Working with Shopping
Shopping Central installer properties
Shopping Receiver installer properties
Shopping Admin Console settings
Configuring AD synchronisation
Default and recommended Configuration Manager 2007 advertisement settings
Fields and limitations
The Shopping workflow
Shopping and other ticketing systems
Windows Servicing Assistant UI Pages
Deploying Shopping Administrator Console using Configuration Manager
Considerations for Using Shopping with BigFix
- Supported Platforms
The Active Directory (AD) Server alias or IP Address is required when installing the Shopping Database. These settings let you modify the way that AD is accessed and used.
From Shopping 5.3 onwards, all LDAP over SSL calls are made using secured ports (636 and 3269). However, there is a caveat to this security implementation. A number of Shopping components use native Windows APIs and native Windows controls to query the AD.
For example, the Select User or Group dialog, used to search for users, groups or machines in the domain, in the Shopping Admin Console is one such control. It is an in-built Windows control which provides network-based security using the Kerberos authentication protocol where:
- Only valid and registered domain network users can make LDAP calls to the domain controller – the Select User or Group dialog makes a Kerberos-based authentication before sending the LDAP query.
- Communications between the Select User or Group dialog and the domain controller (DC) are Kerberos encrypted (sign and seal).
- The Kerberos protocol uses unsecured ports (389 and 3268) for LDAP related communications with the domain controller. It results in the Select User or Group dialog using unsecured ports as it relies on Kerberos protocol for any interaction with the AD/DC.
By default, all native Windows APIs and Windows controls use the Kerberos security protocol and does not provide a means to configure it for the LDAP over SSL security feature. Shopping components will continue to make LDAP over SSL calls using secured ports (636 and 3269) where there is no dependency on the Kerberos protocol. For this reason, ports 389, 636, 3268 and 3269 must not be blocked on the domain controller. If they are restricted, then all the servers hosting Shopping components must be added to the exception list so that Shopping can make the specific LDAP calls.
|AD Email Field||The AD field that holds the email address for an account.|
|AD Manager Account Field||manager|
The AD field that holds the manager account for an account.
|AD Server||Set by installer|
The Active Directory server IP Address or server name. The Active Directory Domain Controller prerequisites has recommendations on which DC to use.
Installer property: ACTIVE_DIRECTORY_SERVER
|AD Trusts||No default value set|
The trusted domain to be added to Shopping’s AD support. This may be from an external trust or a forest trust to a root domain. Supported forest, domain and trust configurations are described in Active Directory supported scenarios.
|LDAP over SSL/TLS Enabled||True|
Enables LDAPS between Shopping and the DC.
|Use Global Catalog||True||If |
This section lets you configure the settings for branch administered applications.
|Branch Admins Require Approval||False|
Determines whether branch administrators require approval when shopping for others.
|Maximum Branch Approval Hours||72|
Number of hours before a request for a branch application approval is escalated to administrators acting in their deputy roles for that branch.
This section lets you configure Central Service settings.
|ActiveEfficiency ServerName||No default value set||Sets the location of the ActiveEfficiency Server.|
|Allow Implicit Access For AD Integration||False||Determines whether the Shopping central service account needs direct read/write access to the Shopping AD Integration and Console Access security groups, or whether it can use implicit read/write access by virtue of any AD security groups it belongs to. Values are:|
|Application Retry Interval||5||Interval (in minutes, hours or days – see Application Retry Units) between successive attempts to process workflow items associated with an application request.|
|Application Retry Units||Minutes|
The units used in the application retry interval setting.
|Approval Escalation Interval||1||Approval time limit (in minutes, hours or days – see Approval Escalation Units) before an approver's deputy is promoted as the main approver and they are forwarded an application request email.|
|Approval Escalation Units||Days|
The units used in the Approval Escalation Interval setting.
