Configuration Manager Application Approval Engine - Detailed Documentation
Index:
Introduction:
Configuration Manager Application Approval Engine Overview:
CMAAE Portal Installation and Core Configuration:
Delegation:
Detection and Notification Overview:
Sample Detection and Notification Runbook:
Sample Detection and Notification PowerShell Script:
Post Approval Automaton Overview:
Sample Post Approval Automation Runbook:
Sample Post Approval Automation PowerShell Script:
Disclaimer:
The Configuration Manager Application Approval Engine is designed as a sample solution and is not intended for ‘out of the box’ use. Ensure that if using the CMAAE you have fully tested for compatibility and functionality within your environment. All source code is available for examination, use, and extension. No support is provided with the CMAAE sample. This sample solution is provide "as is" with no warrantees and confers no rights.
Introduction:
The following document contains detailed documentation for deploying and administering the Configuration Manager Application Approval Engine. In addition to this detailed documentation see the following items:
- Quick overview including demonstration and configuration videos – Link
- Download the CMAAE Sample Installer – Link
- View and Download the CMAAE Source code - Link
Configuration Manager Application Approval Engine Overview:
Problem: System Center Configuration Manager 2012 includes the ability to configure requested software to require an approval before being installed on the requesting user’s computer. This system however does not include an engine for providing notification of new or pending approvals, nor does the system allow for a streamlined approval process.
Solution: CMAAE Provide a simple and flexible solution for automating the Configuration Manager Application request notification and approval process. This solution has been created such that any automation tool can be used to drive the application approval process (PowerShell, System Center Orchestrator, or even VBScript / Managed code). Once implemented and configured, as new application requests are submitted through System Center Configuration Manager, notification emails are delivered which link to a very simple approval portal. This solution is fully extensible using common datacenter automation tools such as System Center Orchestrator or PowerShell.
The Configuration Manager Application Approval Engine process consists of three stages.
Stage 1 - Request Discovery and Notification:
During this stage Configuration Manager is monitored for new application requests. This monitoring is done via. a simple WMI query against a Configuration Manager provider and can be performed by any automation tool. Once a new application request has been discovered an email message is created with a specially crafted URL which links back to the Application Approval Portal. Included with the CMAAE download is a sample PowerShell script and Orchestrator Runbook that can be used for this purpose.
Stage 2 – Application Approval:
Once the application request email has arrived at the intended recipient, the URL is engaged which navigates to the Application Approval Engine portal. Here the recipient can approve or deny the specific request.
Stage 3 – Post Approval Automation:
CMAAE can be configured to execute post approval automation using either a System Center Orchestrator Runbook or a PowerShell script. This allows for flexible post approval automation such as delivering additional notifications or interacting with associated service requests. The CMAAE solution includes both a sample post approval Orchestrator Runbook and PowerShell script.
CMAAE Portal Installation and Core Configuration:
Prerequisites:
- Configuration Manager 2012 SP1 or R2
- IIS Instance to host Application Approval Engine (Detailed Below)
- Proper Delegation for Application Approval Engine (Detailed Below)
- Method for discovering new application requests (PowerShell and Orchestrator sample solution provided)
- Optional Post Approval automation (PowerShell and Orchestrator sample solution provided)
Prepare the Windows environment:
- Add the Web Server (IIS) Role.
- Add Security - Windows Authentication.
- Add Application Development – ASP.NET 4.5
- Add Management Tools – IIS 6 Management Compatibility and IIS 6 WMI Compatibility.
Install the Application Approval Engine:
- Execute the CMAAE setup MSI – this may require elevated privileges to execute
- During the installation, name the application virtual directory, CMAAE is selected by default
- Once Completed the CMAAE Portal is installed
- Support files and sample automations are found under the application installation directory
Post Deployment Configuration:
- Within the IIS management tool, navigate to the CMAAE application and then Authentication.
- Ensure that ASP.NET Impersonation and Windows Authentication are enabled and the remaining authentication methods are disabled (Figure 1)
- Navigate to the Application Settings for the CMAAE application and configure the following settings (Figure 2 and figure 3)
- SiteCode = CM Site Code
- SiteServer = CM Site Server or CM Provider
- siteTitle = the title you would like to appear on the CMAAE approval application
Figure 1:
Figure 2:
Figure 3:
This completes the core application configuration.
Delegation:
When the CMAAE application is installed on a server separate from a CM provider, a double hop / authentication issue will occur.
There are two methods for mitigating this occurrence.
Active Directory Delegation: Enable delegation for the computer hosting the CMAAE web application such as seen in the below image. The trusted computer in this case is the CM Site Server or other CM Provider.
Collocate the CMAAE Portal with a CM Provider: If configuring delegation for the web server is not an acceptable configuration, the CMAAE Portal can be collocated on a system with the Configuration Manager provider. In this configuration a second Configuration Provider would need to be deployed. Do not collocate the CMAAE portal on a Configuration Manager Site Server.
Detection and Notification Overview:
Before using the CMAAE portal a method must be engaged that will detect new application requests and provide notification of these requests. This can completed be any method, the only requirement being that the notification include a specially crafted URL specific to the detected application request.
URL Sample: https://CMAAEServer/VDir/?UID=<insert id>
Where UID = the application request unique id.
