Plan for and configure application management in System Center Configuration Manager

Applies to: System Center Configuration Manager (current branch)

Use the information in this article to help you implement the necessary dependencies to deploy applications in System Center Configuration Manager.

Dependencies external to Configuration Manager

Dependency More information
Internet Information Services (IIS) is required on the site system servers that run the Application Catalog website point, the Application Catalog web service point, the management point, and the distribution point. For more information about this requirement, see Supported configurations.
Mobile devices that are enrolled by Configuration Manager When you code-sign applications to deploy them to mobile devices, don't use a certificate that was generated by using a Version 3 template (Windows Server 2008, Enterprise Edition). This certificate template creates a certificate that's incompatible with Configuration Manager applications for mobile devices.

If you use Active Directory Certificate Services to code-sign applications for mobile device applications, don't use a Version 3 certificate template.
Clients must be configured to audit sign-in events if you want to automatically create user device affinities. The Configuration Manager client reads logon events of type Success from the PC's security event log to determine automatic user device affinities. These events are enabled by the following two audit policies:
Audit account logon events
Audit logon events
To automatically create relationships between users and devices, make sure that these two settings are enabled on client computers. You can use Windows Group Policy to configure these settings.

Configuration Manager dependencies

Dependency More information
Management point Clients contact a management point to download client policy, to locate content, and to connect to the Application Catalog.

If clients can't access a management point, they can't use the Application Catalog.
Distribution point Before applications can be deployed to clients, you must have at least one distribution point in the hierarchy. By default, the site server has a distribution point site role enabled during a standard installation. The number and location of distribution points vary according to the specific requirements of your enterprise.

For more information about how to install distribution points and manage content, see Manage content and content infrastructure.
Client settings Many client settings control how applications are installed on the client and the user experience on the client. These client settings include the following:

  • Computer agent
  • Computer restart
  • Software deployment
  • User and device affinity
For more information about these client settings, see About client settings.

For more information about how to configure client settings, see How to configure client settings.
Discovered user accounts for Application Catalog Configuration Manager must first discover user accounts before users can view and request applications from the Application Catalog. For more information, see Run discovery.
App-V 4.6 SP1 or later client to run virtual applications To create virtual applications in Configuration Manager, client computers must have the App-V 4.6 SP1 or later client installed.

You must also update the App-V client with the hotfix described in the Knowledge Base article 2645225 before you can deploy virtual applications.
Application Catalog web service point The Application Catalog web service point is a site system role that provides information about available software from the Software Library to the Application Catalog website.

For more information about how to configure this site system role, see Configure Software Center and the Application Catalog (Windows PCs only) in this article.
Application Catalog website point The Application Catalog website point is a site system role that provides users with a list of available software.

For more information about how to configure this site system role, see Configure Software Center and the Application Catalog (Windows PCs only) in this article.
Reporting services point To use the reports in Configuration Manager for application management, you must first install and configure a reporting services point.

For more information, see Reporting in System Center Configuration Manager.
Security permissions for application management You must have the following security permissions to manage applications:

The Application Author security role includes the preceding listed permissions that are required to create, change, and retire applications in Configuration Manager.

To deploy applications:

The Application Deployment Manager security role includes the preceding listed permissions that are required to deploy applications in Configuration Manager.

The Application Administrator security role has all the permissions from both the Application Author and the Application Deployment Manager security roles.

For more information, see Configure role-based administration.

Configure Software Center and the Application Catalog (Windows PCs only)

In System Center Configuration Manager, you now have two options for users to change settings, browse for applications, and install applications:

  • The new Software Center: The new Software Center has a modern look. Apps that would have appeared only in the Silverlight-dependent Application Catalog (user-available apps) now appear in Software Center under the Applications tab. The Application Catalog can still be accessed by using the link under the Installation Status tab of Software Center.

    You can configure clients to use the new Software Center by enabling the client setting Computer Agent > Use new Software Center.

    Important

    Although you no longer need to connect to the Application Catalog, you must still configure the Application Catalog website point and the Application Catalog web service point as detailed in the next section.

  • The previous Software Center and the Application Catalog: By default, users continue to connect to the previous version of Software Center and connect to the Application Catalog (Silverlight-enabled web browser required) to browse available applications.

    Whatever version you choose to use, Software Center is installed automatically when you install the Configuration Manager client on Windows PCs.

    Tip

    The version of Software Center that users see is based on Configuration Manager client settings. This gives you the flexibility to control the version that's used based on custom client settings that you deploy to a collection.

    Important

    In the coming months, we will be removing the previous version of Software Center, and it will no longer be available. You can configure clients to use the new Software Center by enabling the client setting Computer Agent > Use new Software Center.

Steps to install and configure the Application Catalog and Software Center

Important

Before you do these steps, make sure that you have met all of the prerequisites listed previously.

