Blog Post

Configuration Manager Blog
7 MIN READ

Application approval improvements in ConfigMgr 1810

yvetteomeally's avatar
yvetteomeally
Icon for Microsoft rankMicrosoft
Dec 18, 2018

Thank you for all the feedback on the improvements to application approvals and faster software installation in Configuration Manager 1806. We have added several new improvements in Configuration Manager current branch 1810

 

Machine-based pre-approved requests

Beginning with the Configuration Manager current branch 1810 release, you can use the CreateApprovedRequest API to create a pre-approved request for a device with no user required. This allows you to install and uninstall applications in real time.  Currently this functionality is only available in the SDK. For machine-based pre-approved requests to work, you must also enable the "Approve application requests for users per device" feature.

 

Administrators can create a machine-available deployment that requires approval using the New-CMApplicationDeployment cmdlet. Here’s an example:

New-CMApplicationDeployment -CollectionName “All Systems” -Name “Test app” -DeployAction Install -DeployPurpose Available -ApprovalRequired $true

A deployment created with the “requires approval” flag set to true stays on the server and can be used with larger collections. The user-request flow is not yet available for machine-targeted deployments that require approval, so the application isn’t visible in Software Center until you create a pre-approved request to the individual device.

 

The following Windows PowerShell sample script shows how to invoke the WMI method for a machine and application to create a pre-approved request.

 

$machinename = $args[0]
$appid = $args[1]
$autoInstall = $args[2]
$comments = $args[3]

$scObj=Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation'
$sitecode = $scObj.SiteCode
$namespace ="root\sms\site_" + $sitecode
$machine = Get-WmiObject -Namespace $namespace -Query "SELECT * FROM SMS_R_SYSTEM WHERE Name = '$machinename'" 
$clientGuid = $machine.SMSUniqueIdentifier             
Invoke-WmiMethod -Path "SMS_ApplicationRequest" -Namespace $namespace -Name CreateApprovedRequest -ArgumentList @($appid, $autoInstall, $clientGuid, $comments) 

 

The following command line is an example to run this sample script:

 

.\CreateApprovedRequest.ps1 "PC_Melissa" "ScopeId_2E4DAE44-C9A0-4694-8B7A-474424C080D4/Application_88808a3a-86e4-4820-be59-aa7d61cb8c33 "true" "Application has been approved"

 

Note: Setting the autoInstall parameter to "false" has no effect in ConfigMgr 1810 for machine-based pre-approved request.

As soon as the pre-approved request is created on the site, the device will attempt to install the application. You can deny the approval request to remove the application from the device.

 

 

Re-approve a previously denied application request

Also new in version 1810 (via an SDK API only) is the ability to re-approve an application request after a previous request has been denied.

The following PowerShell sample script demonstrates approving the application request after the request has been denied:

$machinename = $args[0]
$username = $args[1]
$appid = $args[2]
 
$scObj=Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation'
$sitecode = $scObj.SiteCode
$namespace ="root\sms\site_" + $sitecode
$reqObj = Get-WmiObject -Namespace $namespace -Class SMS_UserApplicationRequest | Where {$_.ModelName -eq $appid -and $_.RequestedMachine -eq $machinename -and $_.User -eq $username }
$reqObjPath = $reqObj.__PATH
Invoke-WmiMethod -Path $reqObjPath -Name Approve

 

The following command line is an example to run this sample script:

 

.\ApprovedRequest.ps1 "PC_Melisa" "DomainName\Melissa" "ScopeId_2E4DAE44-C9A0-4694-8B7A-474424C080D4/Application_88808a3a-86e4-4820-be59-aa7d61cb8c33"

 

Email notifications for application approval requests

Administrators can configure email notifications for application approval requests. You can now specify application approvers during the application deployment.  All approvers will receive an email notification when a user requests an application and can then approve or deny the request using the links provided in the email.

 

You can also now configure the cloud management gateway to enable approving application requests outside of the internal network.

