Exercise Overview:

Application Approval

Approval of a request made in Shopping is a vital part of the provisioning workflow. In some cases, approval for a user to get a certain item will be the responsibility of the user's line manager, for example a 'line of business' application or a piece of equipment needed to do their job. This form of approval is lookup approval – Shopping has to look up the user's Manager in AD to determine whom the approval request needs to be directed to. As such, it requires the Manager attribute to be populated in AD (on the Organization tab of the user properties) for all users.

In other cases, there may be a named individual or team responsible for the item, whoever requests it (for example access to the company's CRM system). Some items may require more than one level of approval, typically the case if the item is particularly expensive or involves multiple parties in the provisioning of the item. At each level, approval may be required from an individual, any individual from a group, or all members of a group. These individuals and groups must be defined as Approvers through the Shopping console before they can be linked to Applications.
In this Lab, you will introduce Approval to some of the Applications you have already created and observe each approval model in action.

Manager based approval

In this exercise, you will add Manager-based approval to the XML Notepad application and observe the approval workflow in action.

Verify that users have their manager defined in AD

Before using manager-based approval, it is important to check that users have their manager defined in AD, and that these managers each have a valid email address defined in AD.

1ETRNDC 

  1. Log on to 1ETRNDC as Administrator and open Active Directory Users and Computers
  2. Expand the Users container and double-click User to view the properties of this user
  3. Select the Organization tab and ensure the Manager Name is set to Manager1. Click OK to close the user properties
  4. Double-click the Manager1 user and on the General tab ensure the E-mail is defined as manager1@1etrn.local. Click OK to close the user properties
  5. Use the same process to confirm the SalesUser has their Manager set to Manager2 and that Manager2 has their e-mail address defined as manager2@1etrn.local
  6. Alternatively, you may query the tb_User table in the Shopping2 database to ensure that the ManagerAccount column is populated for any account in question. This method is useful if you do not have access to Active Directory Users and Computers or a similar tool.

Add Manager Approval to an Application

You will now add approval to the XML Notepad so that any requests for this application must be approved by the manager of the requesting user.

1ETRNAP

  1. On 1ETRNAP, open the Shopping Administration console and in the Search Applications control at the top right of the page, enter XML. The right-hand side of the console should now show the XML Notepad Application

  2. The Search feature in Shopping becomes very useful when dealing with a large volume of Applications.
  3. Right-click the XML Notepad Application and select Properties
  4. From the XML Notepad –ConfigMgr Application Properties dialog box select the Approvers tab
  5. Check Enable Approval
  6. Note that Computer Category Approval option is disabled as there are no Computer Categories defined yet.
  7. In the Approval Settings for XML Notepad section, note the options for Approval Method (Chain of Approvers or Any Approver). In this instance, you are configuring a single Approver so either option can be selected

  8. The One Time Approval option results in approval only being sought the first time a user requests the application from a specific computer. If the user were to later request the same item from the same computer, the approval would be 'inherited' from the first request, so if the first request was approved, subsequent requests would be approved. Incidentally, if the first request was rejected, subsequent requests would not be automatically rejected - i.e. the user is given another chance. Note that this functionality only applies to the combination of the user and computer – if a subsequent request is made from a different computer (or a different user on the original computer), approval will be sought again.
  9. Note that the only available approver is <MANAGER> (the chevrons indicate that this is a look-up value) as no other Approvers have been defined yet. Select <MANAGER> and add it to the Selected Approvers list on the right by clicking the > button
  10. Click OK

Shop for an Application with Manager Approval

In this task, you will request the XML Notepad Application, which will initiate the approval process.

1ETRNW71 

  1. Log on to 1ETRNW71 as User (you may need to log off Sales User) and launch the Shopping portal from the browser
  2. In the search box enter XML and press Enter
  3. If you don't see the application, you're logged in as the wrong user, most likely SalesUser.
  4. Observe the XML Notepad tile and note the Approval Required text below the More Info link
  5. Click Request and note that you are then asked to explain why you need the application. Enter some text and click Request. Your comments here will be seen by the approver when they go to approve the request
  6. Note that the status on the XML Notepad tile has changed to ORDER PLACED
  7. Remember that you can view the progress of any order from the My Software page. Click the button in the page header
  8. Select the All Orders tab. Although you might expect to see your order here, it will actually only appear here once the approval has been completed
  9. Note the Pending Approval tab has (1) appended to the tab name, indicating that you have one request that is pending approval. Select this tab to view the order you just placed
  10. The Pending Approval tab shows all requests made by the logged on user that are awaiting approval. Click the XML Notepad hyperlink (under Application Name) to view detailed status of the request, including who is due to approve it (you may need to scroll down to see this information)

Follow the Approval process

You will now step through the process of approving the order for XML Notepad.

