

Installing the SCCM client on off-campus and off-domain machines

Preface

The procedures described in this doc assume that you are running the installation manually on the endpoint. Either method could be incorporated into a GPO to install the client while the machine is on a campus network (on campus or VPN).

The “ConfigMgrClientHealth script” mentioned in this doc refers to the following third-party PowerShell script:

https://gallery.technet.microsoft.com/ConfigMgr-Client-Health-ccd00bd7

UFIT has placed a copy of this script here:

\\ad.ufl.edu\ufad\SCCM\UF2-ClientInstallation\ConfigMgrClientHealth-0.7.6

This copy has had its config.xml file modified to be used for on-campus installs, but we can use it as a base for our off-campus installer as described in this doc.

NOTE: the UFIT-SCCM-Client-Install-Health-Template GPO is not meant to be linked directly. It is intended to be a template that units can copy and build from. Likewise, the contents of the \\ad.ufl.edu\ufad\SCCM\UF2-ClientInstallation share are not meant to be used to deploy installs from. The contents of this folder are meant to be copied to a share that is hosted by the unit. Endpoints should read the health script and client install files from the unit-hosted share. Directly utilizing the UFIT-provided GPO or share could cause problems for units after any SCCM updates, as these items may change.

Off Campus SCCM Client Install

If an endpoint will be spending a significant amount of time off campus, it is best to configure it to use SCCM’s “Internet-based client management”, or “IBCM” for short. Internet clients provide only a subset of the features that are available to on-campus clients. For detailed information regarding the site system roles that support internet clients, please refer to the following Microsoft article:

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/plan-internet-based-client-management#client-communications

Install without using ConfigMgrClientHealth script

Below is the full install string with all ccmsetup.exe options to set up an endpoint to use IBCM:

ccmsetup.exe /source:<installation files path> /UsePKICert /NoCRLCheck SMSSITECODE=UF2 CCMHOSTNAME="ufit-cm-ibcm.it.ufl.edu"

<installation files path> represents the location from which to download installation files. You can use a local or UNC installation path. Files are downloaded by using the Server Message Block (SMB) protocol.

Install using ConfigMgrClientHealth script

If you are using the ConfigMgrClientHealth script method to install (as is used in the UFIT-SCCM-Client-Install-Health-Template GPO), you will need to make some changes to the “config.xml” file that is part of the ConfigMgrClientHealth script.

First, copy the \\ad.ufl.edu\ufad\SCCM\UF2-ClientInstallation\ConfigMgrClientHealth-0.7.6 folder to a location that will be accessible to the endpoint (e.g., a USB key or network share)

<ClientInstallProperty>FSP=ufit-cm-p-09.ad.ufl.edu</ClientInstallProperty>

Then add the following:

<ClientInstallProperty>/UsePKICert</ClientInstallProperty>

<ClientInstallProperty>/NoCRLCheck</ClientInstallProperty>

<ClientInstallProperty>CCMHOSTNAME="ufit-cm-ibcm.it.ufl.edu"</ClientInstallProperty>

You will also need to change the following line to point to the share path where your unit’s copy of the SCCM client install files are located:

<Client Name="Share">\\ad.ufl.edu\ufad\SCCM\UF2-ClientInstallation\Client</Client>

Off-Domain SCCM Client Install

It is highly recommended that all SCCM clients be on domain. Microsoft has geared SCCM specifically towards managing on-domain machines. Off-domain machines cannot take advantage of all management features.

The trick to getting an off-domain machine to work with SCCM is ensuring that it has the proper UFAD client cert. Listed below are possible methods to install an SCCM client on an off-domain machine. Please note that these tasks will need to be repeated every time the client cert expires.

  • Add the machine to the domain temporarily so that it receives the necessary UFAD client cert. Once it is added to the domain, perform the SCCM client install. Once the install is complete, remove the machine from the domain.
  • Once the self-serve portal is available, unit admins can submit cert requests for their off-domain machines. A separate request will need to be made for every endpoint that is to have the SCCM client installed. There is not a current ETA on this portal, but an announcement will be made once it is ready.
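
A pre-install check for the certificate requirement described above, written as an added example that is not part of the original UFIT document or the ConfigMgrClientHealth script. It looks in the computer store for an unexpired certificate with a private key and the Client Authentication EKU and reports how long it has left; the -IssuerMatch value and the 30-day threshold are assumptions to adjust for your unit.

```powershell
# Added example: check for a usable client certificate before installing.
# Assumptions (not from the UFIT doc): the -IssuerMatch value is a placeholder
# you supply, and the 30-day warning threshold is arbitrary.
param(
    [string]$IssuerMatch = '',   # substring of your issuing CA's name; empty = any issuer
    [int]$WarnDays = 30
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Require an explicit Client Authentication EKU on the certificate.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

# Computer store only: the SCCM client uses a machine certificate.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (Test-ClientAuthEku -Cert $_) -and
    (-not $IssuerMatch -or $_.Issuer -like "*$IssuerMatch*")
} | Sort-Object NotAfter -Descending)

if ($candidates.Count -eq 0) {
    Write-Warning 'No unexpired client-authentication certificate with a private key found in LocalMachine\My.'
    exit 1
}

$best = $candidates[0]
$daysLeft = [int][math]::Floor(($best.NotAfter - $now).TotalDays)
[pscustomobject]@{
    Subject = $best.Subject; Issuer = $best.Issuer
    Thumbprint = $best.Thumbprint; NotAfter = $best.NotAfter; DaysLeft = $daysLeft
}
if ($daysLeft -le $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft day(s); plan to repeat the cert steps above."
}
```

Run it from an elevated PowerShell session on the endpoint before starting ccmsetup.exe; a non-zero exit code means no suitable certificate was found.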