Delegated Administration

So far, we have worked in an environment where a single Administrator affects the Shopping experience for users throughout the entire environment. In some cases, customers may want to manage parts of their environment differently, perhaps using different approvers or delegating certain operations within Shopping to regional administrators.

In this lab, you will learn how to divide an environment into different managed entities and the options for distributed and delegated administration.

Partition the environment with Computer Categories

Shopping uses Computer Categories to define groups of computers that form a logical unit or category, such as all computers in a specific geographical location, or all computers owned by a specific department. Computer Categories can be defined using AD computer groups, OUs, individual computer accounts or a combination of all three.

In this exercise, we will partition the lab client environment into two categories – Sales Computers and Development Computers. We will be building on from the User Categories we used earlier in the lab exercises.

Create Computer Categories based on the AD Groups

Groups have already been created in the Workstations OU in Active Directory as follows.

Group Name

Members

Development Computers

1ETRNW101, 1ETRNW71 and 1ETRNW73

Sales Computers

1ETRNW102 and 1ETRNW72

You will now create Computer Categories in Shopping based on these AD groups.

At this stage, you should check on the status of the request that you were waiting to be escalated to the deputy if you haven't already. Follow the approval process.


1ETRNAP



In the Shopping Administration console, right-click the Computer Categories node and select New Computer Category to open the New Computer Category wizard


On the Welcome page, click Next


On the Computer Category General Details page, enter Development Computers as the name and description. Click Next


On the Permissions page, note that both OUs and groups may be used to define Computer Categories. Click Add Group, enter Development Computers then click OK followed by Next


Click Finish to close the wizard


Repeat this process to create a Computer Category named Sales Computers, with Permissions set to the Sales Computers group


Computer Category Approval

Earlier you learned how to set up Approvers for Applications. These Approvers were 'global' approvers – all requests for the Application, regardless of where the request originated from, would need to be approved by the same people. Once you have Computer Categories defined, you can optionally delegate Approval of each Application to different Approvers, depending on which computer the request was originated on.

In this exercise, you will define different Approvers for the Development Computers and Sales Computers Computer Categories and observe the behavior when the same Application is requested from different computers.

Define Central Approvers for each Computer Category

You previously defined a number of Approvers. These defined Approvers appear in the Approvers node in the console as Central Approvers – they can be used on any centrally managed Application. When introducing Computer Category Approval, an Administrator must define which of these Central Approvers will be available for selection when defining Approval for a particular Computer Category. In effect, you are creating a subset of Central Approvers that can be selected as Approvers for a Computer Category-based Approval.

1ETRNAP



In the Shopping console expand the Computer Categories node


Right-click the Development Computers Computer Category and select Add Central Approvers


Be sure to right-click Development Computers in the expanded Computer Category node in the left-hand panel, not in the right-hand panel, or the Add Central Approvers option will not be available.


Add ApproverDev and <MANAGER> to the Selected Approvers list and click OK


Right-click the Sales Computers Computer Category and select Add Central Approvers


Add ApproverSales and <MANAGER> to the Selected Approvers list and click OK


Add Computer Category Approval to Applications

You will now configure the WinZipAdobe Reader, and Orca applications to use Computer Category Approval.

1ETRNAP



In the Shopping console open the WinZip Application Properties


Select the Computer Categories tab, check Enable Computer Category Approval and select both Development Computers and Sales Computers in the list of Computer Categories


Select the Approvers tab and note the Computer Categories approval list box now shows the two selected Computer Categories and Development Computers is currently selected


Note that the list of Available Approvers contains only the two Approvers that were added in step 623


Add ApproverDev to the Selected Approvers list


Select Sales Computers from the Computer Categories list and add ApproverSales to the Selected Approvers list


Click OK to save the updated settings


Repeat the process to enable Computer Category Approval for the Adobe Reader and Orca Applications, selecting the same Computer Categories and Approvers as for the WinZip Application


Shop for an Application with Computer Category Approval

In this task, you will observe the process when a user shops for WinZip Application from a computer included in the Development Computers Computer Category compared with a computer included in the Sales Computers category.