1ETRNW72 

  1. Log on to 1ETRNW72 as Manager1 (the manager of User)
  2. Open Mail from the Start menu and note the email notification from user@1etrn.local (the user that requested the Application). The email includes the comments that were entered in the previous task when the order was placed
  3. It might take a minute for the mail application to initialize and the mail to show up in the inbox.
  4. The email includes hyperlinks towards the bottom labelled Approve / Reject for 'one-click' approval or rejection. Click the Approve link. This will open the Shopping portal at the Approved/Rejected page and automatically approve the request. The page displays the notification "The request by User for application XML Notepad on machine 1ETRNW71 has been added to the Approval Queue" in the Shopping website

1ETRNW71 

  1. Return to 1ETRNW71 and open Windows Live Mail
  2. Note that Shopping has automatically sent an email notification when the request was approved
  3. The email may appear in the Junk folder. If this occurs, you can right-click the email message and select Junk email > Add sender's domain to safe sender list so subsequent emails go straight to the Inbox.
  4. Open the Shopping portal in the browser and go to the MY SOFTWARE page. The XML Notepad application should now appear in the All Orders tab (as approval has been completed)
  5. Depending on timing, the status will be either "Installed", "Install Pending" or "Order Placed"
  6. Verify that the application has been installed
  7. The application will appear in the start menu well before the status in Shopping changes to Installed.

1ETRNAP

  1. On 1ETRNAP, browse to C:\ProgramData\1E\Shopping and open shopping.log
  2. Review the recent activity at the bottom of the log file and associate it with the request's various stages of approval

Chaining Approvers

In this exercise, you will add a chain of approvers to the Project 2010 Application. In this scenario, the user's manager must first approve it, followed by the License Manager.

Define Approvers

With the exception of the <MANAGER>, approvers need to be defined in the console before they can be applied to Approval workflow. In this task, you will add some users as Shopping Approvers for use in the subsequent exercises.

1ETRNAP

  1. Return to the Shopping Administration console on 1ETRNAP
  2. Right-click the Approvers node and select New Approver
  3. In the New Approver Properties dialog, click Set Approver
  4. The LookUp Only option will be covered in the Exercise:- Adding Deputy Approvers.
  5. In the Select User or Group dialog, type Manager2, click Check Names to resolve and click OK
  6. At this stage, if the selected user does not have an email address specified in Active Directory an error will be displayed and the user will not be added as an Approver. All Approvers must have email addresses defined in AD.
  7. Click OK to complete the New Approver wizard
  8. Repeat the above processes to add FinanceDirector, LicenseManager, ApproverDev and ApproverSales as Approvers. The Approvers node should now list the Approvers as follows:
  9. In this exercise, all the Approvers are individual users. An Approver can also be an AD security group, as long as the group has an associated email address (which will in fact be a Distribution List).

Add Approval Chain to an Application

In this task, you will build a chain of approval, starting with the requester's manager followed by LicenseManager for the Project 2010 application.

1ETRNAP

  1. In the Shopping console select the Applications node and double-click Project 2010
  2. In the Project 2010 –ConfigMgr Application Properties dialog, select the Approvers tab
  3. Check Enable Approval
  4. Check the One Time Approval box
  5. Ensure Approval Method shows Chain of Approvers
  6. Select <MANAGER> from the Available Approvers list and click > to add it to the Selected Approvers list
  7. Do the same to add 1ETRN\LicenseManager
  8. The approval chain will be defined by the order the selected approvers appear in the Selected Approvers list. Ensure that the list is defined in the proper order for your organization.
  9. Click OK to save the Approvers and close the properties dialog box

Shop for an Application with a Chain of Approvers

You will now request Project 2010 from the Shopping portal to initiate the chained approval workflow.

