Approve applications in Configuration Manager

Applies to: Configuration Manager (current branch)

When deploying an application in Configuration Manager, you can require approval before installation. Users request the application in Software Center, and then you review the request in the Configuration Manager console. You can approve or deny the request.

Approval settings

The application approval behavior depends upon whether you enable the recommended optional app approval experience. One of the following approval settings appears on the Deployment Settings page of the application deployment:

An administrator must approve a request for this application on the device

Note

Configuration Manager doesn't enable this feature by default. Before using it, enable the optional feature Approve application requests for users per device. For more information, see Enable optional features from updates.

If you don't enable this feature, you see the prior experience.

The administrator approves any user requests for the application before the user can install it on the requested device. If the administrator approves the request, the user is only able to install the application on that device. The user must submit another request to install the application on another device. This option is grayed out when the deployment purpose is Required, or when you deploy the application to a device collection.

Note

To take advantage of new Configuration Manager features, first update clients to the latest version. While new functionality appears in the Configuration Manager console when you update the site and console, the complete scenario isn't functional until the client version is also the latest.

View Application Requests under Application Management in the Software Library workspace of the Configuration Manager console. (In version 1902 and earlier, this node is called Approval Requests.) There's now a Device column in the list for each request. When you take action on the request, the Application Request dialog also includes the device name from which the user submitted the request.

If a request isn't approved within 30 days, it's removed. Reinstalling the client might cancel any pending approval requests.

When you require approval on a deployment to a device collection, the app isn't displayed in Software Center. If you require approval on a deployment to a user collection, the app is displayed in Software Center. You can still hide it from users with the client setting, Hide unapproved applications in Software Center. For more information, see Software Center client settings.

After you've approved an application for installation, you can Deny the request in the Configuration Manager console. If users haven't already installed the application, this action stops them from installing new copies of the application from Software Center. If an application was previously approved and installed, when you Deny the request for the application, the client uninstalls the application from the user's device.

Starting in version 1906, if you approve an app request in the console, and then deny it, you can now approve it again. The app is reinstalled on the client after you approve it.

Automate the approval process with the Approve-CMApprovalRequest PowerShell cmdlet. Starting in version 1902, this cmdlet includes the InstallActionBehavior parameter. Use this parameter to specify whether to install the application right away or during non-business hours.
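
One way to automate approval with this cmdlet while leaving anything that isn't pre-approved for a human reviewer. This is an added example, not part of the original article or Microsoft's code. The site code XYZ, the allow-list entries, the CurrentState value 1 for pending requests, the request property names, and the InstallNonBusinessHours value name are assumptions to verify against your site and module version.

```powershell
# Added example. Run from a host with the Configuration Manager console
# installed. 'XYZ' is a placeholder site code.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'XYZ:'

# Constructed allow-list: applications agreed in advance as safe to approve
# without review. Every other request stays pending for an administrator.
$allowList = @('Contoso Notes', 'Contoso PDF Viewer')
$dryRun    = $true   # set to $false to actually approve requests

# Assumption: CurrentState 1 means "pending", and the Application, User and
# RequestGuid properties exist on the objects Get-CMApprovalRequest returns.
$pending = Get-CMApprovalRequest | Where-Object { $_.CurrentState -eq 1 }

$results = foreach ($request in $pending) {
    $onList = $allowList -contains $request.Application

    if ($onList -and -not $dryRun) {
        # Assumption: InstallNonBusinessHours is the value name that defers
        # the install to non-business hours.
        Approve-CMApprovalRequest -InputObject $request `
            -Comment 'Auto-approved: application is on the pre-approved list.' `
            -InstallActionBehavior InstallNonBusinessHours
    }

    # Record every decision, including the requests left for manual review.
    [pscustomobject]@{
        Application = $request.Application
        User        = $request.User
        RequestGuid = $request.RequestGuid
        Decision    = if ($onList) { 'approve' } else { 'manual review' }
        Applied     = ($onList -and -not $dryRun)
    }
}

$results | Format-Table -AutoSize
```

Run it with $dryRun left at $true first and compare the Decision column with the Application Requests node before letting it approve anything.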

Starting in 1906, you can see which deployments require approval. Select an app in the Applications node. In the details pane, switch to the Deployments tab. There's a new column displayed by default, Requires Approval.

Retry the install of pre-approved applications

Starting in version 1906, you can retry the installation of an app that you previously approved for a user or device. The approval option is only for available deployments. If the user uninstalls the app, or if the initial install process fails, Configuration Manager doesn't reevaluate its state and reinstall it. This feature allows a support technician to quickly retry the app install for a user that calls for help.

  1. Open the Configuration Manager console as a user that has the Approve permission on the Application object. For example, the Application Administrator or Application Author built-in roles have this permission.

  2. Deploy an app that requires approval, and approve it.

    Tip

    Alternatively, install an application for a device. It creates an approved request for the app on the device.

If the application doesn't install successfully, or the user uninstalls the app, use the following process to retry:

  1. In the Configuration Manager console, go to the Software Library workspace, expand Application Management, and select the Application Requests node. (In version 1902 and earlier, this node is called Approval Requests.)

  2. Select the previously approved app. In the Approval Request group of the ribbon, select Retry install.

Other app approval resources

Require administrator approval if users request this application

Note

This experience applies if you don't enable the recommended optional app approval experience.

The administrator approves any user requests for the application before the user can install it. This option is grayed out when the deployment purpose is Required, or when you deploy the application to a device collection.

Application approval requests are displayed in the Application Requests node, under Application Management in the Software Library workspace. (In version 1902 and earlier, this node is called Approval Requests.) If a request isn't approved within 30 days, it's removed. Reinstalling the client might cancel any pending approval requests.

After you've approved an application for installation, you can Deny the request in the Configuration Manager console. This action doesn't cause the client to uninstall the application from any devices. It stops users from installing new copies of the application from Software Center.

Email notifications

You can configure email notifications for application approval requests. When a user requests an application, you receive an email. Click links in the email to approve or deny the request, without requiring the Configuration Manager console.

You can define the email addresses of the users who can approve or deny the request while creating a new deployment for the application. If you need to change the list of email addresses afterwards, go to the Monitoring workspace, expand Alerts, and select the Subscriptions node. Select Properties from one of the Approve application via email subscriptions that's related to your application deployment.

If there is more than one alert, you can determine which alert goes with which deployment. Open the alert properties, and view the list of Selected alerts on the General tab. The deployment is enabled as the alert for this subscription.

Users can add a comment to the request from Software Center. This comment shows on the application request in the Configuration Manager console. Starting in version 1902, that comment also shows in the email. Including this comment in the email helps the approvers make a better decision to approve or deny the request.

Prerequisites

To send email notifications and take action on internal network

With these prerequisites, recipients receive an email with notification of the request. If they are on the internal network, they can also approve or deny the request from the email.

  • Enable the optional feature Approve application requests for users per device.

  • Configure email notification for alerts.

    Note

    The administrative user that deploys the application needs permission to create an alert and subscription. If this user doesn't have these permissions, they'll see an error at the end of the Deploy Software Wizard: "You do not have security rights to perform this operation."

  • Enable the SMS Provider on the primary site to use a certificate. Use one of the following options:

    • (Recommended) Enable Enhanced HTTP for the primary site.

      Note

      When the primary site creates a certificate for the SMS Provider, it won't be trusted by the web browser on the client. Based on your security settings, when responding to an application request, you may see a security warning.

    • Manually bind a PKI-based certificate to port 443 in IIS on the server that hosts the SMS Provider role on the primary site.

Note

If you have multiple child primary sites in a hierarchy, configure these prerequisites for each primary site where you want to enable this feature. The links in the email notification are for the administration service at the primary site.

To take action from internet

With these additional optional prerequisites, recipients can approve or deny the request from anywhere they have internet access.

  • Enable the SMS Provider administration service through the cloud management gateway. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node. Select the server with the SMS Provider role. In the details pane, select the SMS Provider role, and select Properties in the ribbon on the Site Role tab. Select the option to Allow Configuration Manager cloud management gateway traffic for administration service.

  • The SMS Provider requires .NET 4.5.2 or later.

  • Set up a cloud management gateway.

  • Onboard the site to Azure services for Cloud Management.

  • Enable Azure AD User Discovery.

  • Manually configure settings in Azure AD:

    1. Go to the Azure portal as a user with Global Admin permissions. Go to Azure Active Directory, and select App registrations.

    2. Select the application that you created for Configuration Manager Cloud Management integration.

    3. In the Manage menu, select Authentication.

      1. In the Redirect URIs section, paste in the following path: https://<CMG FQDN>/CCM_Proxy_ServerAuth/ImplicitAuth

      2. Replace <CMG FQDN> with the fully qualified domain name (FQDN) of your cloud management gateway (CMG) service. For example, GraniteFalls.Contoso.com.

      3. Then select Save.

    4. In the Manage menu, select Manifest.

      1. In the Edit manifest pane, find the oauth2AllowImplicitFlow property.

      2. Change its value to true. For example, the entire line should look like the following line: "oauth2AllowImplicitFlow": true,

      3. Select Save.

Configure email approval

  1. In the Configuration Manager console, deploy an application as available to a user collection. On the Deployment Settings page, enable it for approval. Then enter one or more email addresses to receive notification. Separate email addresses with a semicolon (;).

    Note

    Anyone in your Azure AD organization who receives the email can approve the request. Don't forward the email to others unless you want them to take action.

  2. As a user, request the application in Software Center.

  3. You receive an email notification within five minutes. The content of the email is similar to the following example:

Sample email notification for application approval

Note

The link to approve or deny is for one-time use. For example, you configure a group alias to receive notifications. Meg approves the request. Now Bruce can't deny the request.

Review the NotiCtrl.log file on the site server for troubleshooting.

Maintenance

Configuration Manager stores the information about the application approval request in the site database. For requests that are canceled or denied, the site deletes the request history after 30 days. You can configure this deletion behavior with the Delete Aged Application Request Data site maintenance task. The site never deletes any approved or pending application requests.