Updates to the application approval process in Configuration Manager

Published 09-08-2018 11:24 AM
First published on CloudBlogs on Aug 30, 2018
One of the important scenarios for application management is providing a controlled installation and uninstallation process for software that requires approval. In the last few releases of Configuration Manager (current branch) we’ve made several improvements to help you implement an application approval workflow in your environment. These improvements include faster evaluation of the approval action, and faster software delivery to the client. Also, the new workflow doesn’t require creating individual collections to manage installations and uninstallations for each application, which reduces the overall load on the Configuration Manager infrastructure and improves performance. Let’s walk through a few examples.

Scenario #1

Sophia is the IT administrator at Contoso. She uses Software Center to make software available to the users. These applications must be approved before they are installed. Sophia deploys an application to all users and configures it to require approval. Tim is a user. He browses the list of applications in Software Center but can’t install the application until the request is approved. Tim submits the request from Software Center and specifies the reason for the request. If the Configuration Manager version 1802 option, “Approve application requests for users per device” is enabled, Tim has to request approval from every device where he wants to install the application. Sophia then approves or denies the request for each of Tim’s devices where he made the request.

Here is Tim’s experience in Software Center:
  1. Software Center requires Tim to submit the request for the application from his device.
  2. Tim specifies the reason and submits the approval request.
  3. Once Sophia approves the request, Tim can install the application on his device. If Tim takes no action, Configuration Manager automatically installs the application during non-business hours.

Scenario #2

Northwind Traders has an existing application approval system, and Emma wants to integrate the approval system with Configuration Manager. Emma deploys an application to all users and configures it to require approval. With Configuration Manager version 1802, Emma enables the Software Center client setting to "Hide unapproved applications in Software Center". With this option, Liam doesn’t see the application in Software Center until the application request is approved for installation on the device.

When approval is granted via the organization’s approval system, the orchestration system can make an approved request for Liam and his device in Configuration Manager. It uses the “CreateApprovedRequest” WMI method in Configuration Manager version 1802. This method then uses the existing Configuration Manager application deployment mechanism. It doesn’t modify collection memberships, and takes effect immediately. The application is now available to Liam in Software Center. Emma can also configure the automation to automatically install the application on Liam’s device. No other users will see the application as available in Software Center until the approval is granted. This solution provides per-user and per-device control of the software without the need to create separate collections.

The WMI method CreateApprovedRequest has the following input parameters:

Required parameters:
  • ClientGUID - Unique identifier of the client
  • Username - Unique username of the user, for example Liam
  • ApplicationID - Model name of the application
The ApplicationID is the ModelName property of the SMS_Application instance. This value is the unique ID of the application without the version. For example, "ScopeId_21A9ED3B-D8C6-49DC-87A6-01F296182F14/Application_40243740-01f2-48db-abf0-c95259986d94".

Optional parameters:
  • Comments - Comments for the approved request to be displayed in the Software Center. By default, it specifies an empty string.
  • AutoInstall - Install the application immediately after the request is approved. By default, this parameter is true.
The following code sample is a Windows PowerShell script that shows how to invoke the WMI method for a specific user, machine, and application.

```powershell
# Positional arguments: machine name, user name, application ID (ModelName), AutoInstall, comments
$machinename = $args[0]
$username    = $args[1]
$appid       = $args[2]
$autoInstall = $args[3]
$comments    = $args[4]

# Read the site code from the SMS Provider and build the site namespace
$scObj     = Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation'
$sitecode  = $scObj.SiteCode
$namespace = "root\sms\site_" + $sitecode

# Look up the client GUID (SMSUniqueIdentifier) of the target device
$machine    = Get-WmiObject -Namespace $namespace -Query "SELECT * FROM SMS_R_SYSTEM WHERE Name = '$machinename'"
$clientGuid = $machine.SMSUniqueIdentifier

# Create the approved request; -ArgumentList is positional, so keep this order
Invoke-WmiMethod -Path "SMS_UserApplicationRequest" -Namespace $namespace -Name CreateApprovedRequest -ArgumentList @($appid, $autoInstall, $clientGuid, $comments, $username)
```

The following command line is an example to run this sample script:

```powershell
.\CreateApprovedRequest.ps1 "MachineName" "Domain\Melissa" "ScopeId_2E4DAE44-C9A0-4694-8B7A-474424C080D4/Application_88808a3a-86e4-4820-be59-aa7d61cb8c33" "true" "Application has been approved"
```

Emma can still see the approved requests in the Configuration Manager console in the Software Library, under Application Management, in the Approval Requests node. The following screenshot shows an application request that is approved for Melissa on device R31578937.

The current version of this application approval WMI method has the following limitations:
  1. The CreateApprovedRequest method can be called only once for a unique machine ID, application ID, and username combination. It returns an error if the method is called with the same parameters more than once. The details about this error are in SMSProv.log.
  2. To enable the automatic install of the application, deploy the application to a collection of users or user groups before calling the WMI method. If you create the deployment after calling the WMI method, the application is made available to the user for install and won’t be automatically installed.
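
One way to wrap the call so that a version suffix on the ApplicationID, a device name that does not resolve to exactly one client, or a repeated request surfaces as a specific error before or at the WMI call. This is an added example, not part of the original post or Microsoft's sample; the function name New-ApprovedAppRequest, the machine-name allow-list and the ScopeId_<GUID>/Application_<GUID> pattern are assumptions based on the values shown on this page.

```powershell
# Added example: guarded wrapper around the article's CreateApprovedRequest call.
# New-ApprovedAppRequest is a hypothetical name; the name and ID patterns are assumptions.
function New-ApprovedAppRequest {
    [CmdletBinding()]
    param(
        # Allow-list keeps the value safe to embed in the WQL string literal below.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9_-]{1,15}$')]
        [string]$MachineName,

        [Parameter(Mandatory)]
        [string]$UserName,

        [Parameter(Mandatory)]
        [string]$ApplicationId,

        # Typed as [bool]: pass $true/$false, not the string "true".
        [bool]$AutoInstall = $true,
        [string]$Comments = ''
    )

    # The method expects ModelName without the version, so drop a trailing "/<revision>".
    $modelName = $ApplicationId.Trim() -replace '/\d+$', ''
    $guid = '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
    if ($modelName -notmatch ('^ScopeId_' + $guid + '/Application_' + $guid + '$')) {
        throw "ApplicationId '$ApplicationId' is not in ScopeId_<GUID>/Application_<GUID> form."
    }

    $site = @(Get-WmiObject -Namespace root\sms -Query 'SELECT SiteCode FROM SMS_ProviderLocation')
    $namespace = 'root\sms\site_' + $site[0].SiteCode

    # A mistyped or duplicated device name would otherwise pass an empty or wrong GUID.
    $machine = @(Get-WmiObject -Namespace $namespace `
        -Query "SELECT SMSUniqueIdentifier FROM SMS_R_System WHERE Name = '$MachineName'")
    if ($machine.Count -ne 1) {
        throw "Expected one SMS_R_System record for '$MachineName', found $($machine.Count)."
    }

    try {
        # Same call and argument order as the article's script.
        Invoke-WmiMethod -Path 'SMS_UserApplicationRequest' -Namespace $namespace `
            -Name CreateApprovedRequest -ErrorAction Stop `
            -ArgumentList @($modelName, $AutoInstall, $machine[0].SMSUniqueIdentifier, $Comments, $UserName)
    }
    catch {
        # Limitation 1: a repeat of the same user/device/application combination is rejected.
        throw "CreateApprovedRequest failed for '$UserName' on '$MachineName' (see SMSProv.log): $($_.Exception.Message)"
    }
}
```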

Scenario #3

If Emma revokes the approval, or the application is no longer in use, uninstall the application. Emma revokes the approval of the application using the Configuration Manager console, a PowerShell script, or WMI. Even if the application was already approved, she can use the Deny option. Revoking the approval prevents Liam from installing the application on his device. Starting in Configuration Manager version 1806, the same action also causes uninstallation of the application on Liam’s device if the application was previously installed. Learn more about the Deny-CMApprovalRequest cmdlet.

Prerequisites:
  1. Enable the “Use new Software Center” client setting
  2. Enable the feature to “Approve application requests for users per device”
  3. Prior to version 1806, the application catalog web service point and application catalog website point roles are required. For 1806 and later, these roles aren’t required.

We are looking for feedback! Let us know what you like, what you don’t like or what doesn’t work for you, and your suggestions to improve this feature.

New Contributor

I get a generic Failure, if it tries to invoke-wmimethod….

Can you provide maybe a link to the PowerShell script, because it's maybe a copy and paste problem (bad formatting here in the article..)

A question to Scenario 2: "Emma can also configure the automation to automatically install the application on Liam’s device" How can I achieve that? If I deploy the app to Users to require approval, I only can deploy this as "Available" and not "Required"(for automatic installation). Would be nice if you can explain this a little more detailed, how I can automate this. Thanks!

Regular Visitor

The script worked for me but I found I had to have the values exactly right - otherwise I would get a generic failure. In particular, I had a typo in the computer name and the app GUID had a "/1" at the end (I suppose I was pulling the value from a table that had some kind of extended version of the app ID).


As to your other question, see the discussion about "AutoInstall" above. When you use approvals as per scenario 2, the question of whether the software should be installed automatically or not is defined at the point the approval is created (by the PowerShell script in this case), not when the deployment is created (in the ConfigMgr console). That's what the AutoInstall property is for.

Regular Visitor

I should also note that you'll get a generic failure if the approval request already exists. i.e. you can't create the same request twice (unless you cheat by deleting the first one, but there's no official way to do that)


