As System Center Configuration Manager 2012 is now available in Release Candidate, I decided to test some of the new functionality of the product.

One of the features that caught my eye is Software Approval.

How it works:

When the user launches the Application Center (the new Silverlight-based ‘Run Advertised Program’), he gets the usual available programs for the machine.

But at the top of the page, the user can click on the link to the Application Catalog.

By clicking on the link, the user is redirected to the Application Catalog.

The view is divided into three tabs:

The application catalog itself, where administrators can publish available software (whether it is directly available for user install or can be requested for future install).

The ‘My application Requests’ tab lists the requests made by the user and the current state of approval.

The ‘My Devices’ tab lists the devices linked to the user (there are different ways to do this, one being to let the user decide if the current device is his primary one).

If the user requests a software that does not require approval, the software can be directly installed.

If, on the other hand, the requested application has been marked as ‘Request Approval’, the installation will not occur at once, but only when the approval process has been completed. Even then, the user will have to go back to the tab to install it; it won’t be automatic.

From the administrator’s point of view, this is a very convenient way of managing freely available software (file viewers, optional software, etc.), or of making users aware of the list of company-approved software available.

Indeed, in the application catalog, you do not just find the default application display name but you can define software attributes and link to external content or your company web site for additional information.

You could for instance make different versions of a software suite available to the client, explaining the differences between the versions and the price tag, then let the user request the software but not install it directly. This guarantees that users don’t install non-approved software.

When the user wants to request the software he is prompted with additional information, basically the reason why he needs the application.

Note that the user can Cancel a request while approval is pending.

Behind the scenes

As soon as the user requests the application, it will appear within the Sccm Console under Approval Requests. The administrator or any delegate with proper privileges can approve the software request from the user (only) directly from the console.

Good, you think? Think again! While in a small company a couple of persons could authorize software for everybody, imagine how you would manage hundreds of requests per week…

The issues:

The first thing that comes to mind is: ‘How am I going to notice that there is a software request from a user?’ Indeed, there is (afaik) no alerting based on new requests.

Once you notice the request, another problem is to contact the person in charge of the department or purchasing in order to confirm that the request can be fulfilled.

Finally, if the request is granted or rejected, there is no obvious way for the user to know it, except by checking his requests regularly from the client.

Finally, the view is not filtered by RBAC, so you don’t have a way to filter what software each approver will be able to approve based on collection membership.

Let’s try to improve the process…

While Sccm 2012 general availability should be announced at MMS 2012, in fact the whole System Center suite will get updated. (Scom, Scsm, Orchestrator, Scvmm…).

I decided to install Orchestrator 2012 in order to see if it could help with this kind of problem. Being presented as a Datacenter Automation tool, I guessed it would at least be able to solve this little problem.

I don’t have much experience with Opalis/Orchestrator, so I won’t go into details on how to install or configure the server. Just note that Orchestrator runs Actions that you define through runbooks. It is a kind of workflow for your enterprise management.

All data is here: the Database

The basic way of getting alerts when new requests are submitted would be to monitor the Sccm database for unfulfilled requests.

The table where the requests are stored is v_UserAppRequests.

Note that the requests have a state of 1 until they are accepted (the state then changes to 4; rejected requests get a state of 3).

In the same table, you get the requesting user, the computer on which the request has been done as well as the application name and request id.

That is what our first Orchestrator Query will monitor (you can schedule how frequently the query will run).

This query will return all requests that are neither approved nor rejected.

The second query will check if the user requesting the application is a primary user in User Device Affinity (this means that the person who needs to approve the software install will know if the target machine is the requestor’s primary computer or not).

The Sccm table that contains the information is vUsersPrimaryMachines (it contains only IDs, so we also need to find the user name linked to the ID).

Once we know what software has been requested, on which computer and by whom, we just need to contact the right person for the approval.

In this example, I can send a message to both a fixed email address (Helpdesk for instance) and the Manager of the user if defined in Active Directory.

We start with a ‘.Net Action’: PowerShell script.

You need to load the AD module of PowerShell.

Get the name of the requestor that we got from the first db request.

Since the account is in the format domain\user, change it to a samaccountname format in order to query AD to find the Manager attribute of the user.

The script also queries the email address of the Manager (note: not visible up here).
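The lookup steps above, written out as an added example (this is not the original runbook script). The function name `Get-ApprovalRecipient`, its parameter names, the helpdesk address and the sample account are hypothetical placeholders; only the ActiveDirectory module cmdlets are real.

```powershell
# Added example, not the original runbook script. The function name, parameter
# names and the helpdesk address are hypothetical placeholders.
Import-Module ActiveDirectory

function Get-ApprovalRecipient {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Requestor,                                  # DOMAIN\user value from the first query
        [string] $HelpdeskAddress = 'helpdesk@example.com'    # fixed recipient (placeholder)
    )

    # Strip the domain prefix: AD is queried by sAMAccountName, not DOMAIN\user.
    $sam = ($Requestor -split '\\')[-1].Trim()
    if ([string]::IsNullOrEmpty($sam)) {
        throw "Cannot derive a sAMAccountName from '$Requestor'."
    }

    # The helpdesk always gets the request, so a missing manager never drops it.
    $recipients  = @($HelpdeskAddress)
    $managerMail = $null

    try {
        # -Identity takes the value literally, so nothing coming from the
        # database ends up inside an LDAP filter string.
        $user = Get-ADUser -Identity $sam -Properties Manager -ErrorAction Stop

        if ($user.Manager) {
            # Manager holds a distinguished name; resolve it to a mail address.
            $manager = Get-ADUser -Identity $user.Manager -Properties EmailAddress -ErrorAction Stop
            if ($manager.EmailAddress) {
                $managerMail = $manager.EmailAddress
                $recipients += $managerMail
            }
        }
    }
    catch {
        Write-Warning "AD lookup failed for '$sam': $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Requestor      = $Requestor
        SamAccountName = $sam
        ManagerMail    = $managerMail
        Recipients     = $recipients
    }
}

Get-ApprovalRecipient -Requestor 'CONTOSO\jdoe'   # constructed sample value
```

The account running the runbook only needs read access to the `Manager` and `mail` attributes for this step.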

Wrap it all together:

Finally a mail is sent with the appropriate information:

Since Orchestrator is very flexible, you can also directly open a call in your ticketing application so that a proper ITIL-based workflow is launched, and get back the result of the approval via the same path before updating the Sccm database and closing the ticket once the software is installed.

Note that SC Service Manager 2012 has native connectors to Orchestrator, Scom and Sccm, and the level of automation for this kind of workflow is simply amazing.

(see link: http://technet.microsoft.com/en-us/edge/Video/ff711330)

Update:

I received today a Solutions Accelerators mail mentioning that there would be a tool for this named “Application Approval Workflow tool”. I will keep you posted as I guess this will make the approval process much more simple for enterprises that don’t use Orchestrator and SCSM. (I was wrong on this one, see below)

Update 2: While the Solution Accelerator is now in Beta, it in fact requires both Scsm and Orchestrator, which means it will help you get to the level of interaction you can see in the linked video, but you still need Sccm, Scsm and Orchestrator to make it work.

Update 3: Coretech provides a tool to do this and it seems to be free. Have a look if you need the functionality and miss the components: http://blog.coretech.dk/kea/coretech-application-e-mail-approval-tool/
