Deploy Applications from the Application Catalog with Custom Group Membership Global Condition
Problem
Forgive my frustration and venting, but there is a resolution to this below. The application catalog is a fantastic idea in ConfigMgr 2012. The biggest issue I have, along with many others, is that I want to display all of my applications to my end users, not just the ones they are allowed to install. Part of this is supposed to be overcome by the Requires Approval section of the application deployment, which lets you advertise the application in the app catalog while giving the admin control over whether to approve the installation. This is a great thought for licensed applications or other restricted applications. The issue that many people have with it is that there is no way to remove an approval once the application has been approved for install. If you approve an application for installation and later deem it not needed, there is no way to revoke the approval. Yes, you can uninstall it, but the user can just go back into the app catalog and reinstall it, because the approval requirement has already been satisfied.
Solution
I have a VBScript that, once imported as a global condition, lists all of the group memberships of a computer (I made it computer-based to satisfy our primary machine rule as well), which you can use in the requirements rule of your application. This allows you to set up your own approval process and control it via group membership. All of your applications can be advertised to your users in the application catalog; on the software you need restricted, add the new global condition. I have created a couple of error scripts (SoftwareApprovalNotice; try both and see which you like best) that display a popup on the end user's machine if the global condition is not met. That way they have a reason why the application failed. The process below covers how to import the global condition and how best to use it in the application deployment requirements.
Prerequisites
1. ComputerGroupMembership.vbs Global Condition script
   a. Copy this to a location on your ConfigMgr Server that holds your existing custom global conditions. If one does not exist, create one.
2. ComputerGroupMembershipv2.vbs Global Condition script (allows for Group Nesting)
   a. Copy this to a location on your ConfigMgr Server that holds your existing custom global conditions. If one does not exist, create one.
3. SoftwareApprovalNotice.vbs Application Deployment Type (Optional)
   a. Copy this to your application source files on your ConfigMgr Server
4. SoftwareApprovalNoticev2.vbs Application Deployment Type (Optional and Configurable)
   a. Copy this to your application source files on your ConfigMgr Server
Process
Create the Global Condition
1. Open ConfigMgr 2012 console
2. Select Software Library
3. Expand Application Management
4. Expand Global Conditions
5. Select Create Global Condition from the Ribbon
   a. Name: Computer Group Membership
   b. Description: Checks the Computer Accounts domain group memberships
   c. Device Type: Windows
   d. Condition Type: Setting
   e. Setting Type: Script
   f. Data type: String
   g. Click Add Script
      i. Script Language: VBScript
      ii. Click Open
         1. Browse to the ComputerGroupMembership.vbs file you downloaded from the prerequisites section
         2. Click Open
      iii. Click OK
   h. Click OK
Setup Application
1. Open Active Directory Users and Computers
   a. Create a new group for your application
2. Open ConfigMgr 2012 console
3. Select Software Library
4. Expand Application Management
5. Expand Applications
6. Browse and open your existing application or create a new one
   a. Open the Deployment Types tab
   b. This is where I usually add in one of the SoftwareApprovalNotice scripts as a deployment type
      i. This will alert your users to contact the helpdesk if the computer is not a member of the group specified. This is not needed but is useful
      ii. If you do not want to add the Software Approval Notice deployment type, skip to step (6.c)
      iii. Click Add
         1. Type: Script Installer (Native)
         2. Click Next
            a. General Information
               i. Name: Software Approval Notice
               ii. Administrator comments: Whatever you want
               iii. Languages: English
               iv. Click Next
            b. Content
               i. Content location: Browse to the folder you saved SoftwareApprovalNotice.vbs on your ConfigMgr Server
               ii. Installation program: wscript.exe "SoftwareApprovalNotice.vbs" or: wscript.exe "SoftwareApprovalNoticev2.vbs"
               iii. Click Next
            c. Detection Method
               i. Add Clause
                  1. Setting Type: File System
                  2. Type: File
                  3. Path: C:\
                  4. File or folder name: SoftwareApprovalNotice.txt (This file will never exist)
                  5. Click OK
               ii. Click Next
            d. User Experience
               i. Accept Defaults
               ii. Click Next
            e. Requirements
               i. Click Add
                  1. Category: Custom
                  2. Condition: Computer Group Membership
                  3. Operator: Does Not Contain
                  4. Value: <Your AD Group Membership Common Name>
   c. Add or Edit your existing deployment type for your application installation
      i. Open the requirements section
      ii. Click Add
         1. Category: Custom
         2. Condition: Computer Group Membership
         3. Operator: Contains
         4. Value: <Your AD Group Membership Common Name>
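The Contains and Does Not Contain rules above are substring comparisons on the string the global condition returns, so a rule value that is also part of a longer group name matches members of the longer-named group too. The script below is an added example, not the author's ComputerGroupMembership.vbs: a PowerShell discovery script (so Script Language in step 5.g.i would be Windows PowerShell instead of VBScript) that resolves nested groups and delimits every name. The function name Get-ComputerGroupString, the '|' delimiter and the Visio group names in the comments are assumptions made for this example.

```powershell
# Added example: discovery script for a String-type script global condition.
# Assumptions: domain-joined client; the script runs as Local System, so the
# LDAP bind uses the computer account. Get-ComputerGroupString and the '|'
# delimiter are names chosen for this example.

function Get-ComputerGroupString {
    param([string]$ComputerName = $env:COMPUTERNAME)
    try {
        # Find this computer's object by sAMAccountName (NAME$).
        $find = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
        $computer = $find.FindOne()
        if (-not $computer) { return '||' }
        $dn = [string]$computer.Properties['distinguishedname'][0]

        # Escape LDAP filter metacharacters in the DN (backslash first).
        $dn = $dn -replace '\\', '\5c' -replace '\*', '\2a'
        $dn = $dn -replace '\(', '\28' -replace '\)', '\29'

        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC
        # resolve nested membership. The primary group (normally Domain
        # Computers) is not stored in 'member' and is not returned.
        $groups = [adsisearcher]"(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$dn))"
        $groups.PageSize = 500
        [void]$groups.PropertiesToLoad.Add('cn')
        $names = @(foreach ($g in $groups.FindAll()) { [string]$g.Properties['cn'][0] })

        # Delimit both sides of every name so a rule value of '|Visio|'
        # cannot match a group called 'Visio-Viewer' (constructed names).
        return '|' + (($names | Sort-Object) -join '|') + '|'
    }
    catch {
        # Directory unreachable: report no groups, so a Contains rule is not met.
        return '||'
    }
}

Get-ComputerGroupString
```

With this output format, the Value in both requirement rules is the group's common name wrapped in the delimiter, that is |<Your AD Group Membership Common Name>|.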
There was a French article written about this methodology which I would like to address... Here are the issues they saw (sorry, had to use Google Translate so it may not flow the best):
I would put more warnings on this methodology:
• Users can be frustrated to see which applications they can access
• Refusal installation can generate support calls to understand why the user could not get its application
• This solution can generate an impact on the performance of the infrastructure. The optional aspect deployments targeting the user to limit the impact. It is not possible to deploy applications on all systems and global conditions and use Active Directory groups to assess whether machines can install the application.
First, I do update the description so the users know if there is additional approval required before they download.
Second, I don't see how this puts any more stress on the environment, as it processes on the client and checks the local DC as soon as it runs. You wouldn't put this restriction on apps you want to deploy to everyone or let everyone have access to.
The links have been updated
Links are dead.
I just tested them. They still appear to work.
The links are broken again :(
Links should be working again. Sorry all who tried to get to them and couldn't.