Included with the CMAAE sample automation is an Orchestrator Runbook and a PowerShell script which both provided detection and notification services.
Sample Detection and Notification Runbook:
Overview:
A sample detection and notification Runbook is delivered with the CMAAE installation package and can be found under the installation directory / Automation Samples.
The CMAAE Detection and Notification Sample Runbook runs on a configurable schedule (15 minutes by default) and checks the specified Configuration Manager Provider for new application requests. When a new application request is detected a notification email is sent which contains a link to the CMAAE approval portal. After a configurable amount of time if the application request has not been approved or denied, a second notification is sent. Finally after a second configurable amount of time if not approved or denied, the application request is auto denied and an email stating thus is delivered.
This sample Runbook is to be used as a guide and can be adjusted and or extended to fit any particular pre approval automation needs.
Configuration:
- Import CMAAE_DetectionAndNotification.ois_export into a System Center Orchestrator (no Orchestrator integration packs are necessary)
- Configure the Variables found under the App Approval Folder as per the provided descriptions.
- Start the Runbook
Sample Detection and Notification PowerShell Script:
Overview:
A sample detection and notification PowerShell script is delivered with the CMAAE installation package and can be found under the installation directory / Automation Samples.
The CMAAE_DetectionAndNotification.ps1 PowerShell script performs the exact same functions as the CMAAE Runbooks.
This sample PowerShell script is to be used as a guide and can be adjusted and or extended to fit any particular post approval automation needs.
Configuration:
- Modify script parameters to match environment
- Sign Script if necessary
- Configure Scheduled Task to execute script every 15 minutes (adjust if necessary)
Post Approval Automation Overview:
Optionally CMAAE can be configured to execute a post approval System Center Orchestrator Runbook or PowerShell script. These can be used to include post approval automation such as sending additional notifications, modifying related service requests, or validating successful application installation.
Both the post approval Runbook and PowerShell automation solutions have been configured such that it is simple to provide data output from the application approval process to required Runbook or script parameters.
Sample Post Approval Automation Runbook:
Overview:
A sample post approval automation Runbook is delivered with the CMAAE installation package and can be found under the installation directory / Automation Samples.
The CMAAE post approval sample automation Runbookis executed once the Approve / Deny decision has been submitted in the CMAAE portal. The Runbook consumes the following data from the application request:
- Requesting User
- Application Name
- Approval Decision
- Approvers Comments
The post approval Runbook automation then discovers the requesting users email address from an Active Directory and delivers an email with the approval details.
This sample Runbook is to be used as a guide and can be adjusted and or extended to fit any particular post approval automation needs.
Configuration:
- Ensure that the Active Directory Integration Pack has been imported into the Orchestrator environment
- Import the CMAAE_PostExecutionSampleAutomation.ois_export into System Center Orchestrator
- Configure the necessary Orchestrator variables (Figure 1)
- Reconfigure the Get User Active Directory activity with environmental specific global configuration
- Gather the Unique ID of the Runbook from the Orchestrator database or Orchestrator Web Service
- Configure the CMAAE Portal Application settings as detailed below (Figure 2)
Figure 1:
Application Portal Settings:
Note: it is not required to specify a value for each possible post approval data output. Only those marked as required must be completed.
- RB: False or True - this enables or disables post approval Orchestrator Runbook automation (required)
- RB_SCOWS: Address to the Orchestrator Web Service (required if RB = True)
- RB_UID: Unique ID of the Post Approval Runbook (required if RB = True)
- RB_User: Parameter to which you would like to provide the requesting users user name
- RBAppAproveDeny: Parameter to which you would like to provide the approval decision
- RBAppComments: Parameter to which you would like to provide the approvers comments
- RBApplication: Parameter to which you would like to provide the name of the requested application
- RBUserComments: Parameter to which you would like to provide the requesting users comments
Figure 2 – notice here that Approval: Application, User:, and Comments: are the names of Runbook parameters defined in the post approval sample Runbook.
Post Approval Automation PowerShell Script:
Overview:
A sample post approval automation PowerShell script is delivered with the CMAAE installation package and can be found under the installation directory / Automation Samples.
The CMAAE_PostExecutionSampleAutomation.ps1 PowerShell script performs the same function as the previously discussed Orchestrator Runbook.
This sample PowerShell script is to be used as a guide and can be adjusted and or extended to fit any particular post approval automation needs.
Configuration:
- Modify script parameters to match environment
- Store the script on an accessible file share
- Sign Script and ensure that the associated certificate is available on the CMAAE portal computer
- Ensure that the Active Directory PowerShell module has been installed on the hosting computer
- Configure the CMAAE Portal Application settings as detailed below
Application Portal Settings:
Note: it is not required to specify a value for each possible post approval data output. Only those marked as required must be completed.
- PS: False or True – this enables or disables post approval PowerShell automation (required)
- PSScriptPath: Path to Script (required if PS = True)
- PSAppApproveDeny: Parameter to which you would like to provide the approval decision
- PSAppComments: Parameter to which you would like to provide the approvers comments
- PSApplication: Parameter to which you would like to provide the name of the requested application
- PSUser: Parameter to which you would like to provide the requesting users user name
- PSUserComments: Parameter to which you would like to provide the requesting users comments
Notice that approval, comments, application, and userFromCM are the names of parameters defined in the post approval sample PS script.