Enhanced Application Deployment: Part 2

Yesterday I posted about a project I was working on to enhance the application deployment for administrators using ConfigMgr in conjunction with MDT. I want to use this post to provide some additional details and features of the service.


I want to touch on the features first. This is the bit everyone is interested in so I’ll put it at the top (I know this because I’m the same!). The hardest part of developing this web service is the complexity. On the face of it, it doesn’t seem that hard, but already I have a bunch of things I will need to consider or make into configurable variables to make it usable anywhere without having to recompile the web service.

With that said, the features of the beta release, which should be coming shortly, are:

  • Provision applications and packages in real-time during the task sequence
  • Store information within MDT using native SQL calls (fast performance)
  • Validation that the package or application actually exists inside ConfigMgr
  • Friendly status reporting using exit codes
  • Excludes security groups with no or blank information

How Does It Work?

Without going into too much detail (most of you reading are not developers), the service is pretty basic: it contains a number of configuration variables. I will try to walk through exactly how this works with the assistance of some screenshots.

The first portion is Active Directory. Consider the following domain local security group (I call them DLSG for short).


If you look at the bits with arrows you notice the group name is DLSG-AppGroup-Lync2013. This is simple enough, as is the description which is set to Lync 2013.

Also consider the following security group as well, which is basically the same except we call the group something slightly different, instead we call it DLSG-AppUser-VisualStudio2010.


The basic concept here is that we have to take into account that a computer or a user may be a member of lots of security groups, and that these groups do not all equal applications or packages. So DLSG-AppGroup is for computers and DLSG-AppUser is for users. Hopefully that’s pretty simple.

Our web service then looks up the security groups for each principal (computer and user) and filters that list based on the presence of either of the conditions shown above. The difference for packages is that instead of saying App in the group name we say Pkg (these are customisable in configuration options). So we perform a check to see if it’s a package or an application and add it to the appropriate list. Before we do that, though, we check a number of things.

  • Is the description field empty?
  • Does the package or application exist?

If those conditions are satisfied then we add the contents of the description field to the list and continue to the next security group in the results. The description is key because this needs to be the exact name of the application in the ConfigMgr console or the correct PackageID:Program Name combination. For now (this will change in a later version), you have to use the description field; this is an extra reason why we add validation to make sure it exists before adding it to the list.

From here it is fairly simple: we normalise the list to remove any potential duplicates, then we connect to the MDT database and insert the data into the appropriate tables.
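The filtering, validation and de-duplication steps described above can be sketched as follows. This is an added example, not the web service's own code: the function name `Resolve-DeploymentList`, the `DLSG-PkgGroup-`/`DLSG-PkgUser-` prefixes, the sample groups and the two catalog arrays (stand-ins for the Active Directory and ConfigMgr lookups) are all assumptions, and it stops before the MDT database insert.

```powershell
# Constructed sample data: groups returned for one computer and one user.
$memberOf = @(
    [pscustomobject]@{ Name = 'DLSG-AppGroup-Lync2013';        Description = 'Lync 2013' }
    [pscustomobject]@{ Name = 'DLSG-AppUser-Lync2013';         Description = 'Lync 2013' }          # duplicate
    [pscustomobject]@{ Name = 'DLSG-AppUser-VisualStudio2010'; Description = 'Visual Studio 2010' }
    [pscustomobject]@{ Name = 'DLSG-PkgGroup-Reader';          Description = 'ABC00012:Install' }
    [pscustomobject]@{ Name = 'DLSG-AppGroup-NoDescription';   Description = '   ' }                # blank
    [pscustomobject]@{ Name = 'DLSG-AppUser-Retired';          Description = 'Retired App' }        # not in catalog
    [pscustomobject]@{ Name = 'Domain Computers';              Description = 'All computers' }      # not a deployment group
)
# Constructed stand-ins for "does this exist in ConfigMgr?".
$knownApplications = @('Lync 2013', 'Visual Studio 2010')
$knownPackages     = @('ABC00012:Install')

function Resolve-DeploymentList {
    param(
        [object[]]$Groups,
        [string[]]$KnownApplications,
        [string[]]$KnownPackages,
        # Prefixes are parameters because the post says they are configurable.
        [string[]]$AppPrefixes = @('DLSG-AppGroup-', 'DLSG-AppUser-'),
        [string[]]$PkgPrefixes = @('DLSG-PkgGroup-', 'DLSG-PkgUser-')
    )
    # True when the group name starts with any of the given prefixes.
    $hasPrefix = {
        param($name, $prefixes)
        @($prefixes | Where-Object { $name.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
    }
    # HashSets give the "normalise to remove duplicates" step for free.
    $apps = [System.Collections.Generic.HashSet[string]]::new()
    $pkgs = [System.Collections.Generic.HashSet[string]]::new()

    foreach ($g in $Groups) {
        $isApp = & $hasPrefix $g.Name $AppPrefixes
        $isPkg = & $hasPrefix $g.Name $PkgPrefixes
        if (-not ($isApp -or $isPkg)) { continue }                  # unrelated group
        if ([string]::IsNullOrWhiteSpace($g.Description)) { continue } # no or blank information
        $value = $g.Description.Trim()
        # Exact-match validation: a description that names nothing in the
        # catalog never reaches the MDT database.
        if ($isApp -and $KnownApplications -ccontains $value) { [void]$apps.Add($value) }
        elseif ($isPkg -and $KnownPackages -ccontains $value) { [void]$pkgs.Add($value) }
    }
    [pscustomobject]@{ Applications = @($apps); Packages = @($pkgs) }
}

Resolve-DeploymentList -Groups $memberOf -KnownApplications $knownApplications -KnownPackages $knownPackages
```

Because the description field decides what gets installed, the catalog check also acts as an allow-list: anyone able to edit a group's description can only select software that already exists in ConfigMgr.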

The task sequence then continues as normal and the Gather step in MDT takes care of the rest, obtaining the applications and packages for the specified MAC address from the database. The end of the task sequence also has a step to clean the database. This is optional: you might want to leave the data in place, but the option is there to clean it out.

Here is a bit more detail on how it works in graphical form.


So there you have it, a bit more detail to hopefully give you an insight into this little project. I will provide some follow-up posts in the next few days with details on how this integrates with MDT in the task sequence and what configurations are available to you, along with some configuration examples.



About Martyn

Martyn is one of the Senior Cloud Architects and DevOps Team Leader at one of the world's leading Cloud Transformation Specialists, Inframon. Martyn is responsible for the architecture of some of the largest Azure deployments in EMEA and is an advisor to many businesses on their strategies. Martyn is a regular speaker at Microsoft events and community events on Azure and DevOps, giving his insight to a growing number of audiences.
