ConfigMgr Application Approval via Email

ConfigMgr 1810 introduced the feature to receive email-based notifications for application approval requests.

Here's a step-by-step walkthrough of configuring the flow: a user requests an application, and an email is sent to the application approver to either approve or deny the request.

Prerequisites

  • Turn on the Feature "Approve application requests for users per device"

Configure Email Notification

  • Go to Monitoring > Overview > Alerts > Subscription
  • Click on Configure Email Notification from the ribbon menu.

  • Populate the SMTP server information and port. For Office 365 EXO, use smtp.office365.com with port 587.
  • Specify a connection account.
  • Specify the sender email address for the notification.

Use the Test SMTP Server button to send a test email for validation. Refer to NotiCtrl.log for troubleshooting.

Access SMS Provider over Internet

You may want the approve/deny workflow to work even outside the corporate network. It's now possible to access WMI over HTTPS via CMG, leveraging the ARM model with AAD User Discovery enabled.

  • On your ConfigMgr console go to Administration > Site Configuration > Servers and Site System Roles
  • Select the Server holding SMS Provider Role. [If unsure, check the Site Properties to confirm]
  • Go to the Properties of SMS Provider and check the box Allow Configuration Manager cloud management gateway traffic for administration service.

  • Back in ConfigMgr console go to Administration > Cloud Services > Azure Services
  • Select the Cloud Management Azure Service and go to its Properties > Applications tab.
  • Make a note of the Native Client App

  • Click the Discovery tab to ensure AAD User discovery is enabled.
  • Back in ConfigMgr console go to Administration > Cloud Services > Cloud Management Gateway
  • Make a note of the CMG Service Name

  • Go to the Azure portal, select Azure Active Directory, and then select App registrations. You may need to click View all applications.

  • Search for the Native Client App you noted from ConfigMgr console.

  • Click to open the app and select Settings

  • From the Settings blade select Redirect URIs.

  • In the Redirect URIs blade, paste in the following path: https://<CMG FQDN>/CCM_Proxy_ServerAuth/ImplicitAuth

    [Replace <CMG FQDN> with the CMG Service Name you noted from the ConfigMgr console. ]

  • Click Save. Close the Settings pane.

  • In the app properties, select Manifest.

  • In the Edit manifest blade, find the oauth2AllowImplicitFlow property.

  • Change its value to true. For example, the entire line should look like the following line: "oauth2AllowImplicitFlow": true,

  • Select Save.
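
A check to run against the manifest after saving it, as an added example (not from the original post or from Microsoft's tooling): tokens issued through the implicit flow are delivered to a registered redirect URI, so the script confirms the only web redirect URI is the HTTPS ImplicitAuth path on your CMG. The manifest keys replyUrls and replyUrlsWithType, the placeholder host cmg.example.com and the sample manifests are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Redirect path from the page; the host is your CMG Service Name.
CMG_REDIRECT_PATH = "/CCM_Proxy_ServerAuth/ImplicitAuth"

def audit_manifest(manifest_text, cmg_fqdn):
    """Return findings for an exported app manifest (empty list = as configured on the page)."""
    manifest = json.loads(manifest_text)
    cmg_fqdn = cmg_fqdn.lower()
    findings = []
    if manifest.get("oauth2AllowImplicitFlow") is not True:
        findings.append("oauth2AllowImplicitFlow is not true")
    # Assumption: redirect URIs are stored under replyUrls and/or replyUrlsWithType.
    urls = list(manifest.get("replyUrls") or [])
    urls += [e.get("url", "") for e in manifest.get("replyUrlsWithType") or []]
    found_expected = False
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # native-client schemes are out of scope for this check
        host = (parts.hostname or "").lower()
        if "*" in url:
            findings.append(f"wildcard redirect URI: {url}")
        elif parts.scheme == "http":
            findings.append(f"redirect URI is not HTTPS: {url}")
        elif host == cmg_fqdn and parts.path == CMG_REDIRECT_PATH:
            found_expected = True
        else:
            findings.append(f"unexpected web redirect URI, review: {url}")
    if not found_expected:
        findings.append(f"missing https://{cmg_fqdn}{CMG_REDIRECT_PATH}")
    return findings

# Constructed sample manifests; cmg.example.com is a placeholder CMG Service Name.
GOOD = json.dumps({
    "oauth2AllowImplicitFlow": True,
    "replyUrls": ["https://cmg.example.com/CCM_Proxy_ServerAuth/ImplicitAuth",
                  "ms-appx-web://placeholder/native"],
})
BAD = json.dumps({
    "oauth2AllowImplicitFlow": True,
    "replyUrls": ["http://cmg.example.com/CCM_Proxy_ServerAuth/ImplicitAuth",
                  "https://other.example.net/CCM_Proxy_ServerAuth/ImplicitAuth"],
})

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_manifest(text, "cmg.example.com") or "no findings")
```
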

Deploy Application

Now it's time to deploy your desired application to a User Group.

  • Check the box An administrator must approve a request for this application on the device.
  • You can also specify the email address of the application owner or approver. This can be unique for each application and supports multiple email addresses.

From here, the user requests the application from Software Center.

The approver receives the email notification to Approve/Deny.

When I hover over the approve link, it points to my CMG to access the SMS Provider over Internet.

The application is automatically installed, and the requestor doesn't need to take any action! However, for a decline, the user isn't notified and has to check Software Center.

Thanks,

Arnab Mitra