SCCM 2012 Application Approval workaround
Published:
Browse All Articles > SCCM 2012 Application Approval workaround
SCCM 2012 Application Approval Process Problem
I am not sure how many of you use the new feature in SCCM called “Application Catalog” to allow users to request & install software.
Well we have implemented it to control what software gets installed & allow us to get users to request software.
Now one problem we had with this was that we would never know that a user has requested an application for approval unless we constantly refreshed the “Approval Requests” tab in the SCCM console. This was a big issue for us as we needed our SAM to be notified when new requests were made & then to be able to approve without having to go into the console to approve.
This is the solution we came up with
Systems Used
• SCCM 2012 SP1
• Orchestrator 2012 SP1
• Visual Studio 2010
• HP Service Manager
• Active Directory
Thanks To the following people:
• For the integration into our HP system I thank our local HPSM guys
Chris.Visagie
• For providing the outline of the runbooks which contained the PowerShell scripts as well as an idea for the ASP.Net page.
Neil Peterson - http://blogs.technet.com/b/neilp/archive/2012/09/25/configuration-manager-application-request-notification-and-approval-solution.aspx
As you will see in my article I have changed the layout a bit to suit my needs & my environment.
• For providing the SCORCH IP’s
http://technet.microsoft.com/en-us/library/hh295851.aspx
Firstly what we did was import the needed IP’s into Orchestrator
• SC Configuration Manager IP
• Data Manipulation IP
• HP Service Manager
• Active Directory IP
Then we created the 3 needed Runbooks, as stated before you will get the same 3 from the above link provided by Neil but I have changed them a bit as follows:
• CM Gather Requests
![Gather Requests Runbook]()
Here I am running a SQL query to collect all the data on each request from the application catalog in SCCM made by users.
![Gather all requests activity]()
Then the next link would be to split the fields
![Split fields activity]()
We would then create link filters where we would let the respective “leg” of the runbook run according to the result from true or false on the query, so if there was a request equal to or less than 2 min then the “First Mail” would be fired off sending a mail to the software asset manager detailing the request.
![First Mail activity]()
Mail Body would be as below
![Mail Body]()
The Software asset manager will get the following example mail where a link will be provided to the ASP page so that he can approve or deny the request.
![Approval Mail]()
Where they would then be taken to the following page after clicking on the link
![ASP.Net link]()
I have set my runbook to run every 2 min as done by Neil but I have run it from the Task Scheduler using the Runbook command tool which you can find anywhere on the net.
So as you can see above the runbook will send another mail if the request has not been looked at by the SAM in 1 day & then it will auto deny the request after 10 days of no activity where it will invoke the next required runbook.
• CM Approval Mail
![CM Approval Runbook]()
This runbook would be doing the call logging, letting the user know if their request has been approved as well as adding the machine to the SCCM collection for install if approved.
![Initialize Data Activity]()
Initialize data inputted from the ASP.Net page that was filled in by the SAM
You would then run the below activity that would run the PowerShell script to approve or deny the request & this entry would be taken from the “Initialize data”
![Run.Net Script Activity]()
I then gather data about the specific request to get the details of the user as well as the application.
![Gather data about the request activity]()
If the request has been approved it will follow my link filters & automatically log a call in HPSM for the requesting user as well as add the user’s computer to the respective SCCM collection, update the machine policy as well as run an application eval cycle.
The Following Activity will add the requesting users machine to the SCCM collection that was collected from the "Gather Data about the request"
![Add to collection]()
The "Update Machine Policy" client action activity will then be run to force the client to look for any new/updated policies.
![Update Machine Policy]()
Next the "Application Deployment Evaluation" client activity will be run so that the agent can get the notification that an application is ready to be installed.
![Application Deployment Evaluation]()
This will then fire off the application install automatically & will start the setup of the requested application.
You will notice that in this runbook is the “Get Email Address” runbook invoke
This would run the next required runbook which would get the requesting users email address & then send them a mail letting them know if the SAM approved or denied their request & what the reason was.
• Get Emails
![Get Emails]()
This would get the username from the “Gather data about the request” & then split the domain field & then query AD for the user’s details returning the email address to the original runbook.
If needed i can mail you the runbook export which would give you a starting point
Please note, there is the new “Application Approval Workflow” which can be downloaded here
http://www.microsoft.com/en-us/download/details.aspx?id=29687
I have not used this approach as it makes my users have to go to 2 different portals, the SCCM one as well as the SCSM (System Center Service Manager) & I wanted them to not have to many areas to go to.
We are also working on auto quoting workflow if the user does not have a license which would then be incorporated into the “CM Approval Mail” runbook & will give the SAM an extra option to select something like “No License”
Also, although there might be a lot of data similar to this it has been difficult to find a solution that helped us & many of my other colleagues get the complete solution like this allowing us to automate almost all of the process, even installing the application for us.
Thanks
I am not sure how many of you use the new feature in SCCM called “Application Catalog” to allow users to request & install software.
Well we have implemented it to control what software gets installed & allow us to get users to request software.
Now one problem we had with this was that we would never know that a user has requested an application for approval unless we constantly refreshed the “Approval Requests” tab in the SCCM console. This was a big issue for us as we needed our SAM to be notified when new requests were made & then to be able to approve without having to go into the console to approve.