1ETRNW71 



Log on to 1ETRNW71 as user, open the Shopping portal and place an order for WinZip


From the My Software page, select the Pending Approval tab, click the WinZip Application link and note the order is pending approval with ApproverDev



1ETRNW101 



Log on to 1ETRNW101 as ApproverDev


Launch the shopping portal at http://appstore and click on the Approval tab


Email for this account has not been configured on this machine, as we have already reviewed the workflow via emails more than once. We are going directly to the Shopping website for approval here.


Click on the Pending (1) link and approve the WinZip request



1ETRNW72 



Log on to 1ETRNW72 as user and open the Shopping portal


Place an order for WinZip


From the My Software page, select the Pending Approval tab, click the WinZip Application link and note the order is pending approval with ApproverSales


Note that the requests are routed to different approvers based on the Computer Category associated with the originating computer. In this scenario, you have seen that using Computer Categories, the same user can log on to different computers resulting in different Approvers having to approve the Application order.



1ETRNW102 



The VMs in the lab environment sometimes default to the Administrator login, so be sure that you are logging in as the account specified below.


Log on to 1ETRNW102 as ApproverSales


Launch the shopping portal at http://appstore and click on the Approval tab


Click on the Pending (1) link and approve the WinZip request



1ETRNW71 & 1ETRNW72



Return to each of the originating workstations and note that the orders are completed and, depending on timing, the Application has been installed


This exercise has demonstrated that when Computer Category Approval is enabled, the approval workflow can be different for the same application, requested by the same user if the request is made from a computer in a different Computer Category.


Administration from the Shopping Portal

So far, the Shopping site has only been accessed by users and approvers. You have already seen that Approvers have the additional Approval tab in the navigation panel. When a Shopping Administrator logs on to the portal, they get an additional Administration tab that provides access to some admin tools.

A Shopping Administrator is any member of the AD group specified as the Admin account during the Shopping Central Site installation. If a single user is specified during setup, Shopping will have only one Administrator, which is why it is best practice to define a group for this purpose. In this lab, members of the Shopping_Admins group are Shopping Administrators.

In this exercise, you will explore the admin tasks that an administrator can perform from the Shopping portal without needing access to the Shopping Admin console.

Exploring the Administration page

1ETRNW71 



Log User off 1ETRNW71 and back on as ShoppingAdmin and open the Shopping portal


Note that the navigation panel includes the Administration tab, as ShoppingAdmin is a member of the Shopping_Admins group. The Shopping web page defaults to this tab for a Shopping administrator


Note that the action button on the Application Tiles is Add To Basket. On the top of the navigation panel on the left you will also see a link to the Shopping Basket


The concept of the Shopping Basket is a legacy of earlier versions of Shopping. Shopping v5.0 introduced a new user interface that did away with the Shopping Basket for regular users of the portal. However, as you will see later, Shopping Administrators have the ability to request Applications on behalf of others (to be installed on other computers). In this scenario, the Shopping Basket interface is required and is enabled when the Administration tab is selected.


Exploring the Reinstallation tool

The Reinstallation tool allows an administrator to reinstall any or all the applications that were previously installed on a computer by Shopping. This could be used when a user is migrated to a new computer and needs to have all the Applications reinstalled.

1ETRNW71



From the Administration tab, expand the Installation tools menu and select Reinstallation


In the Machine to Re-install edit box enter 1ETRNW7 and click the search icon (or press enter)


The Search Results list shows all computers in the lab that matched the search criteria. In brackets, next to each computer is the name of the Computer Category associated with the computer.


Select each of the three computers in turn and observe the Applications to Install list lower down the page. This list shows the Applications previously installed by Shopping on the selected computer


When a computer has been rebuilt with the same name, the Search Results list will show the computer once, but when it is selected the specific GUIDs of the Old Machine and New Machine will be shown below the Applications to Re-install list boxes. The Old Machine represents the details that Shopping has in its database for the computer before it was rebuilt. The New Machine is the computer with the same name (but different GUID) found in the ConfigMgr database. If the administrator chooses to reinstall any of the listed applications, the New Machine will be added to the relevant Collections in ConfigMgr.


