Enhanced Application Deployment: Part 1
Over the next few posts I will be walking you through a project I have recently been working on with a customer. The work was driven by a requirement to deploy applications based on Active Directory group membership during operating system deployment.
MDT is really good at managing deployments based on information we have about the computer, but not so great at managing and tailoring deployments based on user information. ConfigMgr 2012 addressed some of these issues with user device affinity (UDA), and we can pre-deploy applications in a task sequence based on applications deployed to user collections. It is also common to find organisations which deploy applications to users and computers based on Active Directory security group membership. This is something which neither ConfigMgr nor MDT handles well.
This becomes a problem if we want to install software assigned to security groups (which eventually ends up as collection membership) at build time, so that by the time we reach Ctrl+Alt+Del we have a fully built machine with both computer- and user-targeted applications, without waiting for policy to refresh and applications to download. Applications cannot be installed in this way from the task sequence because the client runs in provisioning mode, which prevents non-OSD content such as applications from being downloaded and executed. This means we have to wait until the user logs on for the applications to finish installing.
I have created a small web service. It is evolving quickly at the minute over the course of my current engagement, so the main reason for splitting this up into several posts is to give you better, more up-to-date information as I test each part of it.
At a very high level, the steps are as follows:
- After the username for device affinity is provided, it is passed to the web service along with the machine name (taken from the AssetTag variable) and the MAC address of the active network card.
- The web service then connects to Active Directory, sets up a principal for the computer and for the user account, and enumerates all group memberships whose name contains DLSG-AppGroup, as this string is present in all application security groups.
- The description field of each matching group, which contains the application's name as shown in the ConfigMgr console, is added to an array for use later on.
- Once this has completed, a connection is made to the MDT database and a new computer record is created.
- The web service then takes the array of applications, removes any duplicates (which can arise when both the user and the machine are members of the same group) and adds them to the MDT database.
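To make the five steps concrete, here is an added PowerShell example of the same flow. It is not the author's web service; it is an illustration written for this post that uses the .NET System.DirectoryServices.AccountManagement classes for the principal lookups (which is what "sets up a principal" refers to) and Michael Niehaus's MDTDB PowerShell module (Connect-MDTDatabase, New-MDTComputer, Set-MDTComputerApplication) for the MDT database side. The module path, the SQL server and database names, the account-name checks and the sample inputs at the bottom are all assumptions; only the DLSG-AppGroup marker comes from the post. Because the three inputs arrive from a task sequence running against an unauthenticated endpoint, the function validates them before they are used in an AD query or written to the database.

```powershell
# Added example, not the original web service. Assumes MDTDB.psm1 has been downloaded
# to the path below and that the Applications column holds the ConfigMgr application
# name, as the post describes.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Import-Module 'C:\Scripts\MDTDB.psm1'   # assumed location of the MDTDB module

function Get-AppGroupDescriptions {
    # Step 2 and 3: enumerate a principal's groups, keep those carrying the marker,
    # and return the Description field (the application name) of each.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.AccountManagement.Principal]$Principal,
        [string]$Marker = 'DLSG-AppGroup'
    )
    # GetGroups() returns direct membership only; swap in GetAuthorizationGroups()
    # if nested groups are also used to assign applications.
    foreach ($group in $Principal.GetGroups()) {
        if ($group.Name -like "*$Marker*" -and -not [string]::IsNullOrWhiteSpace($group.Description)) {
            $group.Description.Trim()
        }
    }
}

function Register-MdtComputerFromGroups {
    param(
        [Parameter(Mandatory)][string]$UserName,      # account given for device affinity
        [Parameter(Mandatory)][string]$ComputerName,  # from the AssetTag variable
        [Parameter(Mandatory)][string]$MacAddress,    # active NIC, e.g. 00:11:22:33:44:55
        [string]$SqlServer = 'MDTSQL01',              # assumption
        [string]$Database  = 'MDTDB'                  # assumption
    )

    # Step 1: validate what the task sequence sent before it reaches AD or SQL.
    if ($MacAddress -notmatch '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$') {
        throw "Invalid MAC address: $MacAddress"
    }
    if ($UserName -notmatch '^[\w.\-]{1,64}$' -or $ComputerName -notmatch '^[\w\-]{1,15}$') {
        throw 'User or computer name contains unexpected characters'
    }

    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain)
    try {
        # Step 2: a principal for the user and one for the computer. The computer is
        # looked up by its Name attribute, so the trailing '$' of the sAMAccountName
        # is not needed.
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $UserName)
        if (-not $user) { throw "User not found in AD: $UserName" }
        $computer = [System.DirectoryServices.AccountManagement.ComputerPrincipal]::FindByIdentity($ctx, $ComputerName)

        # Step 3: collect application names from both memberships.
        $apps = @(Get-AppGroupDescriptions -Principal $user)
        if ($computer) { $apps += Get-AppGroupDescriptions -Principal $computer }
    }
    finally {
        $ctx.Dispose()
    }

    # Step 5 (first half): drop duplicates caused by user and computer sharing a group.
    $apps = @($apps | Sort-Object -Unique)

    # Step 4: create the computer record keyed on the MAC address.
    Connect-MDTDatabase -sqlServer $SqlServer -database $Database
    $record = New-MDTComputer -macAddress $MacAddress -description $ComputerName `
        -settings @{ OSDComputerName = $ComputerName }

    # Step 5 (second half): attach the de-duplicated application list to the record.
    if ($apps.Count -gt 0) {
        Set-MDTComputerApplication -id $record.ID -applications $apps
    }
    return $apps
}

# Constructed sample call; the names are placeholders, not values from the post.
Register-MdtComputerFromGroups -UserName 'jsmith' -ComputerName 'PC-000123' -MacAddress '00:11:22:33:44:55'
```

The MAC check matters because New-MDTComputer keys the record on that value and a malformed address would silently create a record no task sequence ever matches; the name checks keep a crafted input from turning into an unexpected AD filter. Running this as a service account with read access to the relevant OUs and write access only to the MDT database (rather than a domain admin) is the least-privilege shape for the same logic.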
For those of you who prefer graphics, here is a quick diagram of how this fits together (click for a larger version).