Haven't encountered any debilitating issues outside of improperly configured 
client install strings. However, in the non-PKI portions we are imaging out of a 
different environment entirely, only connecting to SCCM post build. We have 
segments of the hierarchy performing OSD but they are generally all PKI. Our 
environment is rather diverse to say the least in use cases, but I've not seen 
any non-standard OSD headaches, at least not that I can recall.

Daniel Belcher
________________________________
From: elsalvoz<mailto:[email protected]>
Sent: ‎8/‎5/‎2014 5:35 PM
To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] Sanity check on management points and MDM

Daniel, did you encounter any issues around imaging? Or did adding an HTTPS MP 
internally address your OSD issues, if you encountered any?


Thanks,
Cesar


On Tue, Aug 5, 2014 at 2:12 PM, Belcher, Daniel (US - Hermitage) 
<[email protected]<mailto:[email protected]>> wrote:
Hah, I need to write up some scrubbed blogs on all I've been working on, but 
can't share outright as the company I work for loves its confidentiality. 
Same reason I've been non-existent on these mail groups the past 2 years.

Daniel Belcher
________________________________
From: Todd Hemsell<mailto:[email protected]>
Sent: ‎8/‎5/‎2014 3:55 PM

To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] Sanity check on management points and MDM

would really like to see your doc if you do not mind.
I have a few good ones I could trade you :)


On Tue, Aug 5, 2014 at 3:46 PM, Belcher, Daniel (US - Hermitage) 
<[email protected]<mailto:[email protected]>> wrote:
Yes, otherwise it will just be self-signed.  I just wrapped on having to design 
something similar to this, give me some time to TechNet dive.  Most of this 
came from testing, logs, and discussions with MS employees though rather than 
what I could research online.

This blog from Adam Meltzer summarizes the selection process of MPs.
http://blogs.msdn.com/b/ameltzer/archive/2013/06/17/quick-summary-on-how-management-point-selection-works-in-flexible-formerly-native-mode-in-configuration-manager-2012.aspx

The gist though is either make the HTTPS site less appealing to the client or 
let the clients fail to HTTP.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] 
On Behalf Of Todd Hemsell
Sent: Tuesday, August 5, 2014 3:36 PM
To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] Sanity check on management points and MDM

Any documentation around this and what does "pki enabled" mean? Have a cert?  
"but if it’s not PKI enabled it won’t use it and move to the next MP (your 
unsecured). "


On Tue, Aug 5, 2014 at 3:30 PM, Belcher, Daniel (US - Hermitage) 
<[email protected]<mailto:[email protected]>> wrote:
It’s not exactly clean, but setting up 2 side by side MPs with one secured and 
the other unsecured shouldn’t cause any major impact outside of your clients’ 
native MP assessments.

The largest headaches I’ve seen from this have come from the initial client 
install more than anything, and that’s just a matter of pointing them to the 
correct MP from the install string.

I might be missing something here in terms of your end goal though that 
complicates this more.  However it is right, the client will prefer the HTTPS, 
but if it’s not PKI enabled it won’t use it and move to the next MP (your 
unsecured).

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] 
On Behalf Of Todd Hemsell
Sent: Tuesday, August 5, 2014 3:16 PM
To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] Sanity check on management points and MDM

too much complexity. I like to keep it simple and easy to maintain.

I do not like to implement things where I am the only one that understands them 
or can support them.

On Tue, Aug 5, 2014 at 3:11 PM, Marcum, John 
<[email protected]<mailto:[email protected]>> wrote:
Another option… You could unpublish the HTTPS one if there's a way to hard code 
it to the CE clients so they know where to go.

http://blogs.technet.com/b/michaelgriswold/archive/2014/04/22/how-to-get-clients-to-avoid-one-of-your-management-points.aspx




From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] 
On Behalf Of Todd Hemsell
Sent: Tuesday, August 05, 2014 3:04 PM
To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] Sanity check on management points and MDM

well, so much for that.

Whoever added the requirement to use https before you can manage devices needs 
to be horsewhipped.
If I want to manage 50 Windows CE scan guns I need to deploy a cert to every 
system in the enterprise and force them to use https instead of http. Makes 
sense.

On Tue, Aug 5, 2014 at 2:20 PM, Niall Brady 
<[email protected]<mailto:[email protected]>> wrote:
And they prefer https over http

Sent from my phone, please excuse any typo's as a result.


On 05 Aug 2014, at 20:50, "Marcum, John" 
<[email protected]<mailto:[email protected]>> wrote:
No. MP's don't use boundaries.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Todd Hemsell
Sent: Tuesday, August 05, 2014 1:48 PM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] Sanity check on management points and MDM

Right now I have 1 management point using http

Can I add an https management point for mobile devices on a separate server and 
set the subnet the mobile devices are on to use the new management point 
without affecting the existing systems and existing management point?

/Todd

________________________________

Confidentiality Notice: This e-mail is from a law firm and may be protected by 
the attorney-client or work product privileges. If you have received this 
message in error, please notify the sender by replying to this e-mail and then 
delete it from your computer.

This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law. If you 
are not the intended recipient, you should delete this message and any 
disclosure, copying, or distribution of this message, or the taking of any 
action based on it, by you is strictly prohibited.
