Plan for and configure application management in Configuration Manager

Applies to: System Center Configuration Manager (current branch)

Use the information in this article to help you implement the necessary dependencies to deploy applications in Configuration Manager.

Dependencies external to Configuration Manager

Internet Information Services (IIS)

IIS is required on the servers that run the following site system roles:

  • Management point
  • Distribution point

For more information, see Site and site system prerequisites.

Note

The application catalog also requires IIS. However, its Silverlight user experience isn't supported as of current branch version 1806. Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles. In the first current branch release after October 31, 2019, support will end for the application catalog roles.

Certificates on code-signed applications for mobile devices

When you code-sign applications to deploy them to mobile devices, don't use a certificate that was generated by using a Version 3 template (Windows Server 2008, Enterprise Edition). This certificate template creates a certificate that's incompatible with Configuration Manager applications for mobile devices.

If you use Active Directory Certificate Services to code-sign applications for mobile device applications, don't use a Version 3 certificate template.

Audit sign-in events for user device affinity

If you want to automatically create user device affinities, configure clients to audit sign-in events.

To determine automatic user device affinities, the Configuration Manager client reads sign-in events of type Success from the Windows security event log. Enable these events with the following two audit policies:

  • Audit account logon events
  • Audit logon events

To automatically create relationships between users and devices, make sure that these two settings are enabled on client computers. You can use Windows Group Policy to configure these settings.

For more information on user device affinity, see Link users and devices with user device affinity.
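The following PowerShell sketch is an added example, not part of the original article. It lists the audit subcategories that don't record Success events, based on the CSV report that `auditpol /r` produces. It assumes that the two legacy policies above correspond to the `Account Logon` and `Logon/Logoff` categories with English category names; the function name `Get-MissingSuccessAudit` and the sample rows are constructed for illustration.

```powershell
# Added example: find audit subcategories that don't log Success events.
function Get-MissingSuccessAudit {
    param(
        # Lines of CSV text as produced by: auditpol /get /category:<name> /r
        [Parameter(Mandatory)] [string[]] $AuditpolCsv
    )
    $AuditpolCsv |
        Where-Object { $_.Trim() } |        # drop the blank lines in the report
        ConvertFrom-Csv |
        # "Success" and "Success and Failure" both satisfy the requirement;
        # "Failure" and "No Auditing" don't.
        Where-Object { $_.'Inclusion Setting' -notmatch 'Success' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Constructed sample report for a hypothetical client named CLIENT01.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
CLIENT01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
CLIENT01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,
CLIENT01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},No Auditing,
CLIENT01,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},Failure,
'@ -split "`r?`n"

# Reports the two Account Logon subcategories in the sample that lack Success.
Get-MissingSuccessAudit $sample

# Live use from an elevated prompt (English category names assumed):
#   'Account Logon', 'Logon/Logoff' | ForEach-Object {
#       Get-MissingSuccessAudit (auditpol /get "/category:$_" /r)
#   }
```

An empty result for both categories means Success auditing is on for every subcategory, which is the state the two policies produce when they're enabled for Success.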

Configuration Manager dependencies

Management point

Clients contact a management point to download client policy and to locate content.

Starting in version 1906, updated clients automatically use the management point for user-available application deployments.

In version 1902 and earlier, clients use the management point to connect to the application catalog. If clients can't access a management point, they can't use the application catalog.

Note

Starting in version 1806, application catalog roles are no longer required to display user-available applications in Software Center. For more information, see Configure Software Center.

Starting in version 1906, you can't install new application catalog roles. In the first current branch release after October 31, 2019, support will end for the application catalog roles.

Distribution point

Before you can deploy applications to clients, you need at least one distribution point in the hierarchy. By default, the site server has a distribution point site role enabled during a standard installation. The number and location of distribution points vary according to the specific requirements of your environment.

For more information about how to install distribution points and manage content, see Manage content and content infrastructure.

Reporting services point

To use the reports in Configuration Manager for application management, first install and configure a reporting services point.

For more information, see Reporting in Configuration Manager.

Client settings

Many client settings control how the client installs applications and the user experience on the device. These client settings include the following groups:

  • Computer agent
  • Computer restart
  • Software Center
  • Software deployment
  • User and device affinity

Security permissions for application management

  • The Application Author security role includes the required permissions to create, change, and retire applications.

  • The Application Deployment Manager security role includes required permissions to deploy applications.

  • The Application Administrator security role has all the permissions from both the Application Author and the Application Deployment Manager security roles.

For more information, see Configure role-based administration.

App-V 4.6 SP1 or later client to run virtual applications

To create virtual applications in Configuration Manager, install App-V 4.6 SP1 or later on devices.

Before you deploy virtual applications, also update the App-V client with the hotfix described in the Microsoft Support article 2645225.

Application catalog

Important

The application catalog is deprecated. For more information, see Remove the application catalog.

Application catalog web service point

The application catalog web service point is a site system role that provides information about available software from your software library to the application catalog website that users access.

For more information about how to configure this site system role, see Install and configure the Application Catalog.

Application catalog website point

The application catalog website point is a site system role that provides users with a list of available software.

For more information about how to configure this site system role, see Install and configure the Application Catalog.

Discovered user accounts for application catalog

Configuration Manager must first discover user accounts before users can view and request applications from the application catalog. For more information, see Run discovery.

Configure Software Center

For more information on configuring and branding Software Center, see Plan for Software Center.

Remove the application catalog

The application catalog is deprecated. For more information, see Removed and deprecated features. The following list summarizes the changes:

  • Starting in version 1806, the Silverlight user experience for the application catalog website point is no longer supported. The application catalog web service point role is no longer required, but still supported.

  • Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles.

  • In the first current branch release after October 31, 2019, support will end for the application catalog roles.

These iterative improvements to Software Center and the management point are to simplify your infrastructure and remove the need for the application catalog for user-available deployments. Software Center can deliver all app deployments without the application catalog. Also, if you enable TLS 1.2 and use HTTP with the application catalog, users can't see user-targeted, available deployments. Update Configuration Manager to version 1906 or later to benefit from these improvements.

  1. Update all clients to version 1806 or later. Version 1906 is recommended.

  2. Set branding for Software Center, instead of in the properties of the application catalog web site role. For more information, see Software Center client settings.

  3. Review the default and any custom client settings. In the Computer Agent group, make sure the Default Application Catalog website point is (none).

    In version 1902 and earlier, the client only switches to using the management point when there are no application catalog roles in the hierarchy. Otherwise, clients continue to use one of the application catalog instances in the hierarchy. This behavior applies across separate primary sites.

  4. Remove the application catalog website and application catalog web service site system roles from all primary sites.

After you remove the application catalog roles, Software Center starts using the management point for user-targeted, available deployments. In version 1902 and earlier, it can take up to 65 minutes for this change to happen. To verify this behavior on a specific client, review the SCClient_<username>.log, and look for an entry similar to the following line:

Using endpoint Url: https://mp.contoso.com/CMUserService_WindowsAuth, Windows authentication
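To automate this check, the following PowerShell sketch (an added example, not part of the original article) extracts the most recent endpoint entry from the log lines and reports whether it uses HTTPS. The function name `Get-SoftwareCenterEndpoint`, the `CMUserService` path test taken from the sample line above, and the surrounding sample lines are assumptions for illustration.

```powershell
# Added example: report the endpoint that Software Center last selected.
function Get-SoftwareCenterEndpoint {
    param(
        # Lines read from SCClient_<username>.log
        [Parameter(Mandatory)] [string[]] $LogLine
    )
    # Matches the entry format shown in the article: "<url>, <authentication>".
    $pattern = 'Using endpoint Url:\s*(?<url>\S+?),\s*(?<auth>[^\]<]+)'
    $last = $LogLine | Select-String -Pattern $pattern | Select-Object -Last 1
    if (-not $last) { return $null }       # no endpoint entry logged yet

    $match = $last.Matches[0]
    $uri   = [uri]$match.Groups['url'].Value
    [pscustomobject]@{
        Url               = $uri.AbsoluteUri
        Server            = $uri.Host
        IsHttps           = $uri.Scheme -eq 'https'
        # Assumption: a path starting with CMUserService, as in the article's
        # sample line, identifies the management point's user service.
        IsUserServicePath = $uri.AbsolutePath -like '/CMUserService*'
        Authentication    = $match.Groups['auth'].Value.Trim()
    }
}

# Constructed sample; only the wording of the endpoint entry comes from the article.
$sample = @(
    'Software Center starting (constructed line)'
    'Using endpoint Url: https://mp.contoso.com/CMUserService_WindowsAuth, Windows authentication'
    'Loading available applications (constructed line)'
)

$endpoint = Get-SoftwareCenterEndpoint $sample
$endpoint
if ($endpoint -and -not $endpoint.IsHttps) {
    Write-Warning "Software Center is using a non-HTTPS endpoint: $($endpoint.Url)"
}

# Live use, assuming the default client log folder:
#   Get-SoftwareCenterEndpoint (Get-Content "$env:windir\CCM\Logs\SCClient_*.log")
```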

Install and configure the application catalog

Important

The application catalog is deprecated. For more information, see Remove the application catalog.

Step 1: Web server certificate for HTTPS

If you use HTTPS connections, deploy a web server certificate to the site system servers for the application catalog website point and the application catalog web service point.

If you want clients to use the application catalog from the internet, deploy a web server certificate to at least one management point. Configure it for client connections from the internet.

For more information about certificate requirements, see PKI certificate requirements.

Step 2: Client authentication certificate for HTTPS

If you use a client PKI certificate for connections to management points, deploy a client authentication certificate to client computers. Although clients don't use a client PKI certificate to connect to the application catalog, they must connect to a management point before they can use the application catalog.

Deploy a client authentication certificate to client computers in the following scenarios:

  • All management points on the intranet accept only HTTPS client connections.
  • Clients connect to the application catalog from the internet.

For more information about certificate requirements, see PKI certificate requirements.

Step 3: Install and configure the application catalog roles

Install both the application catalog web service point and the application catalog website roles in the same site. You don't have to install them on the same server or in the same Active Directory forest. However, the application catalog web service point must be in the same forest as the site database.

For more information about server placement, see Plan for site system servers and site system roles.

Note

Install the application catalog at a primary site. You can't install it at a secondary site or the central administration site.

Install the application catalog on a new site system server or an existing server in the site. For more information on the general procedure, see Install site system roles. In the wizard to add a site system role or create a site system server, select the following roles from the list:

  • Application catalog web service point
  • Application catalog website point

Tip

If you want client computers to use the application catalog over the internet, specify the internet fully qualified domain name (FQDN).

Verify the installation of these site system roles

  • Status messages: Use the components SMS_PORTALWEB_CONTROL_MANAGER and SMS_AWEBSVC_CONTROL_MANAGER.

    For example, status ID 1015 for SMS_PORTALWEB_CONTROL_MANAGER confirms that Site Component Manager successfully installed the application catalog website point.

  • Log files: Search for SMSAWEBSVCSetup.log and SMSPORTALWEBSetup.log.

    For more information, search for the awebsvcMSI.log and portlwebMSI.log log files.

Step 4: Configure client settings

If you want all users to have the same settings, configure the default client settings. Otherwise, configure custom client settings for specific collections.

The Configuration Manager client configures devices with these settings when it next downloads client policy. To trigger policy retrieval for a single client, see How to manage clients.

Step 5: Verify that the application catalog is operational

Use the following procedures to verify that the application catalog is operational.

Note

The application catalog user experience requires Microsoft Silverlight. If you use the application catalog directly from a browser, first verify that Microsoft Silverlight is installed on the computer.

Tip

Missing prerequisites are among the most typical reasons for the application catalog to operate incorrectly after installation. Confirm the role prerequisites for the application catalog site system roles. For more information, see Site and site system prerequisites.

In a browser, enter the address of the application catalog website. Confirm that the web page shows the three tabs: Application Catalog, My Application Requests, and My Devices.

Use the appropriate address for the application catalog from the following list, where <server> is the computer name, intranet FQDN, or internet FQDN:

  • HTTPS client connections and default site system role settings: https://<server>/CMApplicationCatalog

  • HTTP client connections and default site system role settings: http://<server>/CMApplicationCatalog

  • HTTPS client connections and custom site system role settings: https://<server>:<port>/<web application name>

  • HTTP client connections and custom site system role settings: http://<server>:<port>/<web application name>

Note

If you signed in to the device with a Domain Administrator account, the Configuration Manager client doesn't display notification messages. For example, messages indicating that new software is available.