Approve applications in Configuration Manager

Applies to: System Center Configuration Manager (Current Branch)

When deploying an application in Configuration Manager, you can require approval before installation. Users request the application in Software Center, and then you review the request in the Configuration Manager console. You can approve or deny the request.

Approval settings

The application approval behavior depends upon your version of Configuration Manager. One of the following approval settings appears on the Deployment Settings page of the application deployment:

Require administrator approval if users request this application

Applies to versions 1710 and earlier

The administrator approves any user requests for the application before the user can install it. This option is grayed out when the deployment purpose is Required, or when you deploy the application to a device collection.

Application approval requests are displayed in the Approval Requests node, under Application Management in the Software Library workspace. If a request isn't approved within 30 days, it's removed. Reinstalling the client might cancel any pending approval requests.

After you've approved an application for installation, you can Deny the request in the Configuration Manager console. This action doesn't cause the client to uninstall the application from any devices. It stops users from installing new copies of the application from Software Center.

An administrator must approve a request for this application on the device

Applies to versions 1802 and later (see Note 1)

Note

Note 1: Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

If you don't enable this feature, you see the prior experience.

The administrator approves any user requests for the application before the user can install it on the requested device. If the administrator approves the request, the user is only able to install the application on that device. The user must submit another request to install the application on another device. This option is grayed out when the deployment purpose is Required, or when you deploy the application to a device collection.

Note

To take advantage of new Configuration Manager features, first update clients to the latest version. While new functionality appears in the Configuration Manager console when you update the site and console, the complete scenario isn't functional until the client version is also the latest.

View Approval Requests under Application Management in the Software Library workspace of the Configuration Manager console. There's now a Device column in the list for each request. When you take action on the request, the Application Request dialog also includes the device name from which the user submitted the request.

If a request isn't approved within 30 days, it's removed. Reinstalling the client might cancel any pending approval requests.

In version 1802, after you've approved an application for installation, you can Deny the request in the Configuration Manager console. In that version, the action doesn't cause the client to uninstall the application from any devices; it only stops users from installing new copies of the application from Software Center.

Important

Starting in version 1806, the behavior has changed when you revoke approval for an application that was previously approved and installed. Now when you Deny the request for the application, the client uninstalls the application from the user's device.

Automate the approval process with the Approve-CMApprovalRequest PowerShell cmdlet. Starting in version 1902, this cmdlet includes the InstallActionBehavior parameter. Use this parameter to specify whether to install the application right away or during non-business hours.
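As an added example (not code from the Configuration Manager documentation), the following script runs from the console's PowerShell drive and approves or denies pending requests according to a simple policy, recording the reason in the request comment so it shows in the request history and in Software Center. The site code PS1, the site server cm01.contoso.com, the application name 7-Zip, the WKS-* device naming convention, the CurrentState numbering and the RequestedMachine, User and Comments property names are assumptions; confirm the property names with `Get-CMApprovalRequest | Get-Member` before relying on them. The accepted values of InstallActionBehavior are read from the cmdlet metadata rather than hard-coded, because they are only present in a 1902 or later console.

```powershell
# Added example, not from the Configuration Manager docs. Assumed values are marked.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"   # console must be installed

$SiteCode   = 'PS1'                 # assumed site code
$SiteServer = 'cm01.contoso.com'    # assumed site server hosting the SMS Provider
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"        # CM cmdlets only work from the site drive

# -InstallActionBehavior exists only in the 1902+ console. Discover the parameter and its
# accepted values from the cmdlet metadata instead of guessing the enum names.
$approveCmd  = Get-Command Approve-CMApprovalRequest
$hasBehavior = $approveCmd.Parameters.ContainsKey('InstallActionBehavior')
if ($hasBehavior) {
    $values = $approveCmd.Parameters['InstallActionBehavior'].ParameterType.GetEnumNames()
    Write-Host "InstallActionBehavior accepts: $($values -join ', ')"
}
# Set this to one of the names printed above (for example the non-business-hours value)
# to defer the install; leave $null to let the client install right away.
$InstallBehavior = $null

# Pending requests for one application.
# Assumed CurrentState values: 1 = Requested, 2 = Cancelled, 3 = Denied, 4 = Approved.
$pending = Get-CMApprovalRequest -ApplicationName '7-Zip' |    # assumed application name
    Where-Object { $_.CurrentState -eq 1 }

foreach ($req in $pending) {
    $device = $req.RequestedMachine   # per-device requests (1802+) carry the device name
    $user   = $req.User
    $why    = $req.Comments           # justification the user typed in Software Center

    # Policy: require a justification and a device that follows the managed workstation
    # naming convention (assumed WKS-*). Everything else is denied with a visible reason.
    if ([string]::IsNullOrWhiteSpace($why) -or $device -notlike 'WKS-*') {
        Deny-CMApprovalRequest -InputObject $req `
            -Comment "Denied by policy: missing justification or device '$device' is not a managed workstation"
        Write-Host "Denied   $user on $device"
        continue
    }

    $approve = @{ InputObject = $req; Comment = "Approved for $device by $env:USERNAME" }
    if ($hasBehavior -and $InstallBehavior) {
        $approve['InstallActionBehavior'] = $InstallBehavior
    }
    Approve-CMApprovalRequest @approve
    Write-Host "Approved $user on $device"
}
```

Because an approval in 1802 and later is bound to the device named in the request, the policy above keys on RequestedMachine rather than only on the user; a request from an unexpected device is denied even when the same user would be approved on a managed one.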

Email notifications

Starting in version 1810, configure email notifications for application approval requests. When a user requests an application, you receive an email. Click links in the email to approve or deny the request, without requiring the Configuration Manager console.

You can define the email addresses of the users who can approve or deny the request while creating a new deployment for the application. If you need to change the list of email addresses afterwards, go to the Monitoring workspace, expand Alerts, and select the Subscriptions node. Select Properties from one of the Approve application via email subscriptions that's related to your application deployment.

If there is more than one such subscription, you can determine which one belongs to which deployment. Open the subscription's properties, and view the list of Selected alerts on the General tab. The deployment appears there as the alert that is enabled for that subscription.

Users can add a comment to the request from Software Center. This comment shows on the application request in the Configuration Manager console. Starting in version 1902, that comment also shows in the email. Including this comment in the email helps the approvers make a better decision to approve or deny the request.

Prerequisites

To send email notifications and take action on the internal network

With these prerequisites, recipients receive an email with notification of the request. If they are on the internal network, they can also approve or deny the request from the email.

  • Enable the optional feature Approve application requests for users per device.

  • Configure email notification for alerts.

  • Enable the SMS Provider to use a certificate. Use one of the following options:

    • Enable Enhanced HTTP (recommended)

      Note

      When the site creates a certificate for the SMS Provider, it won't be trusted by the web browser on the client. Based on your security settings, when responding to an application request, you may see a security warning.

    • Manually bind a PKI-based certificate to port 443 in IIS on the server that hosts the SMS Provider role
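The note above warns that a site-created (Enhanced HTTP) certificate won't be trusted by the approver's browser. The following added example (not code from the Configuration Manager documentation) shows one way to check that before sending approval emails: it connects to port 443 on the SMS Provider host, reads the certificate that IIS presents, builds the chain against the local trust store and checks that the host name is on the certificate. The host name cm01.contoso.com is an assumption; the check itself uses only .NET classes available in Windows PowerShell 5.1.

```powershell
# Added example, not from the Configuration Manager docs. Assumed host: cm01.contoso.com.
function Get-SmsProviderTlsStatus {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept any certificate during the handshake: this is an inspection tool, not a
        # client, and the chain is validated explicitly below rather than by the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)     # SNI = the name approvers will type
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Build the chain the way a browser on this machine would (local trust store, online revocation).
    $x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted   = $x509Chain.Build($cert)
    $status    = $x509Chain.ChainStatus | ForEach-Object { $_.Status }

    # A trusted chain is not enough: the host name in the approval link must be on the certificate.
    $dnsNames = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        $dnsNames += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $_ -replace '^DNS Name=', '' }
    }
    $nameMatches = $dnsNames -contains $ComputerName

    [pscustomobject]@{
        Host             = $ComputerName
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer      # a site-issued certificate typically chains to "SMS Issuing"
        NotAfter         = $cert.NotAfter
        Thumbprint       = $cert.Thumbprint
        DnsNames         = $dnsNames
        ChainTrusted     = $trusted
        ChainStatus      = if ($status) { $status -join ', ' } else { 'OK' }
        NameMatches      = $nameMatches
        BrowserWillTrust = ($trusted -and $nameMatches)
    }
}

Get-SmsProviderTlsStatus -ComputerName 'cm01.contoso.com' | Format-List
```

If BrowserWillTrust is false with an UntrustedRoot chain status, approvers will get the security warning the note describes; either distribute the site's root certificate to their machines or use the second option above and bind a PKI-issued certificate to port 443. Run the check from a machine in the same trust position as the approvers, since the result depends on the local trust store.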

To take action from the internet

With these additional optional prerequisites, recipients can approve or deny the request from anywhere they have internet access.

  • Enable the SMS Provider administration service through the cloud management gateway. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node. Select the server with the SMS Provider role. In the details pane, select the SMS Provider role, and select Properties in the ribbon on the Site Role tab. Select the option to Allow Configuration Manager cloud management gateway traffic for administration service.

    • The SMS Provider requires .NET 4.5.2 or later.

  • Cloud management gateway

  • Onboard the site to Azure services for Cloud Management

    • Enable Azure AD User Discovery

    • Manually configure settings in Azure AD:

      1. Go to the Azure portal, select Azure Active Directory, and then select App registrations.

      2. Select the application of type Native that you created for Configuration Manager Cloud Management integration.

      3. In the app properties, select Settings, then select Redirect URIs.

        1. In the Redirect URIs pane, paste in the following path: https://<CMG FQDN>/CCM_Proxy_ServerAuth/ImplicitAuth

        2. Replace <CMG FQDN> with the fully qualified domain name (FQDN) of your cloud management gateway (CMG) service. For example, GraniteFalls.Contoso.com.

        3. Then select Save. Close the Settings pane.

      4. In the app properties, select Manifest.

        1. In the Edit manifest pane, find the oauth2AllowImplicitFlow property.

        2. Change its value to true. For example, the entire line should look like the following line: "oauth2AllowImplicitFlow": true,

        3. Select Save.
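The two manual Azure AD changes above (the redirect URI and the oauth2AllowImplicitFlow manifest property) can also be applied and verified with the AzureAD PowerShell module, which edits the same application object the portal shows. The following is an added example, not code from the Configuration Manager documentation; the app display name ConfigMgr Client App is an assumption, and the CMG FQDN GraniteFalls.Contoso.com is the placeholder the page uses. It adds only the exact URI the page specifies and preserves any reply URLs already registered, then reads the application back instead of trusting that the update succeeded.

```powershell
# Added example, not from the Configuration Manager docs. Requires the AzureAD module and an
# account allowed to edit the app registration. Assumed values are marked.
Import-Module AzureAD
Connect-AzureAD | Out-Null                     # interactive sign-in

$cmgFqdn     = 'GraniteFalls.Contoso.com'      # placeholder from the page; use your CMG service FQDN
$redirectUri = "https://$cmgFqdn/CCM_Proxy_ServerAuth/ImplicitAuth"
$appName     = 'ConfigMgr Client App'          # assumed display name of the Native app

$app = @(Get-AzureADApplication -Filter "DisplayName eq '$appName'")
if ($app.Count -ne 1) { throw "Expected exactly one application named '$appName', found $($app.Count)" }
$app = $app[0]
if ($app.PublicClient -ne $true) {
    Write-Warning "'$appName' is not registered as a Native (public client) app; check you picked the right one"
}

# Keep existing reply URLs and add the CMG URI only if it is missing. Implicit flow returns
# tokens in the URL fragment, so every reply URL on this app is a place a token can be sent:
# add nothing beyond the one the feature needs.
$replyUrls = New-Object 'System.Collections.Generic.List[string]'
foreach ($u in $app.ReplyUrls) { $replyUrls.Add($u) }
if (-not $replyUrls.Contains($redirectUri)) { $replyUrls.Add($redirectUri) }

Set-AzureADApplication -ObjectId $app.ObjectId `
    -ReplyUrls $replyUrls `
    -Oauth2AllowImplicitFlow $true              # same property as "oauth2AllowImplicitFlow": true in the manifest

# Verify from a fresh read of the object.
$check = Get-AzureADApplication -ObjectId $app.ObjectId
if ($check.ReplyUrls -notcontains $redirectUri) { throw "Redirect URI was not saved" }
if (-not $check.Oauth2AllowImplicitFlow)          { throw "oauth2AllowImplicitFlow is still false" }
Write-Host "Redirect URI present and implicit flow enabled on '$($check.DisplayName)' ($($check.AppId))"
```

Review the resulting ReplyUrls list once more after the change; any stale or wildcard entry left on this app would also receive tokens under the implicit flow you just enabled.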

Configure email approval

  1. In the Configuration Manager console, deploy an application as available to a user collection. On the Deployment Settings page, enable it for approval. Then enter one or more email addresses to receive notification. Separate email addresses with a semi-colon (;).

    Note

    Anyone in your Azure AD organization who receives the email can approve the request. Don't forward the email to others unless you want them to take action.

  2. As a user, request the application in Software Center.

  3. You receive an email notification within five minutes. The content of the email is similar to the following example:

Example email notification for application approval

Note

The link to approve or deny is for one-time use. For example, you configure a group alias to receive notifications. Meg approves the request. Now Bruce can't deny the request.

Review the NotiCtrl.log file on the site server for troubleshooting.

Maintenance

Configuration Manager stores the information about the application approval request in the site database. For requests that are cancelled or denied, the site deletes the request history after 30 days. You can configure this deletion behavior with the Delete Aged Application Request Data site maintenance task. The site never deletes any approved or pending application requests.