Exclude groups of machine from Application installs in CMCB

%3CLINGO-SUB%20id%3D%22lingo-sub-676147%22%20slang%3D%22en-US%22%3EExclude%20groups%20of%20machine%20from%20Application%20installs%20in%20CMCB%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-676147%22%20slang%3D%22en-US%22%3E%3CP%3EI%20work%20for%20a%20large%20organization%20and%20we're%20slowly%20moving%20towards%20user%20based%20deployments.%20The%20issue%20is%20that%20users%20log%20into%20machines%20that%20have%20a%20specific%20uses%20and%20we%20don't%20want%20them%20to%20be%20able%20to%20install%20software%20that%20doesn't%20belong%20on%20those%20machines.%20For%20example%20we%20don't%20want%20MS%20project%20installed%20on%20a%20machine%20used%20to%20manage%20a%20specialized%20device.%20This%20not%20only%20applies%20to%20users%20but%20also%20system%20administrators.%20Basically%20tighter%20control%20of%20what%20can%20and%20can't%20be%20installed%20on%20groups%20of%20machines%20based%20on%20a%20machines%20purpose.%20It%20seems%20like%20neither%20using%20collections%20nor%20primary%20device%20affinity%20fits%20the%20bill%20for%20this%20task%20.%20My%20thinking%20is%20to%20try%20to%20leverage%20a%20custom%20global%20condition%20that%20would%20identify%20the%20machine%20type%20to%20verify%20if%20something%20should%20be%20installed.%20I%20wanted%20to%20see%20if%20anyone%20has%20dealt%20with%20this%20challenge%20and%20maybe%20came%20up%20with%20an%20innovative%20solution.%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-676147%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EApp%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1266179%22%20slang%3D%22en-US%22%3ERe%3A%20Exclude%20groups%20of%20machine%20from%20Application%20installs%20in%20CMCB%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1266179%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F257496%22%20target%3D%22_blank%22%3E%40Hogan_Klink%3C%2FA%3E%26nbsp%3BPossibly%20put%20those%20machines%20in%20a%20special%20OU%20and%20create%20a%20requirement%20in%20the%20deployment%20type%20using%20the%20OU%20as%20an%20exclusion%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20yeah%2C%20looks%20like%20you%20may%20have%20to%20use%20a%20global%20condition%2C%20possibly%20based%20on%20group%20membership%2C%20to%20exclude%20the%20machine%20install.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314261%22%20slang%3D%22en-US%22%3ERe%3A%20Exclude%20groups%20of%20machine%20from%20Application%20installs%20in%20CMCB%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314261%22%20slang%3D%22en-US%22%3EThat%E2%80%99s%20what%20we%20are%20doing%20now%20also%20(in%20progress).%20Our%20legacy%20workstation%20OU%20structures%20used%20to%20be%20divided%20up%20in%20regions%20(US%2C%20EU%2C%20APAC...)%20and%20then%20broken%20down%20by%20type%20of%20location%2C%20laptop%20or%20desktop%20etc.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%E2%80%99re%20transitioning%20and%20flattening%20that%20structure%20much%20more%20geographically%20(there%E2%80%99s%20other%20ways%20to%20know%20where%20a%20device%20is%20than%20OU%20membership)%2C%20but%20breaking%20them%20up%20into%20DEV%2FQA%2FPRD%20and%20then%20for%20each%20divided%20by%20device%20type%20(functionality%20based).%20I%20also%20reworked%20our%20SCCM%20collections%20to%20use%20those%20same%20OU%20structures%20for%20our%20patch%20and%20app%20deployments.%20Next%20step%20is%20indeed%20adding%20global%20conditions%20on%20apps%20to%20prevent%20them%20from%20getting%20installed%20on%20certain%20device%20types%20based%20on%20their%20OU%20membership%2C%20whether%20it%E2%80%99s%20through%20a%20device-%20or%20user-targeted%20deployment.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20think%20the%20only%20other%20way%20you%20could%20do%20it%20would%20be%20to%20work%20with%20approvals%20and%20build%20some%20automation%20around%20that%20(maybe%20a%20script%20that%20validates%20a%20few%20things%20from%20the%20device%20when%20a%20user%20requests%20the%20app%2C%20and%20when%20requirements%20are%20met%20automatically%20approve%20it%2C%20if%20not%20decline%20it).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1335571%22%20slang%3D%22en-US%22%3ERe%3A%20Exclude%20groups%20of%20machine%20from%20Application%20installs%20in%20CMCB%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1335571%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F257496%22%20target%3D%22_blank%22%3E%40Hogan_Klink%3C%2FA%3E%26nbsp%3Bwe%20use%20a%20registry%20key%20tag%20in%20HKLM%20to%20identify%20specialty%20machines.%26nbsp%3B%20We%20include%20this%20key%20in%20hardware%20inventory%20so%20we%20can%20create%20collections.%26nbsp%3B%20You%20could%20use%20looking%20for%20this%20key%20as%20a%20global%20condition.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1363254%22%20slang%3D%22en-US%22%3ERe%3A%20Exclude%20groups%20of%20machine%20from%20Application%20installs%20in%20CMCB%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1363254%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F257496%22%20target%3D%22_blank%22%3E%40Hogan_Klink%3C%2FA%3E%26nbsp%3BIf%20you%20are%20able%20to%20add%20these%20%22special%22%20devices%20to%20a%20device%20collection%2C%20you%20could%20then%20create%20a%20Client%20Settings%20object%20with%20%22Install%20permissions%22%20set%20to%20%22No%20users%22%20and%20deploy%20it%20to%20that%20collection.%20For%20details%2C%20see%26nbsp%3B%3CA%20title%3D%22About%20client%20settings%20in%20Configuration%20Manager%3A%20Install%20permissions%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Fcore%2Fclients%2Fdeploy%2Fabout-client-settings%23install-permissions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAbout%20client%20settings%20in%20Configuration%20Manager%3A%20Install%20permissions%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I work for a large organization and we're slowly moving towards user based deployments. The issue is that users log into machines that have a specific uses and we don't want them to be able to install software that doesn't belong on those machines. For example we don't want MS project installed on a machine used to manage a specialized device. This not only applies to users but also system administrators. Basically tighter control of what can and can't be installed on groups of machines based on a machines purpose. It seems like neither using collections nor primary device affinity fits the bill for this task . My thinking is to try to leverage a custom global condition that would identify the machine type to verify if something should be installed. I wanted to see if anyone has dealt with this challenge and maybe came up with an innovative solution.  