|Data Grooming Interval||1||Interval (in minutes, hours or days – see Data Grooming Units) between data grooming operations. These clear any un-purchased items in a user's baskets that are older than the Maximum Days In Basket setting.|
|Data Grooming Time||00:00||Time of day (in minutes, hours or days expressed as hours:minutes in 24-hour notation – see Data Grooming Units) in which the grooming takes place and only valid when the Data Grooming Units setting is set to Days. The setting control in the console lets you change these values independently using spinner buttons.|
|Data Grooming Units||Days|
The units used in the Data Grooming Interval setting.
|Email Retry Interval||5||Interval (in minutes, hours or days – see Email Retry Units) between retries for failed email deliveries.|
|Email Retry Units||Minutes|
The units used in the Email Retry Interval setting.
|Maximum Email Retries||3||Maximum number of times to retry sending failed email deliveries.|
|OSD Completed Machine Discovery Interval||2||Frequency (in minutes, hours or days – see OSD Completed Machine Discovery Units) in which the Shopping central service checks with Configuration Manager to see if the machine has been discovered post-OS deployment.|
|OSD Completed Machine Discovery Units||Minutes|
The units used in the OSD Completed Machine Discovery Interval setting.
|Overdue Pending Orders Time Out||72|
Overdue pending orders will automatically be failed after this timeout period in hours. (this setting is always in hours).
Note: setting this value to high can have a negative effect on shoppers experience as well as the total number of items the Shopping Receivers are actively checking status for in Configuration Manager.
|Overdue Pending Orders Interval||1|
This setting is designed to control the frequency that the Shopping Central Service will check for Overdue and pending orders. Orders that have exceeded the configurable value in (Overdue Pending Orders Time Out) are automatically failed so that if the Shopping Application is configured for re-shopping the item can be re-requested by the same user.
The Interval is in minutes, hours or days based on Fail Overdue Pending Orders Units below for failing overdue pending orders.
|Overdue Pending Orders Units||Hours|
Controls the Fail Overdue Pending Orders Interval setting above.
Pending Requests Interval Seconds
Interval (in seconds) between checking for pending workflow integration requests. You can modify this interval with by running the command line:
|Retry Path||The full path to the retry folder.|
|SCCM Old Connection String||The SQL connection string to the Configuration Manager 2007 system. Used during the upgrade process from Configuration Manager 2007 to Configuration Manager 2012 while both systems are running in parallel to enable new machines in Configuration Manager 2007 to be imported into Shopping. This should be used in conjunction with the Sync Machines From Old Sccm setting.|
|Scheduled Uninstall Interval||Frequency (in minutes, hours or days – see Schedule Uninstall Units) the Shopping database is polled to see if scheduled uninstalls or uninstall reminders are due.|
|Scheduled Uninstall Units||Days|
The units used in the Scheduled Uninstall Interval setting.
Script Temp Path
The full path to the temporary folder used for workflow integration scripts. You can modify the location by running the command line:
Script Timeout Seconds
Maximum duration (in seconds) to wait for Workflow Integration Scripts to return a value. You can modify the duration by running the command line:
Send OS Deployment Confirmation Email
Sends an email informing the user that their OS deployment has been scheduled.
Send OS Deployment Imminent Email
Send OS Deployment Reminder Email
Sends an email informing the user that their OS deployment will begin in the specified number of hours. Set to 0 for no email.
Sends an email informing the user Your OS deployment for Machine NAME is scheduled to begin at TIME.
The following settings determine the polling interval for checking if an email must be sent:
Sends an email informing the user that their OS deployment will begin in the specified number of days. Set to 0 for no email.
Sends an email informing the user This is an early reminder. Your operating system upgrade for computer NAME is scheduled to begin at TIME on DATE.
The following settings determine the polling interval for checking if an email must be sent:
|Send OS Migration Cancelled Email Interval||5|
Polling interval to check if cancelled OS Migration emails must be sent. The polling interval units are set in Send OS Migration Cancelled Email Units below.
The cancellation may occur through the administrator cancelling or rescheduling the migration, or because items in the Shopping OSD application may have had permission changes applied or been deleted.
|Send OS Migration Cancelled Email Units||Minutes|
The units used in the Send OS Migration Cancelled Email Interval setting.
|Send OS Migration Imminent Email Interval||1|
Polling interval to check if pending OS Migration Imminent emails must be sent. The polling interval units are set in Send OS Migration Imminent Email Units below.
