My favorite feature in Systems Center 2012 Configuration Manager (Configuration Manager) is without a doubt the new and shiny self-service Application Catalog portal. The new Application Catalog feature is packed with benefits for both the application owner and the end user. As an IT department or Line of business (LOB) application owner, you can easily make all or some of your applications available to users via an internal web portal. As an end-user, if you need to obtain a new business application all you need to do is pay a visit to your company’s internal application portal, search or select the application you’re interested in and install it all by yourself.
However, Configuration Manager Application Catalog is not a free for all place where users can install any application they like. First, when end-users visit the application portal, they will only see those applications they’ve been granted explicit access to by the application owner. Second, for many reasons (licensing being one of them), corporations may require a manager’s approval before an end-user can install a particular application. This is where Configuration Manager Application Catalog’s approval workflow feature comes in.
If the application owner requires administrator or manager’s approval before a user can install a particular application, the user will be able to submit a request for approval directly from the application portal.
After submitting a request for approval using my lab, I quickly realized that, well I realized that nothing else happened. It was at that moment that I started pondering (just like you are now I am sure): If a user goes to the Configuration Manager Application Catalog portal and submits a request for approval but no one knows about it, did the request really happen?
You see, as of RC2, Configuration Manager has no ability to notify administrators/approvers when users submit requests for approval from the Application Catalog site. Firing up the Configuration Manager Console and navigating to the “Approval Requests” section is the only way to see and manage (approve/deny) user requests. See below.
Now, before you head out to find your pitch forks and shovels, you may want to consider that Configuration Manager provides a very handy API that allows developers to easily query the Application Catalog for new user requests. The bad news here is that there’s no built-in mechanism to notify administrators of new requests but the good news is that you can build your own and have it do anything you like. J
For instance, I was able to build a VB.NET Windows service that queries Configuration Manager at a configurable time interval and retrieves any new user requests.
To obtain the list of requests from Configuration Manager, you simply query the UserApplicationRequest class and retrieve all entries that have the CurrentState property set to 1.
The following sample WMI query retrieves all user requests from Configuration Manager 2012:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\SMS\site_P01")
Set colItems = objWMIService.ExecQuery( _
"SELECT * FROM SMS_UserApplicationRequest",,48)
For Each objItem in colItems
Wscript.Echo "SMS_UserApplicationRequest instance"
Wscript.Echo "Application: " & objItem.Application
Wscript.Echo "UniqueID: " & objItem.CI_UniqueID
Wscript.Echo "RequestGUID: " & objItem.RequestGUID
Wscript.Echo "CurrentState: " & objItem.CurrentState
Wscript.Echo "Comments: " & objItem.Comments
Wscript.Echo "ModelName: " & objItem.ModelName
Wscript.Echo "LastModifiedBy: " & objItem.LastModifiedBy
Wscript.Echo "LastModifiedDate: " & objItem.LastModifiedDate
Wscript.Echo "User: " & objItem.User
Wscript.Echo "RequestHistory: " & objItem.RequestHistory
Wscript.Echo "UserSid: " & objItem.UserSid
Once I have the list of user requests, all I need to do is send a notification email to the application approvers using the provided email address or Distribution List. Lastly, I store each Request GUID in a text file with today’s date so that approvers are notified only once-per-day.
After the approvers receive the notification email, they can fire up the Configuration Manager Console and approve or deny the user requests.
I know, I know. You’re thinking that now that you solved the email notification issue you still have to use Configuration Manager’s Console to manage these requests. You may also be thinking of creative ways to deploy the console across your organization to all your approvers and administrators. A daunting task, no doubt!
Luckily, once again, there’s no need to panic. Using the same API, you can create a custom (web) interface to allow approvers and admins the ability to manage user requests without having to rely on the Configuration Manager Console. However, that as they say, is a topic for another day and will be covered on my next blog post on the topic. For now, thank you for your time and I look forward to seeing you again soon.
This post was contributed by guest author Rafael Dominguez, a Senior Consultant with Microsoft Services USA specializing in Windows and Office deployment using Configuration Manager and Microsoft Deployment Toolkit