Plan for and configure application management in Configuration Manager

Applies to: Configuration Manager (current branch)

Use the information in this article to help you implement the necessary dependencies to deploy applications in Configuration Manager.

Dependencies external to Configuration Manager

Internet Information Services (IIS)

IIS is required on the servers that run the following site system roles:

  • Management point
  • Distribution point

For more information, see Site and site system prerequisites.

Note

The application catalog also requires IIS. However, its Silverlight user experience isn't supported as of current branch version 1806. Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles. Support ends for the application catalog roles with version 1910.

For more information, see the following articles:

Certificates on code-signed applications for mobile devices

When you code-sign applications to deploy them to mobile devices, don't use a certificate that was generated by using a Version 3 template (Windows Server 2008, Enterprise Edition). This certificate template creates a certificate that's incompatible with Configuration Manager applications for mobile devices.

If you use Active Directory Certificate Services to code-sign applications for mobile devices, don't use a Version 3 certificate template.

Audit sign-in events for user device affinity

If you want to automatically create user device affinities, configure clients to audit sign-in events.

To determine automatic user device affinities, the Configuration Manager client reads sign-in events of type Success from the Windows security event log. Enable these events with the following two audit policies:

  • Audit account logon events
  • Audit logon events

To automatically create relationships between users and devices, make sure that these two settings are enabled on client computers. You can use Windows Group Policy to configure these settings.
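
One way to confirm the two settings on a client, added here as an example and not part of the original article: auditpol reports the policies "Audit account logon events" and "Audit logon events" as the categories Account Logon and Logon/Logoff, and the function below checks whether any subcategory in a category audits Success. The function name and the sample CSV rows are constructed, and the parsing assumes English-language auditpol output.

```powershell
# Added example (not product code): check success auditing per audit category.
# Assumption: English-language output of  auditpol /get /category:"<name>" /r
function Test-LogonSuccessAudit {
    param(
        [Parameter(Mandatory)] [string]   $Category,
        [Parameter(Mandatory)] [string[]] $AuditpolCsv
    )
    # auditpol /r can emit blank lines; drop them before parsing the CSV
    $rows = @($AuditpolCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv)
    # "Success" and "Success and Failure" both produce Success events
    $on   = @($rows | Where-Object { $_.'Inclusion Setting' -match '^Success' })
    [pscustomobject]@{
        Category          = $Category
        Subcategories     = $rows.Count
        AuditingSuccess   = $on.Subcategory -join ', '
        SuccessAuditFound = $on.Count -gt 0
    }
}

# Constructed sample output; machine name and GUID column are placeholders.
$header = 'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
$sample = @{
    'Account Logon' = @(
        $header
        ''
        'CLIENT01,System,Credential Validation,{placeholder},No Auditing,'
    )
    'Logon/Logoff'  = @(
        $header
        ''
        'CLIENT01,System,Logon,{placeholder},Success and Failure,'
        'CLIENT01,System,Logoff,{placeholder},Success,'
    )
}

$report = foreach ($category in 'Account Logon', 'Logon/Logoff') {
    Test-LogonSuccessAudit -Category $category -AuditpolCsv $sample[$category]
}
$report | Format-Table -AutoSize

# Categories with no success auditing will not produce the events the client reads.
$missing = @($report | Where-Object { -not $_.SuccessAuditFound })
if ($missing.Count -gt 0) {
    "Success auditing not found for: $($missing.Category -join ', ')"
}

# On a live client, from an elevated prompt:
#   Test-LogonSuccessAudit -Category 'Logon/Logoff' `
#       -AuditpolCsv (auditpol /get /category:"Logon/Logoff" /r)
```

With the constructed sample, the report flags Account Logon as the category that still needs success auditing.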

For more information on user device affinity, see Link users and devices with user device affinity.

Configuration Manager dependencies

Management point

Clients contact a management point to download client policy and to locate content.

Starting in version 1906, updated clients automatically use the management point for user-available application deployments.

In version 1902 and earlier, clients use the management point to connect to the application catalog. If clients can't access a management point, they can't use the application catalog.

Note

Starting in version 1806, application catalog roles are no longer required to display user-available applications in Software Center. For more information, see Configure Software Center.

Starting in version 1906, you can't install new application catalog roles. Support ends for the application catalog roles with version 1910.

Distribution point

Before you can deploy applications to clients, you need at least one distribution point in the hierarchy. By default, the site server has a distribution point site role enabled during a standard installation. The number and location of distribution points vary according to the specific requirements of your environment.

For more information about how to install distribution points and manage content, see Manage content and content infrastructure.

Reporting services point

To use the reports in Configuration Manager for application management, first install and configure a reporting services point.

For more information, see Introduction to reporting.

Client settings

Many client settings control how the client installs applications and the user experience on the device. These client settings include the following groups:

  • Computer agent
  • Computer restart
  • Software Center
  • Software deployment
  • User and device affinity

For more information, see the following articles:

Security permissions for application management

  • The Application Author security role includes the required permissions to create, change, and retire applications.

  • The Application Deployment Manager security role includes required permissions to deploy applications.

  • The Application Administrator security role has all the permissions from both the Application Author and the Application Deployment Manager security roles.

For more information, see Configure role-based administration.

App-V 4.6 SP1 or later client to run virtual applications

To create virtual applications in Configuration Manager, install App-V 4.6 SP1 or later on devices.

Before you deploy virtual applications, also update the App-V client with the hotfix described in the Microsoft Support article 2645225.

Application catalog

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Application catalog web service point

The application catalog web service point is a site system role that provides information about available software from your software library to the application catalog website that users access.

For more information about how to configure this site system role, see Install and configure the Application Catalog.

Application catalog website point

The application catalog website point is a site system role that provides users with a list of available software.

For more information about how to configure this site system role, see Install and configure the Application Catalog.

Discovered user accounts for application catalog

Configuration Manager must first discover user accounts before users can view and request applications from the application catalog. For more information, see Run discovery.

Configure Software Center

For more information on configuring and branding Software Center, see Plan for Software Center.

Remove the application catalog

Support ends for the application catalog roles with version 1910. For more information, see Removed and deprecated features. The following list summarizes the changes:

  • Starting in version 1806, the Silverlight user experience for the application catalog website point is no longer supported. The application catalog web service point role is no longer required, but still supported.

  • Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles.

  • Support ends for the application catalog roles with version 1910.

These iterative improvements to Software Center and the management point are to simplify your infrastructure and remove the need for the application catalog for user-available deployments. Software Center can deliver all app deployments without the application catalog. Also, if you enable TLS 1.2 and use HTTP with the application catalog, users can't see user-targeted, available deployments. Update Configuration Manager to version 1906 or later to benefit from these improvements.

  1. Update all clients to version 1806 or later. Version 1906 is recommended.

  2. Set branding for Software Center, instead of in the properties of the application catalog website role. For more information, see Software Center client settings.

  3. Review the default and any custom client settings. In the Computer Agent group, make sure the Default Application Catalog website point is (none).

    In version 1902 and earlier, the client only switches to using the management point when there are no application catalog roles in the hierarchy. Otherwise, clients continue to use one of the application catalog instances in the hierarchy. This behavior applies across separate primary sites.

  4. Remove the application catalog website and application catalog web service site system roles from all primary sites.

After you remove the application catalog roles, Software Center starts using the management point for user-targeted, available deployments. In version 1902 and earlier, it can take up to 65 minutes for this change to happen. To verify this behavior on a specific client, review the SCClient_<username>.log, and look for an entry similar to the following line:

Using endpoint Url: https://mp.contoso.com/CMUserService_WindowsAuth, Windows authentication
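
The log check described above, written as a PowerShell function. This is an added example, not code from the original article: it extracts every "Using endpoint Url" entry and reports whether the most recent one points at the management point user service over HTTPS. The function name, the <![LOG[ ... ]LOG]!> wrapper, the cat01 host and the ExampleCatalogService path in the sample lines are constructed.

```powershell
# Added example (not product code): classify "Using endpoint Url" entries from
# SCClient_<username>.log. The entry format follows the sample line on this page.
function Get-SoftwareCenterEndpoint {
    param(
        [Parameter(Mandatory)] [string[]] $LogLine
    )
    # Works for a bare entry and for one wrapped as <![LOG[ ... ]LOG]!>
    $pattern = 'Using endpoint Url:\s*(?<url>https?://[^,\s]+),\s*(?<auth>[^\]]+)'
    foreach ($line in $LogLine) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        $uri = [uri]$m.Groups['url'].Value
        [pscustomobject]@{
            Server            = $uri.Host
            Path              = $uri.AbsolutePath
            Authentication    = $m.Groups['auth'].Value.Trim()
            # Path taken from the management point entry shown on this page
            IsManagementPoint = $uri.AbsolutePath.TrimEnd('/') -like '*/CMUserService_WindowsAuth'
            IsHttps           = $uri.Scheme -eq 'https'
        }
    }
}

# Constructed sample: an older non-management-point entry, noise, then the page's entry.
$sample = @(
    '<![LOG[Using endpoint Url: http://cat01.contoso.com/ExampleCatalogService, Windows authentication]LOG]!><time="09:10:02.000+000" date="01-15-2020" component="SCClient">'
    '<![LOG[Constructed unrelated entry]LOG]!><time="09:10:03.000+000" date="01-15-2020" component="SCClient">'
    '<![LOG[Using endpoint Url: https://mp.contoso.com/CMUserService_WindowsAuth, Windows authentication]LOG]!><time="10:15:40.000+000" date="01-15-2020" component="SCClient">'
)

$entries = @(Get-SoftwareCenterEndpoint -LogLine $sample)
$entries | Format-Table Server, Path, IsManagementPoint, IsHttps -AutoSize

# Entries are in log order, so the last one reflects the current endpoint.
$latest = $entries[-1]
if (-not $latest) {
    'No endpoint entry found; the client may not have switched yet.'
} elseif ($latest.IsManagementPoint -and $latest.IsHttps) {
    "OK: Software Center uses management point $($latest.Server) over HTTPS."
} elseif ($latest.IsManagementPoint) {
    "Management point $($latest.Server) is in use, but over HTTP."
} else {
    "Still using a non-management-point endpoint: $($latest.Server)$($latest.Path)"
}

# Against a real client log:
#   Get-SoftwareCenterEndpoint -LogLine (Get-Content -Path '<path to SCClient_<username>.log>')
```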

Install and configure the application catalog

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Step 1: Web server certificate for HTTPS

If you use HTTPS connections, deploy a web server certificate to the site system servers for the application catalog website point and the application catalog web service point.

If you want clients to use the application catalog from the internet, deploy a web server certificate to at least one management point. Configure it for client connections from the internet.

For more information about certificate requirements, see PKI certificate requirements.

Step 2: Client authentication certificate for HTTPS

If you use a client PKI certificate for connections to management points, deploy a client authentication certificate to client computers. Although clients don't use a client PKI certificate to connect to the application catalog, they must connect to a management point before they can use the application catalog.

Deploy a client authentication certificate to client computers in the following scenarios:

  • All management points on the intranet accept only HTTPS client connections.
  • Clients connect to the application catalog from the internet.

For more information about certificate requirements, see PKI certificate requirements.

Step 3: Install and configure the application catalog roles

Install both the application catalog web service point and the application catalog website roles in the same site. You don't have to install them on the same server or in the same Active Directory forest. However, the application catalog web service point must be in the same forest as the site database.

For more information about server placement, see Plan for site system servers and site system roles.

Note

Install the application catalog at a primary site. You can't install it at a secondary site or the central administration site.

Install the application catalog on a new site system server or an existing server in the site. For more information on the general procedure, see Install site system roles. In the wizard to add a site system role or create a site system server, select the following roles from the list:

  • Application catalog web service point
  • Application catalog website point

Tip

If you want client computers to use the application catalog over the internet, specify the internet fully qualified domain name (FQDN).

Verify the installation of these site system roles

  • Status messages: Use the components SMS_PORTALWEB_CONTROL_MANAGER and SMS_AWEBSVC_CONTROL_MANAGER.

    For example, status ID 1015 for SMS_PORTALWEB_CONTROL_MANAGER confirms that Site Component Manager successfully installed the application catalog website point.

  • Log files: Search for SMSAWEBSVCSetup.log and SMSPORTALWEBSetup.log.

    For more information, search for the awebsvcMSI.log and portlwebMSI.log log files.

Step 4: Configure client settings

If you want all users to have the same settings, configure the default client settings. Otherwise, configure custom client settings for specific collections.

For more information, see the following articles:

The Configuration Manager client configures devices with these settings when it next downloads client policy. To trigger policy retrieval for a single client, see How to manage clients.

Step 5: Verify that the application catalog is operational

Use the following procedures to verify that the application catalog is operational.

Note

The application catalog user experience requires Microsoft Silverlight. If you use the application catalog directly from a browser, first verify that Microsoft Silverlight is installed on the computer.

Tip

Missing prerequisites are among the most typical reasons for the application catalog to operate incorrectly after installation. Confirm the role prerequisites for the application catalog site system roles. For more information, see Site and site system prerequisites.

In a browser, enter the address of the application catalog website. Confirm that the web page shows the three tabs: Application Catalog, My Application Requests, and My Devices.

Use the appropriate address for the application catalog from the following list, where <server> is the computer name, intranet FQDN, or internet FQDN:

  • HTTPS client connections and default site system role settings: https://<server>/CMApplicationCatalog

  • HTTP client connections and default site system role settings: http://<server>/CMApplicationCatalog

  • HTTPS client connections and custom site system role settings: https://<server>:<port>/<web application name>

  • HTTP client connections and custom site system role settings: http://<server>:<port>/<web application name>

Note

If you signed in to the device with a Domain Administrator account, the Configuration Manager client doesn't display notification messages, such as messages indicating that new software is available.