Emails are sent according to the value of Send OS Deployment Imminent Email above.
|Send OS Migration Imminent Email Units||Hours|
The units used in the Send OS Migration Imminent Email Interval setting.
Send OS Migration Reminder Email Interval
Polling interval to check if pending OS Migration Reminder emails must be sent prior to an OS Migration taking place. The polling interval units are set in Send OS Migration Reminder Email Units below.
Emails are sent according to the value of Send OS Deployment Reminder Email above.
Send OS Migration Reminder Email Units
The units used in the Send OS Migration Reminder Email Interval setting.
|Sync Machines and Users from Active Efficiency|
|Sync Machines From Old Sccm||False|
Determines whether the synchronization of new Configuration Manager 2007 machines into Shopping is enabled.
|Users and Machines, AD Sync Interval||1||Interval (in minutes, hours or days – see Users and Machines, AD Sync Units) for synchronizing the values held in the Shopping database for the user's and approver's manager and email details with their values set in Active Directory.|
|Users and Machines, AD Sync Units||Days|
Value the Users and Machines, AD Sync Interval setting.
Computer Category administrators
This section lets you configure how the Computer Category administrator details are set.
Determines whether Computer Category administrators can shop for applications on machines outside their computer category.
|Show Admin Tab||True|
Determines the visibility of the Admin tab in the Shopping Web.
The Shopping Web application queries the Configuration Manager central server via WMI, which requires the storage of WMI credentials in the database. The following settings must be correctly setup and verified using the diagnostics page.
|ConfigMgr Database Access Group||Set by installer||Information only setting that shows the AD security group associated with read-only access to Configuration Manager database. Console users are required to be in this group to perform actions in |
|Query SCCM Data From Server||True||Determines whether Shopping retrieves information about machines directly from the Configuration Manager server. Values are:|
|SCCM Version||Set by installer||Information only setting that shows the version number of the current Configuration Manager installation.|
This section lets you configure Console behaviour.
|Admin Console Manages Groups||True|
Determines whether the Admin Console adds or removes AD group members based on the Node Security settings.
|Apple app store home URL||https://itunes.apple.com/in/genre/ios/id36?mt=8||Home page for the Apple device application store, as used on the Mobile Details screen in the New Mobile Application wizard and the Mobile tab on the mobile application Properties dialog.|
|Full Database Access Group||Set by installer||Information only setting that shows the AD security group associated with full Shopping database access. Console users are required to be in this group to be able to perform privileged actions in |
|Google app store home URL||https://play.google.com/store/apps||Home page for the Android device store, as used on the Mobile Details screen in the New Mobile Application wizard and the Mobile tab on the mobile application Properties dialog.|
|Limited Database Access Group||Set by installer||Information only setting that shows the AD security group associated with limited Shopping database access. Console users are required to be in this group to perform actions in Approvers\Users Categories\Computer Categories\Event Log nodes. In earlier releases this setting was called Console User Account. |
|Number of Events To Display||500||Number of most recent events events to display in the Events section of the Shopping Admin console.|
|Windows app store home URL||http://www.windowsphone.com/en-in/store/||Home page for the Windows device application store, as used on the Mobile Details screen in the New Mobile Application wizard and the Mobile tab on the mobile application Properties dialog.|
This section lets you configure how the Deputy Approver details are set.
|Auto Reject Timeout||10||Time (in days) before a request is rejected automatically by the system while waiting for an approver to approve or reject.|
|Deputy Default||Set by installer|
The account to be used as a default deputy for any approver is absent.
|Maximum Approval Hours||24||Interval (in hours) before a request email is escalated to a Deputy Approver via email notification. Must be the same or greater than the value of Approval Escalation Interval. Minimum is 1 hour.|
This section displays some internally used settings.
|All Approval Applications||False||This flag is used internally. Values are:|
|Approval Applications With Cost||False||This flag is used internally. Values are:|
This section lets you configure the different integration modes.
