What are Role-based application sets?

A Role-based Application Set defines a set of applications that should be installed on a computer for a user performing a particular role, or perhaps working in a particular location. For example, everyone in the Project Management Office requires Microsoft Project. Role-based Application Sets are primarily designed to be used when building a new computer, where there are no applications to be migrated but there is a base set of applications that the new user will need. They can also optionally be applied when rebuilding, upgrading or replacing a computer, so the user gets the applications defined for their role plus any applications migrated as a result of migration rules.

On this page:

Related topics:

Role-based Application Sets are associated with one or more Management Groups. Before you define Role-based Application Sets, you will need to create Management Groups in the SLA Platform that correspond to the roles or locations that your Application Sets will apply to. Management Groups can be defined using AD Site, OU or Computer Name. You can use partial matching of computer name in a Management Group definition, so if your computer naming convention includes identifiers for location or department - for example, 1E UKMK L1234 identifies a computer in the UK and in the Marketing (MK) team - then you can use this to define your Management Groups.

Role-based Application Sets are built by defining the name of the set and the Management Groups that the set is associated with. You then add applications to the set. The expected results of defined Role-based Application Sets on a given computer can be previewed from the Preview Machine page in the Application Migration admin interface. At deployment time, the Application Migration step in the Task Sequence will return the list of applications that need to be installed based on matching of the computer name, OU and AD site of the computer being deployed.

If a computer meets the criteria of multiple Management Groups, the union of all applicable application sets will apply. If two or more applicable application sets include different versions or editions of the same application (vendor and title), Application Migration will attempt to install all versions / editions. The end result on the machine will depend on the behavior of the vendor's installers - for example, if they support side-by-side installation of multiple versions - and may be affected by Application Supersedence rules in Configuration Manager.

Note that migration rules will be applied to a Role-based Application Set before the results are returned. For example, if your application set includes Visio 2013 but there is a rule applicable to the computer being deployed that upgrades Visio 2013 to Visio 2016, Application Migration will return Visio 2016 in the list of applications to be installed.

Working with Role-based Application Sets

Below are some worked examples that demonstrate the behavior of Role-based Application Sets. For these examples, the following Management Groups have been created.

Management Group NameMembership criteriaMembers
All WorkstationsWorkstations OUPC0001, PC0002, PC0003, PC0004, PC0005
PMOWorkstations\PMO OU

PC0001, PC0003

EngineeringWorkstations\Engineering OUPC0002, PC0004
Portland, ORPortland AD SitePC0001, PC0002 (and 4 servers)
Seattle, WASeattle AD SitePC0003
Oakland, CAOakland AD SitePC0004, PC0005

Simple implementation of a Role-based Application Set

In the following example, a Role-based Application Set named Common Apps has been created for the All Workstations Management Group. Refer to Managing Role-based Application Sets to learn how to create and manage Role-based Application Sets.


Creating a role-based application set

The set includes Office 365 and 7-Zip. As the All Workstations Management Group includes all computers in the Workstations OU, any new computer that is added to the Workstations OU in the Task Sequence will have Office 365 and 7-Zip installed.


Adding applications to the role-based application set

You can use the Preview Machine view to determine what applications will be installed when a new computer is built, based on attributes that the machine will have when it is built. The machine does not need to exist in the SLA Platform inventory, but Application Migration can determine which Management Groups it will belong to based on how it will be configured during the OS deployment.

On the Preview page, the administrator selects New Machine then selects By Device Attributes. The admin knows the new computer will be added to the Workstations OU, so enters that in the OU field. The results show the Management Groups that the computer will belong to based on the attributes entered, and therefore the applications that will be installed on that computer (in this case Office 365 and 7-Zip from the Common Apps set).

It is possible to associate a Role-based Application Set with multiple Management Groups (for example we could have used the PMO and Engineering Management Groups instead of All Workstations).

Note that there are rules applicable to these applications. As it happens, in this environment there is a Global migration rule to upgrade any version of Office 365 to v16.0.8309.1000, which has been applied to the application in Role-based Application set (although in this example the rule does not actually change the version that is included in the application set). Similarly you can see there is an applicable migration rule to retain 7-Zip (again, in this example the rule does not change the version that is included in the application set).


Previewing rules by device attributes

Applying multiple Role-based Application Sets

It is possible for a computer to exist in multiple Management Groups. It can therefore have multiple Role-based Application Sets applied to it. Consider the example below. Remember that the PMO Management Group includes computers in the PMO OU and the All Workstations Management Group includes computers in the Workstations OU. As the PMO OU is a child of the Workstations OU, a computer in the PMO OU will also be in the Workstations OU, so a computer built in the PMO OU will be included in both All Workstations and PMO Management Groups and therefore have the Common Apps and PMO Applications installed.

Applying multiple role-based application sets

The PMO Applications set includes just Microsoft Project 2016

Applications to be installed for the PMO Management Group

Note that the Preview page does not allow multiple OUs to be specified when viewing results by device attributes. In this scenario, you can view by management groups and select multiple management groups, as illustrated below. From this view, you can see that a computer built in the Workstations\PMO OU will get Office 365, 7-Zip and Project Professional 2016.


Previewing applications to be installed by Management Groups

How Migration Rules can modify applications installed using Role-based Application Sets

The following example demonstrates how migration rules can change applications defined in a Role-based Application Set. In this example, we'll add a Role-based Application Set for the Portland, OR Management Group.


Adding an RBA to a management group

The Portland office application set includes just SmartFTP Client.

Applications for the Portland group

As the Portland, OR Management Group is based on the Portland AD site, we can use device attributes to preview what applications would be installed on a computer that was built in Portland in the Workstations OU.


Note that in this instance, although the Portland Office application set included Smart FTP client, a migration rule has been defined to replace SmartFTP Client with FileZilla Client, so a computer build in Portland in the Workstations OU (All workstations Management Group) will have Office 365, 7-Zip and FileZilla installed. Role-based Application Sets are likely to be defined in the early stages of implementation of Application Migration and may not be updated frequently, whereas migration rules are likely to be updated more frequently as new application versions are released. The behavior of Role-based Applications illustrated above ensures that the latest rules are applied to Role-based Application Sets, so you can be sure you new computers are built with the current set of applications even if the Role-based Application Set has not been reviewed for some time.

Previewing applications for the Portland group