SCCM 2012 Application Approval Process Problem
I am not sure how many of you use the new feature in SCCM called “Application Catalog” to allow users to request & install software.
Well, we have implemented it to control what software gets installed & to have users request software.
Now one problem we had with this was that we would never know that a user had requested an application for approval unless we constantly refreshed the “Approval Requests” tab in the SCCM console. This was a big issue for us, as we needed our SAM (software asset manager) to be notified when new requests were made & then to be able to approve them without having to go into the console.
This is the solution we came up with:
• SCCM 2012 SP1
• Orchestrator 2012 SP1
• Visual Studio 2010
• HP Service Manager
• Active Directory
Thanks to the following people:
• For the integration into our HP system, I thank our local HPSM guys.
• For providing the outline of the runbooks, which contained the PowerShell scripts as well as an idea for the ASP.Net page: Neil Peterson - http://blogs.technet.com/b/neilp/archive/2012/09/25/configuration-manager-application-request-notification-and-approval-solution.aspx
As you will see in my article, I have changed the layout a bit to suit my needs & my environment.
• For providing the SCORCH IPs (integration packs)
Firstly, we imported the needed IPs into Orchestrator:
• SC Configuration Manager IP
• Data Manipulation IP
• HP Service Manager
• Active Directory IP
Then we created the 3 needed runbooks. As stated before, you will get the same 3 from the above link provided by Neil, but I have changed them a bit as follows:
• CM Gather Requests
Here I am running a SQL query to collect all the data on each request from the application catalog in SCCM made by users.
The next link then splits the fields.
We then create link filters that let the respective “leg” of the runbook run according to a true or false result from the query. So if there is a request that is 2 min old or less, the “First Mail” is fired off, sending a mail to the software asset manager detailing the request.
Mail Body would be as below
The software asset manager will get the following example mail, where a link is provided to the ASP page so that he can approve or deny the request.
After clicking on the link, they are taken to the following page.
I have set my runbook to run every 2 min, as done by Neil, but I run it from the Task Scheduler using the Runbook command tool, which you can find anywhere on the net.
So, as you can see above, the runbook will send another mail if the request has not been looked at by the SAM in 1 day & it will then auto deny the request after 10 days of no activity, where it will invoke the next required runbook.
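The age-based routing described above, written out as a PowerShell function. This is an added example, not the runbook's own link filters: the function name, property names and sample rows are constructed, and it assumes the 1-day reminder should fire only in the polling pass in which the threshold is crossed.

```powershell
# Added example: route a pending request by its age, using the thresholds from the
# text (2 minutes, 1 day, 10 days). Function, property names and rows are constructed.
function Get-RequestAction {
    param(
        [Parameter(Mandatory = $true)][datetime]$Requested,    # when the user asked
        [Parameter(Mandatory = $true)][datetime]$Now,          # time of this polling pass
        [timespan]$PollInterval = [timespan]::FromMinutes(2)   # schedule from the text
    )
    $age = $Now - $Requested
    $day = [timespan]::FromDays(1)
    if ($age -lt [timespan]::Zero)         { return 'Ignore' }     # clock skew, request "in the future"
    if ($age -ge [timespan]::FromDays(10)) { return 'AutoDeny' }   # hand over to the approval runbook
    if ($age -le $PollInterval)            { return 'FirstMail' }
    # Match the 1-day mark for one polling window only, so the reminder goes out once.
    if ($age -ge $day -and $age -lt ($day + $PollInterval)) { return 'ReminderMail' }
    return 'Wait'
}

$now = [datetime]'2013-06-10T09:00:00'   # constructed "current" time
$pending = @(
    New-Object psobject -Property @{ User = 'CONTOSO\alice'; Requested = $now.AddSeconds(-90) }
    New-Object psobject -Property @{ User = 'CONTOSO\bob';   Requested = $now.AddHours(-5) }
    New-Object psobject -Property @{ User = 'CONTOSO\carol'; Requested = $now.AddDays(-1).AddSeconds(-30) }
    New-Object psobject -Property @{ User = 'CONTOSO\dave';  Requested = $now.AddDays(-11) }
)
foreach ($r in $pending) {
    '{0,-14} {1}' -f $r.User, (Get-RequestAction -Requested $r.Requested -Now $now)
}
```

If a scheduled pass is skipped, a one-window match can miss the reminder; recording that the reminder was sent is the sturdier alternative.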
• CM Approval Mail
This runbook would be doing the call logging, letting the user know if their request has been approved as well as adding the machine to the SCCM collection for install if approved.
The “Initialize Data” activity takes the input from the ASP.Net page that was filled in by the SAM.
You would then run the below activity, which runs the PowerShell script to approve or deny the request; this entry is taken from the “Initialize Data” activity.
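The approve or deny step with the page-supplied values checked before they reach the SMS provider. This is an added example, not the script from the runbook: it assumes the SMS_UserApplicationRequest WMI class with its Approve and Deny methods, a session that can reach the provider namespace, a placeholder site code XXX, and hypothetical function and parameter names.

```powershell
# Added example: approve or deny one request using values posted by the approval page.
# 'XXX' is a placeholder site code; function and parameter names are hypothetical.
function Set-RequestDecision {
    param(
        [Parameter(Mandatory = $true)][string]$RequestGuid,
        [Parameter(Mandatory = $true)][ValidateSet('Approve', 'Deny')][string]$Decision,
        [ValidateLength(0, 255)][string]$Comment = '',   # arbitrary sanity bound
        [string]$SiteCode = 'XXX'
    )
    # Parse the GUID so that only a well-formed value is placed in the WQL filter.
    try   { $guid = [guid]$RequestGuid }
    catch { throw 'RequestGuid is not a valid GUID.' }

    $request = Get-WmiObject -Namespace "root\sms\site_$SiteCode" `
        -Class SMS_UserApplicationRequest -Filter "RequestGuid = '$guid'"
    if (-not $request) { throw "No request found for $guid." }

    # CurrentState 1 means the request is still pending. Refusing anything else stops
    # an old mail link from changing a request that was already decided.
    if ($request.CurrentState -ne 1) {
        throw "Request $guid is not pending (CurrentState = $($request.CurrentState))."
    }

    if ($Decision -eq 'Approve') { [void]$request.Approve($Comment) }
    else                         { [void]$request.Deny($Comment) }

    # Return what was done so the runbook can publish it to the next activity.
    New-Object psobject -Property @{
        RequestGuid = "$guid"
        Decision    = $Decision
        User        = $request.User
        Application = $request.Application
    }
}

# Example call with a constructed GUID:
# Set-RequestDecision -RequestGuid '11111111-2222-3333-4444-555555555555' -Decision Deny -Comment 'No license'
```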
I then gather data about the specific request to get the details of the user as well as the application.
If the request has been approved it will follow my link filters & automatically log a call in HPSM for the requesting user as well as add the user’s computer to the respective SCCM collection, update the machine policy as well as run an application eval cycle.
The following activity will add the requesting user's machine to the SCCM collection that was collected from the "Gather Data about the request" activity.
The "Update Machine Policy" client action activity will then be run to force the client to look for any new/updated policies.
Next the "Application Deployment Evaluation" client activity will be run so that the agent can get the notification that an application is ready to be installed.
This will then fire off the application install automatically & will start the setup of the requested application.
You will notice that this runbook contains the “Get Email Address” runbook invoke.
This runs the next required runbook, which gets the requesting user's email address & then sends them a mail letting them know whether the SAM approved or denied their request & what the reason was.
• Get Emails
This would get the username from the “Gather data about the request” & then split the domain field & then query AD for the user’s details returning the email address to the original runbook.
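The lookup described above as a PowerShell function: split DOMAIN\user, escape the account name for use in an LDAP filter, then ask AD for the mail attribute. This is an added example, not the runbook's own activities: the function names and sample accounts are constructed, and it assumes the search runs against the caller's current domain.

```powershell
# Added example: resolve DOMAIN\user from the request data to an e-mail address.
# Function names and the sample accounts are constructed for illustration.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # Escape the characters that are reserved inside an LDAP filter value (RFC 4515).
    # The backslash is handled first so the escapes added afterwards are left alone.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Get-RequestorFilter {
    param([Parameter(Mandatory = $true)][string]$User)   # e.g. CONTOSO\jsmith
    $parts = $User -split '\\', 2
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "Expected DOMAIN\user, got '$User'."
    }
    $sam = ConvertTo-LdapFilterValue -Value $parts[1]
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
}

function Get-RequestorMail {
    param([Parameter(Mandatory = $true)][string]$User)
    # [adsisearcher] searches the current domain of the account running the runbook.
    $searcher = [adsisearcher](Get-RequestorFilter -User $User)
    [void]$searcher.PropertiesToLoad.Add('mail')
    $hit = $searcher.FindOne()
    if ($hit -and $hit.Properties['mail'].Count -gt 0) {
        return [string]$hit.Properties['mail'][0]
    }
    return $null   # no such user, or the account has no mail attribute
}

# Constructed accounts. Parentheses are legal in a sAMAccountName and would break
# an unescaped filter; this part runs without a domain controller.
'CONTOSO\jsmith', 'CONTOSO\j.smith(ext)' | ForEach-Object { Get-RequestorFilter -User $_ }
```

Get-RequestorMail returns $null rather than throwing when no address is found, so the calling runbook can decide whether to skip the user mail or raise an alert.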
If needed, I can mail you the runbook export, which would give you a starting point.
Please note, there is the new “Application Approval Workflow” which can be downloaded here
I have not used this approach as it makes my users have to go to 2 different portals, the SCCM one as well as the SCSM (System Center Service Manager) one, & I wanted them to not have too many areas to go to.
We are also working on an auto quoting workflow for when the user does not have a license, which would then be incorporated into the “CM Approval Mail” runbook & will give the SAM an extra option to select something like “No License”.
Also, although there might be a lot of data similar to this, it has been difficult to find a solution that helped us & many of my other colleagues get a complete solution like this, allowing us to automate almost all of the process, even installing the application for us.