|AppClarity Database||No default value set||Name of the AppClarity database to connect to.|
|AppClarity Database Server Instance||No default value set||Name of database server instance hosting the AppClarity database.|
|AppClarity Endpoint||No default value set|
The AppClarity integration services URL. For example,
|AppClarity Integration||False||Values are:|
|AppMigration Endpoint||No default value set|
The SLA Platform service endpoint URL that is used to query it for reinstall applications during as OS deployment. Used when the AppMigration mode is
|AppMigration Mode||Shopping||Where information about applications to be reinstalled during an OS deployment is derived from:|
|Catalog Endpoint||No default value set|
Location where the 1E Catalog is installed. Examples:
Indicates how Shopping applications and application migration rules are mapped to applications:
If you are running AppClarity 5.1 or later, use the upgrade tool to update existing application mapping and application migration rules to use the Catalog and update Integration Mode to Catalog.
|SLA Platform Password||No default value set||The password for the SLA Platform account used to query the platform for reinstall applications during and OS deployment. This setting sis required when AppMigration Mode is AppMigration.|
|SLA Platform Username||No default value set|
The name of the SLA Platform account (in the format:
This section lets you define the Global License Manager.
|Global License Manager Account||Set by installer||Account name for the global license manager who will receive all the license alert emails. |
|Global License Manager Email||Set by installer||Email address to be notified when license exceptions occur. Derived from the AD email set for the account provided in the installer.|
This section controls the localization of the language used in the Shopping emails and Website.
|Default Language For Emails||en (English)||Default language used for the emails. This determines which set of email templates are used.|
|Use Login Language||False||Determines whether to use default templates for emails or use email templates that correspond to the user's login language, i.e. their Internet Explorer language preference.|
This section controls the OS deployment feature on the Shopping Website. There are several OS deployment and migration settings under the Central Service category.
|Enable Reinstall and License Management||True||Determines whether Shopping reinstalls applications and manages their licenses part of the OS deployment process. Values are:|
|Make OSD Confirm Box Visible||True||Display the confirm checkbox on the final page of the OS deployment wizard in the Shopping portal. The displayed text is configurable in the |
|OS Deployment Workflow |
Determines the Shopping workflow integration for the OS deployment wizard.
|Use Extended Table For OSD |
This section controls the filtering of applications on the Shopping Website according to whether the it is compatible with the user's OS. For more information see OS Filtering.
|OS Filtering Enabled||False|
Determines if Shopping hides applications from the Shopping website whose specified client platform is not compatible with the user's OS.
|OS Filtering Sync Period||720||Duration (in minutes) for re-syncing Shopping with Configuration Manager to retrieve any specified client platforms set for a particular Application's install program.|
This section lets you control the defaults for the Rental settings.
|Final Reminder Days||1|
Number of days before rental application uninstall that the final reminder email is sent to a user reminding them that the application is about to be uninstalled.
Number of days before rental application uninstall that a reminder email is sent to a user reminding them that the application is about to be uninstalled.
|Rental Extension Default Days||90||Default value for the Rental Extension days setting when first enabling Rental for an application.|
|Rental Extension Maximum Days||120||Maximum value (in days) that the Rental Extension days setting can be set to when configuring Rental for an application.|
|Rental Extension Minimum Days||60||Minimum value (in days) that the Rental Extension days setting can be set to when configuring Rental for an application.|
This section lets you control the accounts used by Shopping for administration and viewing reports.
|Admin Account||Set by installer||Information only setting that shows the AD account or group permitted to view the Shopping Admin pages. Installer property: |
|Admin Email||Set by installer|
Determines if Shopping forwards alerts to the administrator email account. Derived from the AD email for the account provided in the
|Admin Name||Administrator||Information only setting that shows the name associated with the Administrator account with privileges to the Shopping database.|
|API Url||Sets the location of the ShoppingAPI.|
When integrating with Configuration Manager 2012, for Shopping to work in centralized mode all Primary Receiver Services must be stopped.