Steps Details More information
Step 1: If you use HTTPS connections, make sure that you have deployed a web server certificate to site system servers. Deploy a web server certificate to the site system servers that will run the Application Catalog website point and the Application Catalog web service point.

Additionally, if you want clients to use the Application Catalog from the internet, deploy a web server certificate to at least one management point site system server, and configure it for client connections from the internet.
For more information about certificate requirements, see PKI certificate requirements.
Step 2: If you use a client PKI certificate for connections to management points, deploy a client authentication certificate to client computers. Although clients do not use a client PKI certificate to connect to the Application Catalog, they must connect to a management point before they can use the Application Catalog. You must deploy a client authentication certificate to client computers in the following scenarios:

  • All management points on the intranet accept only HTTPS client connections.
  • Clients connect to the Application Catalog from the internet.
For more information about certificate requirements, see PKI certificate requirements.
Step 3: Install and configure the Application Catalog web service point and the Application Catalog website. You must install both site system roles in the same site. You don't have to install them on the same site system server or in the same Active Directory forest. However, the Application Catalog web service point must be in the same forest as the site database. For more information about site system role placement, see Plan for site system servers and site system roles.

To configure the Application Catalog web service point and the Application Catalog website point, see Step 3: Install and configure the Application Catalog site system roles.
Step 4: Configure client settings for the Application Catalog and Software Center. Configure the default client settings if you want all users to have the same setting. Otherwise, configure custom client settings for specific collections. For more information about client settings, see About client settings.

For more information about how to configure these client settings, see Step 4: Configure the client settings for the Application Catalog and Software Center.
Step 5: Verify that the Application Catalog is operational. You can use the Application Catalog directly from a browser or from Software Center. See Step 5: Verify that the Application Catalog is operational.

Supplemental procedures to install and configure the Application Catalog and Software Center

Use the following information when the steps in the preceding table require supplemental procedures.

Step 3: Install and configure the Application Catalog site system roles

These procedures configure the site system roles for the Application Catalog. Choose one of the two following procedures depending on whether you will install a new site system server or use an existing site system server:

Note

The Application Catalog cannot be installed on a secondary site or on a central administration site.

To install and configure the Application Catalog site systems: New site system server

  1. In the Configuration Manager console, choose Administration > Site Configuration > Servers and Site System Roles.

  2. On the Home tab, in the Create group, choose Create Site System Server.

  3. On the General page, specify the general settings for the site system, and then choose Next.

    Tip

    If you want client computers to use the Application Catalog over the internet, specify the internet fully qualified domain name (FQDN).

  4. On the System Role Selection page, select Application Catalog web service point and Application Catalog website point from the list of available roles, and then choose Next.

  5. Complete the remaining steps.

To install and configure the Application Catalog site systems: Existing site system server

  1. In the Configuration Manager console, choose Administration > Site Configuration > Servers and Site System Roles, and then select the server to use for the Application Catalog.

  2. On the Home tab, in the Server group, choose Add Site System Roles.

  3. On the General page, specify the general settings for the site system, and then choose Next.

    Tip

    If you want client computers to use the Application Catalog over the internet, specify the internet fully qualified domain name (FQDN).

  4. On the System Role Selection page, select Application Catalog web service point and Application Catalog website point from the list of available roles, and then choose Next.

  5. Complete the remaining steps.

  6. Verify the installation of these site system roles by using status messages and by reviewing the log files:

    Status messages: Use the components SMS_PORTALWEB_CONTROL_MANAGER and SMS_AWEBSVC_CONTROL_MANAGER.

    For example, status ID 1015 for SMS_PORTALWEB_CONTROL_MANAGER confirms that Site Component Manager successfully installed the Application Catalog website point.

    Log files: Search for SMSAWEBSVCSetup.log and SMSPORTALWEBSetup.log.

    For more information, search for the awebsvcMSI.log and portlwebMSI.log log files.

Step 4: Configure the client settings for the Application Catalog and Software Center

This procedure configures the default client settings for the Application Catalog and Software Center that apply to all devices in the hierarchy. If you want these settings to apply to only some devices, you can create a custom client setting and deploy it to a collection that has the devices with the specific settings. For more information about how to create a custom device setting, see the How to Create and Deploy Custom Client Settings section in How to configure client settings in System Center Configuration Manager.

  1. In the Configuration Manager console, choose Administration > Client Settings > Default Client Settings.

  2. On the Home tab, in the Properties group, choose Properties.

  3. Review and configure settings that relate to user notifications, the Application Catalog, and Software Center. For example:

    1. Computer Agent group:

      • Default Application Catalog website point.

      • Add default Application Catalog website to Internet Explorer trusted sites zone.

      • Organization name displayed in Software Center.

        Tip

        To specify the organization name that's displayed in the Application Catalog and configure the website theme, use the Customization tab on the Application Catalog website properties.