1ETRNW71 

  1. Log on to 1ETRNW71 as User and launch the Shopping portal
  2. In the Search Applications enter project to locate the Project 2010 Application
  3. Click Request, enter a reason when prompted and click Request
  4. Go to the My Software page and select the Click Pending Approval (1) tab
  5. Click on the Project 2010 hyperlink under Application Name to view the Pending Order Details
  6. Note that this page shows the status of the approval workflow. The request should be pending approval from Manager1 (the manager of User and the first approver in the chain). Note also that Future Approval shows that License Manager will be next in line to approve the request (unless Manager1 rejects the request)

Follow the approval process

You will now follow the approval process as the request for Project 2010 goes to each approver.

1ETRNW72 

  1. Log on to 1ETRNW72 as Manager1 (should already be logged in with this user)
  2. Open the Shopping portal (close and reopen if it is already open from the previous exercises) and select the Approval tab on the navigation panel. Note the menu in the navigation panel shows Pending (1), indicating there is one request awaiting approval. Click this to view the Pending Approval page
  3. This is an alternative method to approving or rejecting requests outside of the notification email and is useful for approvers who want to address all pending approvals at a time that is convenient to them.
  4. The Pending Approval page shows all requests that are awaiting approval by the logged-on user. Click the button to view the comments of the original requestor ("Shopper Comments"). As the Approver, you can add your own comments to the request in the free-text field below Approver Comments. Add a comment of your choice and click the Approve button

1ETRNW71

  1. Return to 1ETRNW71, where User should still be logged on
  2. Open Windows Live Mail and note the Application Approved notification email indicates that the request has been approved by Manager1 and is now assigned to License Manager for further approval
  3. Be sure you are in the inbox, as you might be in the Junk email folder.

1ETRNW102 

  1. Log onto 1ETRNW102 as LicenseManager
  2. Open Mail and review the Request for Application Approval email from user@1etrn.local
  3. Open the Shopping portal and select the Approval tab on the navigation panel, then select Pending (1) to view the pending request
  4. In this instance, you will reject the request. Click the button and add a comment (under Approver Comment) to give the poor fellow some reason for your decision and click the Reject button

1ETRNW71 
  1. Return to 1ETRNW71 (logged on as user, the original requestor), switch to Windows Live Mail and click Send/Receive to download the Application Rejected email
  2. Switch to the Shopping portal in the browser and open the My Software page
  3. Select the All Orders tab and note that Project 2010 shows a status of Rejected
  4. Click the Project 2010 hyperlink to view the full details of the approval process, including any comments added by the approvers

  5. Click on the Rejected tab and note that Project 2010 is listed there


  6. From the desktop, launch the Configuration Manager applet, and from the Actions tab, initiate a Hardware Inventory Cycle
  7. We will need to use inventory later in the labs to work with licensing, this is the quickest way to ensure a fresh inventory is run before we get to the relevant lab.

1ETRNAP

  1. On 1ETRNAP, browse to C:\ProgramData\1E\Shopping and open shopping.log
  2. Review the latest activity in the log and note the rejection by LicenseManager

Adding Deputy Approvers

The approval workflow in the previous exercise required two people to approve the Application request. If either of those people were particularly busy or on vacation at the time, the user could be waiting for some time before they can use the application they have requested.

Shopping allows an Approver to have an assigned Deputy, so if the request is not approved by the approver within a defined duration, the request will go to the Approver's deputy.

The duration before an approval request is escalated to the deputy is defined by the Maximum Approval Hours setting in the Deputy Approvers group of settings in the console. By default, this is set to 24, and the minimum period is 1 hour. If no deputy has been defined for the designated


Approver, the approval will be escalated to the Deputy Default. The Central Service installer sets the Deputy Default to the user or group that was specified as the Shopping Admin Account step 122. This can be modified in the Deputy Approver group of settings in the console. This ensures that every approval will be escalated to a deputy if it has not approved or rejected by the designated Approver, whether or not that Approver has a deputy defined.

Note that escalation is not triggered by the passing of the defined Maximum Approval Hours. Instead, the Central service polls the database (every 1 day by default, configurable with the Approval Escalation Interval and Approval EscalationUnits Central Service settings) and escalates any approvals that have been pending for the specified duration. Therefore, an escalation of a pending approval can occur anywhere between the Maximum Approval Hours and the Maximum Approval Hours + Approval EscalationInterval (i.e. using the default values, between 24 and 48 hours after the request was first submitted).

If an Approval request remains pending with any deputy (including the default deputy who is effectively the last resort for all approval requests) for more than 10 days (configurable through the Auto Reject Timeout setting in the Deputy Approvers group of settings), the request will be automatically rejected.

In this exercise, you will add Manager2 as the deputy for both Manager1 and LicenseManager.

