The document discusses application management in Configuration Manager including creating, deploying, updating, and uninstalling applications.

Applications can be created for different platforms like Windows, iOS, MacOS, Android, and Linux/UNIX. Applications can also be deployed as virtual applications using App-V.

Requirements are used to specify criteria for installing deployment types. They help determine which deployment type is installed based on attributes of the target device. This allows applications to be deployed more granularly.

Table of Contents

Understand and explore


Introduction
Get started
Create and deploy an application
Plan and design
Plan for, and configure application management
Security and privacy
Deploy and use
Create applications
Create iOS applications
Create Mac computer applications
Create Windows applications
Create Windows Phone applications
Create Linux and UNIX server applications
Create Android applications
Create Windows Embedded applications
Create global conditions
Packages and programs
Deploy applications
Deploy applications
Simulate application deployments
Deploy App-V virtual applications
Monitor applications
Monitor applications from the console
Monitor app usage with software metering
Manage applications
Management tasks
User device affinity
iOS app configuration policies
iOS volume-purchased apps
Windows Store for Business volume-purchased apps
App-V virtual environments
Protect apps
Mobile application management policies
Managed browser policies
Update and retire applications
Update and retire applications
Revise and supersede applications
Uninstall applications

Introduction to application management in System Center Configuration Manager
12/29/2016 7 min to read

Applies to: System Center Configuration Manager (Current Branch)


In this topic, you'll learn the basics you need to know before you start working with System Center Configuration
Manager applications.

TIP
If you are already familiar with how to manage applications in Configuration Manager, you can skip this topic and move on to
creating a sample application. See Create and deploy an application with System Center Configuration Manager.

What is an application?
Although application is a widely used term in computing, in Configuration Manager, it means something different.
Think of an application like a box. This box contains one or more sets of installation files for a software package
(known as a deployment type), plus instructions on how to deploy the software.
When the application is deployed to devices, requirements decide which deployment type is installed on the
device.
Of course, there are a lot more things you can do with an application, and you'll learn about these as you read
through this guide. The following table introduces some concepts you'll need to know before you start to dig
deeper. You won't need all of these in every application you create:

CONCEPT DESCRIPTION

Requirements: In previous versions of Configuration Manager, you would often create a collection containing the
devices you wanted to deploy an application to. Although you can still do this, requirements reduce that need by
allowing you to specify much more granular criteria by which an application will be installed.

For example, you can specify that an application can only install on devices that run Windows 10. Then, you can
deploy the application to all of your devices, but it will only install on devices that run Windows 10.

Configuration Manager evaluates requirements to determine whether an application and any of its deployment types
will be installed. Then it determines the correct deployment type by which to install an application. Every seven
days, by default, the requirement rules are reevaluated to ensure compliance according to the client setting
Schedule re-evaluation for deployments.

For details, see Create and deploy an application.


Global conditions: While requirements are used with a specific deployment type in a single application, you can
also create global conditions. These are a library of predefined requirements that you can use with any
application and deployment type.

Configuration Manager contains a set of built-in global conditions, and you can also create your own.

For details, see Create global conditions.

Simulated deployment: Evaluates the requirements, detection method, and dependencies for an application. It
reports the results without actually installing the application.

For details, see Simulate application deployments.

Deployment action: Specifies whether you want to install, or uninstall (when supported), the application you are
deploying.

For details, see Deploy applications.

Deployment purpose: Specifies whether the deployed app will be Required or Available.

Required means that the application is deployed automatically according to the schedule that has been set up.
However, a user can track the application deployment status if it is not hidden, and can install the application
before the deadline by using the Software Center.

Available means that if the application is deployed to a user, the user sees the published application in
Software Center, and can request it on demand.

For details, see Deploy applications.

Revisions: When you make revisions to an application or to a deployment type that is contained in an application,
Configuration Manager creates a new version of the application. You can display the history of each application
revision, view its properties, restore a previous version of an application, or delete an old version.

For details, see Update and retire applications.

Detection method: Detection methods are used to discover whether a deployed application is already installed. If
the detection method indicates the application is installed, Configuration Manager does not attempt to install it
again.

For details, see Create applications.

Dependencies: Dependencies define one or more deployment types from another application that must be installed
before a deployment type is installed. You can set up the dependent deployment types to be installed
automatically before a deployment type is installed.

For details, see Create applications.


Supersedence: Configuration Manager lets you upgrade or replace existing applications by using a supersedence
relationship. When you supersede an application, you can specify a new deployment type to replace the deployment
type of the superseded application. You can also decide whether to upgrade or uninstall the superseded
application before the superseding application is installed.

For details, see Create applications.

User-centric management: Configuration Manager applications support user-centric management, letting you
associate specific users with specific devices. Instead of having to remember the name of a user's device, you
can deploy apps to the user and to the device. This functionality can help you make sure that the most important
apps are always available on each device that a specific user accesses. If a user acquires a new computer, you
can automatically install the user's apps on the device before they sign in.

For details, see Link users and devices with user device affinity.

What application types can you deploy?


Configuration Manager lets you deploy the following app types:
Windows Installer (*.msi file)
Windows app package (*.appx, *.appxbundle)
Windows app package (in the Windows Store)
Microsoft Application Virtualization 4
Microsoft Application Virtualization 5
Windows Mobile Cabinet
macOS
Additionally, when you manage devices through Microsoft Intune or Configuration Manager on-premises device
management, you can manage these further app types:
Windows Phone app package (*.xap file)
App Package for iOS (*.ipa file)
App Package for Android (*.apk file)
App Package for Android on Google Play
Windows Phone app package (in the Windows Phone Store)
Windows Installer through MDM
Web Application

State-based applications
Configuration Manager applications use state-based monitoring, by which you can track the last application
deployment state for users and devices. The state messages display information about individual devices. For
example, if an application is deployed to a collection of users, you can view the compliance state of the deployment
and the deployment purpose in the Configuration Manager console. You can monitor the deployment of all
software by using the Monitoring workspace in the Configuration Manager console. Software deployments
include software updates, compliance settings, applications, task sequences, and packages and programs. For more
information, see Monitor applications.
Application deployments are regularly re-evaluated by Configuration Manager. For example:
A deployed application is uninstalled by the end-user. At the next evaluation cycle, Configuration Manager
detects that the application is not present, and reinstalls it.
An application was not installed on a device because it failed to meet the requirements. Later, a change is
made to the device and it now meets the requirements. Configuration Manager detects this change, and the
application is installed.
You can set the re-evaluation interval for application deployments by using the Schedule re-evaluation for
deployments client setting. For more information, see About client settings.

Get started creating an application


If you want to jump right in and start to create an application, you'll find a walkthrough for creating a simple
application in the Create and deploy an application topic.
If you are familiar with the basics and looking for more detailed reference information about all the options
available to you, start from Create applications.

Software Center and the Application Catalog


In previous versions of Configuration Manager, Software Center was used to install and schedule software
installations, configure remote control settings, and set up power management. Users could connect to the
Application Catalog to browse for and request software, set some preferences, and remotely wipe their mobile
devices.
While these settings are still available in System Center Configuration Manager, a new version of Software Center
is now available that allows you to browse for applications. You don't have to use the Application Catalog, which
requires a Silverlight-enabled web browser. However, the Application Catalog website point and Application
Catalog web service point site system roles are still required for user-available apps to appear in Software Center.
For more information, see Plan for and configure application management.

Configuration Manager packages and programs


Configuration Manager continues to support packages and programs that were used in previous versions of the
product. A deployment that uses packages and programs might be more suitable than a deployment that uses an
application when you deploy any of the following:
Scripts that do not install an application on a computer, such as a script to defragment the computer disk
drive.
One-off scripts that do not need to be continually monitored.
Scripts that run on a recurring schedule and cannot use global evaluation.
For more information, see Packages and programs.

Create and deploy an application with System Center Configuration Manager
12/5/2016 7 min to read

Applies to: System Center Configuration Manager (Current Branch)


In this topic, you'll jump right in and create an application with System Center Configuration Manager. In this
example, you'll create and deploy an application that contains a line-of-business app for Windows PCs called
Contoso.msi, which must be installed on all PCs that are running Windows 10 in your company. Along the way,
you'll learn about many of the things you can do to manage applications effectively.
This procedure is designed to give you an overview of how to create and deploy Configuration Manager
applications. However, it does not cover all the configuration options, or how to create and deploy applications for
other platforms.
For specific details that are relevant to each platform, see one of the following topics:
Create Windows applications
Create iOS applications
Create Android applications
Create Windows Phone applications
Create Mac computer applications
Create Linux and UNIX server applications
Create Windows Embedded applications
If you are already familiar with Configuration Manager applications, you can skip this topic. However, you might
want to review Create applications to learn about all the options that are available when you create and deploy
applications.

Before you start


Make sure that you've reviewed the information in Introduction to application management so that you have
prepared your site to install applications and you understand the terminology that's used in this topic.
Also, make sure that the installation files for the Contoso.msi app are in an accessible location on your network.

Create the Configuration Manager application


To start the Create Application Wizard and create the application
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. On the Home tab, in the Create group, choose Create Application.
3. On the General page of the Create Application Wizard, choose Automatically detect information
about this application from installation files. This pre-populates some of the information in the wizard
with information that's extracted from the installation .msi file. Then specify the following information:
Type: Choose Windows Installer (*.msi file).
Location: Type the location (or choose Browse to select the location) of the installation file
Contoso.msi. Note that the location must be specified in the form \\Server\Share\File for
Configuration Manager to locate the installation files.
You'll end up with something that looks like the following screenshot:

4. Choose Next. On the Import Information page, you'll see some information about the app and any
associated files that were imported to Configuration Manager. Once you are done, choose Next again.
5. On the General Information page, you can supply further information about the application to help you
sort and locate it in the Configuration Manager console.
Additionally, the Installation program field lets you specify the full command line that will be used to
install the application on PCs. You can edit this to add your own properties (for example /q for an
unattended installation).

TIP
Some of the fields on this page of the wizard might have been filled in automatically when you imported the
application installation files.

You'll end up with a screen that looks similar to the following screenshot:

6. Choose Next. On the Summary page, you can confirm your application settings and then complete the
wizard.
You've finished creating the app. To find it, in the Software Library workspace, expand Application
Management, and then choose Applications. For this example, you'll see:

Examine the properties of the application and its deployment type


Now that you've created an application, you can refine the application settings if you need to. To look at the
application properties, select the app, and then, in the Home tab in the Properties group, choose Properties.
In the Application Properties dialog box, you'll see many items that you can configure to refine the behavior of
the application. For details about all the settings you can configure, see Create applications. For the purposes of
this example, you'll just be changing some properties of the application's deployment type.
Choose the Deployment Types tab > Contoso Application deployment type > Edit.
You'll see a dialog box like this one:

Add a requirement to the deployment type


Requirements specify conditions that must be met before an application is installed on a device. You can choose
from built-in requirements or you can create your own. In this example, you add a requirement that the application
will only get installed on PCs that are running Windows 10.
1. From the deployment type properties page you just opened, choose the Requirements tab.
2. Choose Add to open the Create Requirement dialog box.
3. In the Create Requirement dialog box, specify the following information:
Category: Device
Condition: Operating system
Rule type: Value
Operator: One of
From the operating systems list, select Windows 10.
You'll end up with a dialog box that looks like this:

4. Choose OK to close each property page that you opened. Then return to the Applications list in the
Configuration Manager console.

TIP
Requirements can help reduce the number of Configuration Manager collections you need. Because you just specified that
the application can only get installed on PCs that are running Windows 10, you can later deploy this to a collection that
contains PCs that run many different operating systems. But the application will only get installed on Windows 10 PCs.

Add the application content to a distribution point


Next, to deploy the application to PCs, make sure that the application content is copied to a distribution point. PCs
access the distribution point to install the application.

TIP
To find out more about distribution points and content management in Configuration Manager, see Manage content and
content infrastructure.

1. In the Configuration Manager console, choose Software Library.
2. In the Software Library workspace, expand Applications. Then, in the list of applications, select the
Contoso Application that you created.
3. On the Home tab, in the Deployment group, choose Distribute Content.
4. On the General page of the Distribute Content Wizard, check that the application name is correct, and
then choose Next.
5. On the Content page, review the information that will be copied to the distribution point, and then choose
Next.
6. On the Content Destination page, choose Add to select one or more distribution points, or distribution
point groups on which to install the application content.
7. Complete the wizard.
You can check that the application content was copied successfully to the distribution point from the Monitoring
workspace, under Distribution Status > Content Status.

Deploy the application


Next, deploy the application to a device collection in your hierarchy. In this example, you deploy the application to
the All Systems device collection.

TIP
Remember that only Windows 10 computers will install the application because of the requirements that you selected earlier.

1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. From the list of applications, select the application that you created earlier (Contoso Application), and
then, on the Home tab in the Deployment group, choose Deploy.
3. On the General page of the Deploy Software Wizard, choose Browse to select the All Systems device
collection.
4. On the Content page, check that the distribution point from which you want PCs to install the application is
selected.
5. On the Deployment Settings page, make sure that the deployment action is set to Install, and the
deployment purpose is set to Required.

TIP
By setting the deployment purpose to Required, you make sure that the application is installed on PCs that meet
the requirements that you set. If you set this value to Available, then users can install the application on demand
from Software Center.

6. On the Scheduling page, you can configure when the application will be installed. For this example, select
As soon as possible after the available time.
7. On the User Experience page, choose Next to accept the default values.
8. Complete the wizard.
Use the information in the following Monitor the application section to see the status of your application
deployment.

Monitor the application


In this section, you'll take a quick look at the deployment status of the application that you just deployed.
To review the deployment status
1. In the Configuration Manager console, choose Monitoring > Deployments.
2. From the list of deployments, select Contoso Application.
3. On the Home tab, in the Deployment group, choose View Status.
4. Select one of the following tabs to see more status updates about the application deployment:
Success: The application installed successfully on the indicated PCs.
In Progress: The application has not yet finished installing.
Error: An error occurred installing the application on the indicated PCs. Further information about
the error is also displayed.
Requirements Not Met: No installation attempt was made on the indicated devices because they
did not meet the requirements you configured (in this example, because they do not run on
Windows 10).
Unknown: Configuration Manager was unable to report the status of the deployment. Check back
again later.

TIP
There are a few ways you can monitor application deployments. For full details, see Monitor applications.

End-user experience
Users who have PCs that are managed by Configuration Manager and running Windows 10 see a message telling
them that they must install the Contoso application. Once they accept the installation, the application gets installed.

Plan for and configure application management in System Center Configuration Manager
2/9/2017 13 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use the information in this article to help you implement the necessary dependencies to deploy applications in
System Center Configuration Manager.

Dependencies external to Configuration Manager


Dependency: Internet Information Services (IIS) is required on the site system servers that run the Application
Catalog website point, the Application Catalog web service point, the management point, and distribution point.
More information: For more about this requirement, see Supported configurations.

Dependency: Mobile devices that are enrolled by Configuration Manager
More information: When you code-sign applications to deploy them to mobile devices, do not use a certificate
that was generated by using a Version 3 template (Windows Server 2008, Enterprise Edition). This certificate
template creates a certificate that is not compatible with Configuration Manager applications for mobile devices.

If you use Active Directory Certificate Services to code-sign applications for mobile device applications, do not
use a Version 3 certificate template.

Dependency: Clients must be configured to audit sign-in events if you want to automatically create user device
affinities.
More information: The Configuration Manager client reads logon events of type Success from the PC's security
event log to determine automatic user device affinities. These events are enabled by the following two audit
policies:
Audit account logon events
Audit logon events
To automatically create relationships between users and devices, make sure that these two settings are enabled on
client computers. You can use Windows Group Policy to configure these settings.
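
To confirm on a client that the two audit policies named above are actually in effect, the following added example (not part of the original documentation) reads the effective settings with auditpol. It assumes an elevated PowerShell session on an English-language Windows client, because auditpol category and column names are localized; the function name Get-LogonAuditState is hypothetical.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Reports the effective audit settings behind the two policies named above:
#   "Audit account logon events" -> auditpol category "Account Logon"
#   "Audit logon events"         -> auditpol category "Logon/Logoff"
# Assumptions: elevated session, English-language Windows (auditpol
# category and column names are localized). Function name is hypothetical.

function Get-LogonAuditState {
    [CmdletBinding()]
    param(
        [string[]]$Category = @('Account Logon', 'Logon/Logoff')
    )

    foreach ($cat in $Category) {
        # /r prints CSV with the columns: Machine Name, Policy Target,
        # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
        $raw = & auditpol.exe /get "/category:$cat" /r 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol failed for category '$cat': $($raw -join ' ')"
        }

        $raw |
            ForEach-Object { "$_" } |
            Where-Object { $_.Trim() } |          # drop blank lines before parsing
            ConvertFrom-Csv |
            ForEach-Object {
                $setting = $_.'Inclusion Setting'
                [pscustomobject]@{
                    Category      = $cat
                    Subcategory   = $_.Subcategory
                    Setting       = $setting
                    # "Success" and "Success and Failure" both record the
                    # Success events the client reads; "Failure" and
                    # "No Auditing" do not.
                    AuditsSuccess = $setting -like 'Success*'
                }
            }
    }
}

# List every subcategory that does not record Success events.
$gaps = Get-LogonAuditState | Where-Object { -not $_.AuditsSuccess }
if ($gaps) {
    $gaps | Format-Table Category, Subcategory, Setting -AutoSize
} else {
    'Success auditing is enabled for all Account Logon and Logon/Logoff subcategories.'
}
```

auditpol reports the effective policy, so the result reflects what the client will actually log regardless of how the settings were delivered.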

Configuration Manager dependencies


Dependency: Management point
More information: Clients contact a management point to download client policy, to locate content, and to
connect to the Application Catalog.

If clients cannot access a management point, they cannot use the Application Catalog.

Dependency: Distribution point
More information: Before applications can be deployed to clients, you must have at least one distribution point
in the hierarchy. By default, the site server has a distribution point site role enabled during a standard
installation. The number and location of distribution points will vary according to the specific requirements of
your enterprise.

For more about how to install distribution points and manage content, see Manage content and content
infrastructure.

Dependency: Client settings
More information: Many client settings control how applications are installed on the client and the user
experience on the client. These client settings include the following:
Computer Agent
Computer Restart
Software Deployment
User and Device Affinity
For more about these client settings, see About client settings.

For more about how to configure client settings, see How to configure client settings.

Dependency: For the Application Catalog: Discovered user accounts
More information: Configuration Manager must first discover users before they can view and request applications
from the Application Catalog. For more information, see Run discovery.

Dependency: App-V 4.6 SP1 or later client to run virtual applications
More information: To be able to create virtual applications in Configuration Manager, client computers must have
the App-V 4.6 SP1 or later client installed.

You must also update the App-V client with the hotfix described in the Knowledge Base article 2645225 before you
can deploy virtual applications.

Dependency: Application Catalog web service point
More information: The Application Catalog web service point is a site system role that provides information
about available software from the Software Library to the Application Catalog website.

For more about how to configure this site system role, see Configure Software Center and the Application Catalog
(Windows PCs only) in this article.

Dependency: Application Catalog website point
More information: The Application Catalog website point is a site system role that provides users with a list of
available software.

For more about how to configure this site system role, see Configure Software Center and the Application Catalog
(Windows PCs only) in this article.

Dependency: Reporting services point
More information: To be able to use the reports in Configuration Manager for application management, you must
first install and configure a reporting services point.

For more information, see Reporting in System Center Configuration Manager.

Dependency: Security permissions for application management
More information: You must have the following security permissions to manage applications.

The Application Author security role includes the preceding listed permissions that are required to create,
change, and retire applications in Configuration Manager.

To deploy applications:

The Application Deployment Manager security role includes the preceding listed permissions that are required to
deploy applications in Configuration Manager.

The Application Administrator security role has all the permissions from both the Application Author and the
Application Deployment Manager security roles.

For more information, see Configure role-based administration.

Configure Software Center and the Application Catalog (Windows PCs only)
In System Center Configuration Manager, you now have two options for users to change settings, browse for
applications, and install applications:
The new Software Center - The new Software Center has a modern look. Apps that would have appeared
only in the Silverlight-dependent Application Catalog (user-available apps) now appear in Software Center
under the Applications tab. The Application Catalog can still be accessed by using the link under the
Installation Status tab of Software Center.
You can configure clients to use the new Software Center by enabling the client setting Computer Agent >
Use new Software Center.

IMPORTANT
Although you no longer need to connect to the Application Catalog, you must still configure the Application Catalog
website point and the Application Catalog web service point as detailed in the next section.

The previous Software Center and the Application Catalog - By default, users continue to connect to
the previous version of Software Center and connect to the Application Catalog (Silverlight-enabled web
browser required) to browse available applications.
Whatever version you choose to use, Software Center is installed automatically when you install the
Configuration Manager client on Windows PCs.

TIP
The version of Software Center that users see is based on Configuration Manager client settings. This gives you the
flexibility to control the version that's used based on custom client settings that you deploy to a collection.

IMPORTANT
In the coming months, we will be removing the previous version of Software Center, and it will no longer be available
for you to use. You can configure clients to use the new Software Center by enabling the client setting Computer
Agent > Use new Software Center.

Steps to install and configure the Application Catalog and Software Center
IMPORTANT
Before you do these steps, make sure that you have met all of the prerequisites listed previously.

Step 1: If you will use HTTPS connections, make sure that you have deployed a web server certificate to site
system servers.
Details: Deploy a web server certificate to the site system servers that will run the Application Catalog website
point and the Application Catalog web service point.
Additionally, if you want clients to use the Application Catalog from the Internet, deploy a web server
certificate to at least one management point site system server, and configure it for client connections from the
Internet.
More information: For more about certificate requirements, see PKI certificate requirements.

Step 2: If you will use a client PKI certificate for connections to management points, deploy a client
authentication certificate to client computers.
Details: Although clients do not use a client PKI certificate to connect to the Application Catalog, they must
connect to a management point before they can use the Application Catalog. You must deploy a client
authentication certificate to client computers in the following scenarios:
All management points on the intranet accept only HTTPS client connections.
Clients will connect to the Application Catalog from the Internet.
More information: For more about certificate requirements, see PKI certificate requirements.

Step 3: Install and configure the Application Catalog web service point and the Application Catalog website.
Details: You must install both site system roles in the same site. You do not have to install them on the same
site system server or in the same Active Directory forest. However, the Application Catalog web service point
must be in the same forest as the site database.
More information: For more about site system role placement, see Plan for site system servers and site system
roles.
To configure the Application Catalog web service point and the Application Catalog website point, see Step 3:
Install and configure the Application Catalog site system roles.

Step 4: Configure client settings for the Application Catalog and Software Center.
Details: Configure the default client settings if you want all users to have the same setting. Otherwise,
configure custom client settings for specific collections.
More information: For more about client settings, see About client settings.
For more about how to configure these client settings, see Step 4: Configure the client settings for the
Application Catalog and Software Center.

Step 5: Verify that the Application Catalog is operational.
Details: You can use the Application Catalog directly from a browser or from Software Center.
More information: See Step 5: Verify that the Application Catalog is operational.

Supplemental procedures to install and configure the Application Catalog and Software Center
Use the following information when the steps in the preceding table require supplemental procedures.
Step 3: Install and configure the Application Catalog site system roles
These procedures configure the site system roles for the Application Catalog. Choose one of the two following
procedures depending on whether you will install a new site system server or use an existing site system server:

NOTE
The Application Catalog cannot be installed on a secondary site or on a central administration site.

To install and configure the Application Catalog site systems: New site system server
1. In the Configuration Manager console, choose Administration > Site Configuration > Servers and Site
System Roles.
2. On the Home tab, in the Create group, choose Create Site System Server.
3. On the General page, specify the general settings for the site system, and then choose Next.

TIP
If you want client computers to use the Application Catalog over the Internet, specify the Internet fully qualified
domain name (FQDN).

4. On the System Role Selection page, select Application Catalog web service point and Application
Catalog website point from the list of available roles, and then choose Next.
5. Finish the wizard.
To install and configure the Application Catalog site systems: Existing site system server
1. In the Configuration Manager console, choose Administration > Site Configuration > Servers and Site
System Roles, and then select the server to use for the Application Catalog.
2. On the Home tab, in the Server group, choose Add Site System Roles.
3. On the General page, specify the general settings for the site system, and then choose Next.
TIP
If you want client computers to use the Application Catalog over the Internet, specify the Internet fully qualified
domain name (FQDN).

4. On the System Role Selection page, select Application Catalog web service point and Application
Catalog website point from the list of available roles, and then choose Next.
5. Finish the wizard.
6. Verify the installation of these site system roles by using status messages and by reviewing the log files:
Status messages: Use the components SMS_PORTALWEB_CONTROL_MANAGER and
SMS_AWEBSVC_CONTROL_MANAGER.
For example, status ID 1015 for SMS_PORTALWEB_CONTROL_MANAGER confirms that Site Component
Manager successfully installed the Application Catalog website point.
Log files: Search for SMSAWEBSVCSetup.log and SMSPORTALWEBSetup.log.
For more information, search for the awebsvcMSI.log and portlwebMSI.log log files.
Step 4: Configure the client settings for the Application Catalog and Software Center
This procedure configures the default client settings for the Application Catalog and Software Center that will apply
to all devices in the hierarchy. If you want these settings to apply to only some devices, you can create a custom
client setting and deploy it to a collection that has the devices that will have the specific settings. For more about
how to create a custom device setting, see the How to Create and Deploy Custom Client Settings section in the
How to configure client settings in System Center Configuration Manager article.
1. In the Configuration Manager console, choose Administration > Client Settings > Default Client
Settings.
2. On the Home tab, in the Properties group, choose Properties.
3. Review and configure settings that relate to user notifications, the Application Catalog, and Software Center.
For example:
a. Computer Agent group:
Default Application Catalog website point
Add default Application Catalog website to Internet Explorer trusted sites zone
Organization name displayed in Software Center

TIP
To specify the organization name that's displayed in the Application Catalog and configure the
website theme, use the Customization tab on the Application Catalog website properties.

Use new Software Center - Set to Yes if you want to use the new Software Center, which lets
users browse for and install available apps without the need to access the Application Catalog
(which requires a Silverlight-enabled web browser).
Install permissions
Show notifications for new deployments
b. Power Management group:
Allow users to exclude their device from power management
c. Remote Tools group:
Users can change policy or notification settings in Software Center
d. User and Device Affinity group:
Allow users to define their primary devices

NOTE
For more about the client settings, see About client settings in System Center Configuration Manager.

4. Choose OK to close the Default Client Settings dialog box.


Client computers will be configured with these settings when they next download client policy. To initiate
policy retrieval for a single client, see How to manage clients.
How to customize Software Center branding
Custom branding for the Software Center is applied according to the following rules:
1. If the Application Catalog website point site server role is not installed, then Software Center will display the
organization name specified in the Computer Agent client setting Organization name displayed in Software
Center. For instructions, see How to configure client settings.
2. If the Application Catalog website point site server role is installed, then Software Center will display the
organization name and color specified in the Application Catalog website point site server role properties. For
more information, see Configuration options for Application Catalog website point.
3. If a Microsoft Intune subscription is configured and connected to Configuration Manager, then Software Center
will display the organization name, color and company logo specified in the Intune subscription properties. For
more information, see Configuring the Microsoft Intune subscription.

IMPORTANT
Software Center branding is synchronized with the Intune service every 14 days; therefore, there might be a delay before
changes you make in Intune are displayed in Configuration Manager.

Step 5: Verify that the Application Catalog is operational


Use the following procedures to verify that the Application Catalog is operational. You can use the Application
Catalog directly from a browser or from Software Center.

NOTE
The Application Catalog requires Microsoft Silverlight, which is automatically installed as a Configuration Manager client
prerequisite. If you use the Application Catalog directly from a browser by using a computer that does not have the
Configuration Manager client installed, first verify that Microsoft Silverlight is installed on the computer.

TIP
Missing prerequisites are among the most typical reasons for the Application Catalog to operate incorrectly after installation.
Confirm the site system role prerequisites for the Application Catalog site system roles. You can do this by using the
Supported configurations article.
NOTE
If you signed in by using a Domain Administrator account, notification messages from the Configuration Manager client (for
example, messages indicating that new software is available) will not be displayed.

To use the Application Catalog directly from a browser


In a browser, enter the address of the Application Catalog website, and confirm that the web page shows the
three tabs: Application Catalog, My Application Requests, and My Devices.
Select and use the appropriate address in the following list for the Application Catalog, where <server> is
the computer name, intranet FQDN, or Internet FQDN:
HTTPS client connections and default site system role settings: https://<server>/CMApplicationCatalog
HTTP client connections and default site system role settings: http://<server>/CMApplicationCatalog
HTTPS client connections and custom site system role settings: https://<server>:<port>/<web application name>
HTTP client connections and custom site system role settings: http://<server>:<port>/<web application name>
To use the Application Catalog from Software Center (does not apply to the new version of Software Center)
1. On a client computer, choose Start > All Programs > Microsoft System Center 2012 > Configuration
Manager > Software Center.
2. If you previously configured an organizational name for Software Center as a client setting, confirm that this
displays as specified.
3. Choose Find additional applications from the Application Catalog, and confirm that the page shows
the three tabs: Application Catalog, My Application Requests, and My Devices.

WARNING
After you have installed the Application Catalog site system roles, you will not immediately see the Application Catalog when
you choose the Find additional applications from the Application Catalog link from Software Center. The Application
Catalog becomes available from Software Center after the client next downloads its client policy or up to 25 hours after the
Application Catalog site system roles are installed.
Security and privacy for application management in System Center Configuration Manager
12/7/2016 12 min to read

Applies to: System Center Configuration Manager (Current Branch)

Security best practices for application management


Security best practice: Configure the Application Catalog points to use HTTPS connections and educate users about the dangers of malicious websites.
More information: Configure the Application Catalog website point and the Application Catalog web service point to accept HTTPS connections so that the server is authenticated to users and the data that is transmitted is protected from tampering and viewing. Help to prevent social engineering attacks by educating users to connect to trusted websites only.
Do not use the branding configuration options that show the name of your organization in the Application Catalog as proof of identity when you do not use HTTPS.

Security best practice: Use role separation, and install the Application Catalog website point and the Application Catalog service point on separate servers.
More information: Install the Application Catalog website point on a separate server from the Application Catalog web service point. If the website point is compromised, this separation helps to protect the Configuration Manager clients and the Configuration Manager infrastructure. This is particularly important if the Application Catalog website point accepts client connections from the Internet because this configuration makes the server vulnerable to attack.

Security best practice: Educate users to close the browser window when they finish using the Application Catalog.
More information: If users browse to an external website in the same browser window that they used for the Application Catalog, the browser continues to use the security settings that are suitable for trusted sites in the intranet.

Security best practice: Manually specify the user device affinity instead of letting users identify their primary device. Do not enable usage-based configuration.
More information: Do not consider information that is collected from users or from the device to be authoritative. If you deploy software by using user device affinity that is not specified by a trusted administrative user, the software might be installed on computers and to users who are not authorized to receive that software.

Security best practice: Always configure deployments to download content from distribution points rather than run from distribution points.
More information: When you configure deployments to download content from a distribution point and run locally, the Configuration Manager client verifies the package hash after it downloads the content. The client discards the package if the hash does not match the hash in the policy. In comparison, if you configure the deployment to run directly from a distribution point, the Configuration Manager client does not verify the package hash, which means that the Configuration Manager client can install software that has been tampered with.
If you must run deployments directly from distribution points, use NTFS least permissions on the packages on the distribution points, and use Internet protocol security (IPsec) to secure the channel between the client and the distribution points and between the distribution points and the site server.

Security best practice: Do not let users interact with programs if the Run with administrative rights option is required.
More information: When you configure a program, you can set the Allow users to interact with this program option so that users can respond to any required prompts in the user interface. If the program is also configured to Run with administrative rights, an attacker at the computer that runs the program could use the user interface to escalate privileges on the client computer.
Use programs that use Windows Installer for setup and per-user elevated privileges for software deployments that require administrative credentials. Setup must be run in the context of a user who does not have administrative credentials. Windows Installer per-user elevated privileges provide the most secure way to deploy applications that have this requirement.

Security best practice: Restrict whether users can install software interactively by using the Installation permissions client setting.
More information: Configure the Computer Agent client device Install permissions setting to restrict the types of users who can install software by using the Application Catalog or Software Center. For example, create a custom client setting with Install permissions set to Only administrators. Then, apply this client setting to a collection of servers to prevent users without administrative permissions from installing software on those computers.

Security best practice: For mobile devices, deploy only applications that are signed.
More information: Deploy mobile device applications only if they are code-signed by a certification authority (CA) that is trusted by the mobile device. For example:
An application from a vendor, which is signed by a well-known CA, like VeriSign.
An internal application that you sign independent from Configuration Manager by using your internal CA.
An internal application that you sign by using Configuration Manager when you create the application type and use a signing certificate.

Security best practice: If you sign mobile device applications by using the Create Application Wizard in Configuration Manager, secure the location of the signing certificate file, and secure the communication channel.
More information: To help protect against elevation of privileges and against man-in-the-middle attacks, store the signing certificate file in a secured folder and use IPsec or Server Message Block (SMB) between the following computers:
The computer that runs the Configuration Manager console
The computer that stores the certificate signing file
The computer that stores the application source files
Alternatively, sign the application independent of Configuration Manager and before you run the Create Application Wizard.

Security best practice: Implement access controls to protect reference computers.
More information: When an administrative user configures the detection method in a deployment type by browsing to a reference computer, make sure that the computer has not been compromised.

Security best practice: Restrict and monitor the administrative users who are granted the role-based security roles that are related to application management:
Application Administrator
Application Author
Application Deployment Manager
More information: Even when you configure role-based administration, administrative users who create and deploy applications might have more permissions than you realize. For example, administrative users who create or change an application can select dependent applications that are not in their security scope.

Security best practice: When you configure Microsoft Application Virtualization (App-V) virtual environments, select applications that have the same trust level in the virtual environment.
More information: Because applications in an App-V virtual environment can share resources, like the clipboard, configure the virtual environment so that the selected applications have the same trust level.
For more information, see Create App-V virtual environments.

Security best practice: If you deploy applications for Mac computers, make sure that the source files are from a trustworthy source.
More information: The CMAppUtil tool does not validate the signature of the source package, so make sure that it comes from a source that you trust. The CMAppUtil tool cannot detect whether the files have been tampered with.

Security best practice: If you deploy applications for Mac computers, secure the location of the .cmmac file and secure the communication channel when you import this file to Configuration Manager.
More information: The .cmmac file that the CMAppUtil tool generates and that you import to Configuration Manager is not signed or validated. To help prevent tampering with this file, store it in a secured folder, and use IPsec or SMB between the following computers:
The computer that runs the Configuration Manager console
The computer that stores the .cmmac file

Security best practice: If you configure a web application deployment type, use HTTPS rather than HTTP to secure the connection.
More information: If you deploy a web application by using an HTTP link rather than an HTTPS link, the device could be redirected to a rogue server and data that's transferred between the device and server could be tampered with.
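
The best practices above note that CMAppUtil does not validate the source package and that the .cmmac file is neither signed nor validated, so any integrity check has to happen outside Configuration Manager. The following PowerShell is an added example, not part of the original article or of Configuration Manager: it records SHA-256 hashes on the trusted computer that produced the files and re-checks them on the console computer before import. The function names, the CSV manifest format and the demonstration paths are assumptions.

```powershell
# Added example (not Configuration Manager code). Function names, the CSV
# manifest format and all paths are assumptions chosen for illustration.
# Keep the manifest outside the content folder, in a location that the
# people who can write to the content cannot also write to.

function New-ContentManifest {
    # Run on the trusted computer that produced the source files or .cmmac file.
    param(
        [Parameter(Mandatory)] [string] $SourcePath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # ProviderPath avoids the provider prefix that Path carries for UNC paths.
    $root = (Resolve-Path -LiteralPath $SourcePath).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            # Relative paths let the manifest survive a copy to another share.
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-ContentManifest {
    # Run on the console computer after the copy and before the import.
    # Emits one record per problem; no output means the content matches.
    param(
        [Parameter(Mandatory)] [string] $SourcePath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $SourcePath).ProviderPath.TrimEnd('\')

    $expected = @{}   # PowerShell hashtable keys compare case-insensitively
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $expected[$row.RelativePath] = $row.Sha256
    }

    $seen = @{}
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel = $file.FullName.Substring($root.Length + 1)
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) {
            # A file that was not present when the manifest was recorded.
            [pscustomobject]@{ RelativePath = $rel; Problem = 'Unexpected file' }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$rel]) {
            [pscustomobject]@{ RelativePath = $rel; Problem = 'Hash mismatch' }
        }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ RelativePath = $rel; Problem = 'Missing file' }
        }
    }
}

# Constructed demonstration in a temporary folder: record, modify, re-check.
$demo     = Join-Path $env:TEMP ('manifest-demo-' + [guid]::NewGuid())
$src      = Join-Path $demo 'source'
$manifest = Join-Path $demo 'manifest.csv'
New-Item -ItemType Directory -Path $src -Force | Out-Null
Set-Content -LiteralPath (Join-Path $src 'setup.pkg') -Value 'constructed installer content'
New-ContentManifest -SourcePath $src -ManifestPath $manifest

# Simulate a change made after the manifest was recorded.
Add-Content -LiteralPath (Join-Path $src 'setup.pkg') -Value 'modified after hashing'
Set-Content -LiteralPath (Join-Path $src 'extra.sh') -Value 'file added after hashing'

$problems = @(Test-ContentManifest -SourcePath $src -ManifestPath $manifest)
$problems | Format-Table -AutoSize
if ($problems.Count -gt 0) { Write-Warning 'Content does not match the manifest; do not import it.' }

Remove-Item -LiteralPath $demo -Recurse -Force
```

The same check applies to content that must run directly from a distribution point, where the client does not verify the package hash.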

Security issues for application management


Low-rights users can copy files from the client cache on the client computer.
Users can read the client cache but cannot write to it. With read permissions, a user can copy application
installation files from one computer to another.
Low-rights users can change files that record software deployment history on the client computer.
Because the application history information is not protected, a user can change files that report whether an
application is installed.
App-V packages are not signed.
App-V packages in Configuration Manager do not support signing to verify that the content is from a trusted
source and that it has not been altered in transit. There is no mitigation for this security issue. Make sure that
you follow the security best practice to download the content from a trusted source and from a secure
location.
Published App-V applications can be installed by all users on the computer.
When an App-V application is published on a computer, all users who sign in to that computer can install the
application. This means that you cannot restrict the users who can install the application after it is published.
You cannot restrict install permissions for the company portal.
Although you can configure a client setting to restrict install permissions, for example, to primary users of a
device or to local administrators only, this setting does not work for the company portal. This could result in
an elevation of privileges because users could install an app that they should not be allowed to install.

Certificates for Microsoft Silverlight 5 and elevated trust mode required for the application catalog
Configuration Manager clients require Microsoft Silverlight 5, which must run in elevated trust mode for users to
install software from the Application Catalog. By default, Silverlight applications run in partial trust mode to prevent
applications from accessing user data. Configuration Manager automatically installs Microsoft Silverlight 5 on
clients if it is not already installed. By default, Configuration Manager sets the Computer Agent Allow Silverlight
applications to run in elevated trust mode client setting to Yes. This setting lets signed and trusted Silverlight
applications request elevated trust mode.
When you install the Application Catalog website point site system role, the client also installs a Microsoft signing
certificate in the Trusted Publishers computer certificate store on each Configuration Manager client computer. This
certificate lets Silverlight applications that are signed by this certificate run in the elevated trust mode that
computers require to install software from the Application Catalog. Configuration Manager automatically manages
this signing certificate. To ensure service continuity, do not manually delete or move this Microsoft signing
certificate.

WARNING
When enabled, the Allow Silverlight applications to run in elevated trust mode client setting lets all Silverlight
applications that are signed by certificates in the Trusted Publishers certificate store in either the computer store or the user
store run in elevated trust mode. The client setting cannot enable elevated trust mode specifically for the Configuration
Manager Application Catalog or for the Trusted Publishers certificate store in the computer store. If malware adds a rogue
certificate in the Trusted Publishers store, for example, in the user store, malware that uses its own Silverlight application can
now also run in elevated trust mode.

If you set the Allow Silverlight applications to run in elevated trust mode client setting to No, this does not
remove the Microsoft signing certificate from clients.
For more about trusted applications in Silverlight, see Trusted Applications.
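
Because the client setting trusts every certificate in the Trusted Publishers store of both the computer and the user, an audit of those stores against an approved list is a useful check. The following PowerShell is an added example, not part of the original article or of Configuration Manager; the function name and the allowlist are assumptions, and the thumbprint shown is a placeholder to replace with the values your organization has approved.

```powershell
# Added example (not Configuration Manager code). The function name and the
# allowlist are assumptions; the thumbprint below is a placeholder, not a real value.
$approvedThumbprints = @(
    '<APPROVED-PUBLISHER-CERTIFICATE-THUMBPRINT>'
)

function Get-UnapprovedTrustedPublisher {
    # Lists certificates in the Trusted Publishers stores that are not on the
    # approved list. The CurrentUser store is the store of the account that
    # runs the function, so run it in each user's context to cover user stores.
    param(
        [string[]] $Approved = @(),
        [string[]] $StorePath = @('Cert:\LocalMachine\TrustedPublisher',
                                  'Cert:\CurrentUser\TrustedPublisher')
    )
    # Thumbprints copied from certificate dialogs often contain spaces.
    $normalized = @($Approved | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

    foreach ($store in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($normalized -notcontains $cert.Thumbprint) {
                [pscustomobject]@{
                    Store      = $store
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

$findings = @(Get-UnapprovedTrustedPublisher -Approved $approvedThumbprints)
$findings | Format-Table -AutoSize

# Entries that exist only in the user store deserve the closest look, because
# a user-level process can add them without administrative rights.
$findings | Where-Object { $_.Store -like 'Cert:\CurrentUser\*' } |
    ForEach-Object { Write-Warning ("Unapproved user-store publisher: {0} ({1})" -f $_.Subject, $_.Thumbprint) }
```

Add the thumbprint of the Microsoft signing certificate that Configuration Manager installs to the approved list, taken from a known-good client, so that it is not reported.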

Privacy information for application management


Application management lets you run any application, program, or script on any client computer or client mobile
device in the hierarchy. Configuration Manager has no control over the types of applications, programs, or scripts
that you run or the type of information that they transmit. During the application deployment process,
Configuration Manager might transmit information that identifies the device and sign-in accounts between clients
and servers.
Configuration Manager maintains status information about the software deployment process. Software
deployment status information is not encrypted during transmission unless the client communicates by using
HTTPS. The status information is not stored in encrypted form in the database.
The use of Configuration Manager application installation to remotely, interactively, or silently install software on
clients might be subject to software license terms for that software. This use is separate from the Software License
Terms for System Center Configuration Manager. Always review and agree to the Software Licensing Terms before
you deploy software by using Configuration Manager.
Application deployment does not happen by default and requires several configuration steps.
Two optional features that help make software deployment more efficient are user device affinity and the Application Catalog:
User device affinity maps a user to devices so that a Configuration Manager admin can deploy software to a
user, and the software is automatically installed on one or more computers that the user uses most often.
The Application Catalog is a website that lets users request software to install.
View the following sections for privacy information about user device affinity and the Application Catalog.
Before you configure application management, consider your privacy requirements.

User device affinity


Configuration Manager might transmit information between clients and management point site systems. The
information might identify the computer and sign-in account and the summarized usage for sign-in accounts.
The information that is transmitted between the client and server is not encrypted unless the management point
is configured to require clients to communicate by using HTTPS.
The computer and sign-in account usage information that is used to map a user to a device is stored on client
computers, sent to management points, and then stored in the Configuration Manager database. The old
information is deleted from the database by default after 90 days. The deletion behavior is configurable by
setting the Delete Aged User Device Affinity Data site maintenance task.
Configuration Manager maintains status information about user device affinity. Status information is not
encrypted during transmission unless clients are configured to communicate with management points by using
HTTPS. Status information is not stored in encrypted form in the database.
Computer, sign-in account usage information, and status information are not sent to Microsoft.
Computer and sign-in usage information that is used to establish user and device affinity is always enabled. In
addition, users and administrative users can supply user device affinity information.

Application Catalog
The Application Catalog lets the Configuration Manager admin publish any application or program or script for
users to run. Configuration Manager has no control over the types of programs or scripts that are published in
the catalog or the type of information that they transmit.
Configuration Manager might transmit information between clients and the Application Catalog site system
roles. The information might identify the computer and sign-in accounts. The information that is transmitted
between the client and servers is not encrypted unless these site system roles are configured to require that
clients connect by using HTTPS.
The information about the application approval request is stored in the Configuration Manager database.
Requests that are canceled or denied and the corresponding request history entries are deleted by default after
30 days. The deletion behavior is configurable by setting the Delete Aged Application Request Data site
maintenance task. Application approval requests that are in approved and pending states are never deleted.
Information that is sent to and from the Application Catalog is not sent to Microsoft.
The Application Catalog is not installed by default. This installation requires several configuration steps.
Create applications with System Center Configuration Manager
11/23/2016 27 min to read

Applies to: System Center Configuration Manager (Current Branch)


A System Center Configuration Manager application has the files and information that are required to deploy
software to a device. An application has one or more deployment types that comprise the installation files and
information that are required to install software. A deployment type also has rules that specify when and how
the software is deployed.
You can create applications by using the following methods:
Automatically create the application and deployment types by reading the application installation files.
Manually create the application and then add deployment types later.
Import an application from a file.
Use the following steps to create Configuration Manager applications and deployment types.

Start the create application wizard


1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. On the Home tab, in the Create group, choose Create Application.

Specify whether you want to automatically detect application information or manually define the information
Automatically detect application information when you want to create a simple application that has a
single deployment type, like a Windows Installer file that has no dependencies or requirements. After you
create an application by using this procedure, you can edit it as needed to add or change deployment
types and add detection methods, dependencies, or requirements.
Manually specify application information to create more complex applications that have multiple
deployment types, dependencies, detection methods, or requirements.
Automatically detect application information
1. On the General page of the Create Application wizard, select Automatically detect information about
this application from installation files.
2. In the Type drop-down list, select the application installation file type that you want to use to detect
application information. For information about the available installation types, see Deployment types
supported by Configuration Manager in this topic.
3. In the Location box, specify the UNC path (in the form \\server\share\filename) or the store link for the
application installation file that you want to use to detect application information. Alternatively, click
Browse to browse to the installation file.
IMPORTANT
When you select Windows Installer (*.msi file) as an application type, all of the files in the folder that you specify
will be imported with the application and will be sent to distribution points. Ensure that the folder that you specify
contains only the files that are necessary to install the application. Configuration Manager is tested to support up
to 20,000 application files in the application package. If your application has more files, consider creating multiple
applications that have a smaller number of files.
You must have access to the UNC path that has the application and any subfolders that contain application
content.

4. On the Import Information page of the Create Application wizard, review the information that was
imported, and then choose Next. If necessary, you can choose Previous to go back and fix any errors.
5. On the General Information page of the Create Application wizard, specify the following information:

NOTE
Some of this information might already be populated if it was automatically obtained from the application
installation files. Additionally, the displayed options might be different depending on the application type that you
create.

General information about the application, like the application name, comments, version, and an
optional reference to help you find the application in the Configuration Manager console.
Installation program--Specify the installation program and any required properties that are
needed to install the application deployment type.

TIP
If the installation program does not appear, choose Browse and browse to the installation program
location.

Install behavior--Specify whether the application deployment type will be installed for only the
currently logged-on user or for all users. You can also specify that the deployment type will be
installed for all users if it is deployed to a device, or only to a specific user if it is deployed to a user.
Use an automatic VPN connection (if configured)--If a VPN profile has been deployed to the
device on which the app is launched, launch the VPN connection when the app starts (Windows 8.1
and Windows Phone 8.1 only).
On Windows Phone 8.1 devices, automatic VPN connections are not supported if more than one
VPN profile has been deployed to the device.
For more about VPN profiles, see VPN profiles.
6. Choose Next, review the application information on the Summary page, and then finish the Create
Application wizard.
The new application appears in the Applications node of the Configuration Manager console, and you have
finished creating an application. If you want to add more deployment types to the application, see Create
deployment types for the application in this topic.
Manually specify application information
1. On the General page of the Create Application wizard, select Manually specify the application
information, and then choose Next.
2. Specify general information about the application, like the application name, comments, version, and an
optional reference to help you find the application in the Configuration Manager console.
3. On the Application Catalog page of the Create Application wizard, specify the following information:
Selected language--In the drop-down list, select the language version of the application that you
want to set up. Choose Add/Remove to set up more languages for this application.
Localized application name--Specify the application name in the language that you selected in
the Selected language drop-down list.

IMPORTANT
You must specify a localized application name for each language version that you set up.

User categories--Choose Edit to specify application categories in the language that you selected
in the Selected Language drop-down list. Users of Software Center can use these selected
categories to help filter and sort the available applications.
User documentation--Choose Browse to specify the URL to, or the UNC path and file name of, a
file that users of Software Center can read to get more information about this application.
Link text--Specify the text that will appear in place of the URL to the application.
Application Privacy URL--Specify a URL that links to the privacy statement for the application.
Localized description--Enter a description for this application in the language that you selected
in the Selected Language drop-down list.
Keywords--Enter a list of keywords in the language that you selected in the Selected Language
drop-down list. These keywords will help users of Software Center search for the application.
Icon--Choose Browse to select an icon for this application from the available icons. If you do not
specify an icon, a default icon will be used for this application.
Display this as a featured app and highlight it in the company portal--Select this option to
display the app prominently in the company portal.
4. On the Deployment Types page of the Create Application wizard, choose Add to create a new
deployment type.
For more information, see Create deployment types for the application.
5. Choose Next, review the application information on the Summary page, and then finish the Create
Application wizard.
The new application appears in the Applications node of the Configuration Manager console.

Create deployment types for the application


If you select Automatically identify information about this deployment type from installation files on
the General page of the Create Deployment Type wizard, you might not need to finish some of the steps in the
following procedures.

Start the create deployment type wizard


1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. Select an application, and then on the Home tab, in the Application group, choose Create Deployment
Type.

TIP
You can also start the Create Deployment Type wizard from the Create Application wizard and from the Deployment
Types tab of the Properties dialog box.

Specify whether you want to automatically detect deployment type information or manually set up the information

Use one of the following procedures to automatically detect or manually set up deployment type information.
Automatically detect deployment type information
1. On the General page of the Create Deployment Type wizard, select Automatically identify
information about this deployment type from installation files.
2. In the Type box, select the application installation file type that you want to use to detect the deployment
type information.
3. In the Location box, specify the UNC path (in the form \\server\share\filename) or specify the store link
to the application installation files and the content that you want to use to detect the deployment type
information. You can also choose Browse to locate the installation file.

NOTE
You must have access to the UNC path that has the application and any subfolders that contain the application
content.

4. On the Import Information page of the Create Deployment Type wizard, review the information that
was imported, and then choose Next. You can also choose Previous to go back and fix any errors.
5. On the General Information page of the Create Deployment Type wizard, specify the following
information:

NOTE
Some of the deployment type information might already be present if it was read from the application installation
files. Additionally, the displayed options might differ, depending on the deployment type that you are creating.

General information about the deployment type, like the name, admin comments, and available
languages.
Installation program--Specify the installation program and any properties that you require to
install the deployment type.
Install behavior--Specify whether to install the deployment type for the current user or for all
users. You can also specify whether to install the deployment type for all users if it is deployed to a
device, or whether to install the deployment type to a user only if it is deployed to a user.
Use an automatic VPN connection (if configured)--If a VPN profile has been deployed to the
device on which the app is launched, launch the VPN connection when the app starts (Windows 8.1
and Windows Phone 8.1 only). If multiple VPN profiles have been deployed to a Windows 8.1
device, the first deployed VPN profile is used by default.
On Windows Phone 8.1 devices, automatic VPN connections are not supported if more than one
VPN profile has been deployed to the device.
For more about VPN profiles, see VPN profiles in System Center Configuration Manager.
6. Choose Next, and then continue to Specify content options for the deployment type.
Manually set up the deployment type information
1. On the General page of the Create Deployment Type wizard, select Manually specify the deployment
type information.
2. In the Type box, choose the application installation file type that you want to use to detect the
deployment type information. You can choose the same installation types that you would use when you
automatically detect the deployment type information, and you can also specify a script to install the
deployment type.
3. On the General Information page of the Create Deployment Type wizard, specify a name for the
deployment type, an optional description, and the languages in which you want to make this deployment
type available, and then choose Next.
4. Continue to Specify content options for the deployment type.

Specify content options for the deployment type


1. On the Content page of the Create Deployment Type wizard, specify the following information:
Content location--Specify the location of the content for this deployment type, or select Browse
to choose the deployment type content folder.

IMPORTANT
The System account of the site server computer must have permissions to the content location that you
specify.

Persist content in the client cache--Select this option to specify whether the content should be
retained in the cache on the client computer indefinitely, even if it has already been run. Although
this option can be useful with some deployments, like Windows Installer-based software that
requires a local source copy to be available for applying updates, it will reduce the available cache
space. If you select this option, it might cause a large deployment to fail at a later point if the cache
does not have sufficient available space.
Allow clients to share content with other clients on the same subnet--Select this option to
reduce load on the network by allowing clients to download content from other local clients on the
network that have already downloaded and cached the content. This option utilizes Windows
BranchCache technology.
Installation program--Specify the name of the installation program and any required installation
parameters, or choose Browse to locate the installation file.
Installation start in--Optionally, specify the folder that has the installation program for the
deployment type. This folder can be an absolute path on the client or a path to the distribution
point folder that has the installation files.
Uninstall program--Optionally, specify the name of the uninstall program and any required
parameters, or choose Browse to locate it.
Uninstall start in--Optionally, specify the folder that has the uninstall program for the
deployment type. This folder can be an absolute path on the client or a path that is relative to the
distribution point folder that has the package.
Run installation and uninstall program as 32-bit process on 64-bit clients--Use the 32-bit
file and registry locations on Windows-based computers to run the installation program for the
deployment type.
2. Choose Next.

Set up detection methods to indicate the presence of the deployment type (Windows PCs only)

This procedure sets up a detection method that indicates whether the deployment type is already installed.
1. On the Detection Method page of the Create Deployment Type wizard, select Configure rules to
detect the presence of this deployment type, and then choose Add Clause.

NOTE
You can also select Use a custom script to detect the presence of this deployment type. For more
information, see Use a custom script to check for the presence of a deployment type.

2. In the Detection Rule dialog box, in the Setting type drop-down list, select the method that you want to
use to detect the presence of the deployment type. You can choose from the following available methods:
File System--Use this method to detect whether a specified file or folder exists on a client device,
thus indicating that the application is installed.

NOTE
The File system setting type does not support specifying a UNC path to a network share in the Path field.
You can only specify a local path on the client device.
To check 32-bit file locations for the specified file or folder, select the option This file or folder is
associated with a 32-bit application on 64-bit systems first. If the file or folder is not found, 64-bit
locations will be searched.

Registry--Use this method to detect whether a specified registry key or registry value exists on a
client device, thus indicating that the application is installed.

NOTE
To check 32-bit registry locations for the specified registry key, select the option This registry key is
associated with a 32-bit application on 64-bit systems first. If the registry key is not found, 64-bit
locations will be searched.

Windows Installer--Use this method to detect whether a specified Windows Installer file exists on
a client device, thus indicating that the application is installed.
3. Specify details about the item that you want to use to detect whether this deployment type is installed. For
example, you can use a file, folder, registry key, registry value, or a Windows Installer product code.
4. Specify details about the value that you want to assess against the item that you use to detect whether the
deployment type is installed. For example, if you use a file to check whether the deployment type is
installed, you can select The file system setting must exist on the target system to indicate
presence of this application.
5. Choose Next to close the Detection Rule dialog box.
Use a custom script to check for the presence of a deployment type
1. On the Detection Method page of the Create Deployment Type wizard, select the Use a custom script
to detect the presence of this deployment type box, and then choose Edit.
2. In the Script Editor dialog box, in the Script type drop-down list, select the script language that you
want to use to detect the deployment type.
3. In the Script contents box, enter the script that you want to use. You can also paste the contents of an
existing script in this field, or choose Open to browse to an existing saved script. Configuration Manager
checks the results from the script by reading the values that are written to the Standard Out (STDOUT)
output stream, the Standard Error (STDERR) output stream, and the exit code from the script. If the exit
code is a nonzero value, the script has failed and the application detection status is unknown. If the exit
code is zero and STDOUT has data, the application detection status is Installed.
Use the following table to see how to use the output from a script to check whether an application is
installed.

SCRIPT EXIT CODE   DATA READ FROM STDOUT   DATA READ FROM STDERR   SCRIPT RESULT   APPLICATION DETECTION STATE

0                  Empty                   Empty                   Success         Not installed
0                  Empty                   Not empty               Failure         Unknown
0                  Not empty               Empty                   Success         Installed
0                  Not empty               Not empty               Success         Installed
Non-zero value     Empty                   Empty                   Failure         Unknown
Non-zero value     Empty                   Not empty               Failure         Unknown
Non-zero value     Not empty               Empty                   Failure         Unknown
Non-zero value     Not empty               Not empty               Failure         Unknown

The following table has Microsoft Visual Basic (VB) sample scripts that you can use to write your own application
detection scripts.

VISUAL BASIC SAMPLE SCRIPT        DESCRIPTION

WScript.Quit(1)
    The script returns an exit code that is not zero, which indicates that it failed to run
    successfully. In this case, the application detection state is unknown.

WScript.StdErr.Write "Script failed"
WScript.Quit(0)
    The script returns an exit code of zero, but the value of STDERR is not empty, which indicates
    that the script failed to run successfully. In this case, the application detection state is
    unknown.

WScript.Quit(0)
    The script returns an exit code of zero, which indicates that it ran successfully. However, the
    value for STDOUT is empty, which indicates that the application is not installed.

WScript.StdOut.Write "The application is installed"
WScript.Quit(0)
    The script returns an exit code of zero, which indicates that it ran successfully. The value for
    STDOUT is not empty, which indicates that the application is installed.

WScript.StdOut.Write "The application is installed"
WScript.StdErr.Write "Completed"
WScript.Quit(0)
    The script returns an exit code of zero, which indicates that it ran successfully. The values for
    STDOUT and STDERR are not empty, which indicates that the application is installed.

NOTE
The maximum size that you can use for a script is 32 kilobytes (KB).

4. Choose OK to close the Script Editor dialog box.
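
The exit-code and output rules above, applied in a fuller detection script. This is an added example, not one of the documentation's samples; the file path and minimum version are hypothetical values chosen for illustration. It reports a missing or outdated file as Not installed (exit code 0, nothing written), and turns any runtime error into a deliberate non-zero exit so the state is Unknown rather than a false Installed or Not installed.

```vbscript
Option Explicit

' Hypothetical values (assumptions for this example): the file the installer
' lays down and the lowest version that counts as "installed".
Const TARGET_FILE = "C:\Program Files\Contoso\ExampleApp\ExampleApp.exe"
Const MIN_VERSION = "2.1.0.0"

' Compare two dotted numeric version strings part by part.
' Returns -1 if a < b, 0 if equal, 1 if a > b. Missing parts count as 0.
Function CompareVersions(a, b)
    Dim partsA, partsB, i, last, numA, numB
    partsA = Split(a, ".")
    partsB = Split(b, ".")
    last = UBound(partsA)
    If UBound(partsB) > last Then last = UBound(partsB)
    CompareVersions = 0
    For i = 0 To last
        numA = 0
        numB = 0
        If i <= UBound(partsA) Then numA = CLng(partsA(i))
        If i <= UBound(partsB) Then numB = CLng(partsB(i))
        If numA < numB Then
            CompareVersions = -1
            Exit Function
        ElseIf numA > numB Then
            CompareVersions = 1
            Exit Function
        End If
    Next
End Function

Dim fso, installedVersion, cmp
Set fso = CreateObject("Scripting.FileSystemObject")

' File absent: exit code 0 with empty STDOUT and STDERR -> Not installed.
If Not fso.FileExists(TARGET_FILE) Then
    WScript.Quit(0)
End If

' Trap runtime errors from here on and convert them into a deliberate
' non-zero exit code -> detection state Unknown.
On Error Resume Next
installedVersion = fso.GetFileVersion(TARGET_FILE)
If Err.Number <> 0 Then WScript.Quit(1)

' GetFileVersion returns an empty string when the file carries no version
' information; treat that as Not installed (exit code 0, no output).
If installedVersion = "" Then WScript.Quit(0)

cmp = CompareVersions(installedVersion, MIN_VERSION)
If Err.Number <> 0 Then WScript.Quit(1)   ' for example, a non-numeric version part
On Error GoTo 0

' Write to STDOUT only when the version requirement is met -> Installed.
' Nothing is ever written to STDERR on an exit-code-0 path, because
' exit code 0 with empty STDOUT and non-empty STDERR is read as a failure.
If cmp >= 0 Then WScript.StdOut.Write "Installed: " & installedVersion
WScript.Quit(0)
```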

Specify user experience options for the deployment type


These settings specify how the application will be installed on devices and what the user will see.
1. On the User Experience page of the Create Deployment Type wizard, specify the following information:
Installation behavior--In the drop-down list, select one of the following options:
Install for User--The application is installed only for the user to whom the application is
deployed.
Install for System--The application is installed only once, and it is available to all users.
Install for System if resource is device; otherwise install as user--If the application is
deployed to a device, it will be installed for all users. If the application is deployed to a user,
it will be installed for only that user.
Logon requirement--Specify the logon requirements for this deployment type from the following
options:
Only when a user is logged on
Whether or not a user is logged on
Only when no user is logged on

NOTE
This option defaults to Only when a user is logged on, and it cannot be changed if you selected Install
for user in the Installation behavior drop-down list.

Installation program visibility--Specify the mode in which the deployment type will run on
client devices. The following options are available:
Maximized--The deployment type runs maximized on client devices. Users will see all
installation activity.
Normal--The deployment type runs in the normal mode based on system and program
defaults. This is the default mode.
Minimized--The deployment type runs minimized on client devices. Users might see the
installation activity in the notification area or taskbar.
Hidden--The deployment type runs hidden on client devices, and users will see no
installation activity.
Allow users to view and interact with the program installation--Specify whether a user can
interact with the deployment type installation to set up the installation options.

NOTE
This option is enabled by default if you selected the Install for user option in the Installation behavior
drop-down list.

Maximum allowed run time (minutes)--Specify the maximum time that the program is
expected to run on the client computer. You can specify this setting as a whole number greater
than zero. The default setting is 120 minutes.
This value is used to:
Monitor the results from the deployment type.
Check whether a deployment type will be installed when maintenance windows are defined
on client devices. When a maintenance window is in place, a program will start only if
enough time is available in the maintenance window to accommodate the Maximum
Allowed Run Time setting.

IMPORTANT
A conflict might occur if the Maximum allowed run time is longer than the scheduled maintenance
window. If the user sets the maximum run time to a period that exceeds the length of any available
maintenance window, that deployment type will not be run.

2. Estimated installation time (minutes)--Specify the estimated time that installation of the deployment
type will take. This is displayed to users of Software Center.

Specify requirements for the deployment type


1. On the Requirements page of the Create Deployment Type wizard, choose Add to open the Create
Requirement dialog box, and add a new requirement.

NOTE
You can also add new requirements on the Requirements tab of the Properties dialog box.

2. In the Category drop-down list, select whether this requirement is for a device or a user, or select
Custom to use a previously created global condition. When you select Custom, you can also choose
Create to create a new global condition. For more about global conditions, see How to create global
conditions.
IMPORTANT
Any requirement of the category User and the condition Primary Device will be ignored if you deploy the
application to a device collection.
If you created a Windows package and program or task sequence that has Windows 10 as a requirement using
System Center 2012 R2 Configuration Manager SP1 and then upgrade to System Center Configuration Manager,
the requirements for Windows 10 might be removed. To fix this problem, specify the requirements again. Note
that although the requirement has been removed from the requirements display, it is still processed correctly on
devices.

3. In the Condition drop-down list, select the condition that you want to use to assess whether the user or
device meets the installation requirements. The contents of this list will vary depending on the selected
category.
4. In the Operator drop-down list, select the operator that will be used to compare the selected condition to
the specified value to assess whether the user or device meets the installation requirements. The available
operators will vary depending on the selected condition.

IMPORTANT
The available requirements will differ depending on the device type that the deployment type uses.

5. In the Value box, specify the values that will be used with the selected condition and operator to evaluate
whether the user or device meets the installation requirements. The available values will vary depending
on the selected condition and the selected operator.
6. Choose OK to save the requirement and close the Create Requirement dialog box.

Specify dependencies for the deployment type


Dependencies define one or more deployment types from another application that must be installed before a
deployment type is installed. You can set up the dependent deployment types to be installed automatically
before a deployment type is installed.

IMPORTANT
In some cases, a deployment type is dependent on a deployment type that also has dependencies. The maximum number
of supported dependencies in the chain is five.

1. On the Dependencies page of the Create Deployment Type wizard, choose Add if you want to specify
the deployment types that must be installed before this deployment type can be installed.

IMPORTANT
You can also add new dependencies on the Dependencies tab of the Properties dialog box.

2. In the Add Dependency dialog box, choose Add.


3. In the Specify Required Application dialog box, select an existing application and one of the application
deployment types to use as a dependency.
TIP
You can choose View to display the properties of the selected application or deployment type.

4. Choose OK to close the Specify Required Application dialog box.


5. If you want a dependent application to be automatically installed, select Auto Install next to the
dependent application.

NOTE
A dependent application does not need to be deployed to be automatically installed.

6. In the Add Dependency dialog box under Dependency group name, enter a name to refer to this
group of application dependencies.
7. Optionally, use the Increase Priority and Decrease Priority buttons to change the order in which each
dependency is evaluated.
8. Choose OK to close the Add Dependency dialog box.

Confirm the deployment type settings and finish the wizard


1. On the Summary page of the Create Deployment Type wizard, review the actions that the wizard will
take. Choose Next to create the deployment type, or choose Previous to go back and change the settings
for the deployment type.
2. After the Progress page finishes, review the actions that the wizard took, and then choose Close to finish
the wizard.
3. If you started the Create Deployment Type wizard from the Create Application wizard, you will return to
the Deployment Types page of the Create Application wizard.

Set up additional options for deployment types that contain virtual applications

Use the following procedures to set up additional options for deployment types that contain virtual applications.
Set up content options for Application Virtualization (App-V) deployment types
1. In the Configuration Manager console, choose Software Library > Applications.
2. In the Applications list, select an application that has an App-V deployment type. Then, on the Home tab,
in the Properties group, choose Properties.
3. In the Properties dialog box, on the Deployment Types tab, select an App-V deployment type, and then
choose Edit.
4. In the Properties dialog box, on the Content tab, set up the following options if required:
Persist content in the client cache--Select this option to ensure that the content for this
deployment type is not deleted from the Configuration Manager client cache.
Load content into App-V cache before launch--Select this option to ensure that all content for
the virtual application is loaded into the App-V cache before the application starts. Selection of this
option also ensures that the application content is not pinned in the cache and can be deleted as
required.
5. Choose OK to close the Properties dialog box.
6. Choose OK to close the Properties dialog box.
Set up publishing options for App-V deployment types
1. In the Configuration Manager console, choose Software Library > Applications.
2. In the Applications list, select an application that has an App-V deployment type. Then, on the Home tab,
in the Properties group, choose Properties.
3. In the Properties dialog box, on the Deployment Types tab, select an App-V deployment type, and then
choose Edit.
4. In the Properties dialog box, on the Publishing tab, select the items in the virtual application that you
want to publish.
5. Choose OK to close the Properties dialog box.
6. Choose OK to close the Properties dialog box.

Import an application
Use the following procedure to import an application into Configuration Manager. For information about how to
export an application, see Management tasks for System Center Configuration Manager applications.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. On the Home tab, in the Create group, choose Import Application.
3. On the General page of the Import Application wizard, choose Browse, and then specify a UNC path
to the .zip file that has the application you want to import.
4. On the File Content page, select the action that will be taken if the application that you are trying to
import is a duplicate of an existing application. You can create a new application or ignore the duplicate
and add a new revision to the existing application.
5. On the Summary page, review the actions to be taken, and then finish the wizard.
The new application appears in the Applications node.

TIP
The Windows PowerShell cmdlet Import-CMApplication has the same function as this procedure. For more information,
see Import-CMApplication in Microsoft System Center 2012 Configuration Manager SP1 Cmdlet Reference.

Deployment types supported by Configuration Manager


DEPLOYMENT TYPE NAME        MORE INFORMATION

Windows Installer (*.msi file)
    Creates a deployment type from a Windows Installer file.

Windows app package (*.appx, *.appxbundle)
    Creates a deployment type for Windows 8, Windows RT, or later from a Windows app package file
    or Windows app bundle package.

Windows app package (in the Windows Store)
    Creates a deployment type for Windows 8, Windows RT, or later by specifying a link to the app in
    the Windows Store or by browsing the store to select the app you require.

    If you want to deploy the app as a link to the Windows Store, make sure that the Group Policy
    setting Turn off the Store application is set to Disabled or Not configured. If this setting is
    enabled, clients will not be able to connect to the Windows Store to download and install
    applications.

    Windows 8 deployment types that use a link to a store are always evaluated before other
    deployment types, irrespective of their priority.

Script Installer
    Creates a deployment type that specifies a script that runs on client devices to install content
    or to do an action.

Microsoft Application Virtualization 4
    Creates a deployment type from a Microsoft Application Virtualization 4 manifest.

Microsoft Application Virtualization 5
    Creates a deployment type from a Microsoft Application Virtualization 5 package file.

Windows Phone app package (*.xap file)
    Creates a deployment type from a Windows Phone app package file.

Windows Phone app package (in the Windows Phone Store)
    Creates a deployment type by specifying a link to the app in the Windows Phone store.

Windows Mobile Cabinet
    Creates a deployment type for Windows Mobile devices from a Windows Mobile Cabinet (CAB) file.

App Package for iOS (*.ipa file)
    Creates a deployment type from an iOS app package file.

App Package for iOS from App Store
    Creates a deployment type by specifying a link to the iOS app in the App Store.

App Package for Android (*.apk file)
    Creates a deployment type from an Android app package file.

App Package for Android on Google Play
    Creates a deployment type by specifying a link to the app on Google Play.

Mac OS X
    Creates a deployment type for Mac computers from a .cmmac file that you have created by using
    the CMAppUtil tool.

    Applies only to Mac computers running the Configuration Manager client.

Web Application
    Creates a deployment type that specifies a link to a web application. The deployment type
    installs a shortcut to the web application on the user's device.

    If you have installed the Intune managed browser on iOS or Android devices that you manage, you
    can ensure that users can only use the managed browser to open the app. To do this, use one of
    the following formats when you specify a link to the app by replacing http: with http-intunemam:
    or https: with https-intunemam:

    - http-intunemam://
    - https-intunemam://

    You can use Configuration Manager application requirements to ensure that apps you want to
    associate with the managed browser are only installed to iOS and Android devices.

    For more about the Intune managed browser, see Manage Internet access using managed browser
    policies.

Windows Installer through MDM (*.msi)
    This installer type lets you create and deploy Windows Installer-based apps to PCs that run
    Windows 10.

    The following considerations apply when you use this installer type:

    - You can only upload a single file with the extension .msi.
    - The file's product code and product version are used for app detection.
    - The default restart behavior of the app will be used. Configuration Manager does not control
      this.
    - Per-user MSI packages will be installed for a single user.
    - Per-machine MSI packages will be installed for all users on the device.
    - Dual-mode MSI packages currently only install for all users on the device.
    - App updates are supported when the MSI product code of each version is the same.

Create iOS applications with System Center Configuration Manager
12/5/2016

Applies to: System Center Configuration Manager (Current Branch)


Keep the following considerations in mind when you create and deploy applications for iOS devices.

General considerations
Configuration Manager supports the deployment of the following app types:

DEVICE TYPE        SUPPORTED FILES

iOS
    *.ipa

    In System Center Configuration Manager, you do not need to specify a property list (.plist) file
    when importing an iOS app.

The following deployment actions are supported:

DEVICE TYPE        SUPPORTED ACTIONS

iOS
    Available, Required. The user must consent to both installation and uninstallation.

IMPORTANT
Currently, end-users cannot install corporate apps from the Microsoft Intune Company Portal app for iOS. This is because
there are restrictions that are placed on apps that are published in the iOS App Store (see App Store Review Guidelines,
Section 2). Users can install corporate apps (including managed App Store apps and line-of-business app packages) by
browsing to the Intune Web Portal on their device (portal.manage.microsoft.com). For more information about the mobile
management capabilities that are enabled by the Intune Company Portal app, see Enrolled device management capabilities in
Microsoft Intune.

Create Mac computer applications with System Center Configuration Manager
12/29/2016

Applies to: System Center Configuration Manager (Current Branch)


Keep the following considerations in mind when you create and deploy applications for Mac computers.

IMPORTANT
The procedures in this topic cover information about deploying applications to Mac computers on which you installed the
Configuration Manager client. Mac computers that you enrolled with Microsoft Intune do not support application
deployment.

General considerations
You can use System Center Configuration Manager to deploy applications to Mac computers that run the
Configuration Manager Mac client. The steps to deploy software to Mac computers are similar to the steps to
deploy software to Windows computers. However, before you create and deploy applications for Mac computers
that are managed by Configuration Manager, consider the following:
Before you can deploy Mac application packages to Mac computers, you must use the CMAppUtil tool on a
Mac computer to convert these applications into a format that can be read by Configuration Manager.
Configuration Manager does not support the deployment of Mac applications to users. Instead, these
deployments must be made to a device. Similarly, for Mac application deployments, Configuration Manager
does not support the Pre-deploy software to the user's primary device option on the Deployment
Settings page of the Deploy Software Wizard.
Mac applications support simulated deployments.
You cannot deploy applications to Mac computers that have a purpose of Available.
The option to send wake-up packets when you deploy software is not supported for Mac computers.
Mac computers do not support Background Intelligent Transfer Service (BITS) for downloading application
content. If an application download fails, it is restarted from the beginning.
Configuration Manager does not support global conditions when you create deployment types for Mac
computers.

Steps to create and deploy an application


The following table provides the steps, details, and information for creating and deploying applications for Mac
computers.

STEP        DETAILS

Step 1: Prepare Mac applications for Configuration Manager
    Before you can create Configuration Manager applications from Mac software packages, you must
    use the CMAppUtil tool on a Mac computer to convert the Mac software into a Configuration
    Manager .cmmac file.

Step 2: Create a Configuration Manager application that contains the Mac software
    Use the Create Application Wizard to create an application for the Mac software.

Step 3: Create a deployment type for the Mac application
    This step is required only if you did not automatically import this information from the
    application.

Step 4: Deploy the Mac application
    Use the Deploy Software Wizard to deploy the application to Mac computers.

Step 5: Monitor the deployment of the Mac application
    Monitor the success of application deployments to Mac computers.

Supplemental procedures to create and deploy applications for Mac computers

Use the following procedures to create and deploy applications for Mac computers that are managed by
Configuration Manager.
Step 1: Prepare Mac applications for Configuration Manager
The process for creating and deploying Configuration Manager applications to Mac computers is similar to the
deployment process for Windows computers. However, before you create Configuration Manager applications that
contain Mac deployment types, you must prepare the applications by using the CMAppUtil tool. This tool is
downloaded with the Mac client installation files. The CMAppUtil tool can gather information about the
application, which includes detection data from the following Mac packages:
Apple Disk Image (.dmg)
Meta Package File (.mpkg)
Mac OS X Installer Package (.pkg)
Mac OS X Application (.app)
After it gathers application information, CMAppUtil creates a file with the extension .cmmac. This file
contains the installation files for the Mac software and information about detection methods that can be used to
evaluate whether the application is already installed. CMAppUtil can also process .dmg files that contain multiple
Mac applications and create different deployment types for each application.
1. Copy the Mac software installation package to the folder on the Mac computer where you extracted the
contents of the macclient.dmg file that you downloaded from the Microsoft Download Center.
2. On the same Mac computer, open a terminal window and navigate to the folder where you extracted the
contents of the macclient.dmg file.
3. Navigate to the Tools folder and type the following command:
./CMAppUtil <properties>
For example, say you want to convert the contents of an Apple disk image file named MySoftware.dmg
that's stored in the user's desktop folder into a cmmac file in the same folder. You also want to create
cmmac files for all applications that are found in the disk image file. To do this, use the following command
line:
./CMAppUtil -c /Users/<username>/Desktop/MySoftware.dmg -o /Users/<username>/Desktop -a

NOTE
The application name can't be more than 128 characters.

To configure options for CMAppUtil, use the command-line properties in the following table:

PROPERTY    MORE INFORMATION

-h          Displays the available command-line properties.

-r          Outputs the detection.xml of the provided .cmmac file to stdout. The output contains the
            detection parameters and the version of CMAppUtil that was used to create the .cmmac file.

-c          Specifies the source file to be converted.

-o          Specifies the output path in conjunction with the -c property.

-a          Automatically creates .cmmac files in conjunction with the -c property for all applications
            and packages in the disk image file.

-s          Skips generating the detection.xml if no detection parameters are found and forces the
            creation of the .cmmac file without the detection.xml file.

-v          Displays more detailed output from the CMAppUtil tool together with diagnostic information.

4. Ensure that the .cmmac file has been created in the output folder that you specified.
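The conversion in step 3 and the check in step 4 can be scripted so that a failed or empty conversion is caught before the file is imported. The following is an added example, not part of the original documentation; the CMAPPUTIL variable, the staging folder, the saved detection.xml copies and the return codes are assumptions of this example, and it uses only the -c, -o, -a and -r properties listed above.

```shell
#!/bin/sh
# Added example: run CMAppUtil, confirm that .cmmac files were created, and keep
# a copy of each file's detection.xml for review before import.
# Assumption: CMAPPUTIL is a hypothetical override for the tool's location; the
# default matches running this script from the Tools folder.
CMAPPUTIL=${CMAPPUTIL:-./CMAppUtil}

# convert_to_cmmac SOURCE OUTDIR
# Returns 0 on success, 2 for bad arguments, 3 if CMAppUtil fails,
# 4 if no .cmmac file was produced, 5 if a .cmmac file has no detection data.
convert_to_cmmac() {
    src=$1
    out=$2
    [ -e "$src" ] || { echo "source not found: $src" >&2; return 2; }
    [ -d "$out" ] || { echo "output folder not found: $out" >&2; return 2; }

    # Convert into an empty staging folder so that every .cmmac found there
    # afterwards is known to come from this run, not from an earlier one.
    stage=$(mktemp -d "$out/cmmac-stage.XXXXXX") || return 3
    if ! "$CMAPPUTIL" -c "$src" -o "$stage" -a; then
        echo "CMAppUtil failed for $src" >&2
        rm -rf "$stage"
        return 3
    fi

    count=0
    missing=0
    for f in "$stage"/*.cmmac; do
        [ -f "$f" ] || continue            # the glob matched nothing
        name=$(basename "$f" .cmmac)
        count=$((count + 1))
        # -r writes the file's detection.xml to stdout; save it beside the
        # .cmmac so the detection method can be reviewed.
        if "$CMAPPUTIL" -r "$f" > "$out/$name.detection.xml" 2>/dev/null \
            && [ -s "$out/$name.detection.xml" ]; then
            echo "$name.cmmac: detection data saved to $name.detection.xml"
        else
            # Assumption: empty output or a failing -r means no detection.xml.
            rm -f "$out/$name.detection.xml"
            echo "$name.cmmac: no detection data" >&2
            missing=$((missing + 1))
        fi
        mv "$f" "$out/$name.cmmac"
    done
    rm -rf "$stage"

    [ "$count" -gt 0 ] || { echo "no .cmmac file was created" >&2; return 4; }
    [ "$missing" -eq 0 ] || return 5
    return 0
}

# Usage: sh convert.sh /Users/<username>/Desktop/MySoftware.dmg /Users/<username>/Desktop
if [ "$#" -eq 2 ]; then
    convert_to_cmmac "$1" "$2"
fi
```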
Step 2: Create a Configuration Manager application that contains the Mac software
Use the following procedure to help you create an application for Mac computers that are managed by
Configuration Manager.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. On the Home tab, in the Create group, choose Create Application.
3. On the General page of the Create Application Wizard, select Automatically detect information
about this application from installation files.

NOTE
If you want to specify information about the application yourself, select Manually specify the application
information. For more information about how to manually specify the information, see How to create applications
with System Center Configuration Manager.
4. In the Type drop-down list, select Mac OS X.
5. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> to the Mac
application installation file (.cmmac file) that will detect application information. Alternatively, choose
Browse to browse to and specify the installation file location.

NOTE
You must have access to the UNC path that contains the application.

6. Choose Next.
7. On the Import Information page of the Create Application Wizard, review the information that was
imported. If necessary, you can choose Previous to go back and correct any errors. Choose Next to
proceed.
8. On the General Information page of the Create Application Wizard, specify information about the
application such as the application name, comments, version, and an optional reference to help you
reference the application in the Configuration Manager console.

NOTE
Some of the application information might already be on this page if it was previously obtained from the application
installation files.

9. Choose Next, review the application information on the Summary page, and then complete the Create
Application Wizard.
10. The new application is displayed in the Applications node of the Configuration Manager console.
Step 3: Create a deployment type for the Mac application
Use the following procedure to help you create a deployment type for Mac computers that are managed by
Configuration Manager.

NOTE
If you automatically imported information about the application in the Create Application Wizard, a deployment type for
the application might already have been created.

1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. Select an application. Then, on the Home tab, in the Application group, choose Create Deployment Type
to create a new deployment type for this application.

NOTE
You can also start the Create Deployment Type Wizard from the Create Application Wizard and from the
Deployment Types tab of the Properties dialog box.

3. On the General page of the Create Deployment Type Wizard, in the Type drop-down list, select Mac OS
X.
4. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> to the application
installation file (.cmmac file). Alternatively, choose Browse to browse to and specify the installation file
location.

NOTE
You must have access to the UNC path that contains the application.

5. Choose Next.
6. On the Import Information page of the Create Deployment Type Wizard, review the information that
was imported. If necessary, choose Previous to go back and correct any errors. Choose Next to continue.
7. On the General Information page of the Create Deployment Type Wizard, specify information about
the application such as the application name, comments, and the languages in which the deployment type is
available.

NOTE
Some of the deployment type information might already be on this page if it was previously obtained from the
application installation files.

8. Choose Next.
9. On the Requirements page of the Create Deployment Type Wizard, you can specify the conditions that
must be met before the deployment type can be installed on Mac computers.
10. Choose Add to open the Create Requirement dialog box and add a new requirement.

NOTE
You can also add new requirements on the Requirements tab of the Properties dialog box.

11. From the Category drop-down list, select that this requirement is for a device.
12. From the Condition drop-down list, select the condition that you want to use to assess whether the Mac
computer meets the installation requirements. The contents of this list vary depending on the category that
you select.
13. From the Operator drop-down list, choose the operator to use to compare the selected condition to the
specified value to assess whether the user or device meets the installation requirements. The available
operators vary depending on the selected condition.
14. In the Value field, specify the values to use with the selected condition and operator to assess whether the
user or device meets the installation requirements. The available values vary depending on the condition
and operator that you select.
15. Choose OK to save the requirement rule and exit the Create Requirement dialog box.
16. On the Requirements page of the Create Deployment Type Wizard, choose Next.
17. On the Summary page of the Create Deployment Type Wizard, review the actions for the wizard to take.
If necessary, choose Previous to go back and change deployment type settings. Choose Next to create the
deployment type.
18. After the Progress page finishes, review the actions that have been taken, and then choose Close to
complete the Create Deployment Type Wizard.
19. If you started this wizard from the Create Application Wizard, you will return to the Deployment Types
page.
Step 4: Deploy the Mac application
The steps to deploy an application to Mac computers are the same as the steps to deploy an application to
Windows computers, except for the following differences:
The deployment of applications to users is not supported.
Deployments that have a purpose of Available are not supported.
The Pre-deploy software to the user's primary device option on the Deployment Settings page of the
Deploy Software Wizard is not supported.
Because Mac computers do not support Software Center, the setting User notifications on the User
Experience page of the Deploy Software Wizard is ignored.
The option to send wake-up packets when you deploy software is not supported for Mac computers.

NOTE
You can build a collection that contains only Mac computers. To do so, create a collection that uses a query rule and use the
example WQL query in the How to create queries topic.

For more information, see Deploy applications.


Step 5: Monitor the deployment of the Mac application
You can use the same process to monitor application deployments to Mac computers as you would to monitor
application deployments to Windows computers.
For more information, see Monitor applications.
Create Windows applications with System Center
Configuration Manager
12/6/2016 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


In addition to the other System Center Configuration Manager requirements and procedures for creating an
application, you must also take the following considerations into account when you create and deploy applications
for Windows devices.

General considerations
Configuration Manager supports deploying the following app file types:

DEVICE TYPE                                          SUPPORTED FILE TYPES

Windows RT and Windows RT 8.1                        .appx, .appxbundle

Windows 8.1 and later enrolled as a mobile device    .appx, .appxbundle

The following deployment actions are supported:

DEVICE TYPE              SUPPORTED ACTIONS

Windows 8.1 and later    available, required, uninstall

Windows RT               available, required, uninstall

Support for Universal Windows Platform (UWP) apps


Windows 10 devices do not require a sideloading key to install line-of-business apps. For sideloading to be
enabled, however, the registry key
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps must have a
value of 1.
If this registry key is not configured, Configuration Manager automatically sets this value to 1 the first time you
deploy an app to the device. If you have set this value to 0, Configuration Manager cannot automatically change the
value, and the deployment of line-of-business apps fails.
Universal Windows Platform line-of-business apps must be signed with a code-signing certificate that is trusted on
each device to which the app is deployed. You can use certificates from an in-house PKI infrastructure, or a
certificate from a third-party public root certificate installed on the device.
On Windows 10 Mobile devices, you can use a non-Symantec code signing certificate to sign universal .appx apps.
For .xap apps, and also .appx packages built for Windows Phone 8.1 that you want to install on Windows 10
Mobile devices, you must use a Symantec code-signing certificate.

Deploy Windows Installer apps to enrolled Windows 10 PCs


The Windows Installer through MDM (*.msi) installer type lets you create and deploy Windows Installer-based
apps to enrolled PCs that run Windows 10.
The following considerations apply when you use this installer type:
You can only upload a single file with the extension .msi.
The file's product code and product version are used for app detection.
The default restart behavior of the app is used. Configuration Manager does not control this.
Per user MSI packages are installed for a single user.
Per machine MSI packages are installed for all users on the device.
App updates are supported when the MSI product code of each version is the same.
Create Windows Phone applications with System
Center Configuration Manager
12/29/2016 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


In addition to the other System Center Configuration Manager requirements and procedures for creating an
application, you must also take the following considerations into account when you create and deploy applications
for Windows Phone devices.

General considerations
Configuration Manager supports deploying the following app file types:

DEVICE TYPE          SUPPORTED FILE TYPES

Windows Phone 8      .xap

Windows Phone 8.1    .xap, .appx, .appxbundle

Windows 10 Mobile    .xap, .appx, .appxbundle

The following deployment actions are supported:

DEVICE TYPE                                                SUPPORTED ACTIONS

Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile  Available, Required, Uninstall

Steps to deploy the latest Windows Phone company portal app with
supersedence
The following table provides the steps, details, and more information for creating and deploying the latest
Windows Phone 8 company portal app.

STEP    MORE INFORMATION

Step 1: Get the latest company portal app.
    Download the Windows Phone 8 company portal app.

Step 2: Sign the company portal app with your Symantec certificate.
    For information on how to sign the company portal app, see Set up Windows Phone and Windows 10
    Mobile hybrid device management with System Center Configuration Manager and Microsoft Intune.

Step 3: Create a new application with the latest version of the company portal app, and specify a
supersedence relationship.
    For more information, see Create applications and Revise and supersede applications.

Step 4: Add the application to the Microsoft Intune Subscription Wizard.
    For more information, see Set up Windows Phone and Windows 10 Mobile hybrid device management
    with System Center Configuration Manager and Microsoft Intune.

Step 5: Delete the deployment that is automatically created when you added the company portal app to
the Microsoft Intune Subscription Wizard.
    The Microsoft Intune subscription created an automatic deployment of this app. Delete it because
    this deployment does not support supersedence.

Step 6: Create a new deployment of the application. On the Deployment Settings page of the Deploy
Software Wizard, check Automatically upgrade any superseded versions of this application.
    Create a new deployment with supersedence using the application you created with the
    supersedence relationship.

Step 7 (Optional): By default, the superseding apps install on devices after 7 days. To deploy the
company portal app sooner to previously enrolled devices, change the schedule re-evaluation for
deployments setting to a lower value. If you set this value to a lower value than the default, it might
negatively affect the performance of your network and client computers.
    No additional information.
Create Linux and UNIX server applications with
System Center Configuration Manager
12/6/2016 11 min to read

Applies to: System Center Configuration Manager (Current Branch)


Take the following considerations into account when you create and deploy applications for computers that run
Linux and UNIX.

General considerations
The Configuration Manager client for Linux and UNIX supports software deployments that use packages and
programs. You cannot deploy Configuration Manager applications to computers that run Linux and UNIX.
The capabilities of Linux and UNIX software deployment include:
Software installation for Linux and UNIX servers, including the following:
    New software deployment
    Software updates for programs that are already on a computer
    Operating system patches
Native Linux and UNIX commands, and scripts that are located on Linux and UNIX servers
Deployments that are limited to the operating systems that you specify when you select the program option
Only on specified client platforms
Maintenance windows to control when software installs
Deployment status messages to monitor deployments
The option for the client to throttle network usage when it's downloading software from a distribution point
Differences between deploying to Linux and UNIX computers and deploying to Windows devices
The main differences between deploying packages and programs to Linux and UNIX computers and deploying
packages and programs to Windows devices are as follows:

CONFIGURATION    DETAILS

Use only configurations that are intended for computers, and don't use configurations that are intended
for users.
    The Configuration Manager client for Linux and UNIX does not support configurations that are
    intended for users.

Configure programs to download software from the distribution point and run the programs from the
local client cache.
    The Configuration Manager client for Linux and UNIX does not support running software from the
    distribution point. Instead, you must configure the software to download to the client and then get
    installed.

    By default, after the client for Linux and UNIX installs software, that software is deleted from the
    client's cache. However, packages that are configured with Persist content in the client cache are
    not deleted from the client and remain in the client's cache after the software installs.

    The client for Linux and UNIX does not support configurations for the client cache, and the
    maximum size of the client cache is limited only by the free disk space on the client computer.

Configure the Network Access Account for distribution point access
    Linux and UNIX computers are designed to be workgroup computers. To access packages from the
    distribution point in the Configuration Manager site server domain, you must configure the Network
    Access Account for the site. You must specify this account as a software distribution component
    property and configure the account before you deploy software.

    You can configure multiple Network Access Accounts at each site. The client for Linux and UNIX can
    use each of the accounts you configure as a Network Access Account.

    For more information, see Site components for System Center Configuration Manager.

You can deploy packages and programs to collections that contain only Linux or UNIX clients, or you can deploy
them to collections that contain a mix of client types, such as the All Systems Collection. However, non-Linux and
non-UNIX clients won't install the software or report failure.
When the Configuration Manager client for Linux and UNIX receives and runs a deployment, it generates status
messages. You can view these status messages in the Configuration Manager console, or by using reports to
monitor the deployment status.
For information about how to use packages and programs, see Packages and programs.

Configure packages, programs, and deployments for Linux and UNIX servers
You can create and deploy packages and programs by using the available default options in the Configuration
Manager console. The client does not require any unique configurations.
Use the information in the following sections to configure packages and programs as well as deployments.
Packages and programs
To create a package and program for a Linux or UNIX server, use the Create Package and Program Wizard from
the Configuration Manager console. The client for Linux and UNIX supports most package and program settings.
However, several settings are not supported. When you create or configure a package and program, consider the
following:
Include the file types that are supported by the destination computers.
Define the command lines that are appropriate for use on the destination computer.
Keep in mind that settings that interact with users are not supported.
The following table lists the properties for packages and programs that are not supported:

PACKAGE AND PROGRAM PROPERTY    BEHAVIOR    MORE INFORMATION

Package share settings: All options
    Behavior: An error is generated and the software installation fails.
    More information: The client does not support this configuration. Instead, the client must download
    the software by using HTTP or HTTPS, and then run the command line from its local cache.

Package update settings: Disconnect users from distribution points
    Behavior: Settings are ignored.
    More information: The client does not support this configuration.

Operating system deployment settings: All options
    Behavior: Settings are ignored.
    More information: The client does not support this configuration.

Reporting: Use package properties for status MIF matching; Use these fields for status MIF matching
    Behavior: Settings are ignored.
    More information: The client does not support the use of status MIF files.

Run: All options
    Behavior: Settings are ignored.
    More information: The client always runs packages with no user interface. The client ignores all
    configuration options for Run.

After running: Configuration Manager restarts computer; Program controls restart; Configuration
Manager signs the user out
    Behavior: An error is generated and the software installation fails.
    More information: The system restart setting and user-specific settings are not supported. When any
    setting other than the No action required setting is in use, the client generates an error and
    continues the software installation, with no action taken.

Program can run: Only when a user is signed in
    Behavior: An error is generated and the software installation fails.
    More information: User-specific settings are not supported. When this option is configured, the
    client generates an error and fails the installation of the software. Other options are ignored and
    the software installation continues.

Run mode: Run with user's rights
    Behavior: Settings are ignored.
    More information: User-specific settings are not supported. However, the client supports the
    configuration running with Administrative rights. When you specify Run with administrative rights,
    the Configuration Manager client uses its root credentials. This setting does not generate an error
    or log entry. Instead, the software installation fails when the client generates an error for the
    prerequisite configuration of Program can run = Only when a user is signed in.

Allow users to view and interact with the program installation
    Behavior: Settings are ignored.
    More information: User-specific settings are not supported. This configuration is ignored and the
    software installation continues.

Drive mode: All options
    Behavior: Settings are ignored.
    More information: This setting is not supported because content is always downloaded to the client
    and run locally.

Run another program first
    Behavior: An error is generated and the software installation fails.
    More information: Recursive program installation is not supported. When a program is configured to
    run another program first, the software installation fails, and the other program installation is not
    started.

When this program is assigned to a computer: Run once for every user who signs in
    Behavior: Settings are ignored.
    More information: User-specific settings are not supported. However, the client supports the
    configuration running once for the computer. This setting does not generate an error or log entry
    because an error and log entry are already created for the prerequisite configuration of Program
    can run = Only when a user is logged on.

Suppress program notifications
    Behavior: Settings are ignored.
    More information: The client does not implement a user interface. When this configuration is
    selected, it is ignored and the software installation continues.

Disable this program on computers where it is deployed
    Behavior: Settings are ignored.
    More information: This setting is not supported and does not affect the installation of software.

Allow this program to be installed from the Install Package task sequence without being deployed
    More information: The client does not support task sequences. This setting is not supported and
    does not affect the installation of software.

Windows Installer: All options
    Behavior: Settings are ignored.
    More information: The client does not support Windows Installer files or settings.

OpsMgr Maintenance Mode: All options
    Behavior: Settings are ignored.
    More information: The client does not support this configuration.

Deploy software to a Linux or UNIX server


To deploy software to a Linux or UNIX server by using a package and program, you can use the Deploy Software
Wizard from the Configuration Manager console. Most deployment settings are supported by the client for Linux
and UNIX. However several settings are not supported. When you deploy software, consider the following:
You must provision the package on at least one distribution point that is associated with a boundary group
that is configured for content location.
The client for Linux and UNIX that receives this deployment must be able to access this distribution point
from its network location.
The client for Linux and UNIX downloads the package from the distribution point and runs the program on
the local computer.
The client for Linux and UNIX cannot download packages from shared folders. It downloads packages from
IIS-enabled distribution points that support HTTP or HTTPS.
The following table lists properties for deployments that are not supported:

DEPLOYMENT PROPERTY    BEHAVIOR    MORE INFORMATION

Deployment settings purpose: Available; Required
    Behavior: Settings are ignored.
    More information: User-specific settings are not supported. However, the client supports the
    setting Required, which enforces the scheduled installation time, but does not support manual
    installation prior to that scheduled time.

Send wake-up packets
    Behavior: Settings are ignored.
    More information: The client does not support this configuration.

Assignment schedule: logon; logoff
    Behavior: An error is generated and the software installation fails.
    More information: User-specific settings are not supported. However, the client supports the
    setting As soon as possible.

Notification settings: Allow users to run the program independently of assignments
    Behavior: Settings are ignored.
    More information: The client does not implement a user interface.

When the scheduled assignment time is reached, allow the following activity to be performed outside the
maintenance window: System restart (if required to complete the installation)
    Behavior: An error is generated.
    More information: The client does not support a system restart.

Deployment option for fast (LAN) networks: Run program from distribution point
    Behavior: An error is generated and the software installation fails.
    More information: The client cannot run software from the distribution point and instead must
    download the program before it can run.

Deployment option for a slow or unreliable network boundary, or a fallback source location for content:
Allow clients to share content with other clients on the same subnet
    Behavior: Settings are ignored.
    More information: The client does not support sharing content between peers.

For more information about content location, see Manage content and content infrastructure for System Center
Configuration Manager.
For more information about how to create a deployment, see Deploy applications.

Manage network bandwidth for software downloads from distribution points
The Linux and UNIX client supports network bandwidth controls when it's downloading software from a
distribution point.
The client uses the Background Intelligent Transfer (BITS) settings that you configure as client settings in
Configuration Manager, but does not implement BITS. Instead, to throttle the use of network bandwidth, the client
controls the HTTP request chunk size and inter-chunk delay for the software download.
To configure a client to use network bandwidth controls, you configure client settings for Background Intelligent
Transfer and then apply the settings to the client computer. To use bandwidth controls, the client must receive
client settings for Background Intelligent Transfer with the following settings configured as Yes:
Limit the maximum network bandwidth for BITS background transfers
The client supports the following configurations for Background Intelligent Transfer:
Throttling window start time
Throttling window end time
Maximum transfer rate during throttling window (Kbps)
Maximum transfer rate during throttling window (Kbps)
The following configuration for Background Intelligent Transfer is not supported, and is ignored by the client for
Linux and UNIX:
Allow BITS downloads outside the throttling window
If the download of software to the client from a distribution point is interrupted, the client for Linux and
UNIX does not resume the download. Instead, it restarts the download of the entire software package.

Configure operations for software deployments


Similarly to the Windows client, the Configuration Manager client for Linux and UNIX discovers new software
deployments when it polls and checks for new policy. The frequency at which the client checks for new policy
depends on client settings. You can configure maintenance windows to control when software deployments occur.
You can configure software deployments to Linux and UNIX servers by using package properties, program
properties, and deployment properties.
When the client receives policy for a deployment, it submits a status message. It also submits status messages
when it starts the installation of software and when the installation finishes or fails.
Programs for software deployments run with the root credentials that the Configuration Manager client for Linux
and UNIX runs with. The exit code of the program's command is used to determine success or failure. An exit code
of 0 (zero) is treated as success. In addition, the stdout (standard output stream) and stderr (standard error
stream) are copied to the log file when the log level is set to INFO or TRACE.
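Because the program runs as root, only its exit code decides success, and its output can be copied to the client log, the program's command line is worth wrapping. The following wrapper is an added example, not part of the original documentation; the function names, the SHA-256 check of the downloaded payload and the non-zero exit codes 64, 65, 66 and 70 are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper to use as the program command line of a package that
# is deployed to Linux and UNIX clients. The payload, its expected digest and
# the installer command are supplied by the caller.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# run_install PAYLOAD EXPECTED_SHA256 INSTALLER [ARGS...]
# Runs "INSTALLER ARGS PAYLOAD" only if the payload digest matches, and returns
# the installer's own status so that 0 is reported only for a real success.
run_install() {
    [ "$#" -ge 3 ] || {
        echo "usage: run_install PAYLOAD SHA256 INSTALLER [ARGS...]" >&2
        return 64
    }
    payload=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    shift 2
    [ -f "$payload" ] || { echo "payload missing: $payload" >&2; return 66; }

    # Check the downloaded content before anything in it runs as root.
    actual=$(sha256_of "$payload")
    [ -n "$actual" ] || { echo "no SHA-256 tool available" >&2; return 70; }
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $payload, refusing to install" >&2
        return 65
    fi

    # Give the installer a private scratch folder (mktemp -d creates it 0700).
    work=$(mktemp -d) || return 70

    # Anything written to stdout or stderr can be copied to the client log at
    # log level INFO or TRACE: print status only, never credentials.
    TMPDIR=$work "$@" "$payload"
    rc=$?

    # Cleanup runs after the status is captured so it cannot turn a failed
    # installation into exit code 0.
    rm -rf "$work"
    if [ "$rc" -ne 0 ]; then
        echo "installer exited with status $rc" >&2
    fi
    return "$rc"
}

# Program command line (placeholders, to be replaced with real values):
#   sh install_wrapper.sh <payload file> <expected sha256> <installer command>
if [ "$#" -ge 3 ]; then
    run_install "$@"
    exit $?
fi
```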

TIP
If the software that you want to deploy is located on a Network File System (NFS) share that the Linux or UNIX server can
access, you do not need to use a distribution point to download the package. Instead, when you create the package, do not
select the check box for This package contains source files. Then, when you configure the program, specify the appropriate
command line to directly access the package on the NFS mount point.
Create Android applications with System Center
Configuration Manager
12/5/2016 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


Keep in mind the following considerations when you create and deploy applications for Android devices.

General considerations
Configuration Manager supports the deployment of the following app types for Android:

DEVICE TYPE SUPPORTED FILES

Android .apk

The following deployment actions are supported:

DEVICE TYPE    SUPPORTED ACTIONS

Android        Available, Required. The user must consent to both installation and uninstallation.
Create Windows Embedded applications with System
Center Configuration Manager
12/6/2016 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


In addition to the other System Center Configuration Manager requirements and procedures for creating an
application, you must also take the following considerations into account when you create and deploy applications
for Windows Embedded devices.

General considerations
When you deploy applications to Windows Embedded devices that are enabled for write filtering, you can
specify whether to disable the write filter on the device during the app deployment. You can then choose to
restart the write filter after the app deployment. If the write filter is not disabled, the software is deployed to
a temporary overlay. This means that unless another deployment forces changes to persist, the software will
no longer be installed when the device restarts.
When you deploy an application to a Windows Embedded device, make sure that the device is a member of
a collection that has a configured maintenance window. This lets you manage when the write filter is
disabled and enabled, and when the device restarts.
The setting that controls the write filter behavior is a check box named Commit changes at deadline or
during a maintenance window (requires restarts).

Tips for deploying applications


Use required applications rather than available applications for Windows Embedded devices that have
write filters enabled. Because users cannot install apps from Software Center on a Windows Embedded device
that has write filters enabled, always deploy applications with a deployment purpose of required rather than
available to these devices. Typically, this isn't a problem because computers that run a Windows Embedded
operating system often run a single application that must run in the same way for multiple users. Because of this,
these devices are highly managed and locked down by the IT department. Required applications are well-suited to
this scenario.
However, if users do run more than one application on embedded devices when write filters are enabled, educate
these users about the following limitations:
Users cannot install required software from Software Center.
Users cannot change their business hours in the Options tab of Software Center.
Users cannot postpone the installation of a required application.
In addition, low-rights users cannot log on during a maintenance period if Configuration Manager is committing
changes for software installations and updates. During this period, users see a message informing them that the
device is unavailable because it is being serviced.
Do not deploy applications to Windows Embedded devices that have write filters enabled if the
applications require the user to accept the license terms. When write filters are disabled so that
Configuration Manager can install software on embedded devices, low-rights users cannot log on to the device. If
the installation requires the user to accept the license terms, this will not be possible and the installation will fail.
Make sure that you do not deploy software to Windows Embedded devices if the installation requires user
interaction. You can use the Applicable Platforms list to filter these operating systems.
How to create global conditions in System Center Configuration Manager
11/23/2016 9 min to read

Applies to: System Center Configuration Manager (Current Branch)


In System Center Configuration Manager, global conditions are rules that represent business or technical
conditions that you can use to specify how an application is provided and deployed to client devices. Global
conditions are accessed from the Requirements page of the Create Deployment Type Wizard.

NOTE
You can edit global conditions only from the site where they were created.

Use the following procedures to create Configuration Manager global conditions.

Provide basic information about the global condition


Several different types of global conditions are available. Different options are associated with the different global
condition types. When you select a specific global condition type, Configuration Manager shows the options that
apply to your selection.
1. In the Configuration Manager console, choose Software Library > Application Management > Global
Conditions.
2. On the Home tab, in the Create group, choose Create Global Condition.
3. In the Create Global Condition dialog box, provide a name and an optional description for the global
condition.
4. In the Device type drop-down list, choose whether the global condition is for a Windows computer or a
Windows Mobile device.
5. In the Condition Type drop-down list, choose one of the following options:
Setting - This option checks for the existence of one or more items on client devices. For example,
you can check that a file, folder, or registry key value exists on a client device.
Expression - This option lets you set up more complex rules to check if the condition is satisfied
on client devices. For example, you can check if the physical memory on a computer is between 2 GB
and 4 GB or if a mobile device uses touch screen input.

Set up rules for the global condition


The procedure to define the global condition rules is different depending on whether you are configuring a setting
or an expression. Use the applicable procedure here to set up a setting or an expression for the global condition.
To set up a setting for the global condition
1. In the Condition Type drop-down list, choose Setting.
2. In the Setting type drop-down list, choose the item to use as the condition for which requirements will be
checked. The following setting types and configurations are available.
Active Directory query
LDAP prefix - Specify a valid LDAP prefix to the Active Directory Domain Services query to
assess compliance on client computers. You can use either LDAP:// or GC://.
Distinguished name (DN) - Specify the distinguished name of the Active Directory Domain
Services object that will be assessed for compliance on client computers.
Search filter - Specify an optional LDAP filter to refine the results from the Active Directory
Domain Services query to assess compliance on client computers.
Search scope - Specify the search scope in Active Directory Domain Services:
Base - Queries only the specified object.
One Level - This option is not used in this version of Configuration Manager.
Subtree - Queries the specified object and its complete subtree in the directory.
Property - Specify the property of the Active Directory Domain Services object that will be
used to assess compliance on client computers.
Query - Shows the LDAP query that is constructed from the entries in LDAP prefix,
Distinguished name (DN), Search Filter if specified, and Property. This query will be used
to assess compliance on client computers.
Assembly
Assembly name - Specifies the name of the assembly object to search for. The name cannot be
the same as any other assembly object of the same type, and the name must be registered in the
Global Assembly Cache. The assembly name can be a maximum of 256 characters.

NOTE
An assembly is a piece of code that can be shared between applications. Assemblies can have the .dll or .exe
file name extension. The Global Assembly Cache is a folder named %systemroot%\assembly on client
computers in which all shared assemblies are stored.

File system
Type - From the drop-down list, choose whether you want to search for a File or a Folder.
Path - Specify the path to the specified file or folder on client computers. You can specify
system environment variables and the %USERPROFILE% environment variable in the path.

NOTE
If you use the %USERPROFILE% environment variable in the Path or File or folder name fields, all
user profiles on the client computer will be searched. This could result in the discovery of multiple
instances of the file or folder.

File or folder name - Specify the name of the file or folder object that will be searched for.
You can specify system environment variables and the %USERPROFILE% environment variable
in the file or folder name. You can also use the * and ? wildcards in the file name.
NOTE
If you specify a file or folder name and use wildcards, this might produce a high number of results.
This could result in high resource use on the client computer and high network traffic when reporting
results to Configuration Manager.

Include subfolders - Enable this option if you also want to search any subfolders under the
specified path.
This file or folder is associated with a 64-bit application - Choose whether the 64-bit
system file location (%windir%\system32) should be searched in addition to the 32-bit system
file location (%windir%\syswow64) on Configuration Manager clients that run a 64-bit version
of Windows.

NOTE
If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit
computer, multiple files will be discovered by the global condition.

The File system setting type does not support specifying a UNC path to a network share in
the Path field.
IIS metabase
Metabase path - Specify a valid path to the IIS Metabase.
Property ID - Specify the numeric property of the IIS Metabase setting.
Registry key
Hive - From the drop-down list, choose the registry hive that you want to search in.
Key - Specify the registry key name that you want to search for. The format used should be
key\subkey.
This registry key is associated with a 64-bit application - Specifies whether the 64-bit
registry keys should be searched in addition to the 32-bit registry keys on clients that run a
64-bit version of Windows.

NOTE
If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit
computer, both registry keys will be discovered by the global condition.

Registry value
Hive - From the drop-down list, select the registry hive that you want to search in.
Key - Specify the registry key name that you want to search for. The format used should be
key\subkey.
Value - Specify the value that must be contained within the specified registry key.
This registry key is associated with a 64-bit application - Specifies whether the 64-bit
registry keys should be searched in addition to the 32-bit registry keys on clients that run a
64-bit version of Windows.
NOTE
If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit
computer, both registry keys will be discovered by the global condition.

Script
Discovery script - Choose Add to enter the script, or browse to the script to use. You can use
Windows PowerShell, VBScript, or JScript scripts.
Run scripts by using the logged on user credentials - If you enable this option, the script
will run on client computers by using the credentials of the user who is signed in.

NOTE
The value returned by the script will be used to assess the compliance of the global condition. For
example, when you use VBScript, you could use the WScript.Echo Result command to return the
Result variable value to the global condition.
If your script returns multiple values, these values must be on a single line and separated with a
semicolon. If each value is on a separate line, the evaluation will fail.

SQL query
SQL Server instance - Choose whether you want the SQL query to run on the default
instance, all instances, or a specified database instance name.

NOTE
The instance name must refer to a local instance of SQL Server. To refer to a clustered SQL server
instance, you should use a script setting.

Database - Specify the name of the Microsoft SQL Server database for which the SQL query
will be run.
Column - Specify the column name returned by the Transact-SQL statement to use to assess
the compliance of the global condition.
Transact-SQL statement - Specify the full SQL query to use for the global condition. You can
also choose Open to open an existing SQL query.
WQL query
Namespace - Specify the WMI namespace that will be used to build a WQL query that will be
assessed for compliance on client computers. The default value is Root\cimv2.
Class - Specifies the WMI class that will be used to build a WQL query that will be assessed for
compliance on client computers.
Property - Specifies the WMI property that will be used to build a WQL query that will be
assessed for compliance on client computers.
WQL query WHERE clause - You can use the WQL query WHERE clause item to specify a
WHERE clause to be applied to the specified namespace, class, and property on client
computers.
XPath query
Path - Specify the path to the XML file on client computers that will be used to assess
compliance. Configuration Manager supports the use of all Windows system environment
variables and the %USERPROFILE% user variable in the path name.
XML file name - Specify the file name that contains the XML query to use to assess
compliance on client computers.
Include subfolders - Enable this option if you also want to search any subfolders under the
specified path.
This file is associated with a 64-bit application - Choose whether the 64-bit system file
location (%windir%\system32) should be searched in addition to the 32-bit system file
location (%windir%\syswow64) on Configuration Manager clients that run a 64-bit version of
Windows.
XPath query - Specify a valid full XML path language (XPath) query to use to assess
compliance on client computers.
Namespaces - Opens the XML Namespaces dialog box to identify namespaces and prefixes
to use during the XPath query.
3. In the Data type drop-down list, choose the format in which data will be returned by the condition before it
is used to check requirements.

NOTE
The Data type drop-down list is not shown for all setting types.

4. Set up further details about this setting below the Setting type drop-down list. The items you can set up
will vary depending on the setting type you have selected.
5. Choose OK to save the rule and to close the Create Global Condition dialog box.
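The Script setting type and the 64-bit registry notes above, as an added PowerShell example that is not part of the original documentation: a discovery script that reads one registry value from both the 64-bit and the 32-bit registry view and returns everything it finds on a single semicolon-separated line, as the Script note requires. The key SOFTWARE\Contoso\ExampleAgent, the value name Version, and the function names are hypothetical placeholders.

```powershell
# Added example: discovery script for a global condition of setting type "Script".
# The registry key and value name below are hypothetical placeholders.
$SubKey    = 'SOFTWARE\Contoso\ExampleAgent'
$ValueName = 'Version'

function Get-RegistryValueFromView {
    param(
        [Microsoft.Win32.RegistryView]$View,
        [string]$SubKey,
        [string]$ValueName
    )
    # Open HKLM in an explicit view so the result does not depend on whether
    # the script host is a 32-bit or a 64-bit process.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)          # read-only; $null if the key is absent
        if ($null -eq $key) { return }
        try { return $key.GetValue($ValueName) }  # $null if the value is absent
        finally { $key.Close() }
    }
    finally { $base.Close() }
}

function ConvertTo-DiscoveryLine {
    param([object[]]$Values)
    $seen = New-Object 'System.Collections.Generic.List[string]'
    foreach ($v in $Values) {
        if ($null -eq $v) { continue }
        # A line break or semicolon inside a value would split the result,
        # so both are replaced with a space before the values are joined.
        $s = (([string]$v) -replace '[\r\n;]+', ' ').Trim()
        # The same value found in both views is reported once.
        if ($s -and -not $seen.Contains($s)) { $seen.Add($s) }
    }
    return ($seen.ToArray() -join ';')
}

$views = [Microsoft.Win32.RegistryView]::Registry64,
         [Microsoft.Win32.RegistryView]::Registry32
$found = foreach ($view in $views) {
    Get-RegistryValueFromView -View $view -SubKey $SubKey -ValueName $ValueName
}

# One Write-Output call, one line: all values separated by semicolons.
Write-Output (ConvertTo-DiscoveryLine -Values $found)
```

The script only reads the registry, so it behaves the same with or without Run scripts by using the logged on user credentials as long as the account can read the key.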
Set up an expression for the global condition
1. In the Condition Type drop-down list, choose Expression.
2. Choose Add Clause to open the Add Clause dialog box.
3. From the Select category drop-down list, select whether this expression is for a device or a user.
Alternatively, select Custom to use a previously configured global condition.
4. From the Select a condition drop-down list, select the condition to use to assess whether the user or
device meets the rule requirements. The contents of this list will vary depending on the selected category.
5. From the Choose operator drop-down list, choose the operator that will be used to compare the selected
condition to the specified value to assess whether the user or device meets the rule requirements. The
available operators will vary depending on the selected condition.
6. In the Value field, specify the values that will be used with the selected condition and operator to assess
whether the user or device meets the rule requirements. The available values will vary depending on the
selected condition and the selected operator.
7. Choose OK to save the expression and to close the Add Clause dialog box.
8. When you have finished adding clauses to the global condition, choose OK to close the Create Global
Condition dialog box and to save the global condition.
Packages and programs in System Center Configuration Manager
11/29/2016 22 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager continues to support packages and programs that were used in
Configuration Manager 2007. A deployment that uses packages and programs might be more suitable than a
deployment that uses an application when you deploy any of the following:
Applications to Linux and UNIX servers
Scripts that do not install an application on a computer, such as a script to defragment the computer disk drive
One-off scripts that do not need to be continually monitored
Scripts that run on a recurring schedule and cannot use global evaluation
When you migrate packages from an earlier version of Configuration Manager, you can deploy them in your
Configuration Manager hierarchy. After migration is complete, the packages appear in the Packages node in the
Software Library workspace.
You can modify and deploy these packages in the same way you did by using software distribution. The Import
Package from Definition Wizard remains in Configuration Manager to import legacy packages. Advertisements
are converted to deployments when they are migrated from Configuration Manager 2007 to a Configuration
Manager hierarchy.

NOTE
You can use Microsoft System Center Configuration Manager Package Conversion Manager to convert packages and
programs into Configuration Manager applications.
For more information, see Configuration Manager Package Conversion Manager.

Packages can use some new features of Configuration Manager, including distribution point groups and
monitoring. Microsoft Application Virtualization (App-V) applications cannot be distributed by using packages and
programs in Configuration Manager. To distribute virtual applications, you must create them as Configuration
Manager applications.

Create a package and program


Use one of these procedures to help you create or import packages and programs.
Create a package and program using the Create Package and Program wizard
1. In the Configuration Manager console, choose Software Library > Application Management >
Packages.
2. In the Home tab, in the Create group, choose Create Package.
3. On the Package page of the Create Package and Program Wizard, specify the following information:
Name: Specify a name for the package with a maximum of 50 characters.
Description: Specify a description for this package with a maximum of 128 characters.
Manufacturer (optional): Specify a manufacturer name to help you identify the package in the
Configuration Manager console. This name can be a maximum of 32 characters.
Language (optional): Specify the language version of the package with a maximum of 32 characters.
Version (optional): Specify a version number for the package with a maximum of 32 characters.
This package contains source files: This setting indicates whether the package requires source
files to be present on client devices. By default, this check box is cleared, and Configuration Manager
does not use distribution points for the package. When this check box is selected, distribution points
are used.
Source folder: If the package contains source files, choose Browse to open the Set Source Folder
dialog box, and then specify the location of the source files for the package.

NOTE
The computer account of the site server must have read access permissions to the source folder that you
specify.

4. On the Program Type page of the Create Package and Program Wizard, select the type of program to
create, and then choose Next. You can create a program for a computer or device, or you can skip this step
and create a program later.

TIP
To create a new program for an existing package, first select the package. Then, in the Home tab, in the Package
group, choose Create Program to open the Create Program Wizard.

5. Use one of the following procedures to create a standard program or a device program.
Create a standard program
a. On the Program Type page of the Create Package and Program Wizard, choose Standard
Program, and then choose Next.
b. On the Standard Program page, specify the following information:
Name: Specify a name for the program with a maximum of 50 characters.

NOTE
The program name must be unique within a package. After you create a program, you cannot modify
its name.

Command Line: Enter the command line to use to start this program, or choose Browse to
browse to the file location.
If the file name is specified without an extension, Configuration Manager attempts to
use .com, .exe, and .bat as possible extensions.
When the program is run on a client, Configuration Manager first searches for the command-
line file name within the package, searches next in the local Windows folder, and then searches
in local %path%. If the file cannot be found, the program fails.
Startup folder (optional): Specify the folder from which the program runs, up to 127
characters. This folder can be an absolute path on the client or a path that's relative to the
distribution point folder that contains the package.
Run: Specify the mode in which the program runs on client computers. Select one of the
following:
Normal: The program runs in the normal mode based on system and program
defaults. This is the default mode.
Minimized: The program runs minimized on client devices. Users might see
installation activity in the notification area or on the taskbar.
Maximized: The program runs maximized on client devices. Users see all installation
activity.
Hidden: The program runs hidden on client devices. Users don't see any installation
activity.
Program can run: Specify whether the program runs only when a user is signed in, only
when no user is signed in, or regardless of whether a user is signed in to the client computer.
Run mode: Specify whether the program runs with administrative permissions or with the
permissions of the user who's currently signed in.
Allow users to view and interact with the program installation: Use this setting, if
available, to specify whether to allow users to interact with the program installation. This check
box is available only when Only when no user is logged on or Whether or not a user is
logged on is selected for Program can run and when Run with administrative rights is
selected for Run mode.
Drive mode: Specify information about how this program runs on the network. Choose one
of the following:
Runs with UNC name: Specify that the program runs with a Universal Naming
Convention (UNC) name. This is the default setting.
Requires drive letter: Specify that the program requires a drive letter to fully qualify
its location. For this setting, Configuration Manager can use any available drive letter on
the client.
Requires specific drive letter: Specify that the program requires a specific drive
letter that you specify to fully qualify its location (for example, Z:). If the specified drive
letter is already used on a client, the program does not run.
Reconnect to distribution point at log on: Use this check box to indicate whether the client
computer reconnects to the distribution point when the user signs in. By default, this check
box is cleared.
c. On the Requirements page of the Create Package and Program Wizard, specify the following
information:
Run another program first: Use this setting to identify a package and program that runs
before this package and program runs.
Platform requirements: Select This program can run on any platform or This program
can run only on specified platforms, and then choose the operating systems that clients
must be running to be able to install the package and program.
Estimated disk space: Specify the amount of disk space that the software program requires
to run on the computer. This can be specified as Unknown (the default setting) or as a whole
number greater than or equal to zero. If a value is specified, units for the value must also be
specified.
Maximum allowed run time (minutes): Specify the maximum time that the program is
expected to run on the client computer. This can be specified as Unknown (the default setting)
or as a whole number greater than zero.
By default, this value is set to 120 minutes.

IMPORTANT
If you are using maintenance windows for the collection on which this program is run, a conflict could
occur if the Maximum allowed run time is longer than the scheduled maintenance window.
However, if the maximum run time is set to Unknown, the program starts to run during the
maintenance window and continues to run as needed after the maintenance window is closed. If the
user sets the maximum run time to a specific period that exceeds the length of any available
maintenance window, then the program doesn't run.

If the value is set to Unknown, Configuration Manager sets the maximum allowed run time as
12 hours (720 minutes).

NOTE
If the maximum run time (whether set by the user or as the default value) is exceeded, Configuration
Manager stops the program if Run with administrative rights is selected and Allow users to view
and interact with the program installation is not selected.

d. Choose Next.
Create a device program
a. On the Program Type page of the Create Package and Program Wizard, select Program for
device, and then choose Next.
b. On the Program for Device page, specify the following:
Name: Specify a name for the program with a maximum of 50 characters.

NOTE
The program name must be unique within a package. After you create a program, you cannot modify
its name.

Comment (optional): Specify a comment for this device program with a maximum of 127
characters.
Download folder: Specify the name of the folder on the Windows CE device in which the
package source files will be stored. The default value is \Temp\.
Command Line: Enter the command line to use to start this program, or choose Browse to
browse to the file location.
Run command line in download folder: Select this option to run the program from the
previously specified download folder.
Run command line from this folder: Select this option to specify a different folder from
which to run the program.
c. On the Requirements page, specify the following:
Estimated disk space: Specify the amount of disk space that's required for the software. This
is displayed to users of mobile devices before they install the program.
Download program: Specify information regarding when this program can be downloaded
to mobile devices. You can specify As soon as possible, Only over a fast network, or Only
when the device is docked.
Additional requirements: Specify any additional requirements for this program. These are
displayed to users before they install the software. For example, you could notify users that
they need to close all other applications before running the program.
d. Choose Next.
e. On the Summary page, review the actions that will be taken, and then complete the wizard.
Verify that the new package and program are displayed in the Packages node of the Software Library
workspace.
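The command-line lookup described under Create a standard program (fallback extensions .com, .exe, and .bat; package first, then the local Windows folder, then the local %path%), as an added PowerShell example that is not Configuration Manager code: it lists every file an extension-less command line could resolve to, so you can see when more than one file matches before you deploy. The function name, the sample files, and the assumption that all three extensions are tried in one location before the next location is searched are assumptions of this example, not statements from the documentation.

```powershell
# Added example, not Configuration Manager code. Lists the files that a standard
# program's command-line file name could resolve to, in the documented order.
# Assumption: the fallback extensions are tried in the listed order inside each
# location before the next location is searched.
function Get-ProgramCommandCandidate {
    param(
        [Parameter(Mandatory = $true)][string]$FileName,       # file name from the command line
        [Parameter(Mandatory = $true)][string]$PackageFolder,  # package content folder
        [string]$WindowsFolder = $env:windir,
        [string[]]$PathFolders = ($env:Path -split ';')
    )
    # With no extension given, the documented fallbacks are .com, .exe, .bat.
    if ([System.IO.Path]::GetExtension($FileName)) {
        $names = @($FileName)
    } else {
        $names = '.com', '.exe', '.bat' | ForEach-Object { $FileName + $_ }
    }

    # Documented location order: package, local Windows folder, local %path%.
    $locations = @(@{ Source = 'Package';        Folder = $PackageFolder },
                   @{ Source = 'Windows folder'; Folder = $WindowsFolder })
    foreach ($p in $PathFolders) { $locations += @{ Source = '%path%'; Folder = $p } }

    $rank = 0
    foreach ($loc in $locations) {
        if (-not $loc.Folder) { continue }        # skip empty %path% entries
        foreach ($name in $names) {
            $candidate = Join-Path $loc.Folder $name
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $rank++
                [pscustomobject]@{ Rank = $rank; Source = $loc.Source; Path = $candidate }
            }
        }
    }
}

# Constructed sample: a package folder and a stand-in "Windows" folder under %TEMP%.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('cmdemo-' + [guid]::NewGuid())
$pkg  = Join-Path $root 'pkg'
$win  = Join-Path $root 'windows'
New-Item -ItemType Directory -Path $pkg, $win | Out-Null
New-Item -ItemType File -Path (Join-Path $pkg 'setup.bat'), (Join-Path $pkg 'setup.exe'),
                              (Join-Path $win 'setup.com') | Out-Null

$hits = @(Get-ProgramCommandCandidate -FileName 'setup' -PackageFolder $pkg `
            -WindowsFolder $win -PathFolders @())
$hits | Format-Table Rank, Source, Path -AutoSize

if ($hits.Count -gt 1) {
    Write-Warning "'setup' matches $($hits.Count) files; put the extension in the command line."
}

Remove-Item -LiteralPath $root -Recurse -Force   # clean up the constructed sample
```

Run it against the real package source folder with the default -WindowsFolder and -PathFolders values to check a program's command line on a reference client.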

Create a package and program from a package definition file


1. In the Configuration Manager console, choose Software Library > Application Management >
Packages.
2. On the Home tab, in the Create group, choose Create Package from Definition.
3. On the Package Definition page of the Create Package from Definition Wizard, choose an existing
package definition file, or choose Browse to open a new package definition file. After you have specified a
new package definition file, select it from the Package definition list, and then choose Next.
4. On the Source Files page, specify information about any required source files for the package and
program, and then choose Next.
5. If the package requires source files, on the Source Folder page, specify the location from which the source
files are to be obtained, and then choose Next.
6. On the Summary page, review the actions that will be taken, and then complete the wizard. The new
package and program are displayed in the Packages node of the Software Library workspace.
For more information about package definition files, see About the package definition file format in this
topic.

Deploy packages and programs


1. In the Configuration Manager console, choose Software Library > Application Management >
Packages.
2. Select the package that you want to deploy, and then in the Home tab in the Deployment group, choose
Deploy.
3. On the General page of the Deploy Software Wizard, specify the name of the package and program that
you want to deploy, the collection to which you want to deploy the package and program, and optional
comments for the deployment.
Select Use default distribution point groups associated to this collection if you want to store the
package content on the collection's default distribution point group. If you did not associate the selected
collection with a distribution point group, this option is unavailable.
4. On the Content page, choose Add, and then select the distribution points or distribution point groups to
which you want to deploy the content that is associated with this package and program.
5. On the Deployment Settings page, choose a purpose for this deployment, and specify options for wake-
up packets and metered connections:
Purpose: Choose from:
Available: If the application is deployed to a user, the user sees the published package and
program in the Application Catalog and can request it on demand. If the package and program
is deployed to a device, the user sees it in Software Center and can install it on demand.
Required: The package and program is deployed automatically, according to the configured
schedule. However, a user can track the package and program deployment status and install it
before the deadline by using Software Center.
Send wake-up packets: If the deployment purpose is set to Required and this option is selected, a
wake-up packet is sent to computers before the deployment is installed to wake the computer from
sleep at the installation deadline time. Before you can use this option, computers must be configured
for Wake On LAN.
Allow clients on a metered Internet connection to download content after the installation
deadline, which might incur additional costs: Select this if it's required.

NOTE
The Pre-deploy software to the user's primary device option is not available when you deploy a package and
program.

6. On the Scheduling page, configure when this package and program will be deployed or made available to
client devices.
The options on this page vary depending on whether the deployment action is set to Available or
Required.
7. If the deployment purpose is set to Required, configure the rerun behavior for the program from the
Rerun behavior drop-down menu. Choose from the following options:

RERUN BEHAVIOR                            MORE INFORMATION

Never rerun deployed program              The program won't be rerun on the client, even if the program
                                          originally failed or if the program files are changed.

Always rerun program                      The program is always rerun on the client when the deployment is
                                          scheduled, even if the program has already successfully run. This
                                          can be useful when you use recurring deployments in which the
                                          program is updated, for example with antivirus software.

Rerun if failed previous attempt          The program is rerun when the deployment is scheduled only if it
                                          failed on the previous run attempt.

Rerun if succeeded on previous attempt    The program is rerun only if it previously ran successfully on the
                                          client. This is useful when you use recurring advertisements in
                                          which the program is routinely updated, and in which each update
                                          requires the previous update to be successfully installed.

8. On the User Experience page, specify the following information:


Allow users to run the program independently of assignments: If enabled, users can install this
software from Software Center regardless of any scheduled installation time.
Software installation: Allows the software to be installed outside of any configured maintenance
windows.
System restart (if required to complete the installation): If the software installation requires a
device restart to finish, allow this to happen outside of any configured maintenance windows.
Embedded devices: When you deploy packages and programs to Windows Embedded devices that
are write-filter-enabled, you can specify that packages and programs be installed on the temporary
overlay and commit changes later. Alternatively, you can commit the changes on the installation deadline
or during a maintenance window. When you commit changes on the installation deadline or during a
maintenance window, a restart is required and the changes persist on the device.

NOTE
When you deploy a package or program to a Windows Embedded device, make sure that the device is a
member of a collection that has a configured maintenance window. For more information about how
maintenance windows are used when you deploy packages and programs to Windows Embedded devices,
see Creating Windows Embedded applications.

9. On the Distribution Points page, specify the following information:


Deployment options: Specify the actions that a client should take to run program content. You can
specify behavior when the client is in a fast network boundary, or a slow or unreliable network
boundary.
Allow clients to share content with other clients on the same subnet: Select this option to
reduce load on the network by allowing clients to download content from other clients on the
network that already downloaded and cached the content. This option utilizes Windows BranchCache
and can be used on computers that run Windows Vista SP2 and later.
Allow clients to use a fallback source location for content:
Versions earlier than 1610: You can select the Allow fallback source location for content
check box to enable clients outside these boundary groups to fall back and use the
distribution point as a source location for content when no other distribution points are
available.
Version 1610 and later: You can no longer configure Allow fallback source location for
content. Instead, you configure relationships between boundary groups that determine when
a client can begin to search additional boundary groups for a valid content source location.
10. On the Summary page, review the actions that will be taken, and then complete the wizard.
You can view the deployment in the Deployments node of the Monitoring workspace and in the details
pane of the package deployment tab when you select the deployment. For more information, see Monitor
packages and programs in this topic.

IMPORTANT
If you configured the option Run program from distribution point on the Distribution Points page of the Deploy
Software Wizard, do not clear the option Copy the content in this package to a package share on distribution points
because this makes the package unavailable to run from distribution points.

Monitor packages and programs


To monitor package and program deployments, use the same procedures that you use to monitor applications as
detailed in Monitor applications.
Packages and programs also include a number of built-in reports, which enable you to monitor information about
the deployment status of packages and programs. These reports have the report category of Software
Distribution Packages and Programs and Software Distribution Package and Program Deployment
Status.
For more information about how to configure reporting in Configuration Manager, see Reporting in System Center
Configuration Manager.

Manage packages and programs


In the Software Library workspace, expand Application Management, choose Packages, choose the package
that you want to manage, and then choose a management task from the following table:

TASK: MORE INFORMATION

Create Prestage Content File: Opens the Create Prestaged Content File Wizard, which
enables you to create a file that contains the package content that can be manually imported
to another site. This is useful in situations where you have low network bandwidth between
the site server and the distribution point.

Create Program: Opens the Create Program Wizard, which enables you to create a new
program for this package.

Export: Opens the Export Package Wizard, which enables you to export the selected package
and its content to a file. For information about how to import packages and programs, see
Create packages and programs in this topic.

Deploy: Opens the Deploy Software Wizard, which enables you to deploy the selected package
and program to a collection. For more information, see Deploy packages and programs in this
topic.

Distribute Content: Opens the Distribute Content Wizard, which enables you to send the
content that is associated with the package and program to selected distribution points or
distribution point groups.

Update Distribution Points: Updates distribution points with the latest content for the
selected package and program.

About the package definition file format
Package definition files are scripts that you can use to help automate package and program creation with
Configuration Manager. They provide all of the information that Configuration Manager needs to create a package
and program, except for the location of package source files. Each package definition file is an ASCII or UTF-8 text
file that uses the .ini file format and that contains the following sections:
[PDF]
This section identifies the file as a package definition file. It contains the following information:
Version: Specify the version of the package definition file format that is used by the file. This corresponds to the
version of System Management Server (SMS) or Configuration Manager for which it was written. This entry is
required.
[Package Definition]
Specify the properties of the package and program. It provides the following information:
Name: The name of the package, up to 50 characters.
Version (optional): The version of the package, up to 32 characters.
Icon (optional): The file that contains the icon to use for this package. If specified, this icon replaces the
default package icon in the Configuration Manager console.
Publisher: The publisher of the package, up to 32 characters.
Language: The language version of the package, up to 32 characters.
Comment (optional): A comment about the package, up to 127 characters.
ContainsNoFiles: This entry indicates whether or not a source is associated with the package.
Programs: The programs that are defined for this package. Each program name corresponds to a
[Program] section in this package definition file.
Example:
Programs=Typical, Custom, Uninstall

MIFFileName: The name of the Management Information Format (MIF) file that contains the package
status, up to 50 characters.
MIFName: The name of the package (for MIF matching), up to 50 characters.
MIFVersion: The version number of the package (for MIF matching), up to 32 characters.
MIFPublisher: The software publisher of the package (for MIF matching), up to 32 characters.
[Program]
For each program that's specified in the Programs entry in the [Package Definition] section, the package
definition file must include a [Program] section that defines that program. Each Program section provides the
following information:
Name: The name of the program, up to 50 characters. This entry must be unique within a package. This
name is used when defining advertisements. On client computers, the name of the program is shown in
Run Advertised Programs in Control Panel.
Icon (optional): Specify the file that contains the icon to use for this program. If specified, this icon replaces
the default program icon in the Configuration Manager console and is displayed on client computers when
the program is advertised.
Comment (optional): A comment about the program, up to 127 characters.
CommandLine: Specify the command line for the program, up to 127 characters. The command is relative
to the package source folder.
StartIn: Specify the working folder for the program, up to 127 characters. This entry can be an absolute
path on the client computer or a path that's relative to the package source folder.
Run: Specify the program mode in which the program runs. You can specify Minimized, Maximized, or
Hidden. If this entry is not included, the program runs in normal mode.
AfterRunning: Specify any special action that occurs after the program is successfully completed. Options
available are SMSRestart, ProgramRestart, or SMSLogoff. If this entry is not included, the program
doesn't run a special action.
EstimatedDiskSpace: Specify the amount of disk space that the software program requires to run on the
computer. This can be specified as Unknown (the default setting) or as a whole number greater than or
equal to zero. If a value is specified, the units for the value must also be specified.
Example:
EstimatedDiskSpace=38MB

EstimatedRunTime: Specify the estimated duration (in minutes) that the program is expected to run on the
client computer. This can be specified as Unknown (the default setting) or as a whole number greater than
zero.
Example:
EstimatedRunTime=25

SupportedClients: Specify the processors and operating systems on which this program runs. The
specified platforms must be separated by commas. If this entry is not included, supported platform checking
is disabled for this program.
SupportedClientMinVersionX, SupportedClientMaxVersionX: Specify the beginning-to-ending range
for version numbers for the operating systems that are specified in the SupportedClients entry.
Example:

SupportedClients=Win NT (I386),Win NT (IA64),Win NT (x64)


Win NT (I386) MinVersion1=5.00.2195.4
Win NT (I386) MaxVersion1=5.00.2195.4
Win NT (I386) MinVersion2=5.10.2600.2
Win NT (I386) MaxVersion2=5.10.2600.2
Win NT (I386) MinVersion3=5.20.0000.0
Win NT (I386) MaxVersion3=5.20.9999.9999
Win NT (I386) MinVersion4=5.20.3790.0
Win NT (I386) MaxVersion4=5.20.3790.2
Win NT (I386) MinVersion5=6.00.0000.0
Win NT (I386) MaxVersion5=6.00.9999.9999
Win NT (IA64) MinVersion1=5.20.0000.0
Win NT (IA64) MaxVersion1=5.20.9999.9999
Win NT (x64) MinVersion1=5.20.0000.0
Win NT (x64) MaxVersion1=5.20.9999.9999
Win NT (x64) MinVersion2=5.20.3790.0
Win NT (x64) MaxVersion2=5.20.9999.9999
Win NT (x64) MinVersion3=5.20.3790.0
Win NT (x64) MaxVersion3=5.20.3790.2
Win NT (x64) MinVersion4=6.00.0000.0
Win NT (x64) MaxVersion4=6.00.9999.9999
AdditionalProgramRequirements (optional): Provide any other information or requirements for client
computers, up to 127 characters.
CanRunWhen: Specify the user status that the program requires to run on the client computer. Available
values are UserLoggedOn, NoUserLoggedOn, or AnyUserStatus. The default value is UserLoggedOn.
UserInputRequired: Specify whether the program requires interaction with the user. Available values are
True or False. The default value is True. This entry is set to False if CanRunWhen is not set to
UserLoggedOn.
AdminRightsRequired: Specify whether the program requires administrative credentials on the computer
to run. Available values are True or False. The default value is False. This entry is set to True if
CanRunWhen is not set to UserLoggedOn.
UseInstallAccount: Specify whether the program uses the Client Software Installation Account when it
runs on client computers. By default, this value is False. This value is also False if CanRunWhen is set to
UserLoggedOn.
DriveLetterConnection: Specify whether the program requires a drive letter connection to the package
files that are located on the distribution point. You can specify True or False. The default value is False,
which enables the program to use a Universal Naming Convention (UNC) connection. When this value is set
to True, the next available drive letter is used (starting with Z: and proceeding backward).
SpecifyDrive (optional): Specify a drive letter that the program requires to connect to the package files on
the distribution point. This specification forces the use of the specified drive letter for client connections to
distribution points.
ReconnectDriveAtLogon: Specify whether the computer reconnects to the distribution point when the
user signs in. Available values are True or False. The default value is False.
DependentProgram: Specify a program in this package that must run before the current program. This
entry uses the format DependentProgram=<ProgramName>, where <ProgramName> is the Name entry for that
program in the package definition file. If there are no dependent programs, leave this entry empty.
Example:
DependentProgram=Admin
DependentProgram=
Assignment: Specify how the program is assigned to users. This value can be: FirstUser (only the first user
who signs in to the client runs the program) or EveryUser (every user who signs in runs the program).
When CanRunWhen is not set to UserLoggedOn, this entry is set to FirstUser.
Disabled: Specify whether this program can be advertised to clients. Available values are True or False. The
default value is False.
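
The field rules above can be checked mechanically before a package definition file from a vendor or another site is imported. The following linter is an added example, not code from Configuration Manager or from the original documentation; the function names and the sample file are constructed, and it assumes that each program's section header is the program name listed in the Programs entry.

```python
import configparser
import re

# Length limits and allowed values as stated in the format description.
PACKAGE_LIMITS = {"name": 50, "version": 32, "publisher": 32,
                  "language": 32, "comment": 127}
PROGRAM_LIMITS = {"name": 50, "comment": 127, "commandline": 127,
                  "startin": 127, "additionalprogramrequirements": 127}
PROGRAM_ENUMS = {
    "run": {"minimized", "maximized", "hidden"},
    "afterrunning": {"smsrestart", "programrestart", "smslogoff"},
    "canrunwhen": {"userloggedon", "nouserloggedon", "anyuserstatus"},
    "assignment": {"firstuser", "everyuser"},
}

# Constructed sample file (not a real vendor package definition).
SAMPLE = """\
[PDF]
Version=2.0
[Package Definition]
Name=Contoso Viewer
Publisher=Contoso
Language=English
Programs=Typical, Silent, Uninstall
[Typical]
Name=Typical
CommandLine=setup.exe /typical
EstimatedDiskSpace=38MB
EstimatedRunTime=25
CanRunWhen=UserLoggedOn
[Silent]
Name=Silent
CommandLine=setup.exe /quiet
Run=Hidden
EstimatedDiskSpace=38
CanRunWhen=NoUserLoggedOn
AdminRightsRequired=False
DependentProgram=Admin
"""


def _lint_program(sec, names):
    """Yield (level, message) pairs for one program section."""
    for key, limit in PROGRAM_LIMITS.items():
        if len(sec.get(key, "")) > limit:
            yield "error", "%s exceeds %d characters" % (key, limit)
    for key, allowed in PROGRAM_ENUMS.items():
        value = sec.get(key, "").strip().lower()
        if value and value not in allowed:
            yield "error", "%s has unsupported value %r" % (key, value)
    disk = sec.get("estimateddiskspace", "Unknown").strip()
    if disk.lower() != "unknown" and not re.fullmatch(r"[0-9]+\s*[A-Za-z]+", disk):
        yield "error", "EstimatedDiskSpace needs a whole number with units"
    runtime = sec.get("estimatedruntime", "Unknown").strip()
    if runtime.lower() != "unknown" and not re.fullmatch(r"0*[1-9][0-9]*", runtime):
        yield "error", "EstimatedRunTime must be Unknown or a whole number > 0"
    dep = sec.get("dependentprogram", "").strip()
    if dep and dep not in names:
        yield "error", "DependentProgram %r is not a program in this package" % dep
    # Per the description, AdminRightsRequired is set to True whenever
    # CanRunWhen is not UserLoggedOn, whatever the file itself declares.
    can_run = sec.get("canrunwhen", "UserLoggedOn").strip().lower()
    declared = sec.get("adminrightsrequired", "False").strip().lower() == "true"
    if declared or can_run != "userloggedon":
        yield "review", "runs with administrative rights: %s" % sec.get("commandline", "")


def lint_package_definition(text):
    """Return (level, section, message) findings for one package definition file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [("error", "-", "not a valid .ini file: %s" % exc)]
    findings = []
    if not cp.get("PDF", "version", fallback="").strip():
        findings.append(("error", "PDF", "required Version entry is missing"))
    if not cp.has_section("Package Definition"):
        return findings + [("error", "Package Definition", "section is missing")]
    pkg = cp["Package Definition"]
    for key, limit in PACKAGE_LIMITS.items():
        if len(pkg.get(key, "")) > limit:
            findings.append(("error", "Package Definition",
                             "%s exceeds %d characters" % (key, limit)))
    # Assumption: each program's section header is its name from Programs.
    programs = [p.strip() for p in pkg.get("programs", "").split(",") if p.strip()]
    names = [cp[p].get("name", "") for p in programs if cp.has_section(p)]
    for prog in programs:
        if not cp.has_section(prog):
            findings.append(("error", prog, "listed in Programs but has no section"))
            continue
        findings.extend((lvl, prog, msg) for lvl, msg in _lint_program(cp[prog], names))
    return findings


if __name__ == "__main__":
    for finding in lint_package_definition(SAMPLE):
        print("%-6s [%s] %s" % finding)
```

The "review" finding for the Silent program shows why the CanRunWhen rule matters: the file declares AdminRightsRequired=False, but the program still runs with administrative rights because no user needs to be logged on.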
Deploy applications with System Center
Configuration Manager
11/23/2016 9 min to read

Applies to: System Center Configuration Manager (Current Branch)


Before you can deploy a System Center Configuration Manager application, you must create at least one
deployment type for the application. For more information about creating applications and deployment types, see
Create applications.
You can also simulate an application deployment. This type of deployment tests the applicability of an application
deployment to computers without installing or uninstalling the application. A simulated deployment evaluates the
detection method, requirements, and dependencies for a deployment type and reports the results in the
Deployments node of the Monitoring workspace. For more information, see Simulate application deployments.

IMPORTANT
You can deploy (install or uninstall) required applications, but not packages or software updates. MDM-enrolled devices also
do not support simulated deployments, user experience, or scheduling settings.

Deploy an application
1. In the Configuration Manager console, go to Software Library > Application Management >
Applications.
2. In the Applications list, select the application that you want to deploy. Then, on the Home tab, in the
Deployment group, click Deploy.
Specify general information about the deployment
On the General page of the Deploy Software wizard, specify the following information:
Software--This displays the application to deploy. You can click Browse to select a different application.
Collection--Click Browse to select the collection to deploy the application to.
Use default distribution point groups associated to this collection--Select this option if you want to
store the application content on the collection's default distribution point group. If you have not associated the
selected collection with a distribution point group, this option is grayed out.
Automatically distribute content for dependencies--If this is enabled and if any of the deployment
types in the application contain dependencies, then the dependent application content will be also sent to
distribution points.

IMPORTANT
If you update the dependent application after the primary application has been deployed, any new content for the
dependency will not be automatically distributed.

Comments (optional)--Enter a description of this deployment.


Specify content options for the deployment
On the Content page, click Add to add the content associated with this deployment to distribution points or
distribution point groups. If you have selected Use default distribution points associated to this collection
on the General page, then this option will be automatically populated and can only be modified by a member of
the Application Administrator security role.
Specify deployment settings
On the Deployment Settings page of the Deploy Software wizard, specify the following information:
Action--From the drop-down list, choose whether this deployment is intended to Install or Uninstall the
application.

NOTE
If an application is deployed twice to a device, once with an action of Install and once with an action of Uninstall,
the application deployment with an action of Install will take priority.

You cannot change the action of a deployment after it has been created.
Purpose--From the drop-down list, choose one of the following options:
Available--If the application is deployed to a user, the user sees the published application in Software
Center and can install it on demand.
Required--The application is deployed automatically according to the schedule. If the application
deployment status is not hidden, anyone using the application can track its deployment status and
install the application from Software Center before the deadline.

NOTE
When the deployment action is set to Uninstall, the deployment purpose is automatically set to Required
and cannot be changed.

Deploy automatically according to schedule whether or not a user is logged on--If the deployment
is to a user, select this option to deploy the application to the user's primary devices. This setting does not
require the user to log on before the deployment runs. Do not select this option if the user must provide
input to complete the installation. This option is only available when the deployment has a purpose of
Required.
Send wake-up packets--If the deployment purpose is set to Required and this option is selected, a wake-
up packet is sent to computers before the deployment is installed. This packet wakes the computers at the
installation deadline time. Before you can use this option, computers and networks must be configured for
Wake On LAN.
Allow clients on a metered Internet connection to download content after the installation deadline,
which might incur additional costs--This option is only available for deployments with a purpose of
Required.
Require administrator approval if users request this application--If this option is selected, the
administrator must approve any user requests for the application before it can be installed. This option is
grayed out when the deployment purpose is Required or when the application is deployed to a device
collection.
NOTE
Application approval requests are displayed in the Approval Requests node, under Application Management in
the Software Library workspace. If a request is not approved within 45 days, it will be removed. Additionally,
reinstalling the Configuration Manager client might cancel any pending approval requests. After you have approved
an application for installation, you can subsequently choose to deny the request by clicking Deny in the
Configuration Manager console (previously, this button was grayed out after approval). This action does not cause
the application to be uninstalled from any devices, but it does stop users from installing new copies of the
application from Software Center.

Automatically upgrade any superseded version of this application--If this option is selected, any
superseded versions of the application will be upgraded with the superseding application.
Specify scheduling settings for the deployment
On the Scheduling page of the Deploy Software wizard, set the time when this application will be deployed or
made available to client devices. The options on this page will differ depending on whether the deployment action
is set to Available or Required.
In some cases, you might want to give users more time to install required application deployments or software
updates beyond any deadlines you set up. This is typically required when a computer has been turned off for
an extended period of time and needs to install a large number of updates or application deployments. For
example, if a user has just returned from vacation, they might have to wait for a long time as overdue application
deployments are installed. To help solve this problem, you can now define an enforcement grace period by
deploying Configuration Manager client settings to a collection.
To configure the grace period, take the following actions:
On the Computer Agent page of client settings, configure the new property Grace period for enforcement
after deployment deadline (hours) with a value between 1 and 120 hours.
On the Scheduling page in a new required application deployment, or in the properties of an existing
deployment, select the box Delay enforcement of this deployment according to user preferences, up to
the grace period defined in client settings. The enforcement grace period is used by all deployments that
have this box selected and are targeted to devices to which you also deployed the client setting.
After the application install deadline is reached, the application will be installed in the first non-business window
that the user configured up to that grace period. However, the user can still open Software Center and install the
application at any time they want. Once the grace period expires, enforcement reverts to normal behavior for
overdue deployments.
If the application you are deploying supersedes another application, you can set the installation deadline when
users will receive the new application. Do this by using the setting Installation Deadline to upgrade users with
the superseded application.
Specify user experience settings for the deployment
On the User Experience page of the Deploy Software wizard, specify information about how users can interact
with the application installation.
When you deploy applications to Windows Embedded devices that are write-filter enabled, you can specify to
install the application on the temporary overlay and commit changes later, or to commit the changes at the
installation deadline or during a maintenance window. When you commit changes at the installation deadline or
during a maintenance window, you must restart the device. The changes persist on the device.
NOTE
When you deploy an application to a Windows Embedded device, make sure that the device is a member of a collection that
has a configured maintenance window. For more information about how maintenance windows are used when you deploy
applications to Windows Embedded devices, see Create Windows Embedded applications.
The options Software Installation and System restart (if required to complete the installation) are not used if the
deployment purpose is set to Available. You can also configure the level of notification a user sees when the application is
installed.

Specify alert options for the deployment


On the Alerts page of the Deploy Software wizard, set up how Configuration Manager and System Center
Operations Manager will generate alerts for this deployment. You can configure thresholds for reporting alerts
and turn off reporting for the duration of the deployment.
Associate the deployment with an iOS app configuration policy
On the App Configuration Policies page, click New to associate this deployment with an iOS app configuration
policy (if you have created one). For more information about this type of policy, see Configure iOS apps with app
configuration policies.
Finish up
On the Summary page of the Deploy Software wizard, review the actions that will be taken by this deployment,
and then click Next to finish the wizard.
The new deployment will be displayed in the Deployments list in the Deployments node of the Monitoring
workspace. You can edit the properties of this deployment or delete the deployment from the Deployments tab
of the application detail pane.

Delete an application deployment


1. In the Configuration Manager console, go to Software Library > Application Management >
Applications.
2. In the Applications list, select the application that includes the deployment you will delete.
3. In the Deployments tab of the list, select the application deployment to delete. Then on the Deployment
tab, in the Deployment group, click Delete.
When you delete an application deployment, any instances of the application that have already been
installed are not removed. To remove these applications, you must deploy the application to computers
with Uninstall. If you delete an application deployment, or remove a resource from the collection you are
deploying to, the application will no longer be visible in Software Center.

User notifications for required deployments


When you receive required software, from the Snooze and remind me setting, you can select from the following
drop-down list of values:
Later--Specifies that notifications are scheduled based on the notification settings configured in Client Agent
settings.
Fixed time--Specifies that the notification will be scheduled to display again after the selected time. For
example, if you select 30 minutes, the notification will display again in 30 minutes.
The maximum snooze time is always based on the notification values configured in the Client Agent settings at
every time along the deployment timeline. For example, if the Deployment deadline greater than 24 hours,
remind users every (hours) setting on the Computer Agent page is configured for 10 hours, and it is more
than 24 hours before the deadline when the dialog is launched, you would be presented with a set of snooze
options up to but never greater than 10 hours. As the deadline approaches, the dialog will show fewer options,
consistent with the relevant Client Agent settings for each component of the deployment timeline.
Additionally, for a high-risk deployment, such as a task sequence that deploys an operating system, the user
notification experience is now more intrusive. Instead of a transient taskbar notification, a dialog box like the
following displays on your computer each time you are notified that critical software maintenance is required:

For more information:


Settings to manage high-risk deployments
How to configure client settings
Simulate application deployments with System
Center Configuration Manager
11/23/2016 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can use simulated deployments to test an application deployment without installing or uninstalling the
application. A simulated deployment evaluates the detection method, requirements, and dependencies for a
deployment type. It reports the results in the Deployments node of the Monitoring workspace. Use the
procedure in this topic to simulate an application deployment in System Center Configuration Manager
(Configuration Manager).

NOTE
You cannot use simulated deployments for collections of mobile devices.
You cannot deploy an application with a deployment purpose of Uninstall if a simulated deployment of the same application
is active.

Configure a simulated application deployment


1. In the Configuration Manager console, select one of the following:
A collection of users.
A collection of devices.
A Configuration Manager application.
2. On the Home tab, in the Deployment group, choose Simulate Deployment.
3. In the Simulate Application Deployment Wizard, set the following details for your simulated deployment:
Application. Choose Browse, and then select the application you want to create a simulated
deployment for.
Collection. Choose Browse, and then select the collection that you want to use for the simulated
deployment.
Action. From the drop-down list, select whether you want to simulate the installation or the
uninstallation of the selected application.
Deploy automatically with or without user login. If this option is checked, the clients evaluate
the simulated deployment whether or not the clients are logged in.
4. Click Next, review the information on the Summary page, and then finish the wizard to create the
simulated application deployment.
5. Simulated applications appear in the Deployments node of the Monitoring workspace, with a purpose of
Simulate. For more information about how to monitor application deployments, see Monitor applications
from the System Center Configuration Manager console.
Deploy App-V virtual applications with System
Center Configuration Manager
12/7/2016 15 min to read

Applies to: System Center Configuration Manager (current branch)


When you use Configuration Manager to manage virtual applications, you gain the following benefits:
A single management infrastructure
Scalability, deployment, and content distribution features, like collections and user device affinity
Advanced application management features
Operating system deployment, software and hardware inventory, software metering, and asset intelligence
to support virtual applications
For more information about how to create and sequence applications with Microsoft Application Virtualization
(App-V), see Application Virtualization in the TechNet Library.
In addition to the other System Center Configuration Manager requirements and procedures for creating an
application, you must take the following considerations into account when you create and deploy virtual
applications:
To deploy virtual applications to computers, you must have the Configuration Manager client and App-V
Client installed on your computers. Client devices can include desktop and portable computers, and Virtual
Desktop Infrastructure (VDI) clients. The Configuration Manager and App-V Client software work together to
deliver, locate, and launch virtual application packages. The Configuration Manager client manages the
delivery of virtual application packages to the App-V Client. The App-V Client runs the virtual application on
the client.
To deploy a virtual application, you must first create the virtual application by using the App-V Application
Virtualization Sequencer. The sequencer monitors the installation and setup process for an application and
records the information that is needed for the application to run in a virtual environment. You can also use
the sequencer to set which files and configurations apply to all users, and which configurations users can
customize.
When you sequence an application, you must save the package to a location that Configuration Manager can
access. You can then create an application deployment that contains this virtual application.
Configuration Manager does not support the use of the shared read-only cache feature of App-V.
Configuration Manager supports the Shared Content Store feature in App-V 5.
When you create a deployment type for a virtual application, Configuration Manager creates the deployment
type by using the contents of the application manifest file. This is an XML file that has information about the
virtual application. Additionally, Configuration Manager creates requirements for the deployment type based
on the contents of the App-V .osd file that has information about the supported operating systems for the
virtual application.
To deploy virtual applications in Configuration Manager, client computers must have at minimum the App-V
4.6 SP1 or a later version of the client installed.
Before you can successfully deploy virtual applications, you must update the App-V Client with the hotfix
described in the Knowledge Base article 2645225.
When you use connection groups in App-V 5.0, your deployed virtual applications can share the same file
system and registry on client computers. Unlike standard virtual applications, these applications can share
data with one another. Additionally, connection groups preserve user settings for the applications that they
contain. App-V virtual environments in Configuration Manager are used to set up connection groups on
client computers. Virtual environments are created or changed on client computers when the application is
installed or when clients next evaluate their installed applications. You can prioritize these applications so
that when multiple applications try to change a file system or registry value, the application that has the
highest priority takes precedence. For more information, see Create App-V virtual environments.

Supported App-V versions


Configuration Manager supports the following versions of App-V:
App-V 4.6: To use virtual applications in Configuration Manager, client computers must have the App-V 4.6
SP1, App-V 4.6 SP2, or App-V 4.6 SP3 client installed.
Before you can successfully deploy virtual applications, you must also update the App-V 4.6 SP1 client with
the hotfix that is described in the Knowledge Base article 2645225.
App-V 5, App-V 5.0 SP1, App-V 5.0 SP2, App-V 5.0 SP3, and App-V 5.1: For App-V 5.0 SP2, you must
install Hotfix Package 5 or use App-V 5.0 SP3.
App-V 5.2: This is built into Windows 10 (Anniversary Update and later).

Steps to manage App-V virtual applications


To manage App-V virtual applications, follow these steps:
1. Sequence: Sequencing is the process of converting an application into a virtual application by using the
App-V sequencer.
2. Create: Use the Create Deployment Type Wizard to import the sequenced application into a Configuration
Manager deployment type that you can then add to an application. You can also create virtual environments
that allow multiple virtual applications to share settings.
3. Distribute: Distribution is the process of making App-V applications available on Configuration Manager
distribution points.
4. Deploy: Deployment is the process of making the application available on client computers. This is called
streaming in an App-V full infrastructure.

Configuration Manager virtual application delivery methods


Configuration Manager supports two methods for delivery of virtual applications to clients: streaming delivery and
local delivery (download and execute).
When you're deciding which delivery method to use, compare the reduced disk space requirement for streaming
delivery against the guaranteed availability of App-V applications in local delivery. The increased client disk space
that is required for local delivery might be preferable to streaming delivery so that users always have the
application available from any location.
Streaming delivery
When you use Configuration Manager to manage the App-V Client, it supports the streaming of virtual applications
through HTTP or HTTPS from a distribution point. Streaming through HTTP or HTTPS is enabled by default and is
set up in the dialog box for distribution point properties. When you deploy a virtual application to client computers
and a user runs the virtual application, the Configuration Manager client contacts a management point to
determine which distribution point to use. Then, the application is streamed from the distribution point.
Use the information in this table to help you decide if streaming delivery is the best delivery method for you:

ADVANTAGES

- This method uses standard network protocols to stream package content from distribution points.
- Program shortcuts for virtual applications invoke a connection to the distribution point, so the virtual
  application delivery is on demand.
- This method works well for clients with high-bandwidth connections to the distribution points.
- Updated virtual applications distributed throughout the enterprise are available as clients receive policy that
  informs them that the current version is superseded and they download only the changes from the previous version.
- Access permissions are defined at the distribution point to prevent users from accessing unauthorized
  applications or packages.

DISADVANTAGES

- Virtual applications are not streamed until the user runs the application for the first time. In this scenario, a
  user might receive program shortcuts for virtual applications and then disconnect from the network before running
  the virtual applications for the first time. If the user tries to run the virtual application while the client is
  offline, the user sees an error and can't run the virtualized application because a Configuration Manager
  distribution point is not available to stream the application. The application will be unavailable until the user
  reconnects to the network and runs the application.
  To avoid this, you can use the local delivery method for virtual application delivery to clients, or you can
  enable the Internet-based client management for streaming delivery.

Local delivery (download and execute)


When you use the local delivery method, the Configuration Manager client first downloads the entire virtual
application package into the Configuration Manager client cache. Configuration Manager then instructs the
App-V Client to stream the application from the Configuration Manager cache into the App-V cache. If you deploy a
virtual application to client computers and its content is not in the App-V cache, the App-V Client streams the
application content from the Configuration Manager client cache into the App-V cache, and then runs the
application. After the application runs successfully, you can set the Configuration Manager client to delete any older
versions of the package at the next deletion cycle, or to persist them in Configuration Manager client cache.
Use the information in this table to help you decide if local delivery is the best delivery method for you:

ADVANTAGES

- The standard distribution point functionality is used to download the package by using Background Intelligent
  Transfer Service (BITS).
- Virtual application package contents are delivered locally to the client. This means that users can run them when
  their computer is not connected to the network.
- This method is suitable for slow or unreliable network connections and for computers that only occasionally
  connect to the network.
- Configuration Manager uses Remote Differential Compression (RDC) to send to clients only the bytes within the
  files that have changed when virtual application package content is updated. The Configuration Manager client uses
  RDC to build a new version of a virtual application package based on the current version of the package and any
  changes sent to the client.
- This method provides application resiliency for mobile users or disconnected users. Admins can choose to persist
  the package in the Configuration Manager cache after delivery if the virtual application was deployed with an
  install action. The package in the Configuration Manager client cache serves as a local, reliable streaming source
  for the App-V Client to pull the package into its cache.

DISADVANTAGES

- Disk space that equals up to twice the size of the virtual application package is required on the client when the
  virtual application is persisted in the Configuration Manager cache.

Deployment from an image


You can also preinstall virtual applications on a computer and then create an image of that computer for
deployment to other computers. But if the virtual application package was created at a different site, the binary
delta replication will not be used to download updates to the application. This option can be useful in a virtual
desktop infrastructure when you want applications to be available immediately instead of downloading the
applications after the user logs on.

Migrating from an App-V infrastructure to a Configuration Manager and App-V infrastructure

Use the following table to help you plan a migration from an existing App-V infrastructure to virtual application
management with Configuration Manager.

Step: Examine your current virtual applications to choose the applications that you want to migrate to your
Configuration Manager infrastructure.
More information: No additional information.

Step: Evaluate the users and devices to which the virtual applications will be deployed.
More information: Create Configuration Manager collections to group together the users and devices to which you
want to deploy the virtual applications. See Introduction to collections.

Step: Migrate App-V 5 connection groups to Configuration Manager virtual environments.
More information: See the Migrate App-V 5 connection groups to Configuration Manager virtual environments section
in this topic.

Step: Investigate to find out if any of your virtual applications exist as full applications in your Configuration
Manager infrastructure.
More information: For easier management, you can add the virtual application as a new deployment type to the
existing full application. See Create applications.

Step: Create applications to replace your existing App-V packages.
More information: See Introduction to application management and Create applications.

Step: Configuration Manager begins to manage virtual applications on a client after the first deployment of a
virtual application. After this, Configuration Manager must manage all App-V applications on the computer.
More information: No additional information.

Step: Distribute the content to the appropriate distribution points to enable local delivery of applications.
More information: See Manage content and content infrastructure.

Step: Deploy the application to Configuration Manager clients.
More information: See Deploy applications.

If the App-V application was created with an earlier version of the sequencer that does not create a manifest XML
file, you can open it and save it in a newer version of the sequencer to create the file. This file is required to
deploy virtual applications with Configuration Manager.

App-V supports the virtual application packages that are created with the SoftGrid 4.1 SP1 or 4.2 versions of the
sequencer.

If the applications were previously installed locally, you must uninstall them before you deploy a virtual version
of the application.

Step: System Center Configuration Manager no longer supports using packages and programs that contain virtual
applications. When you migrate from Configuration Manager 2007 to System Center Configuration Manager,
Configuration Manager converts these packages into applications.
More information: See Planning for the migration of Configuration Manager objects to System Center Configuration
Manager.

Configuration Manager 2007 advertisements are converted into the following deployment types:

- Migrating App-V packages with no advertisement: One deployment type that uses the default deployment type
  settings.
- Migrating App-V packages with one advertisement: One deployment type that uses the same settings as the
  Configuration Manager 2007 advertisement.
- Migrating App-V packages with multiple advertisements: A deployment type, for each Configuration Manager 2007
  advertisement, that uses the settings for that advertisement.

Migrating App-V 5 connection groups to Configuration Manager virtual environments

App-V virtual environments in Configuration Manager allow virtual applications that you have deployed to share
the same file system and registry on client computers. This means that unlike standard virtual applications, these
applications can share data with each other. Virtual environments are created or changed on client computers when
the application is installed or when clients next evaluate their installed applications. Virtual environments are
similar to connection groups in standalone App-V 5.
When you migrate connection groups from standalone App-V 5 to Configuration Manager virtual environments,
you must ensure that Configuration Manager correctly manages the connection groups that already exist on client
computers, and that the user's environment within those connection groups is preserved.
To convert App-V 5 connection groups to Configuration Manager virtual environments:
1. Create Configuration Manager applications for all applications that existed in App-V.
2. Deploy the applications to users or devices with a deployment purpose of Required. Deployments to users
must be deployed to the same users who used the application in App-V. Deployments to computers must be
deployed to the same computers that had the application in App-V.
3. After the deployment is finished, create virtual environments that match the connection groups that are
published in standalone App-V. The virtual environment must have the same packages (specifically, App-V 5
deployment types) in the same order.
For information about how to create an App-V virtual environment, see How to create App-V virtual environments.
Alternatively, you can delete all connection groups from the App-V Client before you begin to deploy applications
with Configuration Manager. But any settings that users might have saved in App-V connection groups will be lost.

Dynamic Suite Composition in App-V 4.6


Dynamic Suite Composition is a feature that lets you define one virtual application package as having a
dependency on another virtual application package. When the application is run, the App-V Client hosts the primary
package and the dependent package in the same virtual environment for the application.
For you to use this feature with Configuration Manager, both packages must be deployed and registered with the
App-V Client. To ensure that dependent package content is hosted locally on the client computer, set up the
application deployment for local delivery (download and execute).
For more information about App-V Dynamic Suite Composition, see your App-V documentation.

Converting App-V 4.6 applications to App-V 5 applications


The application package format has changed between App-V 4.6 and App-V 5. Applications that have been
sequenced by using App-V 4.6 are no longer supported. But App-V 5 has a package converter tool that you can use
to convert applications. For more information, see your App-V 5 documentation.
Use the following steps to convert App-V 4.6 applications to App-V 5 applications:
1. Convert or resequence the App-V 4.6 packages into the App-V 5 format.
2. Deploy the App-V 5 client to computers in your hierarchy.
3. Create new applications that contain deployment types for your App-V 5 applications, and create
supersedence rules to supersede the App-V 4.6 applications.
4. Create virtual environments as required.
5. Deploy the new App-V 5 applications to computers.

User and deployment configuration files


User and deployment configuration files have settings that control how an application behaves. You can use these
files to change application settings without resequencing the application.
A typical App-V 5 application might contain the following files:
An application package (.appv) file
A user configuration file
A deployment configuration file
The user configuration file has settings that apply only to the logged-on user. You can, for example, edit the
configuration files to change the information about the application shortcut that will be deployed to users. You can
also create a Configuration Manager application with multiple deployment types. Each deployment type can
contain a different user configuration file and use requirement rules to ensure that these are installed for the
relevant users.
The deployment configuration file has settings that apply to the computer, like registry settings. The file can also
have user settings, which are applied to all users.
If you want to deploy App-V 5 virtual applications with Configuration Manager, all three files must be present in the
same folder when you create the App-V 5 deployment type. If there are multiple files in the folder, Configuration
Manager will use the most recent.
For more information, see your App-V 5 documentation.

App-V local interaction


In some application deployment scenarios, applications are installed locally on client computers, and other
applications are deployed as virtual applications to the same client computer. By default, the applications that were
locally installed cannot see or communicate directly with virtualized applications. This is the intended behavior of
the application isolation that App-V provides. Local interaction is a feature of the App-V Client that you can enable
for each application to allow locally installed applications that run on a client computer to see and communicate
with virtualized applications. Configuration Manager and App-V fully support local interaction.
For more information about the App-V local interaction feature, see your App-V documentation.

App-V 5 Shared Content Store


Configuration Manager supports the App-V 5 Shared Content Store feature. For more information, see Planning for
the App-V 5.0 Shared Content Store (SCS).

Monitoring virtual applications


Virtual application reports
You can use the following reports to monitor App-V in your Configuration Manager environment:

REPORT NAME - DESCRIPTION

App-V Virtual Environment Results - Shows information about a selected virtual environment that is in a specified
state for a selected collection (App-V 5 only).

App-V Virtual Environment Results For Asset - Shows information about a selected virtual environment for a
specified asset and any deployment types for the selected virtual environment (App-V 5 only).

App-V Virtual Environment Status - Shows compliance information for a selected virtual environment for a selected
collection. The Retained column in this report shows the assets in which a virtual environment that was previously
set up is no longer applicable, but it is retained to persist user settings in applications that run in the
virtual environment (App-V 5 only).

Computers with a specific virtual application - Shows a summary of computers that have the specified App-V
shortcut that the Application Virtualization Management Sequencer created (App-V 4.6 only).

Computers with a specific virtual application package - Shows a list of computers that have the specified App-V
application package installed (App-V 4.6 only).

Count all instances of virtual application packages - Shows a count of all detected App-V application packages
(App-V 4.6 only).

Count all instances of virtual applications - Shows a count of all detected App-V applications (App-V 4.6 only).

Log files
Configuration Manager records information about virtual application deployments in log files. For information
about the log files that virtual applications and Configuration Manager application management use, see Log files
in System Center Configuration Manager.
For Windows Vista, Windows 7, and Windows 8, you can find logs for the App-V client in
C:\ProgramData\Microsoft\Application Virtualization Client.
Monitor applications from the System Center Configuration Manager console
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


In System Center Configuration Manager, you can monitor the deployment of all software, including software
updates, compliance settings, applications, task sequences, and packages and programs. You can monitor
deployments by using the Monitoring workspace in the Configuration Manager console or by using reports.
Applications in Configuration Manager support state-based monitoring, which enables you to track the last
application deployment state for users and devices. These state messages display information about individual
devices. For example, if an application is deployed to a collection of users, you can view the compliance state of the
deployment and the deployment purpose in the Configuration Manager console.

Learn about compliance states in System Center Configuration Manager

An application deployment state has one of the following compliance states:
Success - The application deployment succeeded or was found to be already installed.
In Progress - The application deployment is in progress.
Unknown - The state of the application deployment could not be determined. This state is not applicable
for deployments with a purpose of Available. This state is typically displayed when state messages from
the client are not yet received.
Requirements Not Met - The application was not deployed because it was not compliant with a
dependency or a requirement rule, or because the operating system to which it was deployed was not
applicable.
Error - The application failed to deploy because of an error.
You can view additional information for each compliance state, including subcategories within the compliance state
and the number of users and devices in this category. For example, the Error compliance state includes the
following subcategories:
Error evaluating requirements
Content related errors
Installation errors
When more than one compliance state applies for an application deployment, you can see the aggregate
state that represents the lowest compliance. For example:
If a user signs in to two devices and the application is successfully installed on one device but fails to
install on the second device, the aggregate deployment state of the application for that user displays
as Error.
If an application is deployed to all users that sign in to a computer, you receive multiple deployment
results for that computer. If one of the deployments fails, the aggregate deployment state for the
computer displays as Error.
The deployment state for package and program deployments is not aggregated.
Use these subcategories to help you to quickly identify any important issues with an application deployment. You
can also view additional information about the devices that fall into a particular subcategory of a compliance state.
Application management in Configuration Manager includes a number of built-in reports that enable you to
monitor information about applications and deployments. These reports have the report category of Software
Distribution Application Monitoring.
For more information about how to configure reporting in Configuration Manager, see Reporting in System Center
Configuration Manager.

Monitor the state of an application in the Configuration Manager console

1. In the Configuration Manager console, choose Monitoring > Deployments.
2. To review deployment details for each compliance state and the devices in that state, select a deployment,
and then, on the Home tab, in the Deployment group, choose View Status to open the Deployment
Status pane. In this pane, you can view the assets with each compliance state. Choose any asset to view
more detailed information about the deployment status to that asset.

NOTE
The number of items that can be displayed in the Deployment Status pane is limited to 20,000. If you need to see
more items, use Configuration Manager reports to view application status data.
The status of deployment types is aggregated in the Deployment Status pane. To view more detailed information
about the deployment types, use the report Application Infrastructure Errors in the report category Software
Distribution Application Monitoring.

3. To review general status information about an application deployment, select a deployment, and then
choose the Summary tab in the Selected Deployment window.
4. To review information about the application's deployment type, select a deployment, and then choose the
Deployment Types tab in the Selected Deployment window.
The information that's shown in the Deployment Status pane after you choose View Status is live data from the
Configuration Manager database. The information that's shown in the Summary tab and the Deployment Types
tab is summarized data.
If the data that is shown in the Summary tab and the Deployment Types tab does not match the data that's
shown in the Deployment Status pane, choose Run Summarization to update the data in these tabs. You can
configure the default application deployment summarization interval as follows:
1. In the Configuration Manager console, choose Administration > Site Configuration > Sites.
2. From the Sites list, select the site for which you want to configure the summarization interval, and then in
the Home tab, in the Settings group, choose Status Summarizers.
3. In the Status Summarizers dialog box, choose Application Deployment Summarizer, and then choose
Edit.
4. In the Application Deployment Summarizer Properties dialog box, configure the required
summarization intervals, and then choose OK.
Software metering in System Center Configuration Manager
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


This topic contains a reference for all of the operations you might perform when using System Center
Configuration Manager software metering.

IMPORTANT
Software metering is used to monitor Windows PC desktop apps with a filename ending in .exe. Software metering does not
monitor modern Windows apps (such as those used by Windows 8).

Prerequisites for software metering


Software metering has no external dependencies, only dependencies within the product.

Dependency: Client settings for software metering.
More information: To use software metering, the client setting Enable software metering on clients must be enabled
and deployed to computers. You can deploy software metering settings to all computers in the hierarchy, or you can
deploy custom settings to groups of computers. See Configure software metering in this topic.

Dependency: The reporting services point.
More information: You must configure a reporting services point before you can view software metering reports. For
more information, see Reporting in System Center Configuration Manager.

Configure software metering


This procedure configures the default client settings for software metering and applies to all computers in your
hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and
deploy it to a collection that contains the computers on which you want to use software metering. For more
information about how to create custom device settings, see Configure client settings.
1. In the Configuration Manager console, click Administration > Client Settings > Default Client Settings.
2. On the Home tab, in the Properties group, click Properties.
3. In the Default Settings dialog box, click Software Metering.
4. In the Device Settings list, configure the following:
Enable software metering on clients: Select True to enable software metering.
Schedule data collection: Configure how often software metering data is collected from client
computers. Use the default value of every 7 days or click Schedule to specify a custom schedule.
5. Click OK to close the Default Settings dialog box.
Client computers are configured with these settings the next time they download client policy. To initiate
policy retrieval for a single client, see Manage clients.

Create software metering rules


Use the Create Software Metering Rule wizard to create a new software metering rule for your Configuration
Manager site.
1. In the Configuration Manager console, click Assets and Compliance > Software Metering.
2. On the Home tab, in the Create group, click Create Software Metering Rule.
3. On the General page of the Create Software Metering Rule wizard, specify the following information:
Name - The name of the software metering rule. This should be unique and descriptive.

NOTE
Software metering rules can share the same name if the file name contained in the rules is different.

File Name - The name of the program file that you want to meter. You can click Browse to display
the Open dialog box, in which you can select the program file to use.

NOTE
If you type the executable file name in the File name box, no checks are carried out to determine whether this
file exists or whether it contains the necessary header information. When possible, click Browse and select the
executable file to be metered.
Wildcard characters are not permitted in the file name.
This box is optional if a value for Original file name is specified.

Original File Name - The name of the executable file that you want to meter. This name is matched against
information in the header of the file, not the file name itself, so it is useful in cases where the
executable file has been renamed but you want to meter it by the original name.

NOTE
Wildcard characters are not permitted in the original file name.
This box is optional if a value for File Name is specified.

Version - The version of the executable file that you want to meter. You can use the wildcard
character (*) to represent any string of characters or the wildcard character (?) to represent any single
character. If you want to meter for all versions of an executable file, use the default value (*).
Language - The language of the executable file to meter. The default value is the current locale of the
operating system you are using. If you select an executable file to be metered by clicking the Browse
button, this box is automatically filled if language information is present in the header of the file. To
meter all language versions of a file, select Any in the drop-down list.
Description - An optional description for the software metering rule.
Apply this software metering rule to the following clients - Select whether you want to apply
the software metering rule to all clients in the hierarchy or to the clients that are assigned to the site
specified in the Site list.
4. To continue, click Next.
5. Review and confirm the settings and then complete the wizard to create the software metering rule. The new
software metering rule is displayed in the Software Metering node in the Assets and Compliance
workspace.
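
The rule fields described in the wizard steps above can be modelled to show why metering by Original File Name still covers a renamed executable. This Python model is an added example, not Configuration Manager code: the class and function names, the case-insensitive comparison, the assumption that a match on either name field is sufficient, and the sample woodgrove.exe values are constructed for illustration.

```python
import re
from dataclasses import dataclass

ANY_LANGUAGE = "Any"  # stands for the "Any" entry in the Language list


@dataclass(frozen=True)
class MeteringRule:
    """Fields of a software metering rule as listed on the General page."""
    name: str
    file_name: str = ""            # name on disk, wildcards not permitted
    original_file_name: str = ""   # name from the file header, wildcards not permitted
    version: str = "*"             # "*" = any string, "?" = any single character
    language: str = ANY_LANGUAGE

    def problems(self):
        """Return the reasons this rule breaks the constraints stated in the text."""
        issues = []
        if not self.file_name and not self.original_file_name:
            issues.append("File Name or Original File Name is required")
        for label, value in (("File Name", self.file_name),
                             ("Original File Name", self.original_file_name)):
            if "*" in value or "?" in value:
                issues.append(f"wildcards are not permitted in {label}")
        return issues


@dataclass(frozen=True)
class Executable:
    """What is known about a program on a client (hypothetical model)."""
    file_name: str            # current name on disk
    original_file_name: str   # name recorded in the file header
    version: str
    language: str


def version_regex(pattern):
    """Translate the two documented wildcards into a regex for fullmatch()."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def matches(rule, exe):
    """True when exe would be metered by rule under the assumptions above."""
    if rule.problems():
        raise ValueError("; ".join(rule.problems()))
    # Assumption: a hit on either name field is enough.
    by_name = bool(rule.file_name) and rule.file_name.lower() == exe.file_name.lower()
    by_header = (bool(rule.original_file_name)
                 and rule.original_file_name.lower() == exe.original_file_name.lower())
    if not (by_name or by_header):
        return False
    if not version_regex(rule.version).fullmatch(exe.version):
        return False
    return rule.language == ANY_LANGUAGE or rule.language.lower() == exe.language.lower()


# Constructed sample data: the legacy program, a renamed copy, and a newer build.
LEGACY = Executable("woodgrove.exe", "woodgrove.exe", "2.1.0.0", "English")
RENAMED = Executable("notes.exe", "woodgrove.exe", "2.1.7.0", "English")
NEWER = Executable("woodgrove.exe", "woodgrove.exe", "3.0.0.0", "German")

BY_FILE_NAME = MeteringRule("legacy by file name", file_name="Woodgrove.exe", version="2.*")
BY_HEADER = MeteringRule("legacy by original name",
                         original_file_name="woodgrove.exe", version="2.?.*")

if __name__ == "__main__":
    for rule in (BY_FILE_NAME, BY_HEADER):
        for exe in (LEGACY, RENAMED, NEWER):
            print(f"{rule.name:24} {exe.file_name:14} {exe.version:8} -> {matches(rule, exe)}")
```

A rule keyed only on File Name misses the renamed copy, while the rule keyed on Original File Name still matches it.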

Configure automatic software metering rules


You can configure software metering in Configuration Manager to automatically generate disabled software
metering rules from recent usage inventory data held in the site database. You can configure this so that metering
rules are created only for applications that are used on a specified percentage of computers. You can
also specify the maximum number of automatically generated software metering rules allowed on the site.

NOTE
By default, software metering rules that are automatically created are disabled. Before you can begin to collect usage data
from these rules, you must enable them.

1. In the Configuration Manager console, click Assets and Compliance > Software Metering, and then, in
the Home tab, in the Settings group, click Software Metering Properties.
2. In the Software Metering Properties dialog box, configure the following:
Data retention (in days) - Specifies the amount of time that data generated by software metering
rules is kept in the site database. The default value is 90 days.
Enable the option Automatically create disabled metering rules from recent usage inventory
data.
Specify the percentage of computers in the hierarchy that must use a program before a
software metering rule is automatically created - The default value is 10 percent.
Specify the number of software metering rules that must be exceeded in the hierarchy
before the automatic creation of rules is disabled - The default value is 100 rules.
3. Click OK to close the Software Metering Properties dialog box.

Manage software metering rules


In the Assets and Compliance workspace, select Software Metering, select the software metering rule to
manage, and then select a management task.
Use the following table for more information about the management tasks that might require some information
before you select them.

Management task: Enable / Disable
Details: Enables or disables a software metering rule. This setting is downloaded to client computers according to
the Client policy polling interval in the Client Policy section of client settings (by default, every 60 minutes).
See Configure client settings.

Monitor software metering


Software metering in Configuration Manager includes a number of built-in reports which allow you to monitor
information about software metering operations. These reports have the report category of Software Metering.
For more information about how to configure reporting in Configuration Manager, see Reporting in System Center
Configuration Manager.
Additionally, you can create queries and collections based on the data stored in the Configuration Manager
database by software metering.
For more information about collections in Configuration Manager, see Introduction to collections.
For more information about queries in Configuration Manager, see Introduction to queries.

Security and privacy for software metering


Security Issues for Software Metering
An attacker could send invalid software metering information to Configuration Manager, which will be accepted by
the management point even when the software metering client setting is disabled. This might result in a large
number of metering rules that are replicated throughout the hierarchy, causing a denial of service on the network
and to Configuration Manager site servers.
Because an attacker can create invalid software metering data, do not consider software metering information to be
authoritative.
Software metering is enabled by default as a client setting.
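
Because metering data can be invalid and is accepted even when the client setting is disabled, usage records are worth corroborating against data you trust before you act on them. The following Python example is added here and is not Configuration Manager code: it runs on constructed records, and the function names, the record layout, and the reading of the 10 percent and 100 rule defaults as "at least 10 percent of computers" and "more than 100 existing rules" are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from a real site).
ALL_DEVICES = {f"PC{n:03d}" for n in range(1, 21)}      # 20 known computers
METERING_ENABLED = ALL_DEVICES - {"PC019", "PC020"}     # metering client setting is on
INVENTORY = {d: {"woodgrove.exe", "winword.exe"} for d in ALL_DEVICES}

# Usage records as (reporting device, executable file name).
REPORTS = (
    [(f"PC{n:03d}", "woodgrove.exe") for n in range(1, 6)]
    + [(dev, exe) for exe in ("tool-a.exe", "tool-b.exe", "tool-c.exe")
       for dev in ("PC019", "PC020", "PC999")]
    + [("PC006", "ghost.exe")]
)


def triage(reports, known_devices, metering_enabled, inventory):
    """Split usage records into corroborated records and findings.

    A record is corroborated only when it comes from a known device that has
    software metering enabled and whose software inventory lists the file.
    """
    trusted, findings = [], []
    for device, exe in reports:
        exe_l = exe.lower()
        if device not in known_devices:
            findings.append((device, exe_l, "unknown device"))
        elif device not in metering_enabled:
            findings.append((device, exe_l, "metering disabled on device"))
        elif exe_l not in inventory.get(device, set()):
            findings.append((device, exe_l, "file not in software inventory"))
        else:
            trusted.append((device, exe_l))
    return trusted, findings


def auto_rule_candidates(records, total_computers, percent=10,
                         existing_rules=0, max_rules=100):
    """Programs that would qualify for an automatically created (disabled) rule.

    Models the two documented settings: the percentage of computers that must
    use a program, and the rule count above which automatic creation stops.
    """
    if existing_rules > max_rules:
        return []
    devices_by_exe = defaultdict(set)
    for device, exe in records:
        devices_by_exe[exe.lower()].add(device)
    return sorted(exe for exe, devices in devices_by_exe.items()
                  if 100 * len(devices) >= percent * total_computers)


if __name__ == "__main__":
    trusted, findings = triage(REPORTS, ALL_DEVICES, METERING_ENABLED, INVENTORY)
    for device, exe, reason in findings:
        print(f"REVIEW {device} {exe}: {reason}")
    total = len(ALL_DEVICES)
    print("candidates from all records:     ", auto_rule_candidates(REPORTS, total))
    print("candidates from corroborated only:", auto_rule_candidates(trusted, total))
```

The gap between the two candidate lists shows how many automatically created rules would rest only on uncorroborated data.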
Privacy Information for Software Metering
Software metering monitors the usage of applications on client computers. Software metering is enabled by
default. You must configure which applications to meter. Metering information is stored in the Configuration
Manager database. The information is encrypted during transfer to a management point but it is not stored in
encrypted form in the Configuration Manager database.
This information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Software
Metering Data (every five days) and Delete Aged Software Metering Summary Data (every 270 days). You
can configure the deletion interval. Metering information is not sent to Microsoft.
Before you configure software metering, consider your privacy requirements.

Example scenario for using software metering


In this section, you'll create an example software metering rule that can help you solve the following business
requirements:
Determine how many copies of a particular app are in your company
Discover any unused copies of an app
Determine which users regularly use a particular app
Woodgrove Bank has deployed Microsoft Office 2010 as its standard office productivity suite. However, to
support a legacy application, some computers must continue to run Microsoft Office Word 2003. The IT
department wants to reduce support and licensing costs by removing these copies of Word 2003 if the
legacy application is no longer used. The help desk also wants to identify which users use the legacy
application.
John is Woodgrove Bank's IT Systems Manager who uses software metering in Configuration Manager to
achieve these business objectives. He performs the following actions:
John checks the prerequisites for software metering and confirms that the reporting services point is
installed and operational.
John configures the default client settings for software metering:
He enables software metering and uses the default data collection schedule of once every seven days.
He configures software inventory to inventory files that have the extension .exe by configuring the software
inventory client setting Inventory these file types.
He adds a new software metering rule, named woodgrove.exe, to monitor the legacy application.
John waits for seven days, after which the client computers begin to report usage data for the woodgrove.exe
executable.
John uses the Configuration Manager report Install base for all metered software programs to see which
computers have the application woodgrove.exe loaded.
After six months, John runs the report Computers that have a metered program installed, but have not
run the program since a specified date, specifying the software metering rule and a date six months in the
past. This report identifies 120 computers that have not run the program in the past six months.
John makes some further checks to confirm that the legacy application is not required on the identified
computers. He then uninstalls the legacy application and the copy of Word 2003 from these computers.
John runs the report Users that have run a specific metered software program to provide the help desk
with a list of users who continue to use the legacy application.
John continues to check the software metering reports weekly and takes remedial action if necessary.
As a result of this course of action, IT support and licensing costs are reduced by removing the applications
that are no longer required. In addition, the help desk now has the list that it wanted of the users who run
the legacy application.
Management tasks for System Center Configuration
Manager applications
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


Use the information in this article to help you manage System Center Configuration Manager applications and
deployment types.
For help creating applications and deployment types, see Create applications.

IMPORTANT
Depending on the type of application or deployment type, some management options might not be available.

Manage applications
In the Software Library workspace, expand Application Management > Applications, choose the application
to manage, and then choose a management task.

TASK: DETAILS

Manage Access Accounts: Opens the Manage Access Accounts dialog box where you can specify the level of access
that is allowed for the content that is associated with the selected application.

Create Prestage Content File: Opens the Create Prestaged Content File Wizard that helps you to manage the
distribution of content to remote distribution points. When the scheduling and throttling does not provide a valid
solution for the remote distribution point, you can prestage the content on the distribution point.
See Manage content and content infrastructure.

Revision History: Opens the Application Revision History dialog box that lets you view the properties of
revisions that were made to this application, delete old application revisions, and restore old versions of this
application.
See How to revise and supersede applications.

Create Deployment Type: Opens the Create Deployment Type Wizard that lets you add a new deployment type to the
selected application.
See Create applications.

Update Statistics: Updates the information that is displayed in the Deployments node of the Monitoring workspace
about the deployments of this application.
See Monitor applications from the System Center Configuration Manager console.

Reinstate: Reinstates an application that was retired by using the Retire management task.

Retire: When you retire an application, it is no longer available for deployment, but the application and
deployments of the application are not deleted. Existing copies of this application that were installed on client
computers will not be removed. Any revisions to the application will be deleted from Configuration Manager after
60 days. But, installed copies of the application are not removed.
To delete an application, you must first retire the application, delete all deployments, remove references to the
application by other deployments, and then delete all of the application's revisions.
See Revise and supersede applications.

Export: Opens the Export Application Wizard that lets you export the selected applications to a .zip file that
you can then archive or install on another site. If you choose to export application content, a folder that has
the content will be created.
You can also export application dependencies, supersedence relationships and conditions, and content for the
application and its dependencies.
The Windows PowerShell cmdlet, Export-CMApplication, does the same function. For more information, see
Export-CMApplication in the Microsoft System Center 2012 Configuration Manager SP1 cmdlet reference documentation.

Delete: Deletes the currently selected application.
You cannot delete an application if other applications are dependent on it, if it has an active deployment, or if
it has dependent task sequences.

Simulate Deployment: Opens the Simulate Application Deployment Wizard where you can test the results of an
application deployment to computers without installing or uninstalling the application.
See Simulate application deployments.

Deploy: Opens the Deploy Software Wizard where you can deploy the selected application to collections of
computers in your hierarchy.
See Deploy applications.

Distribute Content: Opens the Distribute Content Wizard where you can copy the content for the selected
application to distribution points in your hierarchy.
See Manage content and content infrastructure.

View Relationships: Shows a graphical diagram of the relationships of the selected applications to other
applications. Choose from one of the following:
Dependency: Shows applications that are dependent on the selected application and the applications that the
selected application depends on.
Supersedence: Shows applications that the selected application supersedes and applications that the selected
application is superseded by.
Global Conditions: Shows the global conditions that are referenced by this application.
See Revise and supersede applications and Create global conditions.

Manage deployment types


In the Software Library workspace, expand Application Management, choose Applications, and then choose
the application that has the deployment type that you want to manage. In the details pane, choose the
Deployment Types tab, choose the deployment type that you want to manage, and then choose a management
task.

TASK: DETAILS

Increase Priority: Increases the priority of the selected deployment type.
Deployment types are evaluated in order. When a deployment type meets the specified requirements, it will be run,
and then no further deployment types on the priority list will be evaluated.

Decrease Priority: Decreases the priority of the selected deployment type.

Delete: Deletes the selected deployment type.
You cannot delete a deployment type if it is referenced by a deployment type in another application.
To delete a deployment type, you must remove all dependencies to the deployment type that are in other deployment
types.
Additionally, you must also remove previous revisions of all applications that have a deployment type that
references the deployment type that you want to delete.

Update Content: Refreshes the content for the selected deployment type.
When you start this wizard for a deployment type that has a virtual application, the Update Content Wizard is
started. This wizard lets you change publishing options and requirement rules for the selected virtual
application. For more information, see Create applications.
When you refresh the content of a deployment type, a new revision of the application is created. This might cause
client devices to be updated with the new application.
Link users and devices with user device affinity in
System Center Configuration Manager
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


User device affinity in System Center Configuration Manager (Configuration Manager) associates a user with one
or more devices. This can eliminate the need to know the names of a user's devices to deploy an application to the
user. Instead of deploying the application to each of the user's devices, you deploy the application to the user. Then,
user device affinity automatically ensures that the application installs on all devices that are associated with that
user.
You can define primary devices that typically are the devices that users use on a daily basis to perform their work.
When you create an affinity between a user and a device, you gain more app deployment options. For example, if a
user requires Microsoft Visio, you can install it on the user's primary device by using a Windows Installer
deployment. However, on a device that's not a primary device, you might deploy Visio as a virtual application. You
also can use user device affinity to predeploy software on a user's device when the user isn't logged on so that,
when the user logs on, the app is already installed and ready to run.
You must manage user device affinity information for computers. Configuration Manager automatically manages
user device affinities for the mobile devices that it enrolls.

Manually set up user device affinity


1. In the Configuration Manager console, choose Assets and Compliance > Devices.
2. In the list, select a device. Then, on the Home tab, in the Device group, choose Edit Primary Users.
3. In the Edit Primary Users dialog box, search for and then select the users to add as primary users for the
selected device. Choose Add.

NOTE
The Primary Users list shows users who are already primary users of this device, and the method by which each
user-device relationship was assigned.

Set up primary devices for a user


1. In the Configuration Manager console, choose Assets and Compliance > Users.
2. In the list, select a user. Then, on the Device tab, choose Edit Primary Devices.
3. In the Edit Primary Devices dialog box, search for and then select the devices to add as primary devices for
the selected user. Choose Add.

NOTE
The Primary Devices list shows devices that are already set up as primary devices for this user, and the method by
which each user-device relationship was assigned.
Automatically create user device affinities (Windows PCs only)
Configuration Manager reads data about user logons from the Windows Event log. To automatically create user
device affinities, you must turn on these two options in the local security policy on client computers to store logon
events in the Windows Event log:
Audit account logon events
Audit logon events
To configure these settings, use Windows Group Policy.

IMPORTANT
If an error causes the Windows event log to generate a high number of entries, a new event log might be created. If this
occurs, existing logon events might no longer be available to Configuration Manager.
Be careful when you turn on the Audit account logon events and Audit logon events settings in Windows XP. By default,
the retention policy is 7 days, and it is very likely that these events will fill up the security event log. Standard users won't be
able to log on if the event log is full. To prevent this, for the security event log, set the policy Retention Method value to
Overwrite events as needed. For sufficient data for user device affinity, also set the policy maximum security event log size
to a reasonable value, such as 5-20 MB.

Set up the site to automatically create user device affinities


1. In the Configuration Manager console, choose Administration > Client Settings.
2. To modify the default client settings, select Default Client Settings, and then, on the Home tab, in the
Properties group, choose Properties. To create custom client agent settings, select the Client Settings
node, and then, on the Home tab, in the Create group, choose Create Custom Client Device Settings.

NOTE
If you modify the default client settings, they will be deployed to all computers in the hierarchy. For more information
about configuring client settings, see How to configure client settings in System Center Configuration Manager.

3. For User and Device Affinity, set the following:


User device affinity threshold (minutes). Set the number of minutes of device usage before a user
device affinity is created.
User device affinity threshold (days). Set the number of days over which the usage-based affinity
threshold is measured.
Automatically configure user device affinity from usage data. To let the site automatically
create user device affinities, from the drop-down list, select True. If you select False, you must
approve all user device affinity assignments.

TIP
Example: If you set User device affinity threshold (minutes) to 60 minutes and you set User device affinity
threshold (days) to 5 days, the user must use the device for at least 60 minutes over a period of 5 days to
automatically create a user device affinity.

After an automatic user device affinity is created, Configuration Manager continues to monitor the user device
affinity thresholds. If the user's activity for the device falls below the thresholds you've set, the user device affinity
is removed. Set User device affinity threshold (days) to a value of at least 7 days to avoid situations in which an
automatically configured user device affinity might be lost while the user is not logged on, for example, during the
weekend.

Import user device affinities from a file


To create many relationships at one time, you can import a file that has the details for multiple user device
affinities. For this procedure, the subject devices must have been discovered and exist as resources in the
Configuration Manager database, or the procedure will fail.
1. In the Configuration Manager console, choose Assets and Compliance > Users or Devices.
2. On the Home tab, in the Create group, choose Import User Device Affinity.
3. In the Import User Device Affinity Wizard, on the Choose Mapping page, set this information:
File name. Specify a comma-separated values (CSV) file that has a list of users and devices between
which you want to create an affinity. In this file, each user-and-device pair must be on its own row,
with values separated by a comma. Use this format: <Domain>\<user name>,<device NetBIOS
name>.
This file has column headings for reference purposes. If the .csv file has a top-row header, select
this option and the header row is ignored during the import.
4. If the file you are importing has more than two items in each row, you can use Column and Assign to
specify which columns represent users and devices, and which columns to ignore during import.
5. Choose Next, and then finish the Import User Device Affinity Wizard.
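
A pre-import check for the CSV format described in this procedure, as an added example that is not part of the original documentation or of Configuration Manager. The function name, the column-index parameters (standing in for the wizard's Column and Assign mapping) and the WOODGROVE sample rows are constructed for illustration; the 15-character limit is the NetBIOS computer-name limit.

```python
import csv
import io
import re

# Characters that cannot appear in a NetBIOS computer name, plus whitespace.
_BAD_NETBIOS = re.compile(r'[\\/:*?"<>|\s]')
NETBIOS_MAX = 15  # NetBIOS computer names are at most 15 characters long

# Constructed sample file: a header row, two good rows, three bad rows.
SAMPLE_CSV = """User,Device
WOODGROVE\\john,WG-PC-0001
WOODGROVE\\mary,WG-PC-0002
mary,WG-PC-0003
WOODGROVE\\lee,WG-LAPTOP-LONGNAME-01
WOODGROVE\\JOHN,wg-pc-0001
"""


def validate_affinity_csv(text, has_header=False, user_col=0, device_col=1):
    """Check a user device affinity import file before it is imported.

    Returns (pairs, errors):
      pairs  - list of (user, device) tuples that passed every check
      errors - list of (line_number, message) for rows that did not
    """
    pairs, errors, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if has_header and line_no == 1:
            continue  # the wizard ignores the header row when told to
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) <= max(user_col, device_col):
            errors.append((line_no, "row has too few columns"))
            continue
        user = row[user_col].strip()
        device = row[device_col].strip()

        # The user must be written as <Domain>\<user name>.
        domain, sep, name = user.partition("\\")
        if not sep or not domain or not name or "\\" in name:
            errors.append((line_no, f"user {user!r} is not <Domain>\\<user name>"))
            continue
        # The device must be a plausible NetBIOS name.
        if not device or len(device) > NETBIOS_MAX or _BAD_NETBIOS.search(device):
            errors.append((line_no, f"device {device!r} is not a valid NetBIOS name"))
            continue
        # Windows account and computer names are case-insensitive.
        key = (user.lower(), device.lower())
        if key in seen:
            errors.append((line_no, f"duplicate pair {user},{device}"))
            continue
        seen.add(key)
        pairs.append((user, device))
    return pairs, errors


if __name__ == "__main__":
    good, bad = validate_affinity_csv(SAMPLE_CSV, has_header=True)
    for user, device in good:
        print("ok   ", user, device)
    for line_no, message in bad:
        print("line", line_no, message)
```

The check cannot confirm that each device already exists as a resource in the Configuration Manager database, which the import still requires.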

Let users create their own device affinities


With the next procedures, you can set up a user to create their own user device affinity in the Software Center app.
Set up the site to allow user-created user device affinity requests
1. In the Configuration Manager console, choose Administration > Client Settings.
2. To modify the default client settings, select Default Client Settings, and then, on the Home tab, in the
Properties group, choose Properties. To create custom client agent settings, select the Client Settings
node, and then, on the Home tab, in the Create group, choose Create Custom Client User Settings.

NOTE
If you modify the default client settings, they will be deployed to all computers in the hierarchy. For more information
about configuring client settings, see Configure client settings.

3. Select the client setting User and Device Affinity and then, in the Allow user to define their primary
devices drop-down list, select True.
Set up a user device affinity
1. In the Application Catalog, choose My Systems.
2. Select the option I regularly use this computer to do my work.

Manage user device affinity requests from users


When the client setting Automatically configure user device affinity from usage data is set to False, you
must approve all user device affinity assignments.
Approve or reject a user device affinity request
1. In the Configuration Manager console, choose Assets and Compliance.
2. In the Assets and Compliance workspace, select the user or device collection for which you want to
manage affinity requests.
3. On the Home tab, in the Collection group, choose Manage Affinity Requests.
4. In the Manage User Device Affinity Requests dialog box, select an affinity request, and then choose
Approve or Reject.
Apply settings to iOS apps with app configuration
policies in System Center Configuration Manager
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


You can use app configuration policies in System Center Configuration Manager (Configuration Manager) to
distribute settings that might be required when a user runs an app. For example, an app might require a user to
specify these details:
A custom port number
Language settings
Security settings
Branding settings, like a company logo
If the user enters the settings incorrectly, the burden to fix them falls on your help desk, and app deployment is
slow. To help you prevent these problems, you can use app configuration policies to deploy required settings to
users before they run the app. The settings are associated with a user automatically. The user doesn't need to take
any action. To use an app configuration policy in Configuration Manager, instead of deploying the configuration
policies directly to users and devices, you associate a policy with a deployment type when you deploy the app. The
policy settings are applied whenever the app checks for them (typically, the first time the app runs).
Currently, app configuration policies are available only on devices running iOS 8 and later, and for these
application types:
app package for iOS (*.ipa file)
app package for iOS from App Store
For more information about app installation types, see the introduction to application management.

Create an app configuration policy


1. In the Configuration Manager console, choose Software Library > Application Management > App
Configuration Policies.
2. On the Home tab, in the App Configuration Policies group, choose Create new Application Configuration
Policy.
3. In the Create App Configuration Policy Wizard, on the General page, set this policy information:
Name. Enter a unique name for the policy.
Description. (Optional) To make it easier to identify the policy, you can add a description.
Assigned categories to improve searching and filtering. (Optional) To create and assign categories
to the policy, choose Categories. Categories make it easier for you to sort and find items in the
Configuration Manager console.
4. On the iOS Policy page, choose how to set the configuration policy information:
Specify name and value pairs. You can use this option for property list files that do not use nesting.
To specify a name and value pair
a. To add a new pair, choose New.
b. In the Add Name/Value Pair dialog box, specify the following:
Type. From the list, select the type of value that you want to specify.
Name. Enter the name of the property list key for which you want to specify a value.
Value. Enter the value that will be applied to the key you entered.
Browse to a property list file. Use this option if you already have an app configuration XML file, or
for more complex files that use nesting.
To browse to a property list file
a. In the App configuration policy field, enter the property list information in the correct XML
format.
To find out more about XML property lists, see Understanding XML Property Lists in the iOS
Developer Library.
The format of the XML property list varies depending on the app you are configuring. Contact
the app supplier for details about the format to use. Intune supports the following data types
in a property list:

<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />

For more information about data types, see About Property Lists in the iOS Developer Library.
Intune also supports the following token types in the property list:

{{userprincipalname}} - (Example: [email protected])
{{mail}} - (Example: [email protected])
{{partialupn}} - (Example: John)
{{accountid}} - (Example: fc0dc142-71d8-4b12-bbea-bae2a8514c81)
{{deviceid}} - (Example: b9841cd9-9843-405f-be28-b2265c59ef97)
{{userid}} - (Example: 3ec2c00f-b125-4519-acf0-302ac3761822)
{{username}} - (Example: John Doe)
{{serialnumber}} - (Example: F4KN99ZUG5V2) for iOS devices
{{serialnumberlast4digits}} - (Example: G5V2) for iOS devices

The {{ and }} characters are used by token types only and must not be used for other
purposes.

b. To import an XML file that you created earlier, choose Select file.
5. Choose Next. If there are errors in the XML code, you'll have to correct them before you continue.
6. Finish the steps shown in the wizard.
The new app configuration policy is shown in the Software Library workspace, in the App Configuration
Policies node.

Associate an app configuration policy with a Configuration Manager application

To associate an app configuration policy with the deployment of an iOS app, deploy the application as you
normally would by using the procedure in the Deploy applications topic.
In the Deploy Software Wizard, on the App Configuration Policies page, choose New. In the Select App
Configuration Policy dialog box, choose an application deployment type, and the app configuration policy that
you want to associate it with. When the deployment type is installed, the app configuration policy settings are
automatically applied.

Example format for the mobile app configuration XML file


When you create a mobile app configuration file, you can use this format to specify one or more of the following
values:

<dict>
<key>userprincipalname</key>
<string>{{userprincipalname}}</string>
<key>mail</key>
<string>{{mail}}</string>
<key>partialupn</key>
<string>{{partialupn}}</string>
<key>accountid</key>
<string>{{accountid}}</string>
<key>deviceid</key>
<string>{{deviceid}}</string>
<key>userid</key>
<string>{{userid}}</string>
<key>username</key>
<string>{{username}}</string>
<key>serialnumber</key>
<string>{{serialnumber}}</string>
<key>serialnumberlast4digits</key>
<string>{{serialnumberlast4digits}}</string>
<key>udidlast4digits</key>
<string>{{udidlast4digits}}</string>
</dict>
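
A linter for an app configuration fragment, as an added example (not Microsoft's code and not the wizard's own validation). It checks the rules this article states: only the listed data types, only the listed tokens, and no {{ or }} outside a token. It assumes the fragment starts at <dict> as in the example format; the function names and the sample policy are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Data types the article lists as supported in a property list.
VALUE_TAGS = {"integer", "real", "string", "array", "dict", "true", "false"}

# Tokens the article lists, plus udidlast4digits, which appears only in its
# example format.
TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid",
    "userid", "username", "serialnumber", "serialnumberlast4digits",
    "udidlast4digits",
}
TOKEN_RE = re.compile(r"\{\{(.*?)\}\}")

# Constructed sample policy with three deliberate mistakes.
SAMPLE_POLICY = """<dict>
  <key>server_port</key>
  <integer>8443</integer>
  <key>owner</key>
  <string>{{userprincipalname}}</string>
  <key>asset</key>
  <string>{{assettag}}</string>
  <key>expires</key>
  <date>2017-01-01T00:00:00Z</date>
  <key>banner</key>
  <string>Use }} with care</string>
</dict>"""


def check_text(text, path, problems):
    """Flag unknown tokens and braces that are not part of a token."""
    for name in TOKEN_RE.findall(text):
        if name not in TOKENS:
            problems.append(path + ": unknown token {{" + name + "}}")
    leftover = TOKEN_RE.sub("", text)
    if "{{" in leftover or "}}" in leftover:
        problems.append(path + ": stray {{ or }} outside a token")


def check_value(el, path, problems):
    """Check one value element, recursing into <dict> and <array>."""
    if el.tag not in VALUE_TAGS:
        problems.append(f"{path}: <{el.tag}> is not a supported data type")
    elif el.tag == "dict":
        check_dict(el, path, problems)
    elif el.tag == "array":
        for i, child in enumerate(el):
            check_value(child, f"{path}[{i}]", problems)
    else:
        check_text(el.text or "", path, problems)


def check_dict(el, path, problems):
    """A <dict> must hold alternating <key> and value elements."""
    children = list(el)
    if len(children) % 2:
        problems.append(f"{path}: <dict> needs <key>/value pairs")
    for key, value in zip(children[0::2], children[1::2]):
        if key.tag != "key":
            problems.append(f"{path}: expected <key>, found <{key.tag}>")
            continue
        name = (key.text or "").strip()
        check_text(name, f"{path}/{name}", problems)
        check_value(value, f"{path}/{name}", problems)


def validate_app_config(xml_text):
    """Return a list of problems; an empty list means the fragment passed."""
    if "<!ENTITY" in xml_text:
        return ["entity declarations are not accepted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "dict":
        return [f"root element is <{root.tag}>, expected <dict>"]
    problems = []
    check_dict(root, "root", problems)
    return problems


if __name__ == "__main__":
    for problem in validate_app_config(SAMPLE_POLICY):
        print(problem)
```

The <date> element in the sample is a valid property list type in general, but it is not among the data types this article lists, so the linter rejects it.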
Manage volume-purchased iOS apps with System
Center Configuration Manager
2/8/2017

Applies to: System Center Configuration Manager (Current Branch)


The iOS app store lets you buy multiple licenses for an app that you want to run in your company. This helps you
reduce the administrative overhead of tracking multiple copies of apps that you bought.
System Center Configuration Manager helps you deploy and manage iOS apps that you bought through the
program by importing the license information from the app store and tracking the number of the licenses that you
have used.

Manage volume-purchased apps for iOS devices


You buy multiple licenses for iOS apps through the Apple Volume Purchase Program (VPP). This involves setting up
an Apple VPP account from the Apple web site and uploading the Apple VPP token to Configuration Manager,
which provides the following capabilities:
Sync your volume purchase information with Configuration Manager.
Apps that you bought are displayed in the Configuration Manager console.
You can deploy apps, monitor these apps, and track the number of licenses for each app that has been used.
Configuration Manager can help you reclaim licenses when required by uninstalling volume-purchased apps
that you deployed to users.

Before you start


Before you begin, you'll need to get a VPP token from Apple and upload this to Configuration Manager.
IMPORTANT
Currently, each organization can have only one VPP account and token.
Only the Apple Volume Purchase Program for Business is supported.
After you associate an Apple VPP account to Intune, you cannot subsequently associate a different account. For
this reason, make sure that more than one person has the details of the account that you use.
If you previously used a VPP token with a different MDM product in your existing Apple VPP account, you must
generate a new one to use with Configuration Manager.
Each token is valid for one year.
By default, Configuration Manager syncs with the Apple VPP service twice a day to ensure that your licenses are
synced with Configuration Manager.
Only changes to your licenses are synced. But, once every seven days, a full sync will be performed.
When you choose Sync to do a manual sync, this will always do a full sync.
If you need to recover or restore your Configuration Manager database, we recommend that you do a manual sync
afterwards to ensure that your synced license data is up to date.
Although you can deploy iOS volume-purchased apps to user or device collections, VPP apps that you deploy to a
device without a user (for instance, a device you enrolled without user affinity using the Device Enrollment
Program (DEP) or Apple Configurator) will not be installed.

Additionally, you must have imported a valid Apple Push Notification service (APNs) certificate from Apple to let
you manage iOS devices, including app deployment. For more information, see Set up iOS hybrid device
management.

Step 1 - To get and upload an Apple VPP token


1. In the Configuration Manager console, choose Administration > Cloud Services > Apple Volume
Purchase Program Tokens.
2. On the Home tab, in the Apple Volume Purchase Program Tokens group, choose Add Apple Volume
Purchase Program Token.
3. On the General page of the Add Apple Volume Purchase Program Token wizard, configure the
following:
Name - Enter a name for this token as it will be displayed in the Configuration Manager console.
Token - Choose Browse, and then choose the VPP token that you downloaded from the Apple web
site.
Choose the See Apple VPP account link, and if you haven't already, sign up for the business or
education volume purchase program. After you are signed up, download the Apple VPP token for
your account.
Description - Optionally, enter a description that will help you identify this VPP token in the
Configuration Manager console.
Assigned categories to improve searching and filtering - Optionally, you can assign categories
to the VPP token to make it easier to search for in the Configuration Manager console.
4. Choose Next, and then finish the wizard.
From the Apple Volume Purchase Program Tokens node, you can now view information about the Apple VPP
token including when it was last updated, when it will expire, and when it was last synced.
You can fully sync the data held by Apple with Configuration Manager at any time by choosing Sync on the Home
tab in the Sync group.

Step 2 - Deploy a volume-purchased app


1. In the Configuration Manager console, choose Software Library > Application Management > License
Information for Store Apps.
2. Choose the app that you want to deploy, and then, in the Home tab, in the Create group, choose Create
Application. The Configuration Manager application that is created contains the iOS app you purchased.
You can then deploy and monitor this application as you would any other Configuration Manager
application.

IMPORTANT
You must choose a deployment purpose of Required. Available installations are not currently supported.

When you deploy the app, a license is used by each user who installs the app.
To reclaim a license, you must change the deployment action to Uninstall. The license will be reclaimed
after the app uninstalls.

Step 3 - Monitor iOS VPP apps


The License Information for Store Apps node of the Software Library workspace displays information about
your volume-purchased iOS apps. The information includes the total number of licenses that you own for each app
and the number that have been deployed.
You can also monitor the license usage of all VPP apps that you bought by using the Apple Volume Purchase
Program apps for iOS with license counts report.
This report shows the name of each application together with the total number of licenses that you bought, the
number of licenses available, and more.
For help with running Configuration Manager reports, see Reporting in System Center Configuration Manager.
Manage apps from the Windows Store for Business
with System Center Configuration Manager
11/29/2016

Applies to: System Center Configuration Manager (Current Branch)


The Windows Store for Business is where you can find and buy Windows apps for your organization, individually or
in volume. By connecting the store to Configuration Manager, you can synch the list of apps you've bought with
Configuration Manager, view them in the Configuration Manager console, and deploy them like you would any
other app.

Online and offline apps


The Windows Store for Business supports two types of app:
Online--This license type requires users and devices to connect to the store to get an app and its license.
Windows 10 devices must be Azure Active Directory domain-joined.
Offline--Organizations can cache apps and licenses to deploy directly within their on-premises networks,
without connecting to the store or having a connection to the Internet.
Read more about the Windows Store for Business.
Configuration Manager supports managing Windows Store for Business apps on Windows 10 devices running the
Configuration Manager client and on Windows 10 devices that are enrolled with Microsoft Intune (hybrid
configuration). Configuration Manager offers the following capabilities for online and offline apps.

IMPORTANT
To use these capabilities, Windows 10 devices must be running the November 2015 (1511) release or later.

| CAPABILITY | OFFLINE APPS | ONLINE APPS |
| --- | --- | --- |
| Synch app data to Configuration Manager (Synchronization occurs every 24 hours, or you can initiate an immediate synchronization.) | Yes | Yes |
| Create Configuration Manager applications from store apps | Yes | Yes |
| Support for free apps from the store | Yes | Yes (1) |
| Support for paid apps from the store | No | Yes (1) |
| Support required deployments to user or device collections | Yes | Yes (1) |
| Support available deployments to user or device collections | Yes (2) | No |

(1) Support is only for devices managed by Intune. You are not blocked from creating an online application in the
Configuration Manager console and deploying this to a device managed by the Configuration Manager client, but
the deployment will not work. Your users will be directed to the relevant page in the app store to install the app
manually.
(2) Support is only for devices managed by the Configuration Manager client.

Set up Windows Store for Business synchronization


IMPORTANT
When you set up a connection between Configuration Manager and the Windows Store for Business, you must provide a
folder where app content synchronized from the store will be kept. To ensure that this folder is secure and that its content
can be deployed to devices, make sure the following permissions are in place:
The computer on which you install the service connection point site system role (the top-level site in the hierarchy) must
have read and write permissions to the folder you specified when using the Computer$ account.
The app author must have read permissions to the folder you specified.
The Computer$ account of each computer that hosts an instance of the SMS Provider must be able to use the folder you
specified.

In Azure Active Directory, register Configuration Manager as a Web Application or Web API management tool. This
will give you a client ID that you will need later.
1. In the Active Directory node of https://manage.windowsazure.com, select your Azure Active Directory, and then
choose Applications > Add.
2. Choose Add an application my organization is developing.
3. Enter a name for the application, select Web application and/or Web API, and then choose Next.
4. Enter the same URL for both the Sign-on URL and App ID URI. The URL can be anything and does not need to
resolve to a real address. For example, you can enter https://yourdomain/sccm.
5. Finish the wizard.
In Azure Active Directory, create a client key for the registered management tool.
1. Highlight the application you just created and choose Configure.
2. Under Keys, select a duration from the list, and then choose Save. This will create a new client key. Do not leave
this page until you have successfully onboarded the Windows Store for Business to Configuration Manager.
In the Windows Store for Business, set up Configuration Manager as the store management tool.
1. Open https://businessstore.microsoft.com/en-us/managementtools and sign in if prompted.
2. Accept the terms of use if requested.
3. Under Management Tools, choose Add a management tool.
4. In Search for the tool by name, type the name of the application you created in Azure Active Directory
previously, then choose Add.
5. Choose Activate next to the application you just imported.
6. On the Manage > Account Information page, select Show Offline-Licensed Apps if you want to allow
offline-licensed apps to be purchased.
Add the store account to Configuration Manager.
1. Ensure that you have bought at least one app from the Windows Store for Business. In the Administration
workspace of the Configuration Manager console, expand Cloud Services, and then choose Windows Store
for Business.
2. On the Home tab, in the Windows Store for Business group, choose Add Windows Store for Business
Account.
3. Add your tenant ID, client ID, and client secret key from Azure Active Directory, and then finish the wizard.
4. Once you're done, you will see the account you set up in the Windows Store for Business list in the
Configuration Manager console.
Change the app languages that will be shown in the Application Catalog for users to download.
1. In the Administration workspace of the Configuration Manager console, choose Cloud Services > Updates
and Servicing > Windows Store for Business.
2. Select your Windows Store for Business account, and then choose Properties.
3. Select the Language tab.
4. Add or remove the languages that will be shown in the Application Catalog. Select the default application
catalog language that will be made available to users.

IMPORTANT
In this release, if you change the languages that will be synchronized, you must restart the SMS Executive service on the site
server before the language settings take effect.

Modify the client secret key from Azure Active Directory.


1. In the Administration workspace of the Configuration Manager console, choose Cloud Services > Updates
and Servicing > Windows Store for Business.
2. Select your Windows Store for Business account, and then choose Properties.
3. In the Windows Store for Business Account Properties dialog box, enter a new key in the Client secret key
field, and then choose Verify. Once verified, choose Apply, and then close the dialog box.

Synch apps from the store with Configuration Manager


Synchronization occurs every 24 hours, or you can initiate an immediate synchronization using this procedure:
1. In the Administration workspace of the Configuration Manager console, choose Cloud Services > Updates
and Servicing > Windows Store for Business.
2. On the Home tab, in the Sync group, choose Sync Now.
3. The app you bought will appear in the License Information for Store Apps node of the Application
Management workspace.

Create and deploy a Configuration Manager application from a Windows Store for Business app
This procedure assumes you have acquired at least one free app, or bought at least one paid online licensed app
from the Windows Store for Business.
1. In the Software Library workspace of the Configuration Manager console, expand Application Management,
and then choose License Information for Store Apps.
2. Choose the app you want to deploy, and then in the Home tab, in the Create group, choose Create
Application. A Configuration Manager application is created containing the Windows Store for Business app.
You can then deploy and monitor this application as you would any other Configuration Manager application.
IMPORTANT
For devices enrolled with Intune, deployed apps are only available to the user who originally enrolled the device. No other
users can use the app.

Monitor Windows Store for Business Apps


In the Software Library workspace, expand Application Management, and then choose License Information
for Store Apps.
For each store app you manage, you can view information about the app including its name, platform, the number
of licenses for the app that you own, and the number of licenses you have available.

Create App-V virtual environments in System Center Configuration Manager
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


In a Microsoft Application Virtualization (App-V) virtual environment in System Center Configuration Manager
(Configuration Manager), deployed virtual applications can share the same file system and registry on client
Windows PCs. Unlike standard virtual applications, these applications can share data with each other. Virtual
environments are created or modified on client PCs when the application is installed or when clients next evaluate
their installed applications. You can order these applications so that when multiple applications try to modify a file
system or registry value, the application with the highest order takes priority.

IMPORTANT
Do not rely on App-V virtual environments to provide security protection, such as from malware.

Use the following procedure to create an App-V virtual environment in Configuration Manager.

Create an App-V virtual environment


1. In the Configuration Manager console, choose Software Library > Application Management > App-V
Virtual Environments.
2. On the Home tab, in the Create group, choose Create Virtual Environment.
3. In the Create Virtual Environment dialog box, enter the following information:
Name. Enter a unique name for the virtual environment (maximum 128 characters).
Description. (Optional) Enter a description for the virtual environment.
4. To add a new deployment type to the virtual environment, choose Add. You must add at least one
deployment type.
5. In the Add Applications dialog box, specify a Group name (maximum 128 characters). You'll use this
name to refer to the group of applications that you add to the virtual environment.
6. Choose Add, select the App-V 5 applications and deployment types that you want to add to the group, and
then choose OK.
7. In the Add Applications dialog box, you can select Increase Order or Decrease Order to set the
application that takes priority if multiple applications attempt to modify file system or registry settings in
the same virtual environment.
8. To return to the Create Virtual Environment dialog box, choose OK.
9. When you're done adding groups, choose OK to create the virtual environment. The new virtual
environment is displayed in the App-V Virtual Environments node of the Configuration Manager console.
You can monitor the status of your virtual environments by using the App-V Virtual Environment Status
report.
NOTE
The virtual environment is added or modified on client PCs when the application is installed or when the client next
evaluates installed applications.

Protect apps using mobile application management policies in System Center Configuration Manager
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager application management policies let you modify the functionality of apps
that you deploy to help bring them in line with your company compliance and security policies. For example, you
can restrict cut, copy, and paste operations within a restricted app, or configure an app to open all URLs inside a
managed browser. App management policies support:
Devices that run Android 4 and later
Devices that run iOS 7 and later
You can also use mobile app management policies to protect apps on devices that are not managed by Intune.
Using this new capability, you can apply mobile app management policies to apps that connect to Office 365
services. This is not supported for apps that connect to on-premises Exchange or SharePoint.
To use this new capability, you need to use the Azure preview portal. The following topics can help you get started:
Get started with mobile app management policies in the Azure portal
Create and deploy mobile app management policies with Microsoft Intune
You don't deploy an application management policy directly as you do with configuration items and
baselines in Configuration Manager. Instead, you associate the policy with the application deployment type
that you want to restrict. When the app deployment type is deployed and installed on devices, the settings
you specify take effect.
To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software Development Kit
(SDK). There are two methods of obtaining this type of app:
Use a policy managed app (Android and iOS): These apps have the App SDK built in. To add this type of
app, you specify a link to the app from an app store such as the iTunes store or Google Play. No further
processing is required for this type of app. For a list of the policy managed apps that are available for iOS
and Android devices, see Managed apps for Microsoft Intune mobile application management policies.
Use a "wrapped" app (Android and iOS): These apps are repackaged to include the App SDK by using the
Microsoft Intune App Wrapping Tool. This tool is typically used to process company apps that were
created in-house. It cannot be used to process apps that were downloaded from the app store. See the
following articles for more information:
Prepare iOS apps for mobile application management with the Microsoft Intune App Wrapping Tool
Prepare Android apps for mobile application management with the Microsoft Intune App Wrapping
Tool

Create and deploy an app with a mobile application management policy

Step 1: Obtain the link to a policy managed app or create a wrapped app
To obtain a link to a policy managed app: From the app store, find, and note the URL of the policy
managed app you want to deploy.
For example, the URL of the Microsoft Word for iPad app is
https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8
To create a wrapped app: Use the information in the topics Prepare iOS apps for mobile application
management with the Microsoft Intune App Wrapping Tool and Prepare Android apps for mobile
application management with the Microsoft Intune App Wrapping Tool to create a wrapped app.
The tool creates a processed app and an associated manifest file. You use these files when you create a
Configuration Manager application that contains the app.

Step 2: Create a Configuration Manager application that contains an app
The procedure to create the Configuration Manager application differs depending on whether you are using a
policy managed app (external link), or an app that was created by using the Microsoft Intune App Wrapping Tool
for iOS (App package for iOS). Use one of the following procedures to create the Configuration Manager
application.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. In the Home tab, in the Create group, choose Create Application to open the Create Application Wizard.
3. On the General page, select Automatically detect information about this application from
installation files.
4. In the Type drop-down list, select App package for iOS (*.ipa file).
5. Choose Browse to select the app package you want to import, and then choose Next.
6. On the General Information page, enter the descriptive text and category information that you want users
to see in the company portal.
7. Complete the wizard.
The new application is displayed in the Applications node of the Software Library workspace.
Create an application that contains a link to a policy managed app
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. In the Home tab, in the Create group, choose Create Application to open the Create Application Wizard.
3. On the General page, select Automatically detect information about this application from
installation files.
4. In the Type drop-down, select one of the following:
For iOS: App Package for iOS from App Store
For Android: App Package for Android on Google Play
5. Enter the URL for the app (from step 1), and then choose Next.
6. On the General Information page, enter the descriptive text and category information that you want users
to see in the company portal.
7. Complete the wizard.
The new application is displayed in the Applications node of the Software Library workspace.

Step 3: Create an application management policy


Next, create an application management policy that you associate with the application. You can create a general or
managed browser policy.
1) In the Configuration Manager console, choose Software Library > Application Management > Application
Management Policies.
2) In the Home tab, in the Create group, choose Create Application Management Policy.
3) On the General page, enter the name and description for the policy, and then choose Next.
4) On the Policy Type page, select the platform and the policy type for this policy, and then choose Next. The
following policy types are available:
General: The General policy type lets you modify the functionality of apps that you deploy to help bring
them in line with your company compliance and security policies. For example, you can restrict cut, copy,
and paste operations within a restricted app.
Managed Browser: The Managed Browser policy lets you decide whether to allow or block the managed
browser from opening a list of URLs. The Managed Browser policy type lets you modify the functionality of
the Intune Managed Browser app. This is a web browser that lets you manage the actions that users can
perform, including the sites they can visit, and how links to content within the browser are opened. Learn
more about the Intune Managed Browser app for iOS and the Intune Managed Browser app for Android.
5) On the iOS Policy or Android Policy page, configure the following values as required, and then choose Next.
The options might differ depending on the device type for which you are configuring the policy.

| VALUE | MORE INFORMATION |
|---|---|
| Restrict web content to display in a corporate managed browser | Enables all links in the app to open in the Managed Browser. You must have deployed this app to devices in order for this option to work. |
| Prevent Android backups or Prevent iTunes and iCloud backups | Disables the backup of any information from the app. |
| Allow app to transfer data to other apps | Specifies the apps that this app can send data to. You can choose to not allow data transfer to any app, to only allow transfer to other restricted apps, or to allow transfer to any app. For iOS devices, to prevent document transfer between managed and unmanaged apps, you must also configure and deploy a mobile device security policy that disables the setting Allow managed documents in other unmanaged apps. If you select to only allow transfer to other restricted apps, the Intune PDF and image viewers (if deployed) are used to open content of the respective types. |
| Allow app to receive data from other apps | Specifies the apps that this app can receive data from. You can choose to not allow data transfer from any app, to only allow transfer from other restricted apps, or to allow transfer from any app. |
| Prevent Save As | Disables the use of the Save As option in any app that uses this policy. |
| Restrict cut, copy and paste with other apps | Specifies how cut, copy, and paste operations can be used with the app. Choose from: Blocked: Doesn't allow cut, copy, and paste operations between this app and other apps. Policy Managed Apps: Allows cut, copy, and paste operations between only this app and other restricted apps. Policy Managed Apps with Paste In: Allows data that's cut or copied from this app only to be pasted into other restricted apps. Allows data that is cut or copied from any app to be pasted into this app. Any App: No restrictions to cut, copy, and paste operations to or from this app. |
| Require simple PIN for access | Requires the user to enter a PIN that they specify to use this app. The user is asked to set this up the first time they run the app. |
| Number of attempts before PIN reset | Specifies the number of PIN entry attempts that can be made before the user must reset the PIN. |
| Require corporate credentials for access | Requires that the user must enter their corporate sign-in information before they can access the app. |
| Require device compliance with corporate policy for access | Allows the app to be used only when the device is not jailbroken or rooted. |
| Recheck the access requirements after (minutes) | Specifies the time period before the access requirements for the app are rechecked after the app is launched (in the Timeout field). In the Offline grace period field, if the device is offline, specifies the time period before the access requirements for the app are rechecked. |
| Encrypt app data | Specifies that all data that is associated with this app is encrypted, including data that's stored externally, such as data stored on SD cards. Encryption for iOS: For apps that are associated with a Configuration Manager mobile application management policy, data is encrypted at rest using device-level encryption that's provided by the OS. This is enabled through a device PIN policy that must be set by the IT admin. When a PIN is required, the data is encrypted per the settings in the mobile application management policy. As stated in Apple documentation, the modules that are used by iOS 7 are FIPS 140-2 certified. Encryption for Android: For apps that are associated with a Configuration Manager mobile application management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations according to the setting in the mobile application management policy. Managed apps on Android use AES-128 encryption in CBC mode utilizing the platform cryptography libraries. The encryption method is not FIPS 140-2 certified. Content on the device storage is always encrypted. |
| Block screen capture (Android devices only) | Specifies that the screen capture capabilities of the device are blocked when using this app. |

6) On the Managed Browser page, select whether the managed browser is allowed to open only URLs in the list
or to block the managed browser from opening the URLs in the list, and then choose Next.
For more information, see Manage Internet access using managed browser policies.
7) Complete the wizard.
The new policy is displayed in the Application Management Policies node of the Software Library workspace.

Step 4: Associate the application management policy with a deployment type
When a deployment type is created for an app that requires an application management policy, Configuration
Manager recognizes this and prompts you to associate an app management policy. For the Managed Browser, you
are required to associate both a General and Managed Browser policy. For more information, see Create
applications.

IMPORTANT
If the application is already deployed, then the deployment for the new deployment type fails until this association is made.
You can make the association in Properties for the application, on the Application Management tab.

IMPORTANT
For devices that run operating systems earlier than iOS 7.1, associated policies aren't removed when the app is uninstalled.
If the device is unenrolled from Configuration Manager, policies are not removed from the apps. Apps that had policies
applied retain the policy settings even after the app is uninstalled and reinstalled.

Step 5: Monitor the app deployment


Once you have created and deployed an app that's associated with a mobile application management policy, you
can monitor the app and resolve any policy conflicts.
1. In the Configuration Manager console, choose Software Library > Overview > Deployments.
2. Select the deployment that you created. Then, on the Home tab, choose Properties.
3. In the details pane for the deployment, under Related Objects, choose Application Management
Policies.
For more information about monitoring applications, see Monitor applications.

Learn how policy conflicts are resolved


When there is a mobile application management policy conflict on the first deployment to the user or device, the
specific setting value that's in conflict is removed from the policy that's deployed to the app. Then the app uses a
built-in conflict value.
When there is a mobile app management policy conflict on later deployments to the app or user, the specific
setting value that's in conflict is not updated on the mobile app management policy that's deployed to the app, and
the app uses the existing value for that setting.
In cases where the device or user receives two conflicting policies, the following behavior applies:
If a policy has already been deployed to the device, the existing policy settings are not overwritten.
If no policy has yet been deployed to the device, and two conflicting settings are deployed, the default
setting that's built into the device is used.

See a list of available policy managed apps


For a list of the policy managed apps that are available for iOS and Android devices, see Microsoft Intune
application partners.

Manage Internet access using managed browser policies with System Center Configuration Manager
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


In System Center Configuration Manager, you can deploy the Intune Managed Browser (a web browsing
application) and associate the application with a managed browser policy. The managed browser policy sets up an
allow list or a block list that restricts the websites that users of the managed browser can go to.
Because this app is a managed app, you can also apply mobile application management policies to it, such as
controlling the use of cut, copy, and paste, preventing screen captures, and ensuring that links to content only
open in other managed apps. For details, see Protect apps using mobile application management policies.

IMPORTANT
If users install the managed browser themselves, it will not be managed by any policies you specify. To ensure that the
browser is managed by Configuration Manager, they must uninstall the app before you can deploy it to them as a managed
app.

You can create managed browser policies for the following device types:
Devices that run Android 4 and later
Devices that run iOS 7 and later

NOTE
For more information and to download the Intune Managed Browser app, see iTunes for iOS and Google Play for Android.

Create a managed browser policy


1. In the Configuration Manager console, choose Software Library > Application Management >
Application Management Policies.
2. On the Home tab, in the Create group, choose Create Application Management Policy.
3. On the General page, enter the name and description for the policy, and then choose Next.
4. On the Policy Type page, select the platform, select Managed Browser for the policy type, and then
choose Next.
On the Managed Browser page, select one of the following options:
Allow the managed browser to open only the URLs listed below: Specify a list of URLs that the
managed browser can open.
Block the managed browser from opening the URLs listed below: Specify a list of URLs that the
managed browser will be blocked from opening.
NOTE
You cannot include both allowed and blocked URLs in the same managed browser policy.

For more about the URL formats you can specify, see URL format for allowed and blocked URLs in this
article.

NOTE
The General policy type lets you change the functionality of apps that you deploy to help bring them into line with
your company compliance and security policies. For example, you can restrict cut, copy, and paste operations within a
restricted app. For more about the General policy type, see Protect apps using mobile application management
policies.

5. Finish the wizard.


The new policy is displayed in the Application Management Policies node of the Software Library workspace.

Create a software deployment for the managed browser app


After you have created the managed browser policy, you can then create a software deployment type for the
managed browser app. You must associate both a general and managed browser policy for the managed browser
app.
For more information, see Create applications.

Security and privacy for the managed browser


On iOS devices, websites that have expired or untrusted certificates cannot be opened.
Settings that users make for the built-in browser on their devices are not used by the managed browser.
The managed browser does not have access to these settings.
If you set up the options Require simple PIN for access or Require corporate credentials for access in
a mobile application management policy associated with the managed browser, a user can click Help on the
authentication page and then go to any site--even one added to a block list in the managed browser policy.
The managed browser can only block access to sites when they are accessed directly. It cannot block access
when intermediate services (such as a translation service) are used to access the site.

Reference information
URL format for allowed and blocked URLs
Use the following information to learn about the allowed formats and wildcards you can use when specifying URLs
in the allowed and blocked lists.
You can use the wildcard symbol * according to the rules in the permitted patterns list below.
Ensure that you prefix all URLs with http or https when entering them into the list.
You can specify port numbers in the address. If you do not specify a port number, the values used will be:
Port 80 for http
Port 443 for https
Using wildcards for the port number is not supported, for example, http://www.contoso.com:*
and http://www.contoso.com: /*
Use the following table to learn about the permitted patterns you can use when you specify URLs:

| URL | MATCHES | DOES NOT MATCH |
|---|---|---|
| http://www.contoso.com (Matches a single page) | www.contoso.com | host.contoso.com, www.contoso.com/images, contoso.com/ |
| http://contoso.com (Matches a single page) | contoso.com/ | host.contoso.com, www.contoso.com/images, www.contoso.com |
| http://www.contoso.com/* (Matches all URLs beginning with www.contoso.com) | www.contoso.com, www.contoso.com/images, www.contoso.com/videos/tvshows | host.contoso.com, host.contoso.com/images |
| http://*.contoso.com/* (Matches all sub-domains under contoso.com) | developer.contoso.com/resources, news.contoso.com/images, news.contoso.com/videos | contoso.host.com |
| http://www.contoso.com/images (Matches a single folder) | www.contoso.com/images | www.contoso.com/images/dogs |
| http://www.contoso.com:80 (Matches a single page, using a port number) | http://www.contoso.com:80 | |
| https://www.contoso.com (Matches a single, secure page) | https://www.contoso.com | http://www.contoso.com |
| http://www.contoso.com/images/* (Matches a single folder and all subfolders) | www.contoso.com/images/dogs, www.contoso.com/images/cats | www.contoso.com/videos |

The following are examples of some of the inputs you cannot specify:
*.com
*.contoso/*
www.contoso.com/*images
www.contoso.com/*images*pigs
www.contoso.com/page*
IP addresses
https://*
http://*
http://www.contoso.com:*
http://www.contoso.com: /*

NOTE
*.microsoft.com is always allowed.
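
The format rules, the permitted-patterns table and the rejected inputs above can be checked before a list is entered into a policy. The following Python is an added example, not code from Configuration Manager or the Intune Managed Browser: lint_pattern, matches and is_allowed are hypothetical names, and the wildcard and matching logic is this example's reading of the table (including the assumption that a host wildcard must be "*." in front of a domain of at least two labels).

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # defaults stated in the article
# Article NOTE: *.microsoft.com is always allowed (expressed here as patterns).
ALWAYS_ALLOWED = ("http://*.microsoft.com/*", "https://*.microsoft.com/*")


def _split(entry):
    """Split scheme://host[:port][/path] without interpreting wildcards."""
    m = re.fullmatch(r"(https?)://([^/:]*)(?::([^/]*))?(/.*)?", entry.strip())
    if m is None:
        return None
    scheme, host, port, path = m.groups()
    return scheme, host.lower(), port, path or ""


def lint_pattern(entry):
    """Return a list of problems; an empty list means the entry looks valid."""
    problems = []
    text = entry.strip()
    if not re.match(r"https?://", text):
        problems.append("missing http:// or https:// prefix")
        text = "http://" + text  # keep checking the rest of the entry
    parts = _split(text)
    if parts is None:
        return problems + ["cannot be parsed as scheme://host[:port][/path]"]
    _, host, port, path = parts

    if host in ("", "*"):
        problems.append("host is empty or only a wildcard")
    elif "*" in host:
        # Assumption: the only host wildcard is a whole leading label ("*.")
        # in front of a domain with at least two labels (rejects *.com).
        rest = host[2:]
        if not host.startswith("*.") or "*" in rest or rest.count(".") < 1:
            problems.append("host wildcard must be '*.' before a full domain")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("IP addresses are not accepted")
        except ValueError:
            pass  # not an IP literal, which is what we want

    if port is not None:
        if not (re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536):
            problems.append("port must be a number; wildcards are not supported")

    if "*" in path and not (path.endswith("/*") and path.count("*") == 1):
        problems.append("path wildcard is only valid as a trailing '/*'")
    return problems


def matches(pattern, url):
    """True if url is covered by a pattern that passed lint_pattern()."""
    p_scheme, p_host, p_port, p_path = _split(pattern)
    u = urlsplit(url)
    if u.scheme != p_scheme:  # http and https entries are distinct
        return False
    default = DEFAULT_PORTS[p_scheme]
    if (u.port or default) != int(p_port or default):
        return False
    u_host = (u.hostname or "").lower()
    if p_host.startswith("*."):
        # Compare against ".contoso.com" (dot kept) so that a look-alike
        # such as "evilcontoso.com" is not treated as a sub-domain.
        if not u_host.endswith(p_host[1:]):
            return False
    elif u_host != p_host:
        return False
    if p_path.endswith("/*"):
        base = p_path[:-2]
        return u.path == base or u.path.startswith(base + "/")
    return u.path.rstrip("/") == p_path.rstrip("/")


def is_allowed(mode, patterns, url):
    """mode is 'allow' (only listed URLs open) or 'block' (listed URLs are blocked)."""
    if any(matches(p, url) for p in ALWAYS_ALLOWED):
        return True
    listed = any(matches(p, url) for p in patterns)
    return listed if mode == "allow" else not listed


if __name__ == "__main__":
    # Constructed candidate list; the last three come from the article's
    # examples of inputs that cannot be specified.
    candidates = ["https://www.contoso.com/images/*", "http://*.contoso.com/*",
                  "www.contoso.com/page*", "http://www.contoso.com:*", "*.com"]
    for entry in candidates:
        print(f"{entry!r}: {lint_pattern(entry) or 'ok'}")
```

Linting a candidate list this way before it goes into a managed browser policy flags entries such as www.contoso.com/page* that the article lists as inputs you cannot specify.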

How conflicts between the allow and block list are resolved
If multiple managed browser policies are deployed to a device and the settings conflict, both the mode (allow or
block) and the URL lists are evaluated for conflicts. In case of a conflict, the following behavior applies:
If the modes in each policy are the same but the URL lists are different, the URLs will not be enforced on the
device.
If the modes in each policy are different but the URL lists are the same, the URLs will not be enforced on the
device.
If a device is receiving managed browser policies for the first time and two policies conflict, the URLs will
not be enforced on the device. Use the Policy Conflicts node of the Policy workspace to view the conflicts.
If a device has already received a managed browser policy and a second policy is deployed with conflicting
settings, the original settings remain on the device. Use the Policy Conflicts node of the Policy workspace
to view the conflicts.

Update and retire applications with System Center Configuration Manager
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


It's likely that eventually you'll want to make changes to an application, uninstall an application, or replace an
already deployed application with a new application. System Center Configuration Manager gives you these
capabilities, to help you update and retire applications:
Revise applications. When you make changes to an application or deployment type, Configuration
Manager maintains a history of the changes. You can revert the application to a previous revision at any
time. You also can view its properties, restore a previous revision of an application, or delete an old revision.
For more information, see Application revisions.
Supersede applications. You can upgrade or replace existing applications by using a supersedence
relationship. When you supersede an application, you can specify a new deployment type to replace the
deployment type of the superseded application. Also, you can set whether to upgrade or uninstall the
superseded application before the superseding application is installed.
For more information, see Application supersedence.
Uninstall applications. Configuration Manager makes uninstalling an application easy. This can be
accomplished silently, without any intervention from the application or device user.
For more information, see Uninstall applications.

Revise and supersede applications in System Center Configuration Manager
12/5/2016

Applies to: System Center Configuration Manager (Current Branch)


In this topic, you'll learn how to work with System Center Configuration Manager application versions and how to
supersede applications with a new version.

Application revisions
When you make revisions to an application or to a deployment type that is contained in an application,
Configuration Manager creates a new revision of the application. You can display the history of each application
revision. You can also view its properties, restore a previous revision of an application, or delete an old revision.
To display an application revision history
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications, and then choose the application that you want.
2. On the Home tab, in the Application group, choose Revision History to open the Application Revision
History dialog box.
To view an application revision
1. In the Application Revision History dialog box, select an application revision, and then choose View.
2. In the Properties dialog box, examine the properties of the selected application.

NOTE
The application properties that are displayed are read-only.

3. Close the Properties dialog box.


To restore an application revision
1. In the Application Revision History dialog box, select an application revision, and then choose Restore.
2. In the Confirm Revision Restore dialog box, choose Yes to restore the selected application revision.
To delete an application revision
1. In the Application Revision History dialog box, select an application revision, and then choose Delete.
2. In the Delete Application Revision dialog box, choose Yes.

IMPORTANT
You can only delete the current application revision if the application is retired and has no references.

Application supersedence
Application management in Configuration Manager lets you upgrade or replace existing applications by using a
supersedence relationship. When you supersede an application, you can specify a new deployment type to replace
the deployment type of the superseded application and also decide whether to upgrade or uninstall the
superseded application before the superseding application is installed.

IMPORTANT
When the option to uninstall the superseded deployment type is selected, a deployment type cannot be superseded by a
deployment type that was deployed to a different collection type. For example, a deployment type that was deployed to a
device collection cannot be superseded by a deployment type that was deployed to a user collection if the option to
uninstall the superseded deployment type is selected.

Decide whether to upgrade or replace an application


You specify whether to replace or upgrade an app in the Specify Supersedence Relationship dialog box of the
application properties dialog box. The type of supersedence depends on whether you check the Uninstall option
in this dialog box:
If you want to update to a newer version of the same application (with the same application ID), do not
check Uninstall.
If you want to change to a different application (with a different application ID), check Uninstall. You need
to remove the superseded version of the application.
Supersede dependent applications
In this example, master application refers to the app that you are deploying that has the dependencies.
You can create a supersedence relationship that updates the dependent application to a new version.
1. Ensure that the new dependent application and the original dependent application are in the same
dependency group of the master application.
2. Create a supersedence relationship that supersedes the original dependent application with the new
dependent application.
During new installations of the master application, the new dependent application is installed. Existing
installations of the master application are updated with the new dependent application.
The end result is that all deployments of the master application use the new dependent application.
Further considerations
You can specify multiple supersedence relationships for dependent applications. The highest dependent
application in the supersedence chain gets installed.
Dependent applications must be deployed to the device where the master application is installed or the
dependent application won't get installed.
For new installations of the master application, when you have multiple dependencies, the dependency
order determines which version of the dependent application gets installed.
To specify a supersedence relationship
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications, and then choose the application that supersedes another application.
2. On the Home tab, in the Properties group, choose Properties to open the <application name> Properties
dialog box.
3. On the Supersedence tab of the Properties dialog box, choose Add.
4. In the Specify Supersedence Relationship dialog box, click Browse.
5. In the Choose Application dialog box, choose the application that you want to supersede, and then choose
OK.
6. In the Specify Supersedence Relationship dialog box, select the deployment type that replaces the
deployment type of the superseded application.

NOTE
By default, the new deployment type doesn't uninstall the deployment type of the superseded application. This
scenario is commonly used when you want to deploy an upgrade to an existing application. Select Uninstall to
remove the existing deployment type before the new deployment type is installed. If you decide to upgrade an
application, make sure that you test this in a lab environment first.

7. Choose OK to close the Specify Supersedence Relationship dialog box.
8. Choose OK to close the Properties dialog box.
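
The same supersedence relationship can be scripted with the Configuration Manager PowerShell cmdlets. The following is an added example, not part of the original documentation: the application names are placeholders, it assumes each application has a single deployment type, and its collection-type guard is a conservative reading of the IMPORTANT note above (it stops whenever the two applications are deployed to different sets of collection types).

```powershell
# Added example (not from the original documentation). All names are placeholders.
# Run in a Configuration Manager PowerShell session with the site drive as location.
$NewApp    = 'Contoso Viewer 2.0'   # superseding application (hypothetical)
$OldApp    = 'Contoso Viewer 1.0'   # superseded application (hypothetical)
$Uninstall = $true                  # $true = replace, $false = upgrade in place

# Returns the distinct collection types an application is deployed to.
# SMS_Collection.CollectionType: 1 = user collection, 2 = device collection.
function Get-DeployedCollectionType {
    param([Parameter(Mandatory)][string]$ApplicationName)
    Get-CMApplicationDeployment -Name $ApplicationName | ForEach-Object {
        (Get-CMCollection -Id $_.TargetCollectionID).CollectionType
    } | Sort-Object -Unique
}

# Assumption: one deployment type per application, so the first one is used.
$newDt = Get-CMDeploymentType -ApplicationName $NewApp | Select-Object -First 1
$oldDt = Get-CMDeploymentType -ApplicationName $OldApp | Select-Object -First 1
if (-not $newDt -or -not $oldDt) {
    throw 'Both applications need at least one deployment type.'
}

if ($Uninstall) {
    # With Uninstall selected, a deployment type deployed to one collection type
    # cannot supersede one deployed to the other. Stop before creating the link.
    $newTypes = @(Get-DeployedCollectionType -ApplicationName $NewApp)
    $oldTypes = @(Get-DeployedCollectionType -ApplicationName $OldApp)
    if ($newTypes.Count -and $oldTypes.Count -and
        (Compare-Object $newTypes $oldTypes)) {
        throw "Collection types differ (new: $newTypes; old: $oldTypes)."
    }
}

# -IsUninstall corresponds to the Uninstall check box in the
# Specify Supersedence Relationship dialog box.
Add-CMDeploymentTypeSupersedence -SupersedingDeploymentType $newDt `
    -SupersededDeploymentType $oldDt -IsUninstall $Uninstall
```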
To display applications that supersede the current application
1. In the Configuration Manager console, choose Software Library.
2. In the Software Library workspace, expand Application Management, choose Applications, and then
choose the application that you want.
3. On the Home tab, in the Properties group, choose Properties to open the Properties dialog box.
4. On the References tab of the Properties dialog box, choose Applications that supersede this
application from the Relationship type drop-down list.
5. Review the list of applications that supersede the selected application, and then choose OK to close the
Properties dialog box.
Uninstall applications with System Center
Configuration Manager
11/23/2016

Applies to: System Center Configuration Manager (Current Branch)


Take the following actions to uninstall an application you previously deployed.
Specify the command line to uninstall the deployment type content on the Content page of the Create
Deployment Type Wizard.
Deploy the application by using a deployment action of Uninstall.

IMPORTANT
Some application types do not support uninstallation.

This list gives you more information about how application uninstall works:
When you uninstall a System Center Configuration Manager (Configuration Manager) application, any
dependent applications are not automatically uninstalled.
If you deploy an application that uses an action of Uninstall to a user, and the application was installed for
all users of the computer, the uninstall might fail if the user's account does not have permissions to uninstall
the application.
If you remove a user or a device from a collection that has an application deployed to it, the application is
not automatically removed from the device.
A deployment with the deployment purpose of Uninstall does not check requirement rules. If the
application is installed on the computer on which the deployment runs, it will be uninstalled.

IMPORTANT
You must delete any existing deployments or simulated deployments of an application to a collection before you can deploy
the application with a deployment action of Uninstall.

For more information about how to create a deployment type, see Create applications.
For more information about how to deploy an application, see Deploy applications.

Uninstall an application
1. Configure the application deployment type with the uninstall command line by using one of the following
methods:
On the General page of the Create Deployment Wizard, select the option Automatically identify
information about this deployment type from installation files. If the information is available in
the installation files, the uninstall command line is automatically added to the deployment type
properties.
On the Content page of the Create Deployment Type Wizard, in the Uninstall program field, specify
the command line to uninstall the application.

NOTE
The Content page is displayed only if you select the option Manually specify the deployment type
information on the General page of the Create Deployment Type Wizard.

On the Programs tab of the <deployment type name> Properties dialog box, specify the
command line to uninstall the application in the Uninstall program field.
2. Deploy the application, and then select the deployment action Uninstall on the Deployment Settings
page of the Deploy Software Wizard.

NOTE
When you select a deployment action of Uninstall, the deployment purpose is automatically configured as Required.
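
Step 2 can also be scripted with the Configuration Manager PowerShell cmdlets. The following is an added example, not part of the original documentation: the application and collection names are placeholders. Because an Uninstall deployment is Required and does not check requirement rules, the script reports the size of the target collection and ends with a -WhatIf dry run.

```powershell
# Added example (not from the original documentation). Names are placeholders.
# Run in a Configuration Manager PowerShell session with the site drive as location.
$App        = 'Contoso Viewer 1.0'      # hypothetical application
$Collection = 'Retire Contoso Viewer'   # hypothetical target collection

# An Uninstall deployment is Required and skips requirement rules, so every
# collection member that has the application installed will have it removed.
$target = Get-CMCollection -Name $Collection
if (-not $target) { throw "Collection '$Collection' not found." }
Write-Host "Targets $($target.MemberCount) member(s) of '$Collection'."

# Existing deployments of this application to the collection must be deleted
# before an Uninstall deployment can be created. Simulated deployments must
# also be deleted; this step covers what Get-CMApplicationDeployment returns.
$existing = Get-CMApplicationDeployment -Name $App |
    Where-Object { $_.TargetCollectionID -eq $target.CollectionID }
if ($existing) {
    Remove-CMApplicationDeployment -Name $App -CollectionName $Collection -Force
}

# Dry run first: remove -WhatIf once the target collection has been reviewed.
New-CMApplicationDeployment -Name $App -CollectionName $Collection `
    -DeployAction Uninstall -DeployPurpose Required -WhatIf
```

Dependent applications are not uninstalled by this deployment, so each one that should be removed needs its own Uninstall deployment.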
