Other uses for Applications

You have been introduced to Applications and the concept of ConfigMgr Applications and Non-ConfigMgr Applications and created an example of a non-ConfigMgr Application (the Samsung monitor). In this Lab, you will explore non-ConfigMgr Applications in more depth to see how they can be used to extend the scope of the Shopping portal for users.

Ordering hardware through Shopping

In this exercise, you will revisit the Samsung E1920 Monitor Application and explore what can be done with it in Shopping.

Remember to review the deputy approval functionality!

Add Approval to the Application

In this task, you will add Approval to the Application. It is likely that in most cases, non-ConfigMgr Applications in Shopping will require some form of approval. If the Application has no Approval defined, the order is simply completed as soon as it is placed.

Shopping includes a framework for integration with other systems throughout the request workflow. This framework is based on optionally executing pre-defined scripts at certain stages of the workflow. These scripts can be customized to do just about anything you can do with a script and have all the relevant properties of the order passed to them. It is therefore quite straightforward to have the script generate an XML file with all the required parameters that can then be consumed by the likes of Remedy or HP Service Manager. This level of integration is beyond the scope of this course, but is detailed in The Shopping API Reference available from 1E Support.


1ETRNAP 



Log on to 1ETRNAP as ShoppingAdmin and open the Shopping Administration Console


Enable Approval on the Samsung E1920 Monitor Application and add <MANAGER> as the only Approver. (Refer to Step 390 if you need a reminder of how to do this)


Order hardware and process approval

You will now order a monitor as the end user and observe the approval process.

1ETRNW71 



Log on to 1ETRNW71 as user and open the Shopping portal


Place an order for the Samsung E1920 Monitor



1ETRNW101



Ensure you are logged in as Manager1. Resync the view in Mail


Note the Request forNon- ConfigMgr Application Approval by User email


With no additional workflow integration, this email is the only notification that the request has been made. In this scenario, it would now be up to Manager1 to order the monitor from the supplier. Using out-of-the-box Approval, the IT Department (or whomever orders hardware from the supplier or supplies from stock) could be added as a chained approver, so they would receive notification automatically once it had been approved by Manager1. They could then 'Approve' the order indicating in the Approver Comments that an order has been placed with the supplier (or perhaps "Carl from IT will come by after lunch to set this up for you").


Approve the request



1ETRNW71



Return to 1ETRNW71, logged on as user and switch to Windows Live Mail


Click Send/Receive and note the Application Approved email notification


Using Shopping to grant access to secured resources

The scope of Shopping requests can be extended to allow users to request access to any resource that is secured by AD security groups (examples include file shares, SharePoint sites, web applications or internal applications or databases). If the request is approved, the user or computer (depending on the Application configuration) is automatically added to the specified AD group.

Allow Shopping Central Service to update Groups

When the AD integration feature is used, the Shopping Central Service will add the user or computer into the defined groups once the order is approved. It is therefore necessary to grant the Shopping Central Service account permission to update these groups.

When using Shopping to manage AD group membership, it is best practice to contain all these groups in a specific OU, and then grant the necessary permissions on the OU.


1ETRNDC 



Log on to 1ETRNDC as 1ETRN\Administrator and open Active Directory Users and Computers


Locate the Shopping OU contained in the Security_Groups OU


Note that this OU contains the following two security groups
  1. DriveAccess – DocumentShare on 1ETRNAP (Read Access)
  2. DriveAccess – DocumentShare on 1ETRNAP (Write Access)

Right-click the Shopping OU and select Properties


Select the Security tab and click Advanced


Click Add…, the click on Select a Principal


Enter svc_ShoppingCentral, click Check Names to resolve and then click OK


In the Applies to drop-down, select Descendant Group objects


In the list of Properties in the lower part of the screen, scroll down and check the box for Write Members


Click OK on each open dialog box to close them all


By default, the Shopping Central Service account must be explicitly granted Full Control on the AD groups it will manage; otherwise, an error will be displayed when you try to close the Application Properties dialog. In order to allow implicit access (i.e. granting Full Control to a group that the Shopping Central Service is a member of) you must set Allow Implicit Access for AD Integration (in the Central Service settings in the Shopping Admin Console) to True.



1ETRNAP



On 1ETRNAP start Services (from the Start screen) and restart the 1E Shopping Central service


After the Shopping Central Service Account is added to a group that has permissions to manage the group, the Shopping service must be restarted so the account gets the group membership token. If this is not done, the Central Service will fail to make changes to the groups when requests are made by users.


Create an Application for access to a secured resource

In this task, you will create a non-ConfigMgr Application that will allow users to request access to a restricted file share.

1ETRNAP



In the Shopping Administration Console, create a new standard Application


Be sure to select New Application and not New ConfigMgr Application.


Complete the General Details with the following properties and click Next


Name           Write Access to Document Share
Description  Request write access to \\1ETRNAP\DocumentShare
Cost             0.00
Icon Choose any icon


On the User Categories page, select the Resource Access User Category and click Next


On the SMS/ConfigMgr Sites page, select All Sites and Unmanaged Clients and click Next


Note that when defining a standard Application (i.e. not a ConfigMgr Application) the All Sites option includes Unmanaged Clients. This is because standard Applications do not require the ConfigMgr client to be present as there is no automated installation to be done.


On the Central or Branch Management page, ensure Central Administrator is selected and click Next


On the Approval page, ensure Application Based is selected and click Next


On the Application Based Approval add Manager2 as the Approver for this Application and click Next


On the Licensing Details page click Next


Click Finish to close the Wizard


Double-click the WriteAccess to Document Share Application to open the Application's Properties dialog box


Select the AD tab and select Enable AD Integration


Note that the administrator can define both a user group (that the requesting user should be added to) and a computer group (that the computer being used by the user to access the Shopping portal at the time of the request should be added to).