Add a Deputy for a <MANAGER> Approver

1ETRN\Manager1 is not currently defined as an Approver (he does not need to be explicitly named to be able to approve requests for his subordinates where the Approval is manager-based). However, in order for an Approver to have a deputy they must be explicitly defined as an Approver. In a large organization, with lots of Managers, the list of Approvers would become increasingly difficult to work with. 
To allow a deputy to be assigned to every manager without that manager actually appearing in the list of available approvers, the LookUp Only option is used.

1ETRNAP

  1. In the Shopping Administration console, right-click the Approvers node and select New Approver
  2. In the Shopping Admin – New Approver Properties page, Click Set Approver…
  3. In the Select User or Group dialog, type Manager1, click Check Names to resolve and click OK
  4. Check the Lookup Only option
  5. Check the Deputy Approver Details option and click Set Deputy…
  6. In the Select User or Group dialog, enter Manager2, click Check Names to resolve and click OK
  7. In the Shopping Admin – New Approver Properties dialog click OK
  8. Note that in the Console, Manager1 is listed separately under <MANAGER> Look Up Approvers

Add a Deputy for a specific Approver

In this task, you will add Manager2 as a deputy approver for LicenseManager, who is already defined as an Approver.

1ETRNAP

  1. From the Approvers node, right-click LicenseManager and select Properties
  2. Do not select LookUp Only (LicenseManager is a defined Approver that we want to be available for selection when adding Approval to Applications)
  3. Check the Deputy Approver Details option and click Set Deputy…
  4. In the Select User or Group dialog, enter Manager2, click Check Names to resolve and click OK
  5. In the Shopping Admin – New Approver Properties dialog click OK
  6. Note that in the console, the Deputy Set column indicates that Manager1 and LicenseManager both have a deputy set

Modify the Approval Escalation Interval

In this task, you will reduce the Maximum Approval Hours to one (the minimum possible value) and increase the frequency with which the Central Service checks requests that need to be escalated. Later in the course, you will return to this exercise to see the escalation occur.

1ETRNAP

  1. In the Shopping Administration console, select the Settings node and locate the Deputy Approver group of settings on the right-hand side of the console
  2. Reduce the Maximum Approval Hours to 1
  3. Locate the Central Service group of settings
  4. Change Approval EscalationInterval to 5
  5. Change Approval Escalation Units to Minutes
  6. Click Save at the top of the list
  7. Restart the 1E ShoppingCentral service

Shop for the Application with deputy approval

In this task, User will request Project again

1ETRNW71 

  1. Log on to 1ETRNW71 as User and launch the Shopping portal
  2. Search for and request the Project 2010 Application
  3. Go to My Software and click on the Pending Approval tab. Click the MicrosoftProject 2010 hyperlink (under Application Name) to view the order details including the Approval workflow

Follow the approval process

In this task, the first approver in the chain (manager1) will already show as approved with a time stamp from the previous approval. The second approver (LicenseManager) will ignore the approval request. After an hour of the request being approved by manager1, the request will be escalated to LicenseManager's deputy (Manager2).

You will now need to wait an hour for the request to be escalated to the deputy. Continue on with the Efficient use of Application Licences section and we will revisit this soon.

1ETRNW72
  1. Log on to 1ETRNW72 as Manager1 and approve the Project 2010 request using one of the methods described above

1ETRNW73 

  1. After at least one hour has passed since Manager1 approved the request, log on to 1ETRNW73 as Manager2
  2. Start Windows Live Mail and note the Request for Application Approval by User. Note the verbiage in the email, stating that This request has been forwarded to you as the primary approver for this application has not responded to this request in the required time interval
  3. Approve the request via the link in the email

Lab Summary

In this lab, you have learned how to apply Approval workflow to Applications. Requests for approval can be dynamic, directed to whomever is defined as the Manager of the user requesting the Application, or specific to the Application itself. Multiple levels of approval can also be defined, with the request only progressing to the next Approver if the current Approver approves the request.

You have also, or will soon, seen that if a request is pending approval for longer than the configured Maximum Approval Hours, the request will be escalated to the defined deputy, or to the Default Deputy if no deputy has been defined for the Approver. In either case, if a request is left pending approval of one approver for more than 10 days (configurable through the Auto Reject Timeout setting), the request will be automatically rejected.

Next Page
Ex 6 - Shopping 5.5 - Efficient use of Application Licenses