Realtime Software Deployment with ConfigMgr

Did you know that ConfigMgr is able to assign and deploy Software in Real-Time to a device? No need to sync AD Groups, update Collection Memberships, update the Device/User Policy...

All this "Magic" is part of Software Approval enhancements from Build 1806 (and the last few releases).

Source: https://cloudblogs.microsoft.com/enterprisemobility/2018/08/30/updates-to-the-application-approval-process-in-configuration-manager/…

To be honest, I was never a big Fan of "Software Approval" as ConfigMgr is not a real Service-Management tool and the functionality is very limited. In real life, most companies already have a solution to offer Self-Service requests, with approval workflows based on the organizational structure, application owners etc.

But all these external Service-Management tools must talk with ConfigMgr to assign (or remove) software based on the Software-Request. As a result, most companies ended up creating hundreds of collections just to install or uninstall specific software on devices.

And that's where the "new" Software Approval features can bring some enhancements...

Enforced Install/Uninstall

With CB1806 (have not tested it with a previous version), you can create an "Approved Request" on your Site to automatically install or remove the targeted Application for a User on a specific Device.

Once you have created such an "Approved-Request", the installation is enforced immediately; if you Decline an existing request, the application is uninstalled as soon as possible...

Requirements

There must be an available, user-targeted deployment for the application, so the user can see the Application in Software Center. It does not matter if approval is required or not.

If you don't want users to see the Software, there is a new option in the Client-Settings where you can hide unapproved applications in Software Center. In this case, you must enable approval on the deployment and the user will not be able to see the Software in Software Center.

There is currently no UI available to create such a request from the Console; you must call the WMI method CreateApprovedRequest, which is located in the class:
\\<Server>\ROOT\SMS\site_<SiteCode>:SMS_UserApplicationRequest

As input parameters, you need the following information to generate a CreateApprovedRequest:

  • ApplicationId - string
    • Example: "ScopeId_1831662F-9DA8-44D4-9EFD-637CC6E3DFE2/Application_a92e5d53-960a-47fc-9c83-d23e8ac83b7f"
  • (Optional) AutoInstall - boolean
    • Default: true
  • ClientGUID - string
    • Example: "GUID:FECB96F8-96F5-4777-B87F-95CBE3485512"
  • (Optional) Comments - string
  • Username - string
    • Example: myDomain\roger.zander

Use Case

Instead of creating direct-Membership Rules in Collections, or using query based device collections depending on AD Group memberships, your external Service-Management Tool "just" has to generate a CreateApprovedRequest on your Site Server and you no longer have to wait for AD Sync, Device Collection evaluations and Policy refresh cycles on the client. It just starts installing the requested application… No need to create an "Install" and "Uninstall" collection for every application.

I'm looking forward and hope this approach will help to simplify ConfigMgr collection structures in the future...

Limitations

As this is a new way to assign Software, there are some challenges in the current implementation (CB 1806):

  • No UI available to create ApprovedRequests
  • You need to know ConfigMgr internal IDs like ApplicationID and ClientGUID. Therefore, you will have to write logic to translate the key values from Service-Requests (e.g. Application-Name or Asset-ID) into ConfigMgr values.
  • There is no (official) way to clean up or remove "Approval Requests"
  • Enforced installation only triggers if deployment already exists when creating an ApprovedRequest
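
The call described under "Requirements", together with the name-to-ID translation listed under "Limitations", as an added example (not code from the original post or from Microsoft). The function name New-CMApprovedRequest and the input patterns are hypothetical, and it assumes that SMS_Application.ModelName supplies the ApplicationId and SMS_R_System.SMSUniqueIdentifier supplies the ClientGUID, based on the example formats shown above.

```powershell
function New-CMApprovedRequest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SiteServer,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')][string]$SiteCode,
        # Values coming from the Service-Management tool are untrusted: the patterns
        # below (assumed naming rules) reject quotes and backslashes, so a value
        # cannot break out of the WQL string literal it is placed in.
        [Parameter(Mandatory)][ValidatePattern('^[\w .()+-]{1,128}$')][string]$ApplicationName,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$DeviceName,
        [Parameter(Mandatory)][ValidatePattern('^[\w.-]+\\[\w.-]+$')][string]$Username,
        [string]$Comments = '',
        [bool]$AutoInstall = $true
    )

    $cim = @{
        ComputerName = $SiteServer
        Namespace    = "root\SMS\site_$SiteCode"
        ErrorAction  = 'Stop'
    }

    # Translate the Service-Request values into ConfigMgr internal IDs.
    $app = @(Get-CimInstance @cim -Query ("SELECT ModelName FROM SMS_Application " +
            "WHERE LocalizedDisplayName = '$ApplicationName' AND IsLatest = 1"))
    $dev = @(Get-CimInstance @cim -Query ("SELECT SMSUniqueIdentifier FROM SMS_R_System " +
            "WHERE Name = '$DeviceName'"))

    # The request enforces an installation, so refuse missing or ambiguous matches
    # instead of picking the first result.
    if ($app.Count -ne 1) { throw "Expected 1 application named '$ApplicationName', found $($app.Count)." }
    if ($dev.Count -ne 1) { throw "Expected 1 device named '$DeviceName', found $($dev.Count)." }

    # Parameter names as listed in the post.
    $arguments = @{
        ApplicationId = $app[0].ModelName
        AutoInstall   = $AutoInstall
        ClientGUID    = $dev[0].SMSUniqueIdentifier
        Comments      = $Comments
        Username      = $Username
    }

    # -WhatIf shows the target without creating the request.
    if ($PSCmdlet.ShouldProcess("$DeviceName / $Username", "CreateApprovedRequest for '$ApplicationName'")) {
        Invoke-CimMethod @cim -ClassName SMS_UserApplicationRequest `
            -MethodName CreateApprovedRequest -Arguments $arguments
    }
}
```

Run it with -WhatIf first to confirm the resolved device and user before a request is actually created.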