Free enhanced application approval for SCCM 2012

Posted: August 29, 2014 in SCCM

The SCCM 2012/R2 Application Catalog provides a request/approval capability to facilitate the distribution of applications that require approval due to licensing cost or other reasons. Unfortunately, this function is only exposed within the SCCM console and does not provide any notification capability for pending approvals. As a result, widespread use of approvals within an organization can be challenging to implement: the IT team members responsible for SCCM, who are already overloaded in many cases, must regularly check the console to provide reasonable turnaround on requests, and must do the research themselves to determine whether each request should be approved or denied.

Luckily, there is a solution to this problem that is simple to implement, quite flexible, and free. The solution is provided by Coretech, a respected System Center solution provider based in Denmark. We have successfully used Coretech’s Application Email Approval Tool in multiple environments to provide email notification for pending and completed requests, as well as a flexible framework to manage the approval or denial of each request.

The solution, available here: http://blog.coretech.dk/kea/coretech-application-e-mail-approval-tool/, is typically installed directly on a primary site server and has not been seen to cause any conflict with normal primary site server operations. Note that it can also be installed on a dedicated server, although this requires a more complex security configuration.

The article linked above describes the installation and testing process, as well as the ways to use the tool to suit a specific environment. While it does not cover every conceivable scenario, it can handle several core scenarios and use cases quite well:

  • Notification for pending approvals – the most basic scenario allows IT departments to designate individuals responsible for application approvals and use the Coretech tool to provide notification to those individuals.
  • Manager approval – another common scenario, which distributes the approvals throughout the organization to the person who is most qualified to determine what a user requires and who is also responsible for the cost of licenses used by their group: the user’s direct manager (as defined in Active Directory).
  • Purchasing agent approval – in many organizations, the only required approval is that of the purchasing group who must ensure that copies of software in use are licensed and licenses are managed as mandated by each vendor.

The solution supports additional granular control, including individuals who are automatically approved for all software (useful for IT or QA staff tasked with testing and deploying the applications), a fallback address in case the user’s manager is not defined in Active Directory, and combinations of the above scenarios – a common one being manager-based approval with purchasing/license-manager-based notification.

Approvals, rejections, and request tracking are provided using a separate IIS web site that is deployed as part of the solution. The solution leverages native SCCM functionality to provide auditing of approvals and maintains all other SCCM security controls. In addition, the tool provides customizable email templates for the notification emails sent to the approvers, as well as to the requesting user once the application has been approved or denied.

While it is not rare to find specific components within Microsoft products that are missing key functionality needed by most clients, it is extremely rare to find an elegant and low-cost solution to address the problem. This is one of those rare solutions.

This post was created in collaboration with Greg Rhodes and Rand Morimoto.