      • Use new Software Center. Set to Yes if you want to use the new Software Center, which lets users browse for and install available apps without the need to access the Application Catalog (which requires a Silverlight-enabled web browser).

      • Install permissions.

      • Show notifications for new deployments.

    2. Power Management group:

      • Allow users to exclude their device from power management.
    3. Remote Tools group:

      • Users can change policy or notification settings in Software Center.
    4. User and Device Affinity group:

      • Allow users to define their primary devices.

    Note

    For more information about the client settings, see About client settings in System Center Configuration Manager.

  4. Choose OK to close the Default Client Settings dialog box.

Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see How to manage clients.

To customize Software Center branding

Custom branding for the Software Center is applied according to the following rules:

  1. If the Application Catalog website point site server role is not installed, then Software Center will display the organization name specified in the Computer Agent client setting Organization name displayed in Software Center. For instructions, see How to configure client settings.
  2. If the Application Catalog website point site server role is installed, then Software Center will display the organization name and color specified in the Application Catalog website point site server role properties. For more information, see Configuration options for Application Catalog website point.
  3. If a Microsoft Intune subscription is configured and connected to Configuration Manager, then Software Center will display the organization name, color, and company logo specified in the Intune subscription properties. For more information, see Configuring the Microsoft Intune subscription.

To manually set Software Center branding

With the 1710 release, you can manually add enterprise branding elements and specify the visibility of tabs on Software Center. You can add your Software Center specific company name, set a Software Center configuration color theme, set a company logo, and set the visible tabs for client devices.

  1. In the Configuration Manager console, choose Administration > Client Settings. Click on your desired client setting instance.
  2. On the Home tab, in the Properties group, choose Properties.
  3. In the Default Settings dialog box, choose Software Center.
  4. Select Yes to Select new settings to specify company information to enable your Software Center customization settings.
  5. Type your Company name.
  6. Select your Color Scheme for Software Center.
  7. Click Browse to navigate to your logo for Software Center. The logo must be a JPEG or PNG of 400 x 100 pixels with a maximum size of 750 KB.
  8. Select YES to make tabs visible in the Software Center for client devices. At least one tab must be visible:

    • Enable Applications tab
    • Enable Updates tab
    • Enable Operating Systems tab
    • Enable Installation Status tab
    • Enable Device compliance tab
    • Enable Options tab
    • Specify a custom tab for Software Center (starting in version 1806)
      • Tab name
      • Content URL

Important

  • Some website features may not work when using it as a custom tab in Software Center. Make sure to test the results before deploying this to clients.
  • Software Center branding is synchronized with the Intune service every 14 days. Therefore, there might be a delay before changes you make in Intune are displayed in Configuration Manager.

Step 5: Verify that the Application Catalog is operational

Use the following procedures to verify that the Application Catalog is operational. You can use the Application Catalog directly from a browser or from Software Center.

Note

The Application Catalog requires Microsoft Silverlight, which is automatically installed as a Configuration Manager client prerequisite. If you use the Application Catalog directly from a browser by using a computer that does not have the Configuration Manager client installed, first verify that Microsoft Silverlight is installed on the computer.

Tip

Missing prerequisites are among the most typical reasons for the Application Catalog to operate incorrectly after installation. Confirm the site system role prerequisites for the Application Catalog site system roles. You can do this by using the Supported configurations article.

Note

If you signed in by using a Domain Administrator account, notification messages from the Configuration Manager client (for example, messages indicating that new software is available) will not be displayed.

To use the Application Catalog directly from a browser

  • In a browser, enter the address of the Application Catalog website, and confirm that the webpage shows the three tabs: Application Catalog, My Application Requests, and My Devices.

    Select and use the appropriate address in the following list for the Application Catalog, where <server> is the computer name, intranet FQDN, or internet FQDN:

    • HTTPS client connections and default site system role settings: https://<server>/CMApplicationCatalog

    • HTTP client connections and default site system role settings: http://<server>/CMApplicationCatalog

    • HTTPS client connections and custom site system role settings: https://<server>:<port>/<web application name>

    • HTTP client connections and custom site system role settings: http://<server>:<port>/<web application name>

To use the Application Catalog from Software Center (does not apply to the new version of Software Center)

  1. On a client computer, choose Start > All Programs > Microsoft System Center 2012 > Configuration Manager > Software Center.

  2. If you previously configured an organizational name for Software Center as a client setting, confirm that this displays as specified.

  3. Choose Find additional applications from the Application Catalog and confirm that the page shows the three tabs: Application Catalog, My Application Requests, and My Devices.

Warning

After you have installed the Application Catalog site system roles, you will not immediately see the Application Catalog when you choose the Find additional applications from the Application Catalog link from Software Center. The Application Catalog becomes available from Software Center after the client next downloads its client policy or up to 25 hours after the Application Catalog site system roles are installed.