This is the solution we came up with
Systems Used
• SCCM 2012 SP1
• Orchestrator 2012 SP1
• Visual Studio 2010
• HP Service Manager
• Active Directory
Thanks To the following people:
• For the integration into our HP system I thank our local HPSM guys
Chris.Visagie
• For providing the outline of the runbooks which contained the PowerShell scripts as well as an idea for the ASP.Net page.
Neil Peterson - http://blogs.technet.com/b/neilp/archive/2012/09/25/configuration-manager-application-request-notification-and-approval-solution.aspx
As you will see in my article I have changed the layout a bit to suit my needs & my environment.
• For providing the SCORCH IP’s
http://technet.microsoft.com/en-us/library/hh295851.aspx
Firstly what we did was import the needed IP’s into Orchestrator
• SC Configuration Manager IP
• Data Manipulation IP
• HP Service Manager
• Active Directory IP
Then we created the 3 needed Runbooks, as stated before you will get the same 3 from the above link provided by Neil but I have changed them a bit as follows:
• CM Gather Requests
Here I am running a SQL query to collect all the data on each request from the application catalog in SCCM made by users.
Then the next link would be to split the fields
We would then create link filters where we would let the respective “leg” of the runbook run according to the result from true or false on the query, so if there was a request equal to or less than 2 min then the “First Mail” would be fired off sending a mail to the software asset manager detailing the request.
Mail Body would be as below
The Software asset manager will get the following example mail where a link will be provided to the ASP page so that he can approve or deny the request.
Where they would then be taken to the following page after clicking on the link
I have set my runbook to run every 2 min as done by Neil but I have run it from the Task Scheduler using the Runbook command tool which you can find anywhere on the net.
So as you can see above the runbook will send another mail if the request has not been looked at by the SAM in 1 day & then it will auto deny the request after 10 days of no activity where it will invoke the next required runbook.
• CM Approval Mail
This runbook would be doing the call logging, letting the user know if their request has been approved as well as adding the machine to the SCCM collection for install if approved.
Initialize data inputted from the ASP.Net page that was filled in by the SAM
You would then run the below activity that would run the PowerShell script to approve or deny the request & this entry would be taken from the “Initialize data”
I then gather data about the specific request to get the details of the user as well as the application.
If the request has been approved it will follow my link filters & automatically log a call in HPSM for the requesting user as well as add the user’s computer to the respective SCCM collection, update the machine policy as well as run an application eval cycle.
The Following Activity will add the requesting users machine to the SCCM collection that was collected from the "Gather Data about the request"
The "Update Machine Policy" client action activity will then be run to force the client to look for any new/updated policies.
Next the "Application Deployment Evaluation" client activity will be run so that the agent can get the notification that an application is ready to be installed.
This will then fire off the application install automatically & will start the setup of the requested application.
You will notice that in this runbook is the “Get Email Address” runbook invoke
This would run the next required runbook which would get the requesting users email address & then send them a mail letting them know if the SAM approved or denied their request & what the reason was.
• Get Emails
This would get the username from the “Gather data about the request” & then split the domain field & then query AD for the user’s details returning the email address to the original runbook.
If needed i can mail you the runbook export which would give you a starting point
Please note, there is the new “Application Approval Workflow” which can be downloaded here
http://www.microsoft.com/en-us/download/details.aspx?id=29687
I have not used this approach as it makes my users have to go to 2 different portals, the SCCM one as well as the SCSM (System Center Service Manager) & I wanted them to not have to many areas to go to.
We are also working on auto quoting workflow if the user does not have a license which would then be incorporated into the “CM Approval Mail” runbook & will give the SAM an extra option to select something like “No License”
Also, although there might be a lot of data similar to this it has been difficult to find a solution that helped us & many of my other colleagues get the complete solution like this allowing us to automate almost all of the process, even installing the application for us.
Thanks
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (2)
Commented:
Have you finished the "We are also working on auto quoting workflow if the user does not have a license which would then be incorporated into the “CM Approval Mail” runbook & will give the SAM an extra option to select something like “No License”?
I'm working on creating one like this as well and I wanted to know if you have completed it and if I can borrow the code?
I want to also add the "Optional Reference" field in the application to signify if the application requires a license or not. Thoughts?
James
Author
Commented:Sorry for the late reply, it has been madness :)
I have not had a chance to get going with the Application Approval work flow because I have been focusing on some other urgent requirements that were needed like New Infrastructure Requests/Quotes, New Drive Backup Requests, Telephone Requests and now currently New Desktop/Laptop and personal Equipment requests.
Now all of the above work from a custom web page where the user inputs their details and either gets the quote directly on the page dynamically or requests the quote from our Facilities team and then gets the quote back for approval before order. Really very cool, and the back end is all SCSM, Orchestrator and some custom DB's :)
What I was thinking about is looking at taking our local DB which our software asset manager currently looks at and then every time there is a request for an application then I reference that DB and if they are not found then it would send them a link or a price for that requested application where they would either use the link to say approve and be required to fill in a form with their cost code and so on and then only approved afterwards.
I have so many ideas on it but it is just to get it going, I know this doesn't help you much right now but if you would like more help or ideas let me know and I would be more than willing to help anytime, it might be a little delayed but I will always reply :)
If I get this quoting going for the application approval I will most definitely share this with you.
Let me know
Thanks