I have a couple of questions of using SCCM to deploy software for a user on a Windows laptop:

  1. Does user need to be logged in to the target laptop, or is it sufficient that it is on the corporate network?
  2. Or would it be sufficient that the target laptop is simply online? Meaning, not necessarily on corporate domain but maybe on users home network (for users who work at home). This would probably require some kind of component running on the users laptop, but does SCCM provide this functionality?
– coderworks (edited by Dave M)

1 Answer

  1. Does user need to be logged in to the target laptop, or is it sufficient that it is on the corporate network?

In general, the answer is no: the user does not need to be logged in. The only exception is if, in the Application/Program model, the Deployment Type you are using in this instance requires a user presence (Deployment Type - User Experience - Logon Requirement). I am not very familiar with the Package/Program model, but I believe it does not have the ability to make this distinction.

All that is required for software deployment is that the SCCM client can successfully pull the machine policy, download the content from the Distribution Point to the local ccmcache via BITS, and have an actionable service window (either a Maintenance Window or an expired deadline), and away you go.

The Management Point and Distribution Point need to be reachable by the client on HTTP and HTTPS. For Software Updates (i.e., SUP/WSUS) you need HTTP/HTTPS or 8530/8531 if you are using the alternative ports.

See here for details.

You also need to have your Boundary Groups and Distribution Points assigned appropriately. Naturally you will also need fresh DNS records and a network path from the client to the MP and DP in question. Generally, if the laptop comes in and sits on the corporate network long enough to "normalize", you should be fine without any additional configuration of SCCM infrastructure.


  2. Or would it be sufficient that the target laptop is simply online? Meaning, not necessarily on corporate domain but maybe on users home network (for users who work at home). This would probably require some kind of component running on the users laptop, but does SCCM provide this functionality?

This won't work... without some work. :)

The feature you are looking for is called Internet-based Client Management, which in a nutshell means you set up or utilize a PKI hierarchy so your SCCM clients can do client authentication in their HTTPS negotiations, configure your Management Point/s, Distribution Point/s and Software Update Point/s to use HTTPS, and make an MP and DP available to the Internet in your DMZ.

Clients will be able to tell when they are off network and will utilize whatever connection they have to try to reach the Internet-based MP and DP. SCCM is entirely a pull technology so as long as your clients can reach those servers and ports they can get their updates and send state messages back. Pretty frickin' sweet.

It is a PITA to set up, especially getting the certificates correct since IBCM requires specific OIDs, but it is pretty neat when it's all done.

I recommend Scenario 3 with No SQL Server Replica for a general trade-off between security and complexity but obviously your needs will vary depending on your organization.
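The following PowerShell script is an added example, not part of the answer above or of the question: it checks, from the laptop, the prerequisites the answer lists for both scenarios. For the on-network case it reads which MP the client is currently assigned to, tests the TCP path to the MP and DP on 80/443 and to the SUP on 8530/8531, lists the client's service windows and pending application deployments, and triggers a machine policy retrieval. For the IBCM case it reads the configured Internet MP and verifies that a machine certificate with the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) and a private key is present. All hostnames and ports in the `param` block are placeholders for this example; the `ClientInfo.InInternet` property, the `SMS_Authority`, `CCM_ServiceWindow` and `CCM_Application` classes, and the `InternetMPHostName` registry value are the ConfigMgr client interfaces this example relies on, and it assumes an elevated session on a machine with the ConfigMgr client installed.

```powershell
# Added example (not from the original answer): client-side readiness check for the
# pull-based SCCM flow, on the corporate network and in IBCM (Internet) mode.
# Run elevated on a laptop that has the ConfigMgr client installed.
param(
    [string]$IntranetMP = 'mp01.corp.example',     # assumed intranet Management Point FQDN
    [string]$IntranetDP = 'dp01.corp.example',     # assumed intranet Distribution Point FQDN
    [string]$InternetMP = 'mp-ibcm.example.com',   # assumed Internet-facing MP in the DMZ
    [string]$InternetDP = 'dp-ibcm.example.com',   # assumed Internet-facing DP in the DMZ
    [string]$SUP        = 'wsus01.corp.example',   # assumed Software Update Point (WSUS)
    [int[]] $SupPorts   = @(8530, 8531)            # WSUS alternative ports; use 80/443 if defaults
)

# id-kp-clientAuth: IBCM needs this EKU on the client certificate used for HTTPS client auth
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'

function Test-Tcp([string]$Name, [int]$Port) {
    $r = Test-NetConnection -ComputerName $Name -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $Name; Port = $Port; Open = $r.TcpTestSucceeded }
}

Write-Host "== 1. Which MP is the client using, and does it think it is on the Internet?"
$auth = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority
$info = Get-CimInstance -Namespace root\ccm -ClassName ClientInfo
$ccm  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM'
"Site                  : $($auth.Name)"
"Current MP            : $($auth.CurrentManagementPoint)"
"InInternet            : $($info.InInternet)"
"Configured Internet MP: $($ccm.InternetMPHostName)"   # empty means IBCM is not configured on this client

Write-Host "`n== 2. Network path: MP and DP on HTTP/HTTPS, SUP on its WSUS ports"
$targets = @(
    @{ Host = $IntranetMP; Ports = @(80, 443) }
    @{ Host = $IntranetDP; Ports = @(80, 443) }
    @{ Host = $SUP;        Ports = $SupPorts }
)
if ($info.InInternet) {
    # Off the corporate network only the DMZ-published roles matter, and only over HTTPS
    $targets = @(
        @{ Host = $InternetMP; Ports = @(443) }
        @{ Host = $InternetDP; Ports = @(443) }
    )
}
$results = foreach ($t in $targets) { foreach ($p in $t.Ports) { Test-Tcp -Name $t.Host -Port $p } }
$results | Format-Table -AutoSize

Write-Host "`n== 3. IBCM prerequisite: machine cert with Client Authentication EKU and a private key"
$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    (($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }) -contains $ClientAuthEku)
}
if ($clientCerts) {
    $clientCerts | Select-Object Subject, Issuer, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning "No valid client-authentication certificate with a private key; HTTPS client auth to the IBCM MP will fail."
}

Write-Host "`n== 4. Service windows and application deployments known to the client"
Get-CimInstance -Namespace root\ccm\ClientSDK -ClassName CCM_ServiceWindow |
    Select-Object ID, Type, StartTime, EndTime | Format-Table -AutoSize
Get-CimInstance -Namespace root\ccm\ClientSDK -ClassName CCM_Application |
    Select-Object FullName, InstallState, EvaluationState, Deadline | Format-Table -AutoSize

Write-Host "`n== 5. Trigger a machine policy retrieval so new deployments arrive now, not at the next poll"
# {...0021} is the Machine Policy Retrieval & Evaluation Cycle schedule ID
Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
    -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null
Write-Host "Follow $env:windir\CCM\Logs\PolicyAgent.log, then CAS.log and ContentTransferManager.log for the BITS download into ccmcache."
```

If step 1 shows `InInternet = True` but the Internet MP value is empty, the client has no IBCM configuration and will simply wait until it is back on a boundary that can reach the intranet MP; if step 3 finds no certificate, the HTTPS negotiation with the DMZ MP will fail before any policy is pulled, which is the certificate problem the answer warns about.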

  • So I got this bat signal to check this answer out, and I'm honored :-). Solid answer. The only thing I would add is that there are applications that can be targeted to user collections and not machine collections, so that would obviously require a user logged on. Also, a person on another network logged into the corp. VPN would (at least in our setup) get required SCCM deployments, and like you said kce, IBCM is an option; we never got it fully set up – MDMoore313 Aug 06 '15 at 12:41
  • @BigHomie We got IBCM all set up and then our security plan got held up in red tape. In five years I'll let you know how it turns out. –  Aug 06 '15 at 23:57