Preparation
What you will need to prepare in advance of implementing a 1E server in your network. Typically, these are tasks that may take some time to organize, depending on how your organization works.
Implementation Overview
Please review all tasks to decide how you wish to proceed, and record all configuration details.
Implementation of 1E can be extremely quick if all necessary preparations have taken place, and is typically performed in this order:
Obtain the 1E License file - ensure it includes entries for the consumer applications you have purchased.
Provision the 1E Web and SQL server hardware, refer to Server Provisioning.
Install the Windows Server OS
Configure Network interfaces
Create the server's DNS Names (see note) and Service Principal Names
Obtain and install the server's Web Server Certificate, for which you will need to know the server's DNS Name
Install IIS roles, role services and features, refer to Windows Server roles and features.
Provision applications in the IdP
Azure Active Directory (AAD), refer to AAD Applications.
Okta, refer to Okta Applications.
Identify and create AD Accounts and Groups, refer to Active Directory.
Review each of the requirements pages under Planning for 1E.
Manually install clients on a few test devices, refer to Deploying 1E Client.
Use the 1E Verification Instruction to verify the installation, refer to Verifying.
Install other Instruction Definitions from the 1E platform zip and from https://exchange.1e.com/, refer to the Instruction sets page.
Add the Instruction Definitions to Instruction Sets to determine their permissions, refer to the Instruction sets page.
Install 1E Consumers (documentation not provided here).
Package the 1E client as required by your software deployment tool (see note).
Deploy the client to more pilot devices.
Pilot testing.
Start rollout of clients.
Use the SDK to begin developing your own instructions and testing your use-cases.
Note
If your organization requires the client to be packaged, then you can do this once you know the DNS Name(s). Then you can prepare for deploying the client in parallel to preparing and installing the server.
Microsoft Endpoint Configuration Manager preparation
The 1E platform requires permission to access various features of Configuration Manager when you implement any of the following optional features:
Content Distribution
Configuring SQL rights in the Configuration Manager database
The Network Service account of the 1E Master Stack server requires a SQL Login with all of the following rights in the Configuration Manager site database:
db_datareader database role
Explicit Execute permissions on the scalar-valued function fn_GetAppState
Explicit Execute permissions on the scalar-valued function fnGetSiteNumber
If the connector is using Windows Authentication, then you can use one of the following:
Create a SQL Login for the 1E server's computer$ account, and explicitly grant it the above rights.
Add the 1E server's computer$ account to the ConfigMgr_DViewAccess localgroup on the Configuration Manager database server - this is the preferred method.
Note
You may already be familiar with configuring ConfigMgr_DViewAccess if you have previously set up Configuration Manager access for older versions of Content Distribution Dashboard which used ActiveEfficiency Server, or the ActiveEfficiency Scout, as used for AppClarity 5.x or Shopping 5.x and 6.0.
The existence of the ConfigMgr_DViewAccess localgroup depends on the version of Configuration Manager. It should exist for a Primary Site, but may not exist for a CAS. If it does not already exist, it is safe for you to manually create the localgroup on the SQL Server used by the Configuration Manager database. If it already exists, you will need to confirm it has a SQL Login and all the necessary rights, as the Configuration Manager setup does not always configure this group correctly.
The following SQL script can be used to create a SQL Login for ConfigMgr_DViewAccess and grant it permissions on the Configuration Manager database. Before you run the SQL script, you must first:
Manually create the localgroup on the SQL Server
Add the Tachyon server's computer$ account to the localgroup.
Click here to download - ConfigMgr_DViewAccess_permissions.SQL
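The rights listed above can be granted to the localgroup with T-SQL along the following lines. This is an added example, not 1E's ConfigMgr_DViewAccess_permissions.SQL; `<SQLSERVER>` (the computer name of the SQL Server) and `<ConfigMgrDatabase>` are placeholders to replace, and the `dbo` schema for both functions is an assumption.

```sql
-- Added example, not the vendor's script. Replace the placeholders before running:
--   <SQLSERVER>          computer name of the SQL Server hosting the ConfigMgr database
--   <ConfigMgrDatabase>  name of the Configuration Manager site database
-- Assumption: both functions live in the dbo schema.
USE [master];
GO
-- Windows login for the localgroup; its members (the server's computer$ account)
-- obtain access through the group rather than through individual logins.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'<SQLSERVER>\ConfigMgr_DViewAccess')
    CREATE LOGIN [<SQLSERVER>\ConfigMgr_DViewAccess] FROM WINDOWS;
GO
USE [<ConfigMgrDatabase>];
GO
-- Map the login to a database user only if no user exists for its SID yet.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE sid = SUSER_SID(N'<SQLSERVER>\ConfigMgr_DViewAccess'))
    CREATE USER [<SQLSERVER>\ConfigMgr_DViewAccess]
        FOR LOGIN [<SQLSERVER>\ConfigMgr_DViewAccess];
GO
-- Read-only access to tables and views.
ALTER ROLE [db_datareader] ADD MEMBER [<SQLSERVER>\ConfigMgr_DViewAccess];
GO
-- db_datareader grants SELECT only; calling a scalar function needs EXECUTE,
-- which is why the two grants are explicit and scoped to the named objects.
GRANT EXECUTE ON OBJECT::[dbo].[fn_GetAppState]  TO [<SQLSERVER>\ConfigMgr_DViewAccess];
GRANT EXECUTE ON OBJECT::[dbo].[fnGetSiteNumber] TO [<SQLSERVER>\ConfigMgr_DViewAccess];
GO
```

If a database user for the group already exists under a different name, use that name in the ALTER ROLE and GRANT statements.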
When you run 1E Server Setup, the Content Distribution screen will attempt to validate the existence of the ConfigMgr_DViewAccess localgroup and membership of the Content Distribution server's computer$ account. The validation test will fail if the installation account does not have sysadmin rights on the SQL Server instance used by Configuration Manager. This is not a fatal error as long as you are sure the computer$ account is a member of the ConfigMgr_DViewAccess localgroup.
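When the localgroup already exists, or when the Setup validation fails, the login, rights and group membership can be confirmed by hand. The queries below are an added example, not the check that 1E Server Setup performs; `<SQLSERVER>` and `<ConfigMgrDatabase>` are placeholders, and `xp_logininfo` normally needs sysadmin rights on the instance.

```sql
-- Added example: audit what ConfigMgr_DViewAccess can actually do.
-- Placeholders to replace: <SQLSERVER>, <ConfigMgrDatabase>.
USE [<ConfigMgrDatabase>];
GO
DECLARE @grp sysname = N'<SQLSERVER>\ConfigMgr_DViewAccess';

-- 1. The login exists on the instance (expect type_desc = WINDOWS_GROUP, is_disabled = 0).
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = @grp;

-- 2. Database roles held by the mapped user (expect db_datareader and nothing broader).
SELECT u.name AS user_name, r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@grp);

-- 3. Explicit object-level permissions (expect GRANT EXECUTE on
--    fn_GetAppState and fnGetSiteNumber; anything else deserves a second look).
SELECT OBJECT_SCHEMA_NAME(p.major_id) AS schema_name,
       OBJECT_NAME(p.major_id)        AS object_name,
       p.permission_name,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.sid = SUSER_SID(@grp)
  AND p.class = 1;                     -- class 1 = object or column

-- 4. Windows members of the localgroup (expect the server's computer$ account).
EXEC master.dbo.xp_logininfo @acctname = @grp, @option = 'members';
```

An empty result from queries 1 to 3 means the group has no SQL Login or no rights yet, which matches the case where Configuration Manager setup did not configure the group.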
If you opt to use a specific SQL Login:
If the connector is using a SQL Login, then create the login on the Configuration Manager database and grant it the above rights.
To install Content Distribution features, 1E Server Setup requires your server installation account to have the following rights. Please refer to 1E Server Setup.
Read-only Analyst rights in Configuration Manager Console - so that Setup can query the Site Server for details of the Configuration Manager database.
SQL Login (with public role) on the SQL database instance that hosts the Configuration Manager database - so that Setup can run a SQL query to validate that the machine account is a member of the ConfigMgr_DViewAccess localgroup on the SQL Server.
Note
If either of the above rights is not provided, then Setup will issue a warning to say it was not possible to verify the machine account is a member of the ConfigMgr_DViewAccess localgroup.
Configuring Site Settings in Configuration Manager
You must enable certain Configuration Manager site settings if you plan to use the System Center Configuration Manager connector to populate Inventory.