
We have been playing around with SCCM's Application Catalog and have come across an interesting quirk. My manager has directed me to implement the catalog so that software that falls somewhere between the "one-off install" and "needed by the entire workgroup" points on the spectrum of how many people need it should be published to the Application Catalog. Our help desk technicians can use the App Catalog to deploy these kinds of software to select users that need it as the situation warrants.

We practice account separation. For example, our help desk rockstar Emmet Brickowski has two Active Directory user accounts. His regular unprivileged account, CONTOSO\ebrickowski, he should be using for all his regular work, and when a UAC prompt rears its ugly head he has a privileged account (CONTOSO\ebrickowski-adm) that is a member of BUILTIN\Administrators on all our workstations.

When Joe User calls the help desk, Emmet remotes in or physically goes to help the user (our culture is big on face-to-face customer time), logs into the App Catalog with his privileged CONTOSO\ebrickowski-adm and sees a plethora of software that he can install in a standardized method for our user.

Except when Emmet presses the Install button he gets this:

App Catalog Error


Now I cannot find anything in the client-side logs for what happened. Nothing in the AppIntentEval.log, AppDiscovery.log, AppEnforce.log logs, and the ConfigMgrSoftwareCatalog.log, which is supposed to record the Application Catalog action, does not exist.

If we deploy an application to a User Collection containing our regular users, and they use the same account they are logged in to Windows as to log into the Application Catalog, the same application that previously failed installs. This leads me to believe that you cannot use a separate account for the App Catalog as the current Windows session. Which is kind of a bummer.

  • Can anyone verify that you are required to use the same account to access the Application Catalog as you are currently using in your Windows session?
  • What logs if any should I look into to investigate further?
  • Is there another or better way to accomplish our desired goal of using the Application Catalog as a technician accessed software store?
  • You don't need administrative rights to install software via the application catalog. The regular privilege account should just log in to Windows, open the catalog and install. System Center will use the account it's configured to use to install the software. – Bad Dos Aug 20 '15 at 18:28
  • @BadDos - It's not that we need rights, it's that management does not want the software to be visible/installable by normal users. I suggested using the App Catalog Approval mechanism but that was deemed to be too much process overhead. –  Aug 20 '15 at 18:54
  • You want to use the user initiated install process without approvals and without the actual users installing it? I guess you would just deploy it to your IT technician AD group and have them log out the user and log in with it. – Bad Dos Aug 20 '15 at 20:46
  • @BadDos Yeah. I know. It sounds crazy but that's what leadership wants. If you write that up as answer and I don't find something better, you get the green check mark. –  Aug 20 '15 at 22:24

2 Answers

Since there is a technician involved anyway, why don't you just have the technician deploy the desired application to that user from the SCCM console?

If you wanted to make it more interactive for the end-user the technician could temporarily add the end-user to an "all applications available" user collection while they access the catalog and figure out what they want to install. Then, once the end-user has the applications installed, you can take them back out of that collection, and maybe deploy the applications they just installed to their user via some other collection.

alx9r
  • Hmm. Interesting idea about the Collection but I wonder if the Machine Policy Pull time would work with the pace of a help desk ticket. –  Aug 21 '15 at 16:58
  • You'd be relying on the application catalog automation to take care of that. I haven't confirmed it, but IIRC when a user selects install of a brand new app from the app catalog it kicks off the appropriate user and/or machine policy updates. Basically, if its installation is initiated from the app catalog I'm pretty sure it'll install without delay. – alx9r Aug 21 '15 at 19:47
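
The temporary-collection approach from the answer above, as an added example that is not part of the original posts: a wrapper that adds the user to the catalog collection and always removes them again, so the grant cannot be left behind. It assumes the ConfigurationManager PowerShell module is loaded with the site drive as the current location; the function name, the collection name and the user name format are hypothetical.

```powershell
# Added example: time-boxed membership in an "all applications available" collection.
# Assumptions: ConfigurationManager module imported, current location is the site
# drive, and the collection named below exists (the name is hypothetical).
function Grant-TemporaryCatalogAccess {
    [CmdletBinding()]
    param(
        # User resource name as the console shows it; format is site-specific.
        [Parameter(Mandatory)] [string] $UserName,
        [string] $CollectionName = 'Help Desk - All Catalog Applications'
    )

    # Fail closed: never touch membership if the target collection is wrong.
    if (-not (Get-CMUserCollection -Name $CollectionName)) {
        throw "User collection '$CollectionName' not found."
    }

    # Require exactly one match so the wrong account cannot be granted access.
    $users = @(Get-CMUser -Name $UserName)
    if ($users.Count -ne 1) {
        throw "Expected exactly one user resource for '$UserName', found $($users.Count)."
    }
    $resourceId = $users[0].ResourceID

    Add-CMUserCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $resourceId
    Write-Host "$(Get-Date -Format s) added $UserName ($resourceId) to '$CollectionName'"

    try {
        # The technician stays with the user while they pick from the catalog.
        Read-Host 'Press Enter once the user has finished installing' | Out-Null
    }
    finally {
        # Runs on Enter, Ctrl+C or error: the temporary grant is always revoked.
        Remove-CMUserCollectionDirectMembershipRule -CollectionName $CollectionName `
            -ResourceId $resourceId -Force
        Write-Host "$(Get-Date -Format s) removed $UserName ($resourceId) from '$CollectionName'"
    }
}

# Usage (constructed sample value):
# Grant-TemporaryCatalogAccess -UserName 'CONTOSO\juser'
```

The two timestamped lines give the help desk a record of when each grant opened and closed, which can be attached to the ticket.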

This is by design: only users logged into the computer can install apps via the app catalog. Trying to "fake out" the app catalog by logging into it with a different ID won't work.

The proper way to go about this is to either advertise the programs to all users, or, since that could get messy, have your Rockstar techs log into the computer with their admin account, either in person or remotely with the new SCCM RC. The new one lets techs access the login screen whereas the old one didn't.

Note: you're slightly going against the grain of what MS is trying to accomplish with the app catalog. It's intended for users to install the apps they need, to minimize helpdesk work in a way, so with a little permission finesse you should be able to avoid disasters. But I completely get why you wanna do it this way; I just wanted to mention this so you're aware of why this is a pain.

MDMoore313
  • ... "going against the grain of what MS is trying to accomplish" ... leadership wants what leadership wants. I pass both options back to them and see what they choose. I'm just trying to make life easier for my techs. –  Aug 21 '15 at 16:57
  • Heh, sounds familiar. Rock on @AlaskanHomie. – MDMoore313 Aug 21 '15 at 18:03