Exploring the Copy Configuration tool

The Copy Configuration tool uses a very similar interface to that of the Reinstallation tool. However, the Copy Configuration tool is used to select Applications installed on one computer and install these on one or more other computers. This tool is useful for provisioning a computer for a new member of staff, as the administrator can copy the applications another member of the team installed on their computer through Shopping. It can also be used to install applications onto a computer that has been rebuilt with a different name.

1ETRNW71



From the Administration tab with the Installation tools expanded in the left-hand menu panel, select Copy Configuration


In the Machine to copy configuration from edit box, enter 1ETRNW and press Enter to return a list of the computers in the lab


Select each computer and note the applications installed on each machine via Shopping


Select 1ETRNW71 from the Search Results list


Remove Project 2010 from the list of Applications to Install by selecting it and clicking the < button to move it to the Applications to Ignore


Scroll down to the Machines to copy configuration to search box, enter 1ETRNW and press Enter


From the Search Results list, CTRL select 1ETRNW72 and 1ETRNW101


Scroll to the bottom of the page and click Install. The Copy Configuration page will now show the orders that have been created because of your action. An order for Sales Application is placed for both computers, but the order for WinZip is only placed for 1ETRNW101 as it has already been installed on 1ETRNW72


From the My Software page, select the All Orders tab and observe the Applications that were 'requested' for 1ETRNW101 and 1ETRNW72


Click on the WinZip 16.0 hyperlink to see details of this order


Note that WinZip, which requires approval, shows No approvals required for this order. When Applications are installed using the admin tools, approval workflow is bypassed.



1ETRNW101 



Confirm you're logged in with ApproverDev


Validate that WinZip and Sales App are installed via icons on the desktop


Note that it doesn't matter which user is logged in when applications are deployed via the administrative tools. It will take a couple of minutes for the policy to run and installation to take place.


Creating and Deploying Application Sets

Application sets are a group of applications bundled together that makes it easier for administrators when they shop for others. Application sets are created in the Shopping Admin Console and only available to administrators from the Administration tab. In this task, we will create an Application Set (App Set) and learn how it can be deployed to machine or group of machines by an administrator.

1ETRNAP



Open the Shopping Administrator console as 1ETRN\ShoppingAdmin


Right-click on the Applications node and select New App Set


Click Next on the Welcome page


On the General Details page, enter 1ETRN Test App Set as the name and optionally, enter a description. Leave the Enabled box checked and click Next to continue


Leave Machine selected as the AppSet for: option, enter % in the Search for applications field and click Search


Select the following applications from the Available field and click the > button to add them to the Use field


Paint.NET – x86
Pro Photo Tools


Click Next


On the Completion page, click Finish to close the New App Set Wizard


Note that in the Applications node of the Shopping Administrator console, there is a new category named App Set and the 1ETRN Test App Set will appear there.


Launch the Shopping portal and select the Self Service tab (it will default to Administration)


If the App Set does not appear in the Featured list, select the Latest list.


Locate the 1ETRN Test App Set tile and note that rather than a Request button, there is a status that says NOT AVAILABLE


Click on the Administration tab and you will see that the 1ETRN Test App Set tile has an Add To Basket button. Click on Add To Basket and note that the Shopping Basket now contains 1 item. Click on the Shopping Basket


You will see the 1ETRN Test App Set listed under Order Items at the bottom of the page. Type 1ETRNW7 in the Search for machines field and hit Enter


The three Windows 7 workstations will be listed in the Machines To Ignore field. Add all three machines to the Machines To Target field by clicking the >> button


Click the Place Order button at the lower right corner of the page


When the banner is displayed stating that the order was placed successfully, go to the My Software page


Click on the App Set Orders tab and note that the 1ETRN Test App Set shows a status of either Order Placed or AppSet in Progress


Click the icon on any order to view the details. You can see that both applications included in the Application Set are being processed


Wait a few minutes and refresh the page. The status will change to AppSet CompletedSuccessfully and when you look at the details, you will see that both applications were successfully installed


You might see an AppSet in Progress status before it shows completed. These are the different status messages returning from the endpoints.



