Jun 06 2019 01:09 PM
I work for a large organization and we're slowly moving towards user-based deployments. The issue is that users log into machines that have specific uses and we don't want them to be able to install software that doesn't belong on those machines. For example, we don't want MS Project installed on a machine used to manage a specialized device. This applies not only to users but also to system administrators. Basically, tighter control of what can and can't be installed on groups of machines based on a machine's purpose. It seems like neither using collections nor primary device affinity fits the bill for this task. My thinking is to try to leverage a custom global condition that would identify the machine type to verify if something should be installed. I wanted to see if anyone has dealt with this challenge and maybe came up with an innovative solution.
Mar 30 2020 03:37 PM
@Hogan_Klink Possibly put those machines in a special OU and create a requirement in the deployment type using the OU as an exclusion?
But yeah, looks like you may have to use a global condition, possibly based on group membership, to exclude the machine install.
Apr 16 2020 03:08 PM
Apr 24 2020 06:19 AM
@Hogan_Klink We use a registry key tag in HKLM to identify specialty machines. We include this key in hardware inventory so we can create collections. You could use a check for this key as a global condition.
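The registry-tag idea from the reply above, sketched as a script-type global condition; this is an added example, not code from the thread or from Microsoft. The key path, value name and role names are placeholders (the thread does not give them), and it assumes the client runs the script under Windows PowerShell 5.1.

```powershell
# Script-type global condition (data type: String). Outputs the machine role tag.
# ASSUMPTIONS: key path, value name and role names are placeholders, not from the thread.
$TagKeyPath   = 'SOFTWARE\<YourOrg>\MachineTag'                   # placeholder, relative to HKLM
$TagValueName = 'Role'                                            # placeholder
$KnownRoles   = @('DeviceController', 'Kiosk', 'GeneralPurpose')  # constructed examples

# Principals expected to hold write access to the tag: SYSTEM, Administrators, CREATOR OWNER.
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-MachineRole {
    # Open the 64-bit view explicitly so a 32-bit script host is not redirected to WOW6432Node.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hklm.OpenSubKey($TagKeyPath)   # read-only open
        if ($null -eq $key) { return 'Untagged' }
        try {
            # Fail closed if any other principal is allowed to rewrite the tag.
            $rules = $key.GetAccessControl().GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $isAllow  = $rule.AccessControlType -eq 'Allow'
                $canWrite = ([int]$rule.RegistryRights -band [int]$WriteRights) -ne 0
                if ($isAllow -and $canWrite -and
                    ($TrustedSids -notcontains $rule.IdentityReference.Value)) {
                    return 'Untrusted'
                }
            }
            # Only pass through values from the expected list.
            $role = [string]$key.GetValue($TagValueName, '')
            if ($KnownRoles -contains $role) { return $role }
            return 'Unknown'   # value missing or not an expected role
        }
        finally { $key.Close() }
    }
    finally { $hklm.Close() }
}

Write-Output (Get-MachineRole)
```

A deployment type requirement can then compare the returned string against the roles on which the application is allowed or excluded. The tag lives in HKLM, so anyone with local administrator rights can still change it; the condition constrains standard users and deployments, not administrators on the box.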
May 06 2020 05:02 AM
@Hogan_Klink If you are able to add these "special" devices to a device collection, you could then create a Client Settings object with "Install permissions" set to "No users" and deploy it to that collection. For details, see About client settings in Configuration Manager: Install permissions