A little over a year ago we released the first version of our Application E-mail approval utility. Ever since our first release we have received lots of positive feedback and ideas to new features. Most of the ideas are implemented in this new release. Thanks for all the feedback and please keep it coming.

This blog post will explain how you can install CTAA (Coretech Application Approval tool) – Download Additional blog posts will follow and explain how you can customize the tool.

Why the need for this utility

The idea with this utility is to integrate a “real approval flow” with the standard ConfigMgr 2012 application request feature. Out of the box, ConfigMgr requires that you approve all application requests in the ConfigMgr console. What many of our customers want is a flow where application requests are mailed to the business manager and/or a fallback mail address like servicedesk. Both of those features can be implemented if you have System Center Service Manager and System Center Orchestrator in place. If those products are not installed yet, the Coretech Application Approval tool can be used instead. The process flow is described below.

image

As you can see in the illustration a mail can be send to either the designated manager in Active Directory or to a fallback mail address like servicedesk. Users can also be added to a predefined security in Active Directory where approval requests are automatically approved.

The requirements

The solution is a website running on any of the servers in the same domain. In this example the website will be installed on the primary site server.

  • IIS
  • IIS Application Pool
  • ASP.Net 4.0
  • Windows Authentication
  • 3 Active Directory Security groups
  • AppReqWebsiteApprovers (users who can approve/deny all application requests. By default the manager can only approve/deny requests for users they manage). The managers and other users that can approve application requests must be a member of this group.
  • AppReqManagerExclude (users where approval requests will always be forwarded to the fallback mail address and not to the manager)
  • AppReqAutoApprove (users who will have applications requests automatically approved).
  • Mail addresses
  • 1 mail address used as the sender for all mails.
  • 1 mail address used as the fallback solution
  • 1 licensing mail address (optional), used to send a mail informing that a license is about to be used.
  • Information about the SMTP server and port.

The installation process

The installation process consist of a website and a web service. During the installation you’ll be prompted for information about mail addresses, security groups and SMTP server. In the example below you start by creating a new application pool in IIS, install the CTAA website, install the CTAA service and finally import a customer user role in ConfigMgr. The user role is mapped to the AppReqWebsiteApprovers Active Directory group.

Select Administrative Users, Add User or Group.Add the group, AppReqWebsiteApprovers, assign the group the Application Approver security role and click OK.

image Launch the IIS console, navigate to Application Pools. Create a new Application Pool with the properties
Name: CTAA

.Net Framework Version: V4.0%

Manage pipeline mode: Integrated

image Right click the CTAA application pool and open the Advanced Settings. Change the Process Model, Identity to NetworkService and click OK.
image Start the installation by running CTAAWebsite.msi from an Administrator elevated command prompt
image Click Next.
image Fill in these information:Configuration Manager Site Server:

Name of the primary site server: <FQDN of Server>

Configuration Manager Site: <Site code>

Group Approval: Name of the group that that can approve/deny all application requests.

image Change application Pool from DefaultAppPool to CTAA and click Next twice to start the installation.
image Start the installation by running CTAAService.msi from an Administrator elevated command prompt
image Click Next.
image Fill in these information and click Next.

Configuration Manager Site Server: <FQDN of Server>
 
Configuration Manager Site: <Site code>

Application Request Web Server: the server where you installed the web site

Application request Action Website: Default is CTAAWebsite.

image Fill in information about SMTP, port and the mail address to be used for all outgoing mails from the tool.
image Fill in these information and click Next twice to start the installation.Fallback mail: requests will be mailed to this address if no manager is assigned to the user or if configured in the configuration XML file.

Licensing mail: Mail will be send to the address informing that a license has been requested.

Group – AutoApproveApproval requests are automatically approved to members of this group.

Group – Manager Exclude: The AD group where requests be forwarded to the Fallback mail instead of the manager.

image Next step in the process is to import a custom security role. Open the ConfigMgr. Administrator console. In the Administration workspace, navigate to Security, Security Roles.
image From the Ribbon click Import Security Role and import the Application Approver.xml file. The file is part of the zip file and is located where you extracted the zip file.
image Select Administrative Users, Add User or Group. Add the group, AppReqWebsiteApprovers, assign the group the Application Approver security role and click OK.
image Start Active Directory Users and Computers. Add all managers and other users who can approve applications to the AppReqWebsiteApprovers group.

Testing the Application Approval tool

  1. Create a new user target deployment, the deployment must be Available and you need to ensure you ask for Approval.
  2. Ensure that your test user either has a manager in Active Directory otherwise the request will be mailed to the fallback e-mail address.

    image

  3. Log on to the Application Catalog and request an application

    image

  4. In this example Mike is the manager and will receive a mail informing that Bob “the user” has requested an application.

    image

  5. Mike will be taken to the Appliation Request website from where he can approve or deny the application requst.

    image

    image

  6. Bob will receive a mail with the approval information and can start installating the application.

    image

    image

Kudos for this project goes to Claus Codam, who has been the main developer.