1ERNW73



Log in as user


Click on the Start button and click All Programs


Note that Microsoft Pro Photo Tools and Paint.NET are installed


Branch Administration

The administration tasks covered in the previous exercise were performed by a central administrator who can manage all computers in the environment. We have shown that administrative tasks may be delegated throughout the environment. We have defined Computer Categories to distinguish groups of computers for delegated administration.

In this exercise, we will introduce Branch Administrators. These administrators will each have control over computers in their own Computer Category but not any other computers.

Assign Branch Administrators to Computer Categories

In this task, you will add ApproverDev and ApproverSales as a Branch Administrator for all computers in the Development Computers and Sales Computers Computer Categories respectively.

1ETRNAP



In the Shopping Admin Console, expand the Computer Categories node


Right-click the Development Computers node and select Add Branch Administrators


In the Add Branch Administrators dialog box, add 1ETRN\ApproverDev to the Selected Administrators list and click OK


Repeat the process to add ApproverSales as a Branch Administrator to the Sales Computers Computer Category


Requesting Applications for other Computers

A Branch Administrator is able to request Applications for any computers within their 'branch' (Computer Category) through the Shopping portal. In this task, you will use this feature to install Orca on two Development Computers PCs while logged on as the Branch Administrator (ApproverDev)

1ETRNW101



Log on to 1ETRNW101 as ApproverDev (should be the user already logged on)


Navigate to the shopping portal


If the Shopping portal is already open you will have to close it and reopen it before you will see the Administration tab in the next step.


Select the Administration tab, locate the Orca application and click Add To Basket


Note the banner in the page header indicates Orca has been added to your basket and the Shopping Basket now shows 1 item



Click the Shopping Basket in the Navigation panel to open the Basket page. From this page, you select the computers that you want Orca to be installed on


In the Search Machines box, enter 1ETRN and click the search icon (or press Enter)


Note that search only returns computers in the Development Computers Computer Category, as ApproverDev is a branch administrator only for that Computer Category.


Click the >> button to add all three computers to the Machines to Target list


Click on the button in the Order Items section to show the details for Orca. Click Place Order


Note that a banner pops up to indicate that comments are mandatory. Expand the order again and nput a comment and click Place Order


The approval process is bypassed when applications are shopped by an administrator, but a comment may still be required to place the order. By default, comments are required for applications that require approval. This may be configured in the Settings node of the Shopping Admin Console, in the Web Application section. The setting is Force Comment For Approval.


A message will display indicating the order was placed successfully. Go to the My Software page and select the All Orders tab. Note that the status on the orders for Orca are all Order Placed


Recall that the Application was configured to require Approval. By default, when a Branch Administrator places an order for other computers, the Approval workflow is bypassed. If the Approval process must be adhered to at all times, the Branch Admins Require Approval setting can be set to True in the Shopping Administration console.


Within a few minutes the Orca Application should be installed on all three Development computers



1ETRNW73



Click on the Start button and note Orca displayed under the Recently added category


Using Administration Tools as a Branch Administrator

In this task, you will review the Administration tools in the Shopping portal that you worked with in the last exercise, but this time from the perspective of a Branch Administrator rather than a Central Administrator.

1ETRNW101



On 1ETRNW101, logged in as ApproverDev select the Administration tab in the navigation panel in the Shopping portal


In the navigation panel, expand the Installation tools and select Copy Configuration


Enter 1ETRN into the search box and click the search icon


Note that only computers in the Development Computers Computer Category are returned as this is the only Computer Category that ApproverDev has been defined as a Branch Administrator.


