Enhanced Application Deployment: Part 1

Over the next few posts I will be working you all through a project I have been working on with a customer recently. The output of this work comes from a requirement to deploy applications based on Active Directory group membership during operating system deployment.

The Problem

MDT is really good at managing deployments based on information we have about the computer, but not so great about managing and compiling deployments based on user information. ConfigMgr 2012 addressed some of these issues with user device affinity (UDA) and we can pre-deploy applications in a task sequences based on applications deployed to user collections. It is also common to find organisations which deploy applications to users and computers based on Active Directory security group membership. This is something which ConfigMgr and MDT are not good at.

This becomes a problem if we want to install software which is assigned to security groups (which eventually ends up as collection membership) at build time so that by the time we get to Ctrl+Alt+Del we have a fully built machine with computer and user targeted applications without the need to wait for policy to refresh and applications to download. Applications cannot install in this manner in the task sequence as the client runs in provisioning mode which prevents non-OSD content such as applications from getting downloaded and executed. Meaning we have to wait until the user logs on until the applications finish off.

The Solution

I have created a small web service, which is evolving quickly at the minute during the life of my current engagement so the main reason for splitting this up into numerous posts is to give you better more upto date information as I have tested parts of it.

At a very high level we do the following steps:

  1. After providing the username of the machine for device affinity, that along with the machine name (using the AssetTag variable) and MAC address of the active network card are passed to the web service.
  2. The web service then connects to Active Directory, sets up a principal for the computer and user account then enumerates all the group membership that contains DLSG-AppGroup as this is present in all application security groups.
  3. This list is then added to an array by obtaining the description field which contains the name of the application as shown in the ConfigMgr console and used later on.
  4. After this has completed, a connection is made to the MDT database and a new computer record is created.
  5. The web service then takes the array of applications, removes any duplicates (which are potential from user and machine membership) and adds them to the MDT database.

For those of you more interested in graphics, here is a quick diagram of how this fits together (click for a larger version).

Inframon-TaskSeq-WebService-v1.0

Advertisements

Tags: , , , ,

About Martyn

Martyn is one of the Senior Cloud Architects and DevOps Team Leader at one of the worlds leading Cloud Transformation Specialists Inframon. Martyn is responsible for the architecture of some of the largest Azure deployments in EMEA and is a advisor to a many businesses on their strategies. Martyn is a regular speaker at Microsoft events and community events on Azure and DevOps, giving his insight to a growing number of audiences.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: