Other uses for Applications
You have been introduced to Applications and the concept of ConfigMgr Applications and Non-ConfigMgr Applications and created an example of a non-ConfigMgr Application (the Samsung monitor). In this Lab, you will explore non-ConfigMgr Applications in more depth to see how they can be used to extend the scope of the Shopping portal for users.
Ordering hardware through Shopping
In this exercise, you will revisit the Samsung E1920 Monitor Application and explore what can be done with it in Shopping.
Remember to review the deputy approval functionality!
Add Approval to the Application
In this task, you will add Approval to the Application. It is likely that in most cases, non-ConfigMgr Applications in Shopping will require some form of approval. If the Application has no Approval defined, the order is simply completed as soon as it is placed.
Shopping includes a framework for integration with other systems throughout the request workflow. This framework is based on optionally executing pre-defined scripts at certain stages of the workflow. These scripts can be customized to do just about anything you can do with a script and have all the relevant properties of the order passed to them. It is therefore quite straightforward to have the script generate an XML file with all the required parameters that can then be consumed by the likes of Remedy or HP Service Manager. This level of integration is beyond the scope of this course, but is detailed in The Shopping API Reference available from 1E Support.
|Log on to 1ETRNAP as ShoppingAdmin and open the Shopping Administration Console|
|Enable Approval on the Samsung E1920 Monitor Application and add <MANAGER> as the only Approver. (Refer to Step 390 if you need a reminder of how to do this)|
Order hardware and process approval
You will now order a monitor as the end user and observe the approval process.
|Log on to 1ETRNW71 as user and open the Shopping portal|
|Place an order for the Samsung E1920 Monitor|
|Ensure you are logged in as Manager1. Resync the view in Mail|
|Note the Request for Non-ConfigMgr Application Approval by User email|
With no additional workflow integration, this email is the only notification that the request has been made. In this scenario, it would now be up to Manager1 to order the monitor from the supplier. Using out-of-the-box Approval, the IT Department (or whoever orders hardware from the supplier or supplies from stock) could be added as a chained approver, so they would receive notification automatically once it had been approved by Manager1. They could then 'Approve' the order, indicating in the Approver Comments that an order has been placed with the supplier (or perhaps "Carl from IT will come by after lunch to set this up for you").
|Return to 1ETRNW71, logged on as user and switch to Windows Live Mail|
|Click Send/Receive and note the Application Approved email notification|
Using Shopping to grant access to secured resources
The scope of Shopping requests can be extended to allow users to request access to any resource that is secured by AD security groups (examples include file shares, SharePoint sites, web applications or internal applications or databases). If the request is approved, the user or computer (depending on the Application configuration) is automatically added to the specified AD group.
Allow Shopping Central Service to update Groups
When the AD integration feature is used, the Shopping Central Service will add the user or computer into the defined groups once the order is approved. It is therefore necessary to grant the Shopping Central Service account permission to update these groups.
When using Shopping to manage AD group membership, it is best practice to contain all these groups in a specific OU, and then grant the necessary permissions on the OU.
|Log on to 1ETRNDC as 1ETRN\Administrator and open Active Directory Users and Computers|
|Locate the Shopping OU contained in the Security_Groups OU|
|Note that this OU contains the following two security groups|
- DriveAccess – DocumentShare on 1ETRNAP (Read Access)
- DriveAccess – DocumentShare on 1ETRNAP (Write Access)
|Right-click the Shopping OU and select Properties|
|Select the Security tab and click Advanced|
|Click Add…, then click on Select a Principal|
|Enter svc_ShoppingCentral, click Check Names to resolve and then click OK|
|In the Applies to drop-down, select Descendant Group objects|
|In the list of Properties in the lower part of the screen, scroll down and check the box for Write Members|
|Click OK on each open dialog box to close them all|
By default, the Shopping Central Service account must be explicitly granted Full Control on the AD groups it will manage; otherwise, an error will be displayed when you try to close the Application Properties dialog. In order to allow implicit access (i.e. granting Full Control to a group that the Shopping Central Service is a member of) you must set Allow Implicit Access for AD Integration (in the Central Service settings in the Shopping Admin Console) to True.
|On 1ETRNAP start Services (from the Start screen) and restart the 1E Shopping Central service|
After the Shopping Central Service Account is added to a group that has permissions to manage the group, the Shopping service must be restarted so the account gets the group membership token. If this is not done, the Central Service will fail to make changes to the groups when requests are made by users.
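The delegation made in the steps above can be checked from PowerShell instead of the Security tab. The following is an added example, not part of the original lab or of 1E's tooling: it reads the ACL on the Shopping OU and reports whether each entry for svc_ShoppingCentral is limited to the Members property on descendant Group objects. The domain components in $OuDn are placeholders (the lab's domain DN is not given here), and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: read-only audit of the delegation on the Shopping OU.
# Assumptions: RSAT ActiveDirectory module; DC=example,DC=local is a placeholder.
Import-Module ActiveDirectory

$OuDn    = 'OU=Shopping,OU=Security_Groups,DC=example,DC=local'   # placeholder DN
$Account = 'svc_ShoppingCentral'

# Well-known schema GUIDs: the 'member' attribute and the 'group' object class
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$GroupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

# Rights that stay within "Members" access: ReadProperty (0x10) | WriteProperty (0x20)
$AllowedMask = 0x30

# All ACEs on the OU whose trustee is the service account
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Account" }

$report = foreach ($ace in $aces) {
    $rights   = [int]$ace.ActiveDirectoryRights
    $expected = ($ace.AccessControlType -eq 'Allow') -and
                (($rights -band 0x20) -ne 0) -and                    # includes WriteProperty
                (($rights -band (-bnot $AllowedMask)) -eq 0) -and    # and nothing broader
                ($ace.ObjectType -eq $MemberAttr) -and               # scoped to 'member'
                ($ace.InheritedObjectType -eq $GroupClass) -and      # applies to groups only
                ($ace.InheritanceType -eq 'Descendents')             # descendant objects
    [pscustomobject]@{
        Rights      = $ace.ActiveDirectoryRights
        Property    = $ace.ObjectType
        AppliesTo   = $ace.InheritedObjectType
        Inheritance = $ace.InheritanceType
        Inherited   = $ace.IsInherited
        Verdict     = if ($expected) { 'Write Members on descendant groups' }
                      else { 'REVIEW: differs from the Write Members delegation' }
    }
}

if (-not $report) { Write-Warning "No ACE for $Account found on $OuDn" }
$report | Format-Table -AutoSize
```

Any row marked REVIEW (for example a GenericAll entry, or one with an empty AppliesTo GUID that covers every object type in the OU) gives the service account more than the Write Members permission granted in this task.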
Create an Application for access to a secured resource
In this task, you will create a non-ConfigMgr Application that will allow users to request access to a restricted file share.
|In the Shopping Administration Console, create a new standard Application|
Be sure to select New Application and not New ConfigMgr Application.
|Complete the General Details with the following properties and click Next|
- Name: Write Access to Document Share
- Description: Request write access to \\1ETRNAP\DocumentShare
- Icon: Choose any icon
|On the User Categories page, select the Resource Access User Category and click Next|
|On the SMS/ConfigMgr Sites page, select All Sites and Unmanaged Clients and click Next|
Note that when defining a standard Application (i.e. not a ConfigMgr Application) the All Sites option includes Unmanaged Clients. This is because standard Applications do not require the ConfigMgr client to be present as there is no automated installation to be done.
|On the Central or Branch Management page, ensure Central Administrator is selected and click Next|
|On the Approval page, ensure Application Based is selected and click Next|
|On the Application Based Approval add Manager2 as the Approver for this Application and click Next|
|On the Licensing Details page click Next|
|Click Finish to close the Wizard|
|Double-click the Write Access to Document Share Application to open the Application's Properties dialog box|
|Select the AD tab and select Enable AD Integration|
Note that the administrator can define both a user group (that the requesting user should be added to) and a computer group (that the computer being used by the user to access the Shopping portal at the time of the request should be added to).
|Click the Set button next to the User Group and enter driveaccess in the Select Group dialog and click Check Names|
|Note that both groups seen previously in the Shopping OU are returned. Select the '…(Write Access)' group and click OK twice to return to the Application Properties|
|Check the Enable AD group removal option. This will cause an Uninstall button to appear in the Completed Orders page of the Shopping portal, so the user can remove themselves from the group at a later stage|
|Click OK to close the Application Properties dialog|
Shop for access to a secured resource
In this task, you will request access to the Internal Library through the Shopping portal.
|Log on to 1ETRNW71 as user|
|Open Windows Explorer and browse to \\1ETRNAP\DocumentShare. Note that User already has read access on this share|
|Attempt to create a new document in the DocumentShare folder. Note that you get an Access Denied error|
|Open the Shopping portal and place an order for the Write Access to Document Share Application from the Resource Access category|
If the Resource Access category does not appear in the portal, log the user off and back on, then re-launch the Shopping portal.
|Log LicenseManager off and log on to 1ETRNW102 as Manager2|
|Open the shopping website and approve the request via the Approval tab|
|Return to 1ETRNW71 and in the Shopping portal go to My Software page and select the All Orders tab|
|Depending on timing, the Status for the Write Access to Document Share order may appear as Addition Pending or Succeeded|
The Shopping Central service runs the Active Directory Integration Action every 10 minutes (defined by Active Directory Integration Interval and Active Directory Integration Units in tb_Preference), which processes any pending changes to AD group memberships. Time for a tea/coffee break!
|Once the order shows a status of Succeeded (refresh if necessary), log off and log back on as user|
|On 1ETRNDC open Active Directory Users and Computers and review the membership of the DriveAccess – DocumentShare on 1ETRNAP (Write Access) group. Note that User has been added|
|Return to 1ETRNW71 and open \\1ETRNAP\DocumentShare in Windows Explorer|
|Attempt to create a new document in the DocumentShare folder. This time around, you should be able to create a document successfully, as user is now a member of the group that has write access|
|Go to the My Software page in the Shopping portal and select the All Orders tab|
|Note that the user is able to 'Uninstall' this Application, which will result in the user being removed from the DriveAccess – DocumentShare on 1ETRNAP (Write Access) group|
|Click Uninstall, and validate that the user has been removed from the AD group after a few minutes (wait for the status in All Orders to change from Removal Pending to Removed)|
Application Ratings and Reviews
Shopping now has the ability for users to submit Application Rating and Reviews via the Shopping website. In this exercise, you will submit a rating, write a brief review of an application, and observe where this information is stored in the Shopping database.
Submit and Look at Reviews
|Log on to 1ETRNW71 as 1ETRN\User, open the Shopping website and select the Miscellaneous category|
Ratings and Reviews behave the same regardless of the type of application (ConfigMgr or non-ConfigMgr), so this may be performed on any available application.
|Select More Info on the Samsung E1920 Monitor tile|
|Click on Be the first to leave a review to open the review editor|
|Select a rating (1-5 stars), enter a title for your review and write a short review (keep it clean)|
|When finished, click Submit|
|Notice the Average Rating and the review submitted by 1ETRN\User|
Submit a Product Review as a Different User
|Click on the Self Service tab in the Shopping website and select the Miscellaneous category|
|Notice that the average rating is now displayed on the tile|
|Select More Info on the Samsung E1920 Monitor tile|
|Click on the 1 Reviews link to see the rating and review written by 1ETRN\User|
|Click on Write Review and submit a review with a different rating (+1 or -1) than the one you entered for 1ETRN\User|
|Enter a title and brief review and then click Submit|
|Notice that the average rating has been updated and both reviews are now visible|
|Click the Yes link on both reviews for Was this review helpful?|
|Switch back to 1ETRNW71, refresh the page and click the Yes link on both reviews for the Samsung E1920 Monitor|
Observe the data created as a result of submitting the reviews
Now that you have submitted a couple of reviews, you will observe the data created in the Shopping database.
|Open SQL Server Management Studio|
|Execute the following queries against the Shopping2 database:|
SELECT * FROM tb_ApplicationAvgRating
SELECT * FROM tb_ReviewHelpful
SELECT * FROM tb_UserApplicationRating
|Observe the values returned from the three tables. The tb_ApplicationAvgRating and tb_ReviewHelpful tables show where the ratings are logged, where the average rating is calculated, and whether the review was helpful or not|
|Observe the results in the tb_UserApplicationRating table. This is where the Rating, Review Title and actual review (ReviewBody) are stored|
It is important to note that in the case of an inappropriate review, you either need to edit the comments in the ReviewTitle or ReviewBody columns in the tb_UserApplicationRating table or have the user edit the review themselves to remove the inappropriate content.
|Close SQL Server Management Studio|
In this lab, we have seen how standard Applications can be used to provide request and approval workflow for just about any item a user may need to request. Further, we have only seen the Approval notification emails that Shopping generates out-of-the-box. Much more is possible when the Workflow Integration is enabled as this causes Shopping to execute predefined scripts at different stages of the process. Workflow integration is covered in detail in The Shopping API Reference available on the 1E Support Portal.
The second exercise demonstrated how users can request access to just about any resource that is secured by AD groups. The example in the exercise simply added a user to a group. However, the AD integration can be added to any Application, including ConfigMgr Applications. This is particularly useful when an application requires both installed software on the client and access to a database or other central resource.
Lastly, we demonstrated the Rating and Reviews functionality and reviewed where this is stored in the database, in case something needs to be deleted.