Select 1ETRNW71 from the Search Results and observe the applications installed on 1ETRNW71 that appear in the Applications to Install list


In the Machines to copy configuration to section of the page, search for 1ETRN and note that only computers in the Development Computers Computer Category are returned. Select 1ETRNW73, and then click the INSTALL button at the bottom of the page


The Copy Configuration page displays the orders that have been placed because of this action. Note that only the applications that haven't already been installed on 1ETRNW73 appear


Verify these orders on the All Orders tab on the My Software page


Enabling an Application for Branch Administration

All the Applications created in Shopping so far have been Central Applications, i.e. configured for Central administration. Central Applications have their Categories and Approvers defined by a central administrator through the Shopping Administration Console.

In this task, you will configure the Sales Application and Phonebook Applications to use Branch Administration in preparation for the subsequent tasks in this exercise.

1ETRNAP



In the Shopping Admin Console locate the Sales Application Application and open the Application's properties


On the General tab, change the Categories & Approval configured by: option to Branch Administrator


The console will pop up a warning indicating that this change will remove any existing Computer Category and Approver associations. Note also that this change cannot be undone.


Click Yes on the warning dialog box to proceed


The console will display another warning indicating that the Application is associated with one or more User Categories. Users will not be able to request the Application unless they are associated with not only the Application's User Category but also that the computer is associated to a Computer Category to which the Branch Administrator has published the application.


Click OK on the warning dialog box to proceed


Select the Computer Categories tab and note that the controls are all disabled


Select the Approvers tab and note the controls are all disabled here also


Once you enable an Application for Branch Administration, you can no longer centrally manage Approval for that Application.


Click OK to save the Branch Administration change


Repeat for the Phonebook application



1ETRNW102



Log out on 1ETRNW102 and log in as 1ETRN\SalesUser and open the Shopping portal


Search for the Sales Application andPhonebook applications


Even though 1ETRN\SalesUser is a member of the Sales Team User Category and 1ETRNW102 is a member of the Sales Computers Computer Group, the applications are not visible in the Shopping portal. Once the applications were modified to be managed at the branch level, they must now be published by a Branch Administrator before they are available.


Publishing Applications as a Branch Administrator

In this task, you will publish the Sales Application and Phonebook applications to make them available to computers in the Sales Computers Computer Category.

1ETRNW72 



Log onto 1ETRNW72 as 1ETRN\ApproverSales and open the Shopping portal


We have configured ApproverSales as a branch admin for the Sales Computer Category.


Select the Administration tab of the navigation panel, expand Branch Management and select Publish Applications


Note that Sales Application and Phonebook appear in the list of Applications that can be published. Note also that the Approval column shows Undefined and the PUBLISH button is disabled


A Branch Application cannot be published until the Branch Administrator has configured Approval for the Application. This does not mean that the Application requires Approval (the Branch Administrator can select None, as we will in this task), but the Branch Administrator does have to make a conscious decision for each Branch Application before it can be published.


Click the Setup Approval for this Application link below the Approval column for the Sales Application application


On the Configure Branch Application Approvers page, select None from the Approval Type dropdown and click Submit


A confirmation message is displayed along with a link to return to the Publish Applications page. Click this link


Note the Approval column now indicates No Approval is required for this Application in this particular branch (Computer Category), and the Publish button is enabled


Repeat steps 721-723 for the Phonebook application


Click the PUBLISH button for both applications


Refresh the web page and note that the PUBLISH button has become the UNPUBLISH button (a refresh may be required to see the UNPUBLISH button)



1ETRNW102 



Return to 1ETRNW102 (logged on as SalesUser)


Close the browser and reopen to the Shopping portal


Search again for Sales Application and Phonebook


This time the Applications are available as the Shopping portal is being accessed from a computer in the Sales Computers Computer Category and the Branch Administrator has published this Application to that Computer Category. Do not request the application at this time


Defining Branch Approvers

Just as approval for Central Applications requires Central Approvers to be defined by a Central administrator, approval for Branch Applications requires Branch Approvers to be defined by a Branch Administrator. In this task, as the Branch Administrator you will define the Approvers that are responsible for approving Application request in your 'branch' (Computer Category).