 

Let’s start with the prerequisites:

  1. The server with the SMS Provider role must have .NET version 4.5.2 or higher installed.
  2. Enable the feature to “Approve application requests for users per device”.
  3. If PKI certificate infrastructure is not set up, Configuration Manager-generated certificates feature should be enabled. Select the primary site under Administration -> Site Configuration -> Sites. Then open its properties dialog and choose the Client Computer Communication tab. Enable the “Use Configuration Manager-generated certificates for HTTP client systems” checkbox.

     

    Note: This checkbox is per primary site but if the checkbox is enabled on any of the primary sites, then Configuration Manager-generated certificates will be used on all providers (including the CAS and other primary sites).
  1. Configure email notifications for alerts following these steps:
    1. In the Configuration Manager console go to Administration -> Site Configuration -> Sites 
    2. Select the top-level site in your hierarchy and select Configure Site Components on the ribbon.
    3. Select Email Notification to open the Properties dialog.
    4. Check Enable email notification for alerts and specify the port of your SMTP server. If you’re using Office 365, you can use the Office 365 SMTP server documented here.
    5. Enter the FQDN or IP address of the SMTP server.
    6. Select to Specify an account, select Set, and then select New Account.
    7. Provide a username and password for the new account and select OK.
    8. Enter the Sender address for email alerts.
    9. Select Apply.

     

 

You can test the SMTP server by sending an email sample. Select Test SMTP Server in the Email Notification Properties dialog. You can review errors in NotiCtlr.log under <SCCM_Install_Directory>\Logs.

 

If everything described above is configured correctly and the prerequisites are met, the email receiver can approve application requests in the internal network.

 

Note: It is recommended to configure SSL with a PKI certificate on the SMS Provider to successfully approve or deny the request in the internal network when cloud management gateway isn’t set up. Otherwise, you’ll see the page containing a warning “There is a problem with this security certificate”.

 

To be able to approve application requests outside of the internal network, additional settings are required:

  1. Enable Allow Configuration Manager cloud management gateway traffic in Administration - > Site Configuration - > Servers and Site Systems Roles -> SMS Provider -> Properties.
  2. Configure the Cloud Management Gateway
  3. Enable Azure AD User Discovery
  4. Configure the following settings for this native app (client app) in Azure AD (should be configured manually on the Azure Portal)

     

    Redirect URI: https://<CMG FQDN>/CCM_Proxy_ServerAuth/ImplicitAuth. Use the fully qualified domain name (FQDN) of the cloud management gateway (CMG) service, for example, GraniteFalls.Contoso.com.

     

     

     Manifest: set oauth2AllowImplicitFlow to true: "oauth2AllowImplicitFlow": true,

      

 

Try It

Now, let’s walk through the end-to-end scenario.

  1. The administrator deploys an application as available to a user collection. On the Deployment Settings page he enables it for approval. Also, he enters a few email addresses to receive notification about application requests.

     

     

    To be able to create the deployment successfully, the administrator should have rights to create a subscription.

  1. The user sees the new application in Software Center and sends the request to get the application. The site sends the email notification within 5 minutes to the addresses specified in the application deployment:

     

     

    An email receiver chooses Approve or Deny. A success message is shown in the bowser if the site successfully processed the application request.

     

    Once an application request is approved or denied via email, links expire and can no longer be used by anyone else.

Known issues:

