Monday, October 1, 2012

Deploy Applications from the Application Catalog with Custom Group Membership Global Condition.

Problem

Forgive my frustration and venting, but there is a resolution to this below. The Application Catalog is a fantastic idea in ConfigMgr 2012. The biggest issue I have, along with many others, is that I want to display all of my applications to my end users, not just the ones they are allowed to install. Part of this is supposed to be overcome by the Requires Approval section of the application deployment. This is supposed to let you advertise the application in the app catalog while giving the admin control over whether to approve the installation. This is a great thought for licensed applications or other restricted applications. The issue that many people have with it is that there is no way to remove an approval once the application has been approved for install. If you approve an application for installation and later deem it not needed, there is no way to revoke the approval. Yes, you can uninstall it, but the user can just go back into the app catalog and reinstall it, as the approval has already been granted.

Solution

I have a VBScript that, once imported as a global condition, lists all of the group memberships of a computer (I made it computer-based to satisfy our primary machine rule as well), which you can use in the requirement rules of your application. This allows you to set up your own approval process and control it via group membership. All of your applications can be advertised to your users in the Application Catalog, and on the software you need restricted you add the new global condition. I have created a couple of error scripts (SoftwareApprovalNotice; try both and see which you like best) that display a popup on the end user's machine if the global condition is not met. That way they have a reason why the application failed. The process below describes how to import the global condition and how best to use it in the application deployment requirements.

Prerequisites

1. ComputerGroupMembership.vbs Global Condition script
   a. Copy this to a location on your ConfigMgr Server that holds your existing custom global conditions. If one does not exist, create one.

2. ComputerGroupMembershipv2.vbs Global Condition script (allows for Group Nesting)
   a. Copy this to a location on your ConfigMgr Server that holds your existing custom global conditions. If one does not exist, create one.

3. SoftwareApprovalNotice.vbs Application Deployment Type (Optional)
   a. Copy this to your application source files on your ConfigMgr Server.

4. SoftwareApprovalNoticev2.vbs Application Deployment Type (Optional and Configurable)
   a. Copy this to your application source files on your ConfigMgr Server.

Process

Create the Global Condition

1. Open ConfigMgr 2012 console
2. Select Software Library
3. Expand Application Management
4. Expand Global Conditions
5. Select Create Global Condition from the Ribbon
   a. Name: Computer Group Membership
   b. Description: Checks the Computer Accounts domain group memberships
   c. Device Type: Windows
   d. Condition Type: Setting
   e. Setting Type: Script
   f. Data type: String
   g. Click Add Script
      i. Script Language: VBScript
      ii. Click Open
          1. Browse to the ComputerGroupMembership.vbs file you downloaded from the prerequisites section
          2. Click Open
      iii. Click OK
   h. Click OK

Setup Application

1. Open Active Directory Users and Computers
   a. Create a new group for your application
2. Open ConfigMgr 2012 console
3. Select Software Library
4. Expand Application Management
5. Expand Applications
6. Browse and open your existing application or create a new one
   a. Open the Deployment Types tab
   b. This is where I usually add in one of the SoftwareApprovalNotice scripts as a deployment type
      i. This will alert your users to contact the helpdesk if the computer is not a member of the group specified. This is not needed but is useful
      ii. If you do not want to add the Software Approval Notice deployment type, skip to step (6.c)
      iii. Click Add
          1. Type: Script Installer (Native)
          2. Click Next
             a. General Information
                i. Name: Software Approval Notice
                ii. Administrator comments: Whatever you want
                iii. Languages: English
                iv. Click Next
             b. Content
                i. Content location: Browse to the folder you saved SoftwareApprovalNotice.vbs on your ConfigMgr Server
                ii. Installation program: wscript.exe "SoftwareApprovalNotice.vbs" or wscript.exe "SoftwareApprovalNoticev2.vbs"
                iii. Click Next
             c. Detection Method
                i. Add Clause
                   1. Setting Type: File System
                   2. Type: File
                   3. Path: C:\
                   4. File or folder name: SoftwareApprovalNotice.txt (This file will never exist)
                   5. Click OK
                ii. Click Next
             d. User Experience
                i. Accept Defaults
                ii. Click Next
             e. Requirements
                i. Click Add
                   1. Category: Custom
                   2. Condition: Computer Group Membership
                   3. Operator: Does Not Contain
                   4. Value: <Your AD Group Membership Common Name>
   c. Add or Edit your existing deployment type for your application installation
      i. Open the requirements section
      ii. Click Add
          1. Category: Custom
          2. Condition: Computer Group Membership
          3. Operator: Contains
          4. Value: <Your AD Group Membership Common Name>
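
A sketch of what a script-based group-membership global condition can look like, added here as an example; it is not the ComputerGroupMembership.vbs from this post. It returns only direct memberOf entries and wraps each common name in an assumed "|" delimiter, so that a Contains / Does Not Contain value written as |<group CN>| cannot also match a longer group name that merely includes the same text (this assumes the operators compare substrings of the returned string).

```vbscript
' Added sketch; NOT the post's ComputerGroupMembership.vbs.
Option Explicit

Const DELIM = "|"   ' assumed delimiter, chosen for this example

' Return the value of the first RDN of a distinguished name,
' honouring backslash escapes such as "\," inside a group name.
Function CommonName(dn)
    Dim i, ch, out
    out = ""
    i = InStr(dn, "=") + 1
    Do While i <= Len(dn)
        ch = Mid(dn, i, 1)
        If ch = "\" Then
            i = i + 1
            out = out & Mid(dn, i, 1)
        ElseIf ch = "," Then
            Exit Do
        Else
            out = out & ch
        End If
        i = i + 1
    Loop
    CommonName = out
End Function

Dim sysInfo, computer, groups, dn, result
Set sysInfo = CreateObject("ADSystemInfo")
' ADSystemInfo.ComputerName is the DN of the local computer account.
Set computer = GetObject("LDAP://" & sysInfo.ComputerName)

result = DELIM
On Error Resume Next                   ' GetEx raises when memberOf is empty
groups = computer.GetEx("memberOf")    ' direct memberships only, no nesting
If Err.Number = 0 Then
    For Each dn In groups
        result = result & CommonName(dn) & DELIM
    Next
End If
On Error GoTo 0

' The global condition's String value is whatever the script echoes.
WScript.Echo result
```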

7 comments:

  1. There was a French article written about this methodology which I would like to address... Here are the issues they saw (sorry, had to use Google Translate so it may not flow the best):
    I would put more warnings on this methodology:
    • Users can be frustrated to see which applications they can access
    • Refusal installation can generate support calls to understand why the user could not get its application
    • This solution can generate an impact on the performance of the infrastructure. The optional aspect deployments targeting the user to limit the impact. It is not possible to deploy applications on all systems and global conditions and use Active Directory groups to assess whether machines can install the application.

    First, I do update the description so the users know if there is additional approval required before they download.

    Second, I don't see how this puts any more stress on the environment, as it processes on the client and checks the local DC as soon as it runs. You wouldn't put this restriction on apps you want to deploy to everyone or let everyone have access to.

  2. Replies
    1. I just tested them. They still appear to work.

  3. Links should be working again. Sorry all who tried to get to them and couldn't.