1ETRNW72 



On 1ETRNW72 as ApproverSales, select the Administration tab in the navigation panel, expand Branch Management and select Manage Approvers


On the Manage Branch Approvers page, click the Add Approver button


In the search box enter Approver and click Search


Click the Add button to the right of the ApproverSales entry in the list to add ApproverSales as a Branch Approver


Add LicenseManager as a Branch Approver in the same manner (search for License)


Click the Manage Approvers under Branch Management in the navigation panel to review the two Branch Approvers that have been added


Defining Application Approval as a Branch Administrator

Now that Branch Approvers have been defined, you can use them in the Application Approval definition.

1ETRNW72 



From the Administration tab in the Shopping portal, click on the Publish Applications link under Branch Management in the navigation page


Note that the Sales Application and Phonebook Applications are listed and the Approval is No Approval (recalling that we defined it as no approval earlier)


Click the Configure Approval for this Application link below the Approval column for the Phonebook application


Select Chain from the Approval Type drop-down. A list of available (unassigned) Approvers is displayed towards the bottom of the page, which includes the two Approvers defined in the previous task and the standard look-up approver <Manager>


Assign LicenseManager and <Manager> as Approvers by clicking the Assign button to the right of each


Note that the order of the Approvers in the chain can be changed by simply dragging and dropping them.


Drag <Manager> above LicenseManager and click Submit


Repeat for the Sales Application application


Shopping for the Branch Application with Branch Approval

In this task, you will place an order for the Sales Application from a workstation in the Sales Computers Computer Category.

1ETRNW102



Close the browser and reopen the Shopping portal


Search for and place an order for Phonebook. Input text into the Request Item box and click Request



1ETRNW72 



Log off ApproverSales and log on to 1ETRNW72 as Manager2 (SalesUser's manager who is the first Approver in the chain)


Approve the order from the Shopping portal


Log Manager2 off and log LicenseManager on (the next Approver in the chain) and approve the order



1ETRNW102 



Return to 1ETRNW102 and go to the All Orders tab on the My Software page in the Shopping portal


Review the status of the Phonebook application order and note the time it was requested



1ETRNAP



On 1ETRNAP, open the Shopping log file (C:\ProgramData\1E\Shopping\Shopping.log) and trace the process from the time the Sales Application application was requested on 1ETRNW102


Monitoring Branch Activity

A Branch Administrator can view activity for each Branch Application within their branch and view all pending requests from the Branch Admin Tools as follows.

1ETRNW72



Log on to 1ETRNW72 as ApproverSales, open the Shopping portal and select the Administration tab of the navigation panel


Expand Branch Management and select View Branch Application Activity


Note the Branch Administrator can see which Branch Applications have been published and how many requests for that Application have been completed, approved, rejected or are pending approval


Click on the Phonebook link to view the specific details of each order on the View Application Orders page


Change the date in the Requests Ending field to tomorrow's date and click GENERATE REPORT


Note that there are two rows returned for the same order. This is because the query returns a row for each approval (<MANAGER> and LicenseManager), although this is not indicated in the results.


From the menu on the left, expand Branch Management and select View Pending Requests. This allows Branch Administrators to view details of all orders in their branch that are pending approval


Since nothing is pending, you will simply see No records found listed here.



Lab Summary

In this lab, you were introduced to Computer Categories, which are used to partition up the environment to allow delegated Approval and Administration. Computer Categories comprise AD groups, OUs, individual computers or a combination of these and define the scope of delegated administration. As such, they are typically defined around the geographical organization of the environment.

In the simplest form of delegation, Computer Categories can be used simply to define different Approvers for requests originating from different countries or regions. However, in this lab you have also seen the Administration tasks that can be performed through the Shopping Portal, such as copying an 'application profile' from one computer to others, and how to create and deploy Application Sets (App Sets). You then learned how these tasks can be delegated to Branch Administrators. 
Branch Administrators are also able to control which Applications (made available by the Central Administrator as Branch Applications) are available to computers in their 'branch' (Computer Category). You have also seen that Branch Administrators can define Application Approval according to their own requirements, allowing for the same application to require different approval workflows based on which computer category the request is originating from.

Next Page
Ex 9 - Shopping 5.5 - Self-service Windows Migration