest headaches I’ve seen from this have come from the initial client 
install more than anything, and that’s just a matter of pointing them to the 
correct MP from the install string.

I might be missing something here in terms of your end goal though that 
complicates this more.  However it is right, the client will prefer the HTTPS, 
but if it’s not PKI enabled it won’t use it and move to the next MP (your 
unsecured).

From: [email protected] On Behalf Of Todd Hemsell
Sent: Tuesday, August 5, 2014 3:16 PM
To: [email protected]
Subject: Re: [mssms] Sanity check on management points and MDM

Too much complexity. I like to keep it simple and easy to maintain.

I do not like to implement things where I am the only one that understands them 
or can support them.

On Tue, Aug 5, 2014 at 3:11 PM, Marcum, John <[email protected]> wrote:
Another option… You could unpublish the HTTPS one if there's a way to hard code 
it to the CE clients so they know where to go.

http://blogs.technet.com/b/michaelgriswold/archive/2014/04/22/how-to-get-clients-to-avoid-one-of-your-management-points.aspx




From: [email protected] On Behalf Of Todd Hemsell
Sent: Tuesday, August 05, 2014 3:04 PM
To: [email protected]
Subject: Re: [mssms] Sanity check on management points and MDM

Well, so much for that.

Whoever added the requirement to use https before you can manage devices needs 
to be horsewhipped.
If I want to manage 50 Windows CE scan guns I need to deploy a cert to every 
system in the enterprise and force them to use https instead of http. Makes 
sense.

On Tue, Aug 5, 2014 at 2:20 PM, Niall Brady <[email protected]> wrote:
And they prefer https over http

Sent from my phone, please excuse any typos as a result.


On 05 Aug 2014, at 20:50, "Marcum, John" <[email protected]> wrote:
No. MPs don't use boundaries.

From: [email protected] On Behalf Of Todd Hemsell
Sent: Tuesday, August 05, 2014 1:48 PM
To: [email protected]
Subject: [mssms] Sanity check on management points and MDM

Right now I have 1 management point using http

Can I add an https management point for mobile devices on a separate server and 
set the subnet the mobile devices are on to use the new management point 
without affecting the existing systems and existing management point?

/Todd

________________________________

Confidentiality Notice: This e-mail is from a law firm and may be protected by 
the attorney-client or work product privileges. If you have received this 
message in error, please notify the sender by replying to this e-mail and then 
delete it from your computer.

This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law. If you 
are not the intended recipient, you should delete this message and any 
disclosure, copying, or distribution of this message, or the taking of any 
action based on it, by you is strictly prohibited.