4 Replies

@Hogan_Klink Possibly put those machines in a special OU and create a requirement in the deployment type using the OU as an exclusion?

 

But yeah, looks like you may have to use a global condition, possibly based on group membership, to exclude the machine install.

That’s what we are doing now also (in progress). Our legacy workstation OU structures used to be divided up in regions (US, EU, APAC...) and then broken down by type of location, laptop or desktop etc.

We’re transitioning and flattening that structure much more geographically (there’s other ways to know where a device is than OU membership), but breaking them up into DEV/QA/PRD and then for each divided by device type (functionality based). I also reworked our SCCM collections to use those same OU structures for our patch and app deployments. Next step is indeed adding global conditions on apps to prevent them from getting installed on certain device types based on their OU membership, whether it’s through a device- or user-targeted deployment.

I think the only other way you could do it would be to work with approvals and build some automation around that (maybe a script that validates a few things from the device when a user requests the app, and when requirements are met automatically approve it, if not decline it).

@Hogan_Klink we use a registry key tag in HKLM to identify specialty machines.  We include this key in hardware inventory so we can create collections.  You could use looking for this key as a global condition.

@Hogan_Klink If you are able to add these "special" devices to a device collection, you could then create a Client Settings object with "Install permissions" set to "No users" and deploy it to that collection. For details, see About client settings in Configuration Manager: Install permissions