Endpoint Manager and Communication Client – Unified endpoint management (UEM) unifies Microsoft’s various mobile device management and data protection services into one comprehensive product suite, with Windows Autopilot, Intune and Configuration Manager all sharing a common administrative interface via Intune’s admin center.
Unified endpoint management protects corporate data and applications on any device with conditional user access, automated rules enforcement, compliance guidelines, and security safeguards.
Endpoint Manager Client Communication EMCC
Endpoint Manager infrastructure consists of high-performance, redundant servers which serve as an information repository and data store for computer programs, applications and operating system images; these are distributed to end-user computers through Endpoint Manager clients installed on each computer. It also automates the installation of updates and security patches. The Endpoint Manager client installed on each computer communicates securely with Endpoint Manager servers through HTTP to inventory hardware specifications and software installations, report device and system status data back to the servers, and perform periodic software scans in order to detect problems on each system.
As soon as a user logs onto an EMCC-registered cluster, that cluster’s EM service queries the home cluster assigned to that user (in Unified CM web administration, one home cluster is selected for every user). The query returns an ordered list of up to three remote EM Service nodes available for EMCC communication.
The visiting cluster’s EM service uses these communication channels to construct a configuration file for visiting phones. This file incorporates device configuration from both clusters as well as configuration parameters from the home cluster and the user’s EMCC CSS field (which determines the calling search space used when routing calls to the visiting cluster).
Configure Communication Client Settings
The Configure Communication Client Settings dialog box allows you to configure the mobile client settings that will be transferred to and used by CMC applications on devices. You can set these up either using user setting templates or individually for each user.
Communication Client Settings provide several options you can enable or disable for client communication on metered Internet connections, as well as a default listening port.
The option to let a managed endpoint share updates with its peers helps reduce Internet bandwidth consumption and speed up updates in large networks: update packages are downloaded once to a managed endpoint, which then serves as the source from which other clients collect their updates. Clients can limit how many other endpoints receive their updates, and this device count limit can be enabled or disabled as desired.
The Configure Communication Client Settings dialog box also enables you to choose an organizational unit (OU) or user group to which the settings apply, as well as assign priority ratings for individual client settings – higher priority settings will take precedence over lower ones when it comes time for deployment or updates across your network. This helps manage resources efficiently when installing software and updating devices across a network.
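The precedence rule described above (settings objects assigned to an OU or group, with the higher-priority object winning when several apply to one device) is easy to get wrong when auditing what a device actually received. The following Python model is an added example, not the product’s own code; it assumes that a higher priority number wins, as the text states, that the default settings apply to every device, and that an object which leaves a setting unconfigured does not override the value supplied by a lower-priority object. All setting names and sample objects are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ClientSettings:
    name: str
    priority: int             # assumption: a higher number takes precedence
    targets: frozenset        # OUs or user groups the object is assigned to; empty = all devices
    values: dict = field(default_factory=dict)   # only the settings this object configures


# Constructed sample: the default object applies everywhere and configures every setting.
DEFAULT_SETTINGS = ClientSettings("Default", 0, frozenset(), {
    "allow_updates_on_metered": False,
    "listening_port": 8443,
    "share_updates_with_peers": False,
    "peer_device_limit": 0,
})

# Constructed sample objects: one assigned to an OU, one to a user group.
SAMPLE_OBJECTS = [
    ClientSettings("Laptops", 5, frozenset({"OU=Laptops"}), {
        "allow_updates_on_metered": True,
        "share_updates_with_peers": True,
        "peer_device_limit": 20,
    }),
    ClientSettings("Finance", 10, frozenset({"Finance"}), {
        "allow_updates_on_metered": False,
    }),
]


def applicable_objects(device_targets, objects):
    """Objects whose OU/group assignment matches the device, lowest priority
    first, so that a higher-priority object is applied later and wins."""
    matched = [o for o in objects if not o.targets or o.targets & device_targets]
    return sorted(matched, key=lambda o: o.priority)


def effective_settings(device_targets, objects=SAMPLE_OBJECTS, default=DEFAULT_SETTINGS):
    """Start from the default, then overlay each applicable object in priority
    order. A setting an object leaves unconfigured is not touched, so the value
    from the next-lower priority object (or the default) remains in force."""
    merged = dict(default.values)
    for obj in applicable_objects(device_targets, objects):
        merged.update(obj.values)
    return merged


def setting_sources(device_targets, objects=SAMPLE_OBJECTS, default=DEFAULT_SETTINGS):
    """Audit helper: report which object supplied each effective value."""
    source = {key: default.name for key in default.values}
    for obj in applicable_objects(device_targets, objects):
        for key in obj.values:
            source[key] = obj.name
    return source


if __name__ == "__main__":
    # A laptop whose user is in the Finance group matches both sample objects.
    device = frozenset({"OU=Laptops", "Finance"})
    print(effective_settings(device))
    print(setting_sources(device))
```

For the sample device the Finance object (priority 10) overrides only the metered-connection setting, while peer sharing and the device limit still come from the lower-priority Laptops object, which is exactly the kind of partial override that `setting_sources` makes visible.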
Communications between endpoints in Configuration
The Communication Client allows you to interact with endpoints and configure their settings remotely, saving both time and effort when managing large groups of mobile users. It also offers a simple method for synchronizing updates from the server to endpoints quickly, which helps minimize inbound network traffic while making better use of available bandwidth.
Configuration changes that administrators make at remote endpoints are automatically synced to a central site system, from which they are applied to devices, groups or entire sites. A default source for these updates can be selected via the Communications Client Distribution menu.
The Communication Client can be configured as the SLO agent that receives logout messages from identity providers, using either front-channel or back-channel bindings to connect to Control Center. You must enter this URL in the SLO service configuration of each identity provider, and also set the communication mode on them.
Communications between site systems in a site
Millions of endpoint devices access networks each day, from PCs and laptops to industrial sensors and IoT hardware. Enterprises manage these endpoints using mobile device management (MDM) software for enrollment, configuration and deployment purposes as well as protecting corporate data across endpoints and cloud services.
Clients communicating with site system roles use service location to locate roles compatible with their protocol; for example, clients with IPv6 addresses might look for an HTTPS server. You can control how clients locate site system roles using network security policies and MDM settings on the server hosting them.
Certain site system roles require communication with both the site server and other servers in the same site, creating the need for secure tunneling options to increase communication security. In these instances, Secure Tunneling options within the site server role offer further safeguarding of these communications.
Configuring a fallback status point allows you to monitor client installations and report PKI certificate issues that prevent clients from reaching their management points. However, you should carefully consider the security implications of running an unauthenticated role that accepts communications in a publicly accessible network; one way of mitigating these risks would be installing it within its own separate perimeter network.
Site server to distribution point
Distribution points are server roles designed to store packages, programs, endpoint protection updates, applications and operating system images for delivery to computers. Each primary and secondary site can install up to 250 distribution points. Clients accessing a distribution point send information about their connection back to the management console, which helps when troubleshooting connection issues between the management console and distribution points.
The website point and the web service point work together to present software catalogs on a user-friendly website that users can browse. The website point also communicates with the site system to access the database records stored within it.
When a client requests content from a pull-distribution point, the site server notifies the pull-distribution point, which attempts to download the requested package; if the download fails, it retries according to the Software Distribution component retry settings. Pull-distribution points also report status to the site server according to the Software Distribution component status polling settings, which offloads processing from the site server. Unlike regular distribution points, pull-distribution points do not use the schedule or rate limit settings found on the General tab of the Software Distribution component properties.
Communications from clients to site systems
Endpoint Management provides the framework to configure, secure, and administer PCs, laptops, tablets and smartphones. In addition, Endpoint Management oversees industrial controls, remote sensors and other IoT devices.
The communication client installed on each managed device exchanges commands and information with site systems through the site system servers. On receiving updates, the client applies policies, updates its modules and sends status reports back. In addition, each communication client collects troubleshooting data for use by the server systems and informs them of the status of the managed device.
Before communicating with a site system role, clients need to know its address. Service location allows communication clients to search for site system roles that support various protocols; by default, these roles typically utilize secure communication channels like HTTPS or Enhanced HTTP.
The site system role requires computers in untrusted networks to use a local account with local administrative privileges when connecting to its server; this prevents other users from connecting through the account used to install the communications client and gaining entry via that same account. Furthermore, all communications between computers and servers in such networks must be encrypted using security certificates.
Client to management point communication
The client notification infrastructure provides a communication channel that enables Configuration Manager clients to receive time-sensitive tasks more quickly than the traditional polling method, using push rather than polling. TCP mode requires that the management point and client computers open an additional port in their firewalls, while HTTP mode requires no such configuration step.
When communicating with the server, a client begins by querying its assigned management point (PMP) for registration messages and certain policy messages. If it cannot find its PMP, it attempts to contact several other management points, starting with the preferred PMP specified during client installation.
Each time a client connects to a management point, its list of management points is updated. A client may use either a local MP list or a central MP list; in the latter case it creates its initial list upon installation and periodically downloads updates from the MPs ranked higher in its list, which gives faster downloads and reduced bandwidth consumption compared with downloading updates directly from the server.
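Service location (filtering site system roles to those compatible with the client’s protocol, preferring HTTPS) and the management point contact order (assigned or preferred MP first, then the others, with the list refreshed on every successful connection) are described in prose across the sections above. The following Python model is an added example that ties the two together; it is not Configuration Manager’s actual service-location algorithm, whose internals this page does not describe. It assumes that a client needs a PKI certificate to use an HTTPS management point, that an IPv6-only client can only use an MP that listens on IPv6, and that the MP hands back a refreshed list on registration; the hostnames and the reachability set are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class ManagementPoint:
    fqdn: str
    protocol: str        # "https" or "http" (Enhanced HTTP is treated as "http" in this model)
    ipv6: bool = False   # whether the MP is reachable over IPv6


@dataclass
class Client:
    has_pki_cert: bool                  # assumption: required for HTTPS in this model
    ipv6_only: bool                     # client that must find an IPv6-reachable MP
    preferred_mp: Optional[str]         # set during client installation
    mp_list: List[ManagementPoint] = field(default_factory=list)


# Constructed sample MP list, as a client might hold it after installation.
SAMPLE_MPS = [
    ManagementPoint("mp1.corp.example", "http"),
    ManagementPoint("mp2.corp.example", "https", ipv6=True),
    ManagementPoint("mp3.corp.example", "https"),
]


def is_compatible(client, mp):
    """Service location: keep only roles the client can actually use."""
    if mp.protocol == "https" and not client.has_pki_cert:
        return False
    if client.ipv6_only and not mp.ipv6:
        return False
    return True


def contact_order(client):
    """Preferred MP first, then HTTPS before HTTP; the existing list order
    breaks ties because sorted() is stable."""
    usable = [mp for mp in client.mp_list if is_compatible(client, mp)]
    return sorted(usable, key=lambda mp: (mp.fqdn != client.preferred_mp,
                                          mp.protocol != "https"))


def register(client, reachable, refreshed_list):
    """Try MPs in order; `reachable` is a constructed set of FQDNs simulating
    which MPs answer. On the first success the client adopts the refreshed
    MP list the MP hands back, modelling the per-connection list update.
    Returns the FQDN used, or None if no compatible MP answered."""
    for mp in contact_order(client):
        if mp.fqdn in reachable:
            client.mp_list = list(refreshed_list)
            return mp.fqdn
    return None


if __name__ == "__main__":
    client = Client(has_pki_cert=True, ipv6_only=False,
                    preferred_mp="mp3.corp.example", mp_list=list(SAMPLE_MPS))
    print([mp.fqdn for mp in contact_order(client)])
    # Preferred MP is down, so the client falls back to the next HTTPS MP.
    print(register(client, {"mp1.corp.example", "mp2.corp.example"}, SAMPLE_MPS[:2]))
    print([mp.fqdn for mp in client.mp_list])
```

Note how a client without a certificate is silently confined to the HTTP management point: that is the practical consequence of the protocol-compatibility rule, and it is why the sections above stress encrypting client-to-site-system traffic in untrusted networks.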