Configuration Manager Enhanced HTTP Support
Enhanced HTTP is a feature implemented in Configuration Manager (CM) to enable administrators to secure client communication with site systems without the need for PKI server authentication certificates. Primarily this feature is used to support a Cloud Management Gateway (CMG) or to support Azure AD joined devices, both of which scenarios would otherwise require Management Points to be configured to use HTTPS with a PKI Server Authentication certificate.
Enhanced HTTP also allows clients to download content from a Distribution Point without the need for a Network Access Account, PKI client authentication certificates or Windows authentication as it establishes a new endpoint on the Distribution Point (CCMTOKENAUTH) that uses token-based access.
Refer to the Microsoft documentation for a full explanation of Enhanced HTTP and how to configure site systems to use it - https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http
Supported scenarios
Nomad supports downloading content from Distribution Points configured to use Enhanced HTTP without the need for a Network Access Account in the following scenarios.
Note
These scenarios assume the Management Point is configured to use HTTP (not HTTPS) as required for Enhanced HTTP.
Clients and site systems on the corporate network
Scenario | Clients supported | Notes |
|---|---|---|
Configuration Manager Package, Application, Software Update and Task Sequence Deployments | Workgroup AD Domain-joined Azure AD-joined Hybrid-joined | When content is deployed through CM, Nomad needs to obtain the access token for the Enhanced HTTP DP endpoint from the Management Point, which it is able to do using HTTP. For Task Sequences, the access token is available in the _SMSTSDPAuthToken Task Sequence variable, so Nomad does not need to obtain it from the MP. |
Nomad Pre-caching | Workgroup AD Domain-joined Azure AD-joined Hybrid-joined | Pre-caching requires Nomad to access the Management Point to locate the content and DP access token, which it is able to do using HTTP. |
These scenarios are also supported if the client on the corporate network gets a Cloud DP as a source.
Internet clients with CMG / Cloud DP
For the purpose of this discussion, Cloud DP refers to either a classic Cloud DP or a content-enabled CMG.
Scenario | Clients supported | Notes |
|---|---|---|
Configuration Manager Package, Application, Software Update and Task Sequence Deployments | Workgroup AD Domain-joined Azure AD-joined Hybrid-joined | When content is deployed through CM, Nomad is able to obtain the access token for Cloud DP from the CM client (1). If there are multiple Cloud DPs, the client will be able to download content from the Cloud DP for which the CM client queued the download job using the Cloud DP access token provided by the CM client. If that DP becomes unavailable, Nomad will attempt to connect to the other Cloud DPs in the list and will query the CMG for the new Cloud DP access token. If Nomad is unable to authenticate with the CMG(1) it will continue to retry the available DPs returned by the CM client until it is able to connect to the original DP. |
Nomad Pre-caching | Workgroup AD Domain-joined Hybrid-joined | Pre-caching requires Nomad to access the CMG to locate the content and obtain the Cloud DP access token(1). |
(1) If the CM client is not using a PKI client authentication certificate to authenticate with the CMG, Nomad will not be able to request content location or obtain the Cloud DP access token from the CMG. Note that CM requires Workgroup and AD Domain-joined clients to have a PKI client authentication certificate (refer to https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/certificates-for-cloud-management-gateway#bkmk_mphttps), so this will only affect Azure AD Joined / Hybrid devices that use Azure AD or token-based authentication with the CMG.