SCCM Updates to the application approval process in Configuration Manager

Y

Yvette O'Meally

Guest
#1
First published on CLOUDBLOGS on Aug 30, 2018
One of the important scenarios for application management is providing a controlled installation and uninstallation process for software that requires approval. In the last few releases of Configuration Manager (current branch) we’ve made several improvements to help you implement an application approval workflow in your environment. These improvements include faster evaluation of the approval action, and faster software delivery to the client. Also, the new workflow doesn’t require creating individual collections to manage installations and uninstallations for each application, which reduces the overall load on the Configuration Manager infrastructure and improves performance.

Let’s walk through a few examples.
Scenario #1


Sophia is the IT administrator at Contoso. She uses Software Center to make software available to the users. These applications must be approved before they are installed. Sophia deploys an application to all users and configures it to require approval.

Tim is a user. He browses the list of applications in Software Center but can’t install the application until the request is approved. Tim submits the request from Software Center and specifies the reason for the request. If the Configuration Manager version 1802 option, “Approve application requests for users per device” is enabled, Tim has to request approval from every device where he wants to install the application. Sophia then approves or denies the request for each of Tim’s devices where he made the request.

Here is Tim’s experience in Software Center:

Software Center requires Tim to submit the request for the application from his device.



Tim specifies the reason and submits the approval request.



Once Sophia approves the request, Tim can install the application on his device. If Tim takes no action, Configuration Manager automatically installs the application during non-business hours.




Scenario #2


The Northwind Traders has an existing application approval system, and Emma wants to integrate the approval system with Configuration Manager.

Emma deploys an application to all users and configures it to require approval. With Configuration Manager version 1802, Emma enables the Software Center client setting to "Hide unapproved applications in Software Center".



With this option, Liam doesn’t see the application in Software Center until the application request is approved for installation on the device. When approval is granted via the organization’s approval system, the orchestration system can make an approved request for Liam and his device in Configuration Manager. It uses the “CreateApprovedRequest” WMI method in Configuration Manager version 1802. This method then uses the existing Configuration Manager application deployment mechanism. It doesn’t modify collection memberships, and takes effect immediately. The application is now available to Liam in Software Center. Emma can also configure the automation to automatically install the application on Liam’s device. No other users will see the application as available in Software Center until the approval is granted. This solution provides per-user and per-device control of the software without the need to create separate collections.

The WMI method CreateApprovedRequest has the following input parameters:

Required parameters:
  • ClientGUID - Unique identifier of the client
  • Username - Unique username of the user, for example Liam
  • ApplicationID - Model name of the application

The ApplicationID is the ModelName property of the SMS_Application instance. This value is the unique ID of the application without the version. For example, "ScopeId_21A9ED3B-D8C6-49DC-87A6-01F296182F14/Application_40243740-01f2-48db-abf0-c95259986d94".

Optional parameters:
  • Comments - Comments for the approved request to be displayed in the Software Center. By default, it specifies an empty string.
  • AutoInstall - Install the application immediately after the request is approved. By default, this parameter is true.



The following code sample is a Windows PowerShell script that shows how to invoke the WMI method for a specific user, machine, and application.
$machinename = $args[0]
$username = $args[1]
$appid = $args[2]
$autoInstall = $args[3]
$comments = $args[4]

$scObj=Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation'
$sitecode = $scObj.SiteCode
$namespace ="root\sms\site_" + $sitecode
$machine = Get-WmiObject -Namespace $namespace -Query "SELECT * FROM SMS_R_SYSTEM WHERE Name = '$machinename'"
$clientGuid = $machine.SMSUniqueIdentifier
Invoke-WmiMethod -Path "SMS_UserApplicationRequest" -Namespace $namespace -Name CreateApprovedRequest -ArgumentList @($appid, $autoInstall, $clientGuid, $comments, $username)


The following command line is an example to run this sample script:
.\CreateApprovedRequest.ps1 "MachineName" "Domain\Melissa" "ScopeId_2E4DAE44-C9A0-4694-8B7A-474424C080D4/Application_88808a3a-86e4-4820-be59-aa7d61cb8c33 "true" "Application has been approved"


Emma can still see the approved requests in the Configuration Manager console in the Software Library, under Application Management, in the Approval Requests node.

The following screenshot shows an application request that is approved for Melissa on device R31578937.



The current version of this application approval WMI method has the following limitations:
  1. The CreateApprovedRequest method can be called only once for a unique machine ID, application ID, and username combination. It returns an error if the method is called with the same parameters more than once. The details about this error are in SMSProv.log.
  2. To enable the automatic install of the application, deploy the application to a collection of users or user groups before calling the WMI method. If you create the deployment after calling the WMI method, the application is made available to the user for install and won’t be automatically installed.

Scenario #3


If Emma revokes the approval, or the application is no longer in use, uninstall the application.

Emma revokes the approval of the application using the Configuration Manager console, a PowerShell script, or WMI. Even if the application was already approved, she can use the Deny option. Revoking the approval prevents Liam from installing the application on his device. Starting in Configuration Manager version 1806, the same action also causes uninstallation of the application on Liam’s device if the application was previously installed.

Learn more about the Deny-CMApprovalRequest cmdlet .

Prerequisites:
  1. Enable the “Use new Software Center” client setting
  2. Enable the feature to “Approve application requests for users per device”
  3. Prior to version 1806, the application catalog web service point and application catalog website point roles are required. For 1806 and later, these roles aren’t required.

We are looking for feedback ! Let us know what you like, what you didn’t like or doesn’t work for you, and your suggestions to improve this feature.

Continue reading...
 
Top