Click the Set button next to the User Group and enter driveaccess in the Select Group dialog and click Check Names


Note that both groups seen previously in the Shopping OU are returned. Select the '…(Write Access)' group and click OK twice to return to the Application Properties


Check the Enable AD group removal option. This will cause an Uninstall button to appear in the Completed Orders page of the Shopping portal, so the user can remove themselves from the group at a later stage


Click OK to close the Application Properties dialog


Shop for access to a secured resource

In this task, you will request access to the Internal Library through the Shopping portal.

1ETRNW71 



Log on to 1ETRNW71 as user


Open Windows Explorer and browse to \\1ETRNAP\DocumentShare. Note that User already has read access on this share


Attempt to create a new document in the DocumentShare folder. Note that you get an Access Denied error


Open the Shopping portal and place an order for the Write Access to Document Share Application from the Resource Access category


If the Resource Access category does not appear in the portal, log the user off and back on, then re-launch the Shopping portal.



1ETRNW102 



Log LicenseManager off and log on to 1ETRNW102 as Manager2


Open the shopping website and approve the request via the Approval tab



1ETRNW71 



Return to 1ETRNW71 and in the Shopping portal go to My Software page and select the All Orders tab


Depending on timing, the Status for the Write Access to Document Share order may appear as Addition Pending or Succeeded


The Shopping Central service runs the Active Directory Integration Action every 10 minutes (defined by Active Directory Integration Interval and Active Directory Integration Units in tb_Preference), which processes any pending changes to AD group memberships. Time for a tea/coffee break!


Once the order shows a status of Succeeded (refresh if necessary), log off and log back on as user



1ETRNDC 



On 1ETRNDC open Active Directory Users and Computers and review the membership of the DriveAccess – DocumentShare on 1ETRNAP (Write Access) group. Note that User has been added



1ETRNW71



Return to 1ETRNW71 and open \\1ETRNAP\DocumentShare in Windows Explorer


Attempt to create a new document in the DocumentShare folder. This time around, you should be able to create a document successfully, as user is now a member of the group that has write access


Go to the My Software page in the Shopping portal and select the All Orders tab


Note that the user is able to 'Uninstall' this Application, which will result in the user being removed from the DriveAccess – DocumentShare on 1ETRNAP (Write Access) group


Click uninstall, and validate that the user has been removed from the AD group after a few minutes(wait for the status in All Orders to change from Removal Pending to Removed)


Application Ratings and Reviews

Shopping now has the ability for users to submit Application Rating and Reviews via the Shopping website. In this exercise, you will submit a rating, write a brief review of an application, and observe where this information is stored in the Shopping database.

Submit and Look at Reviews

1ETRNW71



Log on to 1ETRNW71 as 1ETRN\User, open the Shopping website and select the Miscellaneous category


Ratings and Reviews behave the same regardless of the type of application (ConfigMgr or non-ConfigMgr), so this may be performed on any available application.


Select More Info on the Samsung E1920 Monitor tile


Click on Be the first to leave a review to open the review editor


Select a rating (1-5 stars), enter a title for your review and write a short review (keep it clean)


When finished, click Submit


Notice the Average Rating and the review submitted by 1ETRN\User


Submit a Product Review as a Different User

1ETRNW101



Click on the Self Service tab in the Shopping website and select the Miscellaneous category


Notice that the average rating is now displayed on the tile


Select More Info on the Samsung E1920 Monitor tile


Click on the 1 Reviews link to see the rating and review written by 1ETRN\User


Click on Write Review and submit a review with a different rating (+1 or -1) than the one you entered for 1ETRN\User


Enter a title and brief review and then click Submit


Notice that the average rating has been updated and both reviews are now visible


Click the Yes link on both reviews for Was this review helpful?



1ETRNW71



Switch back to 1ETRNW71, refresh the page and click the Yes link on both reviews for the Samsung E1920 Monitor


Observe the data created as a result of submitting the reviews

Now that you have submitted a couple of reviews, you will observe the data created in the Shopping database.

1ETRNAP



Open SQL Server Management Studio


Execute the following queries against the Shopping2 database:


SELECT * FROM tb_ApplicationAvgRating
SELECT * FROM tb_ReviewHelpful
SELECT * FROM tb_UserApplicationRating


Observe the values returned in the three tables and see where the ratings are logged, the average rating is calculated and whether the review was helpful or not in the tb_ApplicationAvgRating and tb_ReviewHelpful tables


Observe the results in the tb_UserApplicationRating table. This is where the Rating, Review Title and actual review (ReviewBody) are stored


It is important to note that in the case of an inappropriate review, you either need to edit the comments in the ReviewTitle or ReviewBody columns in the tb_UserApplicationRating table or have the user edit the review themselves to remove the inappropriate content.


Close SQL Server Management Studio


Lab Summary

In this lab, we have seen how standard Applications can be used to provide request and approval workflow for just about any item a user may need to request. Further, we have only seen the Approval notification emails that Shopping generates out-of-the-box. Much more is possible when the Workflow Integration is enabled as this causes Shopping to execute predefined scripts at different stages of the process. Workflow integration is covered in detail in The Shopping API Reference available on the 1E Support Portal.

The second exercise demonstrated how users can request access to just about any resource that is secured by AD groups. The example in the exercise simply added a user to a group. However, the AD integration can be added to any Application, including ConfigMgr Applications. This is particularly useful when an application requires both installed software on the client and access to a database or other central resource.
Lastly, we demonstrated the Rating and Reviews functionality and reviewed where this is stored in the database, in case something needs to be deleted.

Next Page
Ex 8 - Shopping 5.5 - Delegated Administration