Application Approvals

The ability to control and manage licensed software is always a priority for software deployment. Configuration Manager has a built-in mechanism to facilitate the approval process.

Classic Method

The classic method does not use the built-in Configuration Manager approval process. Create a user or device collection and deploy the software to the collection. Use an approval process outside of Configuration Manager. When approved, add the user or device to the appropriate collection. Once the collection membership updates, Software Center lists the software as available for installation. The user/device can be added to the collection by:

  • Direct membership in the console
  • Direct membership with a PowerShell cmdlet Add-CMDeviceCollectionDirectMembershipRule or Add-CMUserCollectionDirectMembershipRule
  • Add the user/device to an Active Directory group the collection is based on (Adam Gross has a blog post on this approach.)

The limitations of this method are:

  • If deploying to the user, they can install the software on any device they sign in to.
  • There is more processing required for collection evaluation.
  • The software is not removed from the device when removed from the collection.

One positive aspect of this method is that it works on applications, packages, and task sequence objects.

Modern Methods

Use the built-in Configuration Manager approval process. The Configuration Manager team has continued to make this process more efficient and versatile. Configuration Manager version 1802 offered a new option, “approve application requests for users per device.” This setting eliminates the issue of a user installing approved software on more than one device: each device requires its own approval. Since this is a modern deployment method, the approval workflow only works with Application objects.

The approval workflow has several components:  deployment of the software, approval process, installation process, and removal process.

Deployment

No new collections are needed to deploy the software. Instead, use the built-in “All Users and User Groups” collection. For devices, use the “All Desktop and Server Clients” collection. If the software should not be installed on servers, create a new collection for “All Workstations” that excludes servers and use the “All Workstations” collection instead.

Determining whether to deploy to a user or device is the first step. If you deploy to a user, they are now limited to just one device. Depending on client settings, when deployed to a user, the application is listed in the Software Center application. Software Center never displays a device deployment that uses the approval workflow. Whether the application is displayed in Software Center for user approval workflows is controlled by a client setting.

There is a new client setting under the “Software Center” option that determines if user workflow approval software appears in Software Center. This option is available in the “customize” section. There is a checkbox to hide unapproved applications in the Software Center application. Checking this checkbox prevents the application from being listed.

When creating the deployment to a user or user group, there is an option on the Deployment Settings dialog box to require administrator approval. There is also the option to list an e-mail address for e-mail approval.

When deploying to a device collection, the option to add e-mail address for approval is not available.

Approval Process

There are three methods to approve software requests: Configuration Manager console, PowerShell, or e-mail. E-mail approval requires e-mail notification to be configured in the Monitoring / Alerts / Subscriptions workspace. See the full list of prerequisites below.

Request Approval – Software Center

When the Software Center application displays the software title, the user can select it to install, and the approval dialog box is displayed. The user can then enter an explanation of why they need the software and request approval.

Once they request approval, the Request History dialog box is displayed. Users can check the status of the request at any time by selecting the software title in the Software Center application.

Approve the request

Now for the approval. For deployments not configured with e-mail approval, two approval methods are available. The first method is to approve in the Configuration Manager console.

To approve in the console, open the console and browse to the Software Library\Application Management\Application Request workspace. Once there, select the approval request and approve or deny it.

To see the details of the request, select Properties from the ribbon.

Click on the approve or deny button on the ribbon.

The appropriate application requests dialog box is displayed. If desired, enter a comment.

Approve using the PowerShell cmdlet. First find the approval request.

Get-CMApprovalRequest -CurrentState Requested
SmsProviderObjectPath : SMS_UserApplicationRequest.RequestGuid="6B101EDB-162D-46BD-8534-76B414455EAE"
Application           : Microsoft Edge Dev
CI_UniqueID           : ScopeId_EC50924B-AE13-4D0B-B92C-F0950EB076D0/Application_8a0aad8d-ad7e-4287-b185-025768fb0228/2
Comments              : I need to use the app on my second computer
CurrentState          : 1
LastModifiedBy        : dawniverselab\test1
LastModifiedDate      : 9/1/2019 4:07:19 PM
ModelName             : ScopeId_EC50924B-AE13-4D0B-B92C-F0950EB076D0/Application_8a0aad8d-ad7e-4287-b185-025768fb0228
RequestedMachine      : PC0001
RequestGuid           : 6B101EDB-162D-46BD-8534-76B414455EAE
RequestHistory        :
User                  : dawniverselab\test1
UserSid               :

Next, approve or deny the request.

Approve-CMApprovalRequest -RequestGuid '6B101EDB-162D-46BD-8534-76B414455EAE' -Comment 'I approve the application'

Deny-CMApprovalRequest -RequestGuid '6B101EDB-162D-46BD-8534-76B414455EAE' -Comment 'I deny the application'

You can view the status of the request with:

Get-CMApprovalRequest -RequestGuid '6B101EDB-162D-46BD-8534-76B414455EAE'

SmsProviderObjectPath : SMS_UserApplicationRequest.RequestGuid="6B101EDB-162D-46BD-8534-76B414455EAE"
Application           : Microsoft Edge Dev
CI_UniqueID           : ScopeId_EC50924B-AE13-4D0B-B92C-F0950EB076D0/Application_8a0aad8d-ad7e-4287-b185-025768fb0228/2
Comments              : I approve the applicaiotn
CurrentState          : 4
LastModifiedBy        : dawniverselab\cm_admin
LastModifiedDate      : 9/1/2019 4:23:41 PM
ModelName             : ScopeId_EC50924B-AE13-4D0B-B92C-F0950EB076D0/Application_8a0aad8d-ad7e-4287-b185-025768fb0228
RequestedMachine      : PC0001
RequestGuid           : 6B101EDB-162D-46BD-8534-76B414455EAE
RequestHistory        :
User                  : dawniverselab\test1
UserSid               :

You can also view the status in the console.

As of Configuration Manager 1810, the third method is e-mail. Supplying an e-mail address in the deployment allows Configuration Manager to send an e-mail to the specified address. From this e-mail, the recipient can approve or deny the request. Be careful with the e-mail notification: approval is not tied to the original recipient, so anyone who holds the message can approve the request, and a forwarded message lets its recipient approve it too.
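Because an e-mailed approval can be acted on by whoever holds the message, it is worth reviewing who actually approved what. The script below is an added example, not code from the original post: it lists approved requests whose approver is not on an allow-list, that carry no comment, or where the requester and approver are the same account. It assumes the ConfigurationManager module is loaded and the current location is the site drive; the approver allow-list is a constructed placeholder.

```powershell
# Added example: review approved application requests for anomalies.
# Assumes the ConfigurationManager PowerShell module is imported and the
# current location is the site drive (for example "P01:").
# Constructed placeholder: the accounts expected to approve requests.
$ExpectedApprovers = @('dawniverselab\cm_admin')

function Get-SuspiciousApprovals {
    param([string[]] $Approvers = $ExpectedApprovers)

    # CurrentState 4 = Approved (the same value the post's SQL query maps)
    $approved = Get-CMApprovalRequest | Where-Object { $_.CurrentState -eq 4 }

    foreach ($r in $approved) {
        $reasons = @()
        if ($Approvers -notcontains $r.LastModifiedBy) {
            $reasons += "approved by unexpected account '$($r.LastModifiedBy)'"
        }
        if ([string]::IsNullOrWhiteSpace($r.Comments)) {
            $reasons += 'no approval comment recorded'
        }
        if ($r.LastModifiedBy -ieq $r.User) {
            $reasons += 'requester approved their own request'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                RequestGuid = $r.RequestGuid
                Application = $r.Application
                User        = $r.User
                Device      = $r.RequestedMachine
                ApprovedBy  = $r.LastModifiedBy
                ApprovedAt  = $r.LastModifiedDate
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Print the findings; pipe to Export-Csv to keep a record for later review
Get-SuspiciousApprovals | Format-Table -AutoSize
```

What LastModifiedBy records for an approval made through the e-mail link depends on your site configuration, so check a known e-mail approval first and adjust the allow-list accordingly.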

As with all good things, there are prerequisites to using the e-mail approval process. To approve the request on the internal network, use the list below, which is a direct cut and paste from Microsoft documentation.

  • Enable the optional feature Approve application requests for users per device.
  • Configure email notification for alerts.
  • Enable the SMS Provider to use a certificate. Use one of the following options:
    • Enable Enhanced HTTP (recommended)
    • Manually bind a PKI-based certificate to port 443 in IIS on the server that hosts the SMS Provider role

Approving from Internet locations requires a few more steps. See the Microsoft documentation for detailed instructions.

  • Enable the SMS Provider administration service through the cloud management gateway
  • Cloud Management Gateway
  • In Azure Services for Cloud Management Gateway, modify the redirect URIs and change oauth2AllowImplicitFlow to True.

Below are examples of the e-mail request and the response received on submission.

What about approving software not listed in Software Center

As mentioned above, if the client setting “Hide unapproved applications in Software Center” is checked, or if you are deploying to a device, the application is not displayed in the Software Center application. There are WMI and PowerShell commands that allow other software applications, such as ServiceNow, to initiate the approval process.

Use PowerShell or another programming language to create the approval request. The approval request is created using the WMI method “CreateApprovedRequest”. This WMI method can only be called once for each unique combination of client, user name, and application ID. The “CreateApprovedRequest” method has the following input parameters:

  • ClientGUID – Unique identifier of the client
  • Username – Unique username of the user, for example, domain\userid
  • ApplicationID – the Model name of the application
  • Comments – Optional value
  • AutoInstall – Optional value, the default is True

Yvette O’Meally’s blog “Updates to the application approval process in Configuration Manager” provided the starting point for the script below, which creates the approval request for a specific machine, user, and application. I named the script Create-ApprovalRequest.ps1

[CmdletBinding()]
Param (
    [Parameter(Mandatory=$true)] [string] $AppName,
    [Parameter(Mandatory=$true)] [string] $MachineName,
    [Parameter(Mandatory=$true)] [string] $UserName,
    # Declared as [bool], not [string], so -AutoInstall $false reaches WMI as a real boolean
    [Parameter(Mandatory=$false)] [bool] $AutoInstall = $true,
    [Parameter(Mandatory=$false)] [string] $Comments = ''
)

Process {
    # Locate the SMS Provider namespace for this site
    $scObj = Get-WmiObject -Namespace root\sms -Query 'select SiteCode from sms_providerlocation'
    $sitecode = $scObj.SiteCode
    $namespace = "root\sms\site_" + $sitecode

    # Resolve the client GUID of the target device and the model name of the latest application revision
    $clientGuid = (Get-WmiObject -Namespace $namespace -Query "SELECT SMSUniqueIdentifier FROM SMS_R_SYSTEM WHERE Name = '$MachineName'").SMSUniqueIdentifier
    $AppID = (Get-WmiObject -Namespace $namespace -Query "SELECT ModelName FROM SMS_application WHERE LocalizedDisplayName = '$AppName' and IsLatest = 'True'").ModelName
    if (-not $clientGuid) { throw "Device '$MachineName' not found in SMS_R_System" }
    if (-not $AppID) { throw "Application '$AppName' not found in SMS_Application" }

    # Invoke-WmiMethod passes -ArgumentList in alphabetical parameter order:
    # ApplicationID, AutoInstall, ClientGUID, Comments, Username
    Invoke-WmiMethod -Path "SMS_UserApplicationRequest" -Namespace $namespace -Name CreateApprovedRequest -ArgumentList @($AppID, $AutoInstall, $clientGuid, $Comments, $UserName)
}

Run the script:

.\Create-ApprovalRequest.ps1 -AppName 'Microsoft Edge Dev' -MachineName PC0002 -UserName 'dawniverselab\test2' -Comments "This is a test approval" -AutoInstall $false

The execution of the PowerShell script created the approval request and performed the approval all in one step. The Configuration Manager console contains this approval request the same as it would if created from the Software Center application.

Installation process

Upon approval, the device automatically installs the application. The screen prints below show the request status and the installation of the software in the AppEnforce.log file.

Removal process

Approving software and having it install automatically has been great. However, what if the user switches positions and no longer needs the software? I do not want it installed on his device any longer. Well, if you are running Configuration Manager version 1806, you are in luck. With version 1806, when you deny the software either in the console or via PowerShell, the software is automatically removed from the device.

In one of the examples above, user “test1” requested “Microsoft Edge Dev” on device “PC0001”. The user no longer needs the software. Change the request status from Approved to Denied in the console, and the Configuration Manager client removes the software from the device. Review the AppEnforce.log file extract.
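The same removal can be driven from PowerShell for a user who has changed role. The function below is an added example, not code from the original post: it finds every approved request for the given user, denies each one with a comment so the client uninstalls the software, and supports -WhatIf for a dry run. It assumes the ConfigurationManager module is loaded and the current location is the site drive; the user name and reason text are constructed sample values.

```powershell
# Added example: deny all approved requests of a user so the client removes the software.
# Assumes the ConfigurationManager module is imported and the current location is the
# site drive. Requires Configuration Manager 1806 or later for the automatic removal.
function Revoke-UserAppApprovals {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $UserName,
        # Constructed sample comment; it is recorded on the request for later review
        [string] $Reason = 'User changed role; software no longer required'
    )

    # CurrentState 4 = Approved; compare the requester name case-insensitively
    $approved = Get-CMApprovalRequest |
        Where-Object { $_.CurrentState -eq 4 -and $_.User -ieq $UserName }

    if (-not $approved) {
        Write-Verbose "No approved requests found for $UserName"
        return
    }

    foreach ($r in $approved) {
        $target = "$($r.Application) on $($r.RequestedMachine) for $($r.User)"
        if ($PSCmdlet.ShouldProcess($target, 'Deny approval request')) {
            # Denying an approved request triggers removal on the device (1806+)
            Deny-CMApprovalRequest -RequestGuid $r.RequestGuid -Comment $Reason
            [pscustomobject]@{
                RequestGuid = $r.RequestGuid
                Application = $r.Application
                Device      = $r.RequestedMachine
                Action      = 'Denied'
            }
        }
    }
}

# Dry run first to see what would be denied, then apply (constructed user name)
Revoke-UserAppApprovals -UserName 'dawniverselab\test1' -WhatIf
Revoke-UserAppApprovals -UserName 'dawniverselab\test1' -Verbose
```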

View the Status

There are four methods to view a request status:

  Method              Comments
  Software Center     Users view the status of their own requests.
  Config Mgr Console  Administrators view the status of all requests.
  PowerShell          The Get-CMApprovalRequest cmdlet can list information for a computer, user, application, or request status.
  SQL Query           The SQL view “V_UserAppRequests” stores information about the application request. The [UserApplicationRequestStates] table converts the “CurrentState” value to a user-friendly name. See the example below.

SELECT DisplayName, Unique_User_Name0, Netbios_Name0,
    CASE WHEN CurrentState = 1 THEN 'Requested'
         WHEN CurrentState = 2 THEN 'Canceled'
         WHEN CurrentState = 3 THEN 'Denied'
         WHEN CurrentState = 4 THEN 'Approved'
    END AS 'State',
    Comments, RequestGuid, LastChanged, LastChangedBy
FROM V_UserAppRequests
