Most every organization, and really most of humanity, is currently navigating uncharted territory.  With a global pandemic arriving at the doorstep of nearly every continent, every nation, every local community…humankind is left scrambling to embrace what little is left of normalcy.  A large part of normalcy for many of us, where we usually spend 40 or more hours a week, is, of course, our job.  Disruptions like the coronavirus pandemic can certainly do a lot to upend not only our personal lives but our professional lives too.  Fortunately, we are in the golden age of technology, where platforms and tools have evolved and matured enough to make working remotely not only easy but as productive as physically being in the office.

Microsoft Endpoint Manager

Leverage MEM for Managing Remote Employees

Providing VPN or cloud services to allow employees to work from anywhere is certainly a first step, but once they are able to work remotely, how can we leverage Microsoft Endpoint Manager to manage and secure those devices when they are working from their home office?  Or a coffee shop?  Or waiting in their car outside a Walmart for a toilet paper delivery?

MEM offers two different options to extend your device management into the cloud: 1) Cloud Management Gateway (referred to from here on as CMG) or 2) Co-Management. For more information on what Microsoft Endpoint Manager (MEM) is, visit:

Cloud Management Gateway

CMG has been around since before co-management with Intune existed.  For the SCCM/SMS lifers out there, we know CMG as the evolution of internet-based client management, or IBCM for short.  Prior to CMG, you could build SCCM infrastructure in your demilitarized zone (DMZ) that could facilitate communication to your on-prem SCCM without giving direct access to your data center, using a firewall between the DMZ and the network on which your SCCM infrastructure resided.  Now, instead of investing in your own infrastructure and administering the firewall rules to allow connectivity, you can simply provision the CMG service in Azure from your SCCM console.  This process connects your on-prem SCCM environment to the Azure cloud and thus allows your devices to communicate over the internet through the CMG, which acts as a proxy between the clients and your site.  Once your CMG is operational, you can manage these devices over the internet.  Most importantly, you can rest assured that they will be able to get security updates directly from Windows Update (at no additional cost for outbound data!) and can even receive applications that you choose to deploy to them.


While a CMG is certainly your foot in the door when it comes to extending your management into the cloud, co-management between Microsoft Endpoint Configuration Manager (MECM) and Intune provides the richest set of features and management capabilities.  Not to mention that if you already own licensing for MECM, you can start enrolling your devices in Intune immediately without incurring any additional licensing cost (see here).  Something else to consider when deciding between CMG and Co-Management, and I’m purely speculating here: don’t be surprised to see Microsoft deprecate CMG functionality in favor of co-management as the only solution for managing devices over the public internet.  Again, this is NOT something that Microsoft is socializing at this point, but it would seem like the natural evolution of internet-based client management to move fully to MEM Co-Management.

Like the CMG, Co-management allows you to deploy security updates and applications…and much more!  In addition to that same functionality, Co-management also allows you to do OS provisioning (AutoPilot), Endpoint Protection (Windows Defender ATP, BitLocker), Inventory (hardware and software), and Compliance, just to name a few.  Not to mention, once devices are enrolled in Intune and co-management is established, it unlocks the ability for you to start using Conditional Access to allow or restrict access to all your corporate data (email, documents, spreadsheets, etc.).

Final Thoughts

While managing remote employees certainly isn’t new to any organization, the growth in remote work spurred on by the coronavirus pandemic has probably got a lot of us wondering how we can leverage technology to not only allow employees to be productive but also to continue managing and securing their devices and the organizational data they access on those devices.  If that describes you, then you can deploy either CMG or Co-management to begin managing this quickly and effectively.


Microsoft Endpoint Configuration Manager / SCCM Services:

MessageOps can deliver these services to assist you:

  • Set up/configure Cloud Management Gateway and/or cloud distribution points
  • Develop a plan to assist in managing devices that are off the company network
  • Discuss how Intune licensing is included within SCCM licensing
  • Establish co-management with Intune
  • Complete Desktop Analytics to demonstrate the advantages it provides in a Win 10 migration
  • Create or enhance OSDs for Win 10 imaging or feature upgrades
  • Create or enhance software updates, ADRs, peer caching or Windows updates for business
  • Create or enhance Servicing Rings for Win 10 feature updates

Get started today by contacting us at or call 877-788-1617