|Check Pending Order Status After||3||Check Configuration Manager for the status of pending orders older than this number of hours. This is used when Configuration Manager receives status messages in the wrong order.|
|Full Admin For RBAC||Set to a list of Configuration Manager administrators with rights on all configurable items in Configuration Manager. Each entry on the list should be separated by a semi-colon (;). Each administrator should be defined in the format Domain\UserName.|
|Mail Format||HTML||Information only setting that shows the format that will be used for user emails.|
RBAC Support Enabled
Determines if role-based access control (RBAC) is enabled or not. To enable RBAC you should also set WQL Support Enabled to True.
|Receiver Account||Set by installer||Sets the account that must be used by all the Shopping Receivers. If a Shopping Receiver is configured to use a different account to the one set here it will get errors when attempting to connect.|
|Reports Account||Set by installer||Sets the AD account or group permitted to view the Shopping reports pages. Initially set during installation.|
|Service Account||Set by installer||Information only setting that shows the Shopping service account. Defined during installation|
|SMTP Server||Set by installer||The Mail Server alias or IP Address|
|Web URL||Set by installer||Sets the web URL for the Shopping Web Portal. This is used when linking approval emails to the Shopping website.|
WQL Support Enabled
Determines how calls to the Configuration Manager servers are made – using Windows Management Instrumentation Query Language (WQL) or structured query language (SQL).
This section contains various settings for configuring Shopping.
|1E Tachyon Agent loopback URL||http://localhost:8000/ |
Name and port for the Tachyon Agent web service used by the Shopping web application to retrieve machine information.
Sets the name given to the Shopping application as seen in the top left of the Shopping Portal.
|Bypass Approval Accounts||No default value set|
User groups or accounts that will bypass the approval process for any of the applications that are visible to them. Each entry must be separated by a comma.
|Comments Always Expanded||False|
Determines whether the comments for applications are expanded by default or not in the Shopping web portal.
|Cookie Timeout||7||Timeout (in days) for user-side cookies in the Shopping web-console.|
|Currency||English (United States) [en-US]||The locale that determines the currency and number formatting used in the Shopping display for application costs.|
|Default View Mode||Grid|
Default view for each user. May be a grid or list view.
|Enable Full Text Search|
|Enable Mandatory Approval Comments||False|
Determines if comments are mandatory for approvers when approving applications.
|Force Comment For Approval||True|
Determines if comments are mandatory for users when shopping for applications that require approval.
|Force Comment For Non-Approval||False|
Determines if comments are mandatory for users when shopping for applications that do not require approval.
|Help Desk Cost||40||Typical cost for a help desk request in your organization – used to calculate the help desk cost savings to date, displayed on the Shopping home page.|
|Help Desk Time||30||Typical time taken (in minutes) to respond to a help desk request in your organization – used to calculate the help desk time savings to date, displayed on the Shopping home page.|
|License Dependency||True||Controls whether licensing is enforced or not. Values are:|
|Maximum Machines Count||100||Maximum number of machines to be returned in machine searches on the web applications admin basket page.|
|Send Email When Application Deployed||True||Determines whether the user receives an email for application deployment success and failures.|
|Show Savings To Date||True|
Determines if the Savings to date is displayed in the Shopping Web home page.
|Use Splash Message||Never Appear|
Determines if a Welcome screen and message is displayed on the Shopping Web portal.
This section lets you configure the way that Shopping manages its workflow integration. More details on integrating with 3rd party applications can be found in The Shopping workflow documentation.
|Application Request Cancelled||Name and location for the Application Request Cancelled Workflow script.|
|Application Request Deployed||Name and location for the Application Request Deployed Workflow script.|
|Application Requested||Name and location for the Application Requested Workflow script.|
|Approval Process Completed||Name and location for the Application Process Completed Workflow script.|
|Approval Update||Name and location for the Approval Update Workflow script.|
|Installation Process Completed||Name and location for the Installation Process Completed Workflow script.|
|Maximum Workflow Retries||3||Maximum number of times to retry executing a Workflow Integration script.|
|Workflow Integration Mode||Off||Determines which callbacks are made to the workflow interface when shopping for an application. A callback is made for:|