cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exclude groups of machine from Application installs in CMCB

Hogan_Klink
Copper Contributor

‎Jun 06 2019 01:09 PM

‎Jun 06 2019 01:09 PM

Exclude groups of machine from Application installs in CMCB

I work for a large organization and we're slowly moving towards user based deployments. The issue is that users log into machines that have a specific uses and we don't want them to be able to install software that doesn't belong on those machines. For example we don't want MS project installed on a machine used to manage a specialized device. This not only applies to users but also system administrators. Basically tighter control of what can and can't be installed on groups of machines based on a machines purpose. It seems like neither using collections nor primary device affinity fits the bill for this task . My thinking is to try to leverage a custom global condition that would identify the machine type to verify if something should be installed. I wanted to see if anyone has dealt with this challenge and maybe came up with an innovative solution.  

Labels:
1,082 Views
0 Likes
4 Replies
Reply
4 Replies
Riveraray

‎Mar 30 2020 03:37 PM

‎Mar 30 2020 03:37 PM

Re: Exclude groups of machine from Application installs in CMCB

@Hogan_Klink Possibly put those machines in a special OU and create a requirement in the deployment type using the OU as an exclusion?

 

But yeah, looks like you may have to use a global condition, possibly based on group membership, to exclude the machine install.

0 Likes
Reply
Andy D'Hollander

‎Apr 16 2020 03:08 PM

‎Apr 16 2020 03:08 PM

Re: Exclude groups of machine from Application installs in CMCB

That’s what we are doing now also (in progress). Our legacy workstation OU structures used to be divided up in regions (US, EU, APAC...) and then broken down by type of location, laptop or desktop etc.

We’re transitioning and flattening that structure much more geographically (there’s other ways to know where a device is than OU membership), but breaking them up into DEV/QA/PRD and then for each divided by device type (functionality based). I also reworked our SCCM collections to use those same OU structures for our patch and app deployments. Next step is indeed adding global conditions on apps to prevent them from getting installed on certain device types based on their OU membership, whether it’s through a device- or user-targeted deployment.

I think the only other way you could do it would be to work with approvals and build some automation around that (maybe a script that validates a few things from the device when a user requests the app, and when requirements are met automatically approve it, if not decline it).
0 Likes
Reply
Dawn M Wertz

‎Apr 24 2020 06:19 AM

‎Apr 24 2020 06:19 AM

Re: Exclude groups of machine from Application installs in CMCB

@Hogan_Klink we use a registry key tag in HKLM to identify specialty machines.  We include this key in hardware inventory so we can create collections.  You could use looking for this key as a global condition.

0 Likes
Reply
Michiel Overweel

‎May 06 2020 05:02 AM

‎May 06 2020 05:02 AM

Re: Exclude groups of machine from Application installs in CMCB

@Hogan_Klink If you are able to add these "special" devices to a device collection, you could then create a Client Settings object with "Install permissions" set to "No users" and deploy it to that collection. For details, see About client settings in Configuration Manager: Install permissions

0 Likes
Reply