Thank you for all the feedback on the improvements to application approvals and faster software installation in Configuration Manager 1806. We have added several new improvements in Configuration Manager current branch 1810.
Beginning with the Configuration Manager current branch 1810 release, you can use the CreateApprovedRequest API to create a pre-approved request for a device with no user required. This allows you to install and uninstall applications in real time. Currently this functionality is only available in the SDK. For machine-based pre-approved requests to work, you must also enable the "Approve application requests for users per device" feature.
Administrators can create a machine-available deployment that requires approval using the New-CMApplicationDeployment cmdlet. Here’s an example:
New-CMApplicationDeployment -CollectionName "All Systems" -Name "Test app" -DeployAction Install -DeployPurpose Available -ApprovalRequired $true
A deployment created with the “requires approval” flag set to true stays on the server and can be used with larger collections. The user-request flow is not yet available for machine-targeted deployments that require approval, so the application isn’t visible in Software Center until you create a pre-approved request to the individual device.
The following Windows PowerShell sample script shows how to invoke the WMI method for a machine and application to create a pre-approved request.
# Arguments: device name, application ID, autoInstall flag, approval comment
$machinename = $args[0]
$appid = $args[1]
$autoInstall = $args[2]
$comments = $args[3]

# Look up the site code from the SMS Provider and build the site namespace
$scObj = Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation'
$sitecode = $scObj.SiteCode
$namespace = "root\sms\site_" + $sitecode

# Resolve the device name to its client GUID
$machine = Get-WmiObject -Namespace $namespace -Query "SELECT * FROM SMS_R_SYSTEM WHERE Name = '$machinename'"
$clientGuid = $machine.SMSUniqueIdentifier

# Create the pre-approved request for that device
Invoke-WmiMethod -Path "SMS_ApplicationRequest" -Namespace $namespace -Name CreateApprovedRequest -ArgumentList @($appid, $autoInstall, $clientGuid, $comments)
The following command line is an example to run this sample script:
.\CreateApprovedRequest.ps1 "PC_Melissa" "ScopeId_2E4DAE44-C9A0-4694-8B7A-474424C080D4/Application_88808a3a-86e4-4820-be59-aa7d61cb8c33" "true" "Application has been approved"
Note: Setting the autoInstall parameter to "false" has no effect in ConfigMgr 1810 for machine-based pre-approved requests.
As soon as the pre-approved request is created on the site, the device will attempt to install the application. You can deny the approval request to remove the application from the device.
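Because the device starts installing as soon as the request exists, it is worth validating the inputs before calling the method. The following is an added example, not part of the original post: a guarded variant of the sample above that rejects malformed input, requires exactly one matching device, and supports -WhatIf. The NetBIOS-style name allowlist and the parameter names are assumptions for illustration.

```powershell
# Added example: guarded wrapper around the CreateApprovedRequest call shown above.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: device names are NetBIOS-style; the allowlist keeps quotes out of the WQL string.
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9_-]{1,15}$')]
    [string]$MachineName,

    # Same ScopeId_<GUID>/Application_<GUID> shape as the application ID in the post's command line.
    [Parameter(Mandatory)]
    [ValidatePattern('^ScopeId_[0-9A-Fa-f-]{36}/Application_[0-9A-Fa-f-]{36}$')]
    [string]$AppId,

    # Require a comment so every pre-approved request carries a reason.
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string]$Comments
)
$ErrorActionPreference = 'Stop'

# Same site lookup as the original sample.
$siteCode = (Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation' |
    Select-Object -First 1).SiteCode
$namespace = "root\sms\site_$siteCode"

# Refuse to continue unless the name resolves to exactly one device record.
$machines = @(Get-WmiObject -Namespace $namespace -Query "SELECT * FROM SMS_R_SYSTEM WHERE Name = '$MachineName'")
if ($machines.Count -ne 1) {
    throw "Expected exactly one device named '$MachineName', found $($machines.Count)."
}

$clientGuid = $machines[0].SMSUniqueIdentifier
if ([string]::IsNullOrWhiteSpace($clientGuid)) {
    throw "Device '$MachineName' has no SMSUniqueIdentifier."
}

# autoInstall is passed as $true because "false" has no effect for machine-based requests in 1810.
if ($PSCmdlet.ShouldProcess("$MachineName ($clientGuid)", "Pre-approve and install $AppId")) {
    Invoke-WmiMethod -Path 'SMS_ApplicationRequest' -Namespace $namespace -Name CreateApprovedRequest `
        -ArgumentList @($AppId, $true, $clientGuid, $Comments)
}
```

Run it with -WhatIf first to confirm which device and client GUID would receive the request.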
Also new in version 1810 (via an SDK API only) is the ability to re-approve an application request after a previous request has been denied.
The following PowerShell sample script demonstrates approving the application request after the request has been denied:
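# Arguments: device name, user name (DOMAIN\user), application ID
$machinename = $args[0]
$username = $args[1]
$appid = $args[2]

# Look up the site code from the SMS Provider and build the site namespace
$scObj = Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation'
$sitecode = $scObj.SiteCode
$namespace = "root\sms\site_" + $sitecode

# Find the existing request for this application, device and user
$reqObj = Get-WmiObject -Namespace $namespace -Class SMS_UserApplicationRequest | Where-Object { $_.ModelName -eq $appid -and $_.RequestedMachine -eq $machinename -and $_.User -eq $username }
$reqObjPath = $reqObj.__PATH

# Approve the previously denied request
Invoke-WmiMethod -Path $reqObjPath -Name Approve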
The following command line is an example to run this sample script:
.\ApprovedRequest.ps1 "PC_Melissa" "DomainName\Melissa" "ScopeId_2E4DAE44-C9A0-4694-8B7A-474424C080D4/Application_88808a3a-86e4-4820-be59-aa7d61cb8c33"
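The filter in the re-approval sample can match no request or several, and it does not check that the request is currently denied. The following is an added example, not part of the original post, that adds those checks before calling Approve. It assumes CurrentState value 3 means "denied" on SMS_UserApplicationRequest and that LastModifiedBy is populated; confirm both against your site before relying on them.

```powershell
# Added example: re-approve only when exactly one denied request matches.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$MachineName,
    [Parameter(Mandatory)][string]$UserName,   # DOMAIN\user, as in the post's command line
    [Parameter(Mandatory)][string]$AppId
)
$ErrorActionPreference = 'Stop'
$DeniedState = 3   # Assumption: CurrentState 3 = denied

$siteCode = (Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation' |
    Select-Object -First 1).SiteCode
$namespace = "root\sms\site_$siteCode"

# Client-side filter, as in the original sample, so the backslash in DOMAIN\user needs no WQL escaping.
$requests = @(Get-WmiObject -Namespace $namespace -Class SMS_UserApplicationRequest |
    Where-Object {
        $_.ModelName -eq $AppId -and
        $_.RequestedMachine -eq $MachineName -and
        $_.User -eq $UserName
    })

if ($requests.Count -ne 1) {
    throw "Expected exactly one matching request, found $($requests.Count)."
}

$request = $requests[0]
if ($request.CurrentState -ne $DeniedState) {
    throw "Request is in state $($request.CurrentState), not denied; nothing to re-approve."
}

# Record who last changed the request before reversing that decision.
Write-Verbose "Request last modified by '$($request.LastModifiedBy)'."

if ($PSCmdlet.ShouldProcess("$UserName on $MachineName", "Re-approve $AppId")) {
    Invoke-WmiMethod -Path $request.__PATH -Name Approve
}
```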
Administrators can configure email notifications for application approval requests. You can now specify application approvers during the application deployment. All approvers will receive an email notification when a user requests an application and can then approve or deny the request using the links provided in the email.
You can also now configure the cloud management gateway to enable approving application requests outside of the internal network.
Let’s start with the prerequisites:
Note: This checkbox is per primary site but if the checkbox is enabled on any of the primary sites, then Configuration Manager-generated certificates will be used on all providers (including the CAS and other primary sites).
You can test the SMTP server by sending an email sample. Select Test SMTP Server in the Email Notification Properties dialog. You can review errors in NotiCtlr.log under <SCCM_Install_Directory>\Logs.
If everything described above is configured correctly and the prerequisites are met, the email receiver can approve application requests in the internal network.
Note: It is recommended to configure SSL with a PKI certificate on the SMS Provider to successfully approve or deny the request in the internal network when cloud management gateway isn’t set up. Otherwise, you’ll see the page containing a warning “There is a problem with this security certificate”.
To be able to approve application requests outside of the internal network, additional settings are required:
Redirect URI: https://<CMG FQDN>/CCM_Proxy_ServerAuth/ImplicitAuth. Use the fully qualified domain name (FQDN) of the cloud management gateway (CMG) service, for example, GraniteFalls.Contoso.com.
Manifest: set oauth2AllowImplicitFlow to true: "oauth2AllowImplicitFlow": true,
Now, let’s walk through the end-to-end scenario.
To be able to create the deployment successfully, the administrator should have rights to create a subscription.
An email receiver chooses Approve or Deny. A success message is shown in the browser if the site successfully processed the application request.
Once an application request is approved or denied via email, links expire and can no longer be used by anyone else.
We are looking for feedback! Let us know what you like, what you didn’t like or what doesn’t work for you, and your suggestions to improve this feature.
The Configuration Manager Team