  1. 404 error is shown after “Approve” or “Deny” links clicked
    • There is no certificate bound to the Admin Service. Check if Configuration Manager-generated certificates feature is enabled. Otherwise, you need to set up your own PKI certificates infrastructure.
    • Check SMS_REST_PROVIDER.log for any errors.
  2. Warning “There is a problem with this security certificate” after “Approve” or “Deny” links clicked
    • Configuration Manager-generated certificate is not trusted by the web browser on the client. It is recommended to set up PKI certificates infrastructure when links are used in the internal network.
  3. Message “Service is unavailable, HTTP Error 503”
    • Check if Admin Service is running. On a provider machine, go to Task Manager => Details. Make sure there is an active process: sccmprovidergraph.exe
    • Open the Configuration Manager Console, Administration - > Site Configuration - > Servers and Site Systems Roles -> SMS Provider, right click on “Properties”. Make sure that “Allow Configuration Manager cloud management gateway traffic.” is checked when email approval feature is intended to use with Cloud Management Gateway; and not checked when the feature is used to approve or deny requests in the internal network.
  4. Links to approve or deny request through Cloud Management Gateway do not work
    • Verify that AAD User Discovery is enabled
    • Verify that Cloud Management Gateway is set up correctly
    • Verify Redirect URI is added for the client app on Azure: https://<CMGFQDN>/CCM_Proxy_ServerAuth/ImplicitAuth and oauth2AllowImplicitFlow is set to true: ("oauth2AllowImplicitFlow": true), in Manifest of the client app on Azure.
  5. Cloud Management Gateway is set up but received links to approve the request in the internal network
    • Verify that AAD User Discovery is enabled
    • Make sure that e-mail address specified during application deployment belongs to your organization
  6. Email is not sent when user has requested an application
    • Check if email address is correct
    • Make sure email notifications for alerts are configured
    • Check NotiCtrl.log for any errors
  7. Error in “Create Application Deployment” wizard
    • Make sure Administrator has rights to create subscription because subscription will be automatically created during application deployment.

 We are looking for feedback! Let us know what you like, what you didn’t like or doesn’t work for you, and your suggestions to improve this feature.

 

The Configuration Manager Team

Updated Dec 18, 2018
Version 2.0
  • todd tyler's avatar
    todd tyler
    Copper Contributor

    Any way to modify the email that is sent.  Like add the users common name instead of login Id. Our login id’s are not comprised of the users name.   So the approver might have to look up the requesters Id to see who it is and or there department.  

  • Hello todd tyler

     

    Thank you for the question.  Currently we include name of the user as well as account name based on the discovered user information from Active Directory or Azure Active Directory. By default, the name of the user comes from “name” field in the Active Directory user object.  

     

    Please use Configuration Manager User Voice to share ideas for email customization options you would like to see. Any feedback is highly appreciated!

     

    Best Regards

    -Yvette

  • AmberLea's avatar
    AmberLea
    Copper Contributor

    Is it possible to add a dynamic user to the email field?  Such as through powershell CM Commands?  I'm wondering if it is possible to use the user's manager from active directory for application approval.

  • Hello AmberLea

     

    The email subscription gets created based on the specified email address in the application deployment wizard. The option of reading the user’s manager from active directory is not currently supported. 

     

    I see that you have added this idea to our UserVoice.  Thank you!

     

    Warm Regards

    -Yvette

  • TroelsET's avatar
    TroelsET
    Copper Contributor

    I have configured Enhanced-HTTP on my Primary Site, which results in an SMS Role SSL Certificate being bound to 443 on that server (SMS Provider). This gives me some problems if I also want to bind a PKI cert to avoid certificate trust-issues for the approver. Do you have any recommendations? Do I have to choose one or the other or can both Enhanced-HTTP and CMG-connections for SMS Provider be enabled at the same time somehow?

     

    Also I get "Email approval link not valid, or the service is unavailable" when I try to approve via CMG. Without CMG (i.e. via internal network) the approval links work fine. My CMG is also working fine for client communication in general, so I am a bit confused as to what might be causing this issue.

  • Can a user uninstall the Application later in Software Center, or does it show up as required?

  • BHansen's avatar
    BHansen
    Copper Contributor

    I noticed that if you open an existing deployment the checkbox for Approval is there but the box to add the approval emails is not. If you create a new deployment you have the check box and the space to input the email addresses, but when you save it and open it again the emails are gone so you cannot change them. This means to add approvals to an existing deployment, or change the email list on an existing deployment, you have to create a NEW deployment.

  • BMJOnes's avatar
    BMJOnes
    Copper Contributor

    It seems that if an approved application has a dependency, and that dependency requires a reboot,  after the restart the approved application will not complete its install.  Are there any plans to fix this behavior or maybe have an option to allow the full dependency chain to install through reboots?

  • Lord_Arokh's avatar
    Lord_Arokh
    Copper Contributor

    Hi, does anyone have it function the uninstallation of the software when the application approval is denied ? There might be some obscure perquisites but I couldn't figure out them. For ex. you should have an active Maintenance Window to uninstall the software. But yet still it does not get uninstalled when approval is denied.