Apps
TIP
If you are already familiar with how to manage applications in Configuration Manager, you can skip this topic and move on to
creating a sample application. See Create and deploy an application with System Center Configuration Manager.
What is an application?
Although application is a widely used term in computing, in Configuration Manager, it means something different.
Think of an application like a box. This box contains one or more sets of installation files for a software package
(known as a deployment type), plus instructions on how to deploy the software.
When the application is deployed to devices, requirements decide which deployment type is installed on the
device.
Of course, there are a lot more things you can do with an application, and you'll learn about these as you read
through this guide. The following table introduces some concepts you'll need to know before you start to dig
deeper. You won't need all of these in every application you create:
CONCEPT | DESCRIPTION
Global conditions | While requirements are used with a specific deployment type in a single application, you can also create global conditions. These are a library of predefined requirements that you can use with any application and deployment type.
For details, see Link users and devices with user device affinity.
State-based applications
Configuration Manager applications use state-based monitoring, by which you can track the last application
deployment state for users and devices. The state messages display information about individual devices. For
example, if an application is deployed to a collection of users, you can view the compliance state of the deployment
and the deployment purpose in the Configuration Manager console. You can monitor the deployment of all
software by using the Monitoring workspace in the Configuration Manager console. Software deployments
include software updates, compliance settings, applications, task sequences, and packages and programs. For more
information, see Monitor applications.
Application deployments are regularly re-evaluated by Configuration Manager. For example:
A deployed application is uninstalled by the end-user. At the next evaluation cycle, Configuration Manager
detects that the application is not present, and reinstalls it.
An application was not installed on a device because it failed to meet the requirements. Later, a change is
made to the device and it now meets the requirements. Configuration Manager detects this change, and the
application is installed.
You can set the re-evaluation interval for application deployments by using the Schedule re-evaluation for
deployments client setting. For more information, see About client settings.
4. Choose Next. On the Import Information page, you'll see some information about the app and any
associated files that were imported to Configuration Manager. Once you are done, choose Next again.
5. On the General Information page, you can supply further information about the application to help you
sort and locate it in the Configuration Manager console.
Additionally, the Installation program field lets you specify the full command line that will be used to
install the application on PCs. You can edit this to add your own properties (for example /q for an
unattended installation).
TIP
Some of the fields on this page of the wizard might have been filled in automatically when you imported the
application installation files.
You'll end up with a screen that looks similar to the following screenshot:
6. Choose Next. On the Summary page, you can confirm your application settings and then complete the
wizard.
You've finished creating the app. To find it, in the Software Library workspace, expand Application
Management, and then choose Applications. For this example, you'll see:
4. Choose OK to close each property page that you opened. Then return to the Applications list in the
Configuration Manager console.
TIP
Requirements can help reduce the number of Configuration Manager collections you need. Because you just specified that
the application can only get installed on PCs that are running Windows 10, you can later deploy this to a collection that
contains PCs that run many different operating systems. But the application will only get installed on Windows 10 PCs.
TIP
To find out more about distribution points and content management in Configuration Manager, see Manage content and
content infrastructure.
TIP
Remember that only Windows 10 computers will install the application because of the requirements that you selected earlier.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. From the list of applications, select the application that you created earlier (Contoso Application), and
then, on the Home tab in the Deployment group, choose Deploy.
3. On the General page of the Deploy Software Wizard, choose Browse to select the All Systems device
collection.
4. On the Content page, check that the distribution point from which you want PCs to install the application is
selected.
5. On the Deployment Settings page, make sure that the deployment action is set to Install, and the
deployment purpose is set to Required.
TIP
By setting the deployment purpose to Required, you make sure that the application is installed on PCs that meet
the requirements that you set. If you set this value to Available, then users can install the application on demand
from Software Center.
6. On the Scheduling page, you can configure when the application will be installed. For this example, select
As soon as possible after the available time.
7. On the User Experience page, choose Next to accept the default values.
8. Complete the wizard.
Use the information in the following Monitor the application section to see the status of your application
deployment.
TIP
There are a few ways you can monitor application deployments. For full details, see Monitor applications.
End-user experience
Users who have PCs that are managed by Configuration Manager and running Windows 10 see a message telling
them that they must install the Contoso application. Once they accept the installation, the application gets installed.
Plan for and configure application management in
System Center Configuration Manager
2/9/2017
Internet Information Services (IIS) is required on the site system servers that run the Application Catalog website point, the Application Catalog web service point, the management point, and distribution point. | For more about this requirement, see Supported configurations.
Mobile devices that are enrolled by Configuration Manager | When you code-sign applications to deploy them to mobile devices, do not use a certificate that was generated by using a Version 3 template (Windows Server 2008, Enterprise Edition). This certificate template creates a certificate that is not compatible with Configuration Manager applications for mobile devices.
Clients must be configured to audit sign-in events if you want to automatically create user device affinities. | The Configuration Manager client reads logon events of type Success from the PC's security event log to determine automatic user device affinities. These events are enabled by the following two audit policies: Audit account logon events and Audit logon events. To automatically create relationships between users and devices, make sure that these two settings are enabled on client computers. You can use Windows Group Policy to configure these settings.
Distribution point | Before applications can be deployed to clients, you must have at least one distribution point in the hierarchy. By default, the site server has a distribution point site role enabled during a standard installation. The number and location of distribution points will vary according to the specific requirements of your enterprise.
Client settings | Many client settings control how applications are installed on the client and the user experience on the client. These client settings include the following: Computer Agent, Computer Restart, Software Deployment, and User and Device Affinity. For more about these client settings, see About client settings.
For the Application Catalog: Discovered user accounts | Configuration Manager must first discover users before they can view and request applications from the Application Catalog. For more information, see Run discovery.
App-V 4.6 SP1 or later client to run virtual applications | To be able to create virtual applications in Configuration Manager, client computers must have the App-V 4.6 SP1 or later client installed. You must also update the App-V client with the hotfix described in the Knowledge Base article 2645225 before you can deploy virtual applications.
Application Catalog web service point | The Application Catalog web service point is a site system role that provides information about available software from the Software Library to the Application Catalog website. For more about how to configure this site system role, see Configure Software Center and the Application Catalog (Windows PCs only) in this article.
Application Catalog website point | The Application Catalog website point is a site system role that provides users with a list of available software. For more about how to configure this site system role, see Configure Software Center and the Application Catalog (Windows PCs only) in this article.
Reporting services point | To be able to use the reports in Configuration Manager for application management, you must first install and configure a reporting services point.
Security permissions for application management | You must have the following security permissions to manage applications. To deploy applications:
IMPORTANT
Although you no longer need to connect to the Application Catalog, you must still configure the Application Catalog
website point and the Application Catalog web service point as detailed in the next section.
The previous Software Center and the Application Catalog - By default, users continue to connect to
the previous version of Software Center and connect to the Application Catalog (Silverlight-enabled web
browser required) to browse available applications.
Whatever version you choose to use, Software Center is installed automatically when you install the
Configuration Manager client on Windows PCs.
TIP
The version of Software Center that users see is based on Configuration Manager client settings. This gives you the
flexibility to control the version that's used based on custom client settings that you deploy to a collection.
IMPORTANT
In the coming months, we will be removing the previous version of Software Center, and it will no longer be available
for you to use. You can configure clients to use the new Software Center by enabling the client setting Computer
Agent > Use new Software Center.
STEPS | DETAILS | MORE INFORMATION
Step 1: If you will use HTTPS connections, make sure that you have deployed a web server certificate to site system servers. | Deploy a web server certificate to the site system servers that will run the Application Catalog website point and the Application Catalog web service point. | For more about certificate requirements, see PKI certificate requirements.
Step 2: If you will use a client PKI certificate for connections to management points, deploy a client authentication certificate to client computers. | Although clients do not use a client PKI certificate to connect to the Application Catalog, they must connect to a management point before they can use the Application Catalog. You must deploy a client authentication certificate to client computers in the following scenarios: | For more about certificate requirements, see PKI certificate requirements.
Step 3: Install and configure the Application Catalog web service point and the Application Catalog website. | You must install both site system roles in the same site. You do not have to install them on the same site system server or in the same Active Directory forest. However, the Application Catalog web service point must be in the same forest as the site database. | For more about site system role placement, see Plan for site system servers and site system roles. To configure the Application Catalog web service point and the Application Catalog website point, see Step 3: Install and configure the Application Catalog site system roles.
Step 4: Configure client settings for the Application Catalog and Software Center. | Configure the default client settings if you want all users to have the same setting. Otherwise, configure custom client settings for specific collections. | For more about client settings, see About client settings. For more about how to configure these client settings, see Step 4: Configure the client settings for the Application Catalog and Software Center.
Step 5: Verify that the Application Catalog is operational. | You can use the Application Catalog directly from a browser or from Software Center. | See Step 5: Verify that the Application Catalog is operational.
NOTE
The Application Catalog cannot be installed on a secondary site or on a central administration site.
To install and configure the Application Catalog site systems: New site system server
1. In the Configuration Manager console, choose Administration > Site Configuration > Servers and Site
System Roles.
2. On the Home tab, in the Create group, choose Create Site System Server.
3. On the General page, specify the general settings for the site system, and then choose Next.
TIP
If you want client computers to use the Application Catalog over the Internet, specify the Internet fully qualified
domain name (FQDN).
4. On the System Role Selection page, select Application Catalog web service point and Application
Catalog website point from the list of available roles, and then choose Next.
5. Finish the wizard.
To install and configure the Application Catalog site systems: Existing site system server
1. In the Configuration Manager console, choose Administration > Site Configuration > Servers and Site
System Roles, and then select the server to use for the Application Catalog.
2. On the Home tab, in the Server group, choose Add Site System Roles.
3. On the General page, specify the general settings for the site system, and then choose Next.
TIP
If you want client computers to use the Application Catalog over the Internet, specify the Internet fully qualified
domain name (FQDN).
4. On the System Role Selection page, select Application Catalog web service point and Application
Catalog website point from the list of available roles, and then choose Next.
5. Finish the wizard.
6. Verify the installation of these site system roles by using status messages and by reviewing the log files:
Status messages: Use the components SMS_PORTALWEB_CONTROL_MANAGER and
SMS_AWEBSVC_CONTROL_MANAGER.
For example, status ID 1015 for SMS_PORTALWEB_CONTROL_MANAGER confirms that Site Component
Manager successfully installed the Application Catalog website point.
Log files: Search for SMSAWEBSVCSetup.log and SMSPORTALWEBSetup.log.
For more information, search for the awebsvcMSI.log and portlwebMSI.log log files.
Step 4: Configure the client settings for the Application Catalog and Software Center
This procedure configures the default client settings for the Application Catalog and Software Center that will apply
to all devices in the hierarchy. If you want these settings to apply to only some devices, you can create a custom
client setting and deploy it to a collection that has the devices that will have the specific settings. For more about
how to create a custom device setting, see the How to Create and Deploy Custom Client Settings section in the
How to configure client settings in System Center Configuration Manager article.
1. In the Configuration Manager console, choose Administration > Client Settings > Default Client
Settings.
2. On the Home tab, in the Properties group, choose Properties.
3. Review and configure settings that relate to user notifications, the Application Catalog, and Software Center.
For example:
a. Computer Agent group:
Default Application Catalog website point
Add default Application Catalog website to Internet Explorer trusted sites zone
Organization name displayed in Software Center
TIP
To specify the organization name that's displayed in the Application Catalog and configure the
website theme, use the Customization tab on the Application Catalog website properties.
Use new Software Center - Set to Yes if you want to use the new Software Center, which lets
users browse for and install available apps without the need to access the Application Catalog
(which requires a Silverlight-enabled web browser).
Install permissions
Show notifications for new deployments
b. Power Management group:
Allow users to exclude their device from power management
c. Remote Tools group:
Users can change policy or notification settings in Software Center
d. User and Device Affinity group:
Allow users to define their primary devices
NOTE
For more about the client settings, see About client settings in System Center Configuration Manager.
IMPORTANT
Software Center branding is synchronized with the Intune service every 14 days; therefore, there might be a delay before
changes you make in Intune are displayed in Configuration Manager.
NOTE
The Application Catalog requires Microsoft Silverlight, which is automatically installed as a Configuration Manager client
prerequisite. If you use the Application Catalog directly from a browser by using a computer that does not have the
Configuration Manager client installed, first verify that Microsoft Silverlight is installed on the computer.
TIP
Missing prerequisites are among the most typical reasons for the Application Catalog to operate incorrectly after installation.
Confirm the site system role prerequisites for the Application Catalog site system roles. You can do this by using the
Supported configurations article.
NOTE
If you signed in by using a Domain Administrator account, notification messages from the Configuration Manager client (for
example, messages indicating that new software is available) will not be displayed.
WARNING
After you have installed the Application Catalog site system roles, you will not immediately see the Application Catalog when
you choose the Find additional applications from the Application Catalog link from Software Center. The Application
Catalog becomes available from Software Center after the client next downloads its client policy or up to 25 hours after the
Application Catalog site system roles are installed.
Security and privacy for application management in
System Center Configuration Manager
12/7/2016
SECURITY BEST PRACTICE | MORE INFORMATION
Configure the Application Catalog points to use HTTPS connections and educate users about the dangers of malicious websites. | Configure the Application Catalog website point and the Application Catalog web service point to accept HTTPS connections so that the server is authenticated to users and the data that is transmitted is protected from tampering and viewing. Help to prevent social engineering attacks by educating users to connect to trusted websites only.
Use role separation, and install the Application Catalog website point and the Application Catalog service point on separate servers. | In case the Application Catalog website point is compromised, install it on a separate server from the Application Catalog web service point. This will help to protect the Configuration Manager clients and the Configuration Manager infrastructure. This is particularly important if the Application Catalog website point accepts client connections from the Internet because this configuration makes the server vulnerable to attack.
Educate users to close the browser window when they finish using the Application Catalog. | If users browse to an external website in the same browser window that they used for the Application Catalog, the browser continues to use the security settings that are suitable for trusted sites in the intranet.
Manually specify the user device affinity instead of letting users identify their primary device. Do not enable usage-based configuration. | Do not consider information that is collected from users or from the device to be authoritative. If you deploy software by using user device affinity that is not specified by a trusted administrative user, the software might be installed on computers and to users who are not authorized to receive that software.
Always configure deployments to download content from distribution points rather than run from distribution points. | When you configure deployments to download content from a distribution point and run locally, the Configuration Manager client verifies the package hash after it downloads the content. The client discards the package if the hash does not match the hash in the policy. In comparison, if you configure the deployment to run directly from a distribution point, the Configuration Manager client does not verify the package hash, which means that the Configuration Manager client can install software that has been tampered with.
Do not let users interact with programs if the Run with administrative rights option is required. | When you configure a program, you can set the Allow users to interact with this program option so that users can respond to any required prompts in the user interface. If the program is also configured to Run with administrative rights, an attacker at the computer that runs the program could use the user interface to escalate privileges on the client computer. Use programs that use Windows Installer for setup and per-user elevated privileges for software deployments that require administrative credentials. Setup must be run in the context of a user who does not have administrative credentials. Windows Installer per-user elevated privileges provide the most secure way to deploy applications that have this requirement.
Restrict whether users can install software interactively by using the Installation permissions client setting. | Configure the Computer Agent client device Install permissions setting to restrict the types of users who can install software by using the Application Catalog or Software Center. For example, create a custom client setting with Install permissions set to Only administrators. Then, apply this client setting to a collection of servers to prevent users without administrative permissions from installing software on those computers.
For mobile devices, deploy only applications that are signed. | Deploy mobile device applications only if they are code-signed by a certification authority (CA) that is trusted by the mobile device. For example:
If you sign mobile device applications by using the Create Application Wizard in Configuration Manager, secure the location of the signing certificate file, and secure the communication channel. | To help protect against elevation of privileges and against man-in-the-middle attacks, store the signing certificate file in a secured folder and use IPsec or Server Message Block (SMB) between the following computers:
Implement access controls to protect reference computers. | When an administrative user configures the detection method in a deployment type by browsing to a reference computer, make sure that the computer has not been compromised.
Restrict and monitor the administrative users who are granted the role-based security roles that are related to application management: Application Administrator, Application Author, Application Deployment Manager | Even when you configure role-based administration, administrative users who create and deploy applications might have more permissions than you realize. For example, administrative users who create or change an application can select dependent applications that are not in their security scope.
When you configure Microsoft Application Virtualization (App-V) virtual environments, select applications that have the same trust level in the virtual environment. | Because applications in an App-V virtual environment can share resources, like the clipboard, configure the virtual environment so that the selected applications have the same trust level.
If you deploy applications for Mac computers, make sure that the source files are from a trustworthy source. | The CMAppUtil tool does not validate the signature of the source package, so make sure that it comes from a source that you trust. The CMAppUtil tool cannot detect whether the files have been tampered with.
If you deploy applications for Mac computers, secure the location of the .cmmac file and secure the communication channel when you import this file to Configuration Manager. | The .cmmac file that the CMAppUtil tool generates and that you import to Configuration Manager is not signed or validated. To help prevent tampering with this file, store it in a secured folder, and use IPsec or SMB between the following computers:
If you configure a web application deployment type, use HTTPS rather than HTTP to secure the connection. | If you deploy a web application by using an HTTP link rather than an HTTPS link, the device could be redirected to a rogue server and data that's transferred between the device and server could be tampered with.
WARNING
When enabled, the Allow Silverlight applications to run in elevated trust mode client setting lets all Silverlight
applications that are signed by certificates in the Trusted Publishers certificate store in either the computer store or the user
store run in elevated trust mode. The client setting cannot enable elevated trust mode specifically for the Configuration
Manager Application Catalog or for the Trusted Publishers certificate store in the computer store. If malware adds a rogue
certificate in the Trusted Publishers store, for example, in the user store, malware that uses its own Silverlight application can
now also run in elevated trust mode.
If you set the Allow Silverlight applications to run in elevated trust mode client setting to No, this does not
remove the Microsoft signing certificate from clients.
For more about trusted applications in Silverlight, see Trusted Applications.
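A defender's check for the condition this warning describes, as an added PowerShell example (not part of the original article or of Configuration Manager): it lists certificates that are trusted as publishers only in the current user's store and not in the computer store. The function name Compare-TrustedPublisherStore is hypothetical, and the sample certificates and thumbprints are constructed.

```powershell
# Added example: report Trusted Publishers entries that exist only in the
# per-user store. Because the client setting honours both stores, a publisher
# that is present only in the user store deserves review.

function Compare-TrustedPublisherStore {
    [CmdletBinding()]
    param(
        # Certificates from the computer store (may be empty).
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $MachineCerts,
        # Certificates from the user store (may be empty).
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $UserCerts
    )

    # Index the computer store by thumbprint (case-insensitive hex string).
    $machineThumbs = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($cert in $MachineCerts) {
        [void]$machineThumbs.Add($cert.Thumbprint)
    }

    # Emit one finding per user-store certificate that the computer store lacks.
    foreach ($cert in $UserCerts) {
        if (-not $machineThumbs.Contains($cert.Thumbprint)) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                # Self-signed publishers have no issuing CA to vouch for them.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

# --- Constructed sample data (not real certificates) ---------------------
$sampleMachine = @(
    [pscustomobject]@{
        Thumbprint = '0000000000000000000000000000000000000001'
        Subject    = 'CN=Contoso Code Signing'
        Issuer     = 'CN=Contoso Issuing CA'
        NotAfter   = [datetime]'2030-01-01'
    }
)
$sampleUser = @(
    # Same publisher as the computer store: not reported.
    [pscustomobject]@{
        Thumbprint = '0000000000000000000000000000000000000001'
        Subject    = 'CN=Contoso Code Signing'
        Issuer     = 'CN=Contoso Issuing CA'
        NotAfter   = [datetime]'2030-01-01'
    },
    # Present only in the user store and self-signed: reported.
    [pscustomobject]@{
        Thumbprint = '0000000000000000000000000000000000000002'
        Subject    = 'CN=Unknown Publisher'
        Issuer     = 'CN=Unknown Publisher'
        NotAfter   = [datetime]'2035-01-01'
    }
)

'Findings for the constructed sample:'
Compare-TrustedPublisherStore -MachineCerts $sampleMachine -UserCerts $sampleUser |
    Format-Table -AutoSize

# --- Live check on a Windows client --------------------------------------
# @() keeps an empty store from binding as $null.
if (Test-Path -Path Cert:\CurrentUser\TrustedPublisher) {
    $machine = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher)
    $user    = @(Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher)

    'Findings for this computer and the current user:'
    Compare-TrustedPublisherStore -MachineCerts $machine -UserCerts $user |
        Format-Table -AutoSize
}
```

Cert:\CurrentUser reflects only the account that runs the script, so run it in the context of each user you want to inspect.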
Application Catalog
The Application Catalog lets the Configuration Manager admin publish any application or program or script for
users to run. Configuration Manager has no control over the types of programs or scripts that are published in
the catalog or the type of information that they transmit.
Configuration Manager might transmit information between clients and the Application Catalog site system
roles. The information might identify the computer and sign-in accounts. The information that is transmitted
between the client and servers is not encrypted unless these site system roles are configured to require that
clients connect by using HTTPS.
The information about the application approval request is stored in the Configuration Manager database.
Requests that are canceled or denied and the corresponding request history entries are deleted by default after
30 days. The deletion behavior is configurable by setting the Delete Aged Application Request Data site
maintenance task. Application approval requests that are in approved and pending states are never deleted.
Information that is sent to and from the Application Catalog is not sent to Microsoft.
The Application Catalog is not installed by default. This installation requires several configuration steps.
Create applications with System Center
Configuration Manager
11/23/2016
4. On the Import Information page of the Create Application wizard, review the information that was
imported, and then choose Next. If necessary, you can choose Previous to go back and fix any errors.
5. On the General Information page of the Create Application wizard, specify the following information:
NOTE
Some of this information might already be populated if it was automatically obtained from the application
installation files. Additionally, the displayed options might be different depending on the application type that you
create.
General information about the application, like the application name, comments, version, and an
optional reference to help you find the application in the Configuration Manager console.
Installation program--Specify the installation program and any required properties that are
needed to install the application deployment type.
TIP
If the installation program does not appear, choose Browse and browse to the installation program
location.
Install behavior--Specify whether the application deployment type will be installed for only the
currently logged-on user or for all users. You can also specify that the deployment type will be
installed for all users if it is deployed to a device, or only to a specific user if it is deployed to a user.
Use an automatic VPN connection (if configured)--If a VPN profile has been deployed to the
device on which the app is launched, launch the VPN connection when the app starts (Windows 8.1
and Windows Phone 8.1 only).
On Windows Phone 8.1 devices, automatic VPN connections are not supported if more than one
VPN profile has been deployed to the device.
For more about VPN profiles, see VPN profiles.
6. Choose Next, review the application information on the Summary page, and then finish the Create
Application wizard.
The new application appears in the Applications node of the Configuration Manager console, and you have
finished creating an application. If you want to add more deployment types to the application, see Create
deployment types for the application in this topic.
Manually specify application information
1. On the General page of the Create Application wizard, select Manually specify the application
information, and then choose Next.
2. Specify general information about the application, like the application name, comments, version, and an
optional reference to help you find the application in the Configuration Manager console.
3. On the Application Catalog page of the Create Application wizard, specify the following information:
Selected language--In the drop-down list, select the language version of the application that you
want to set up. Choose Add/Remove to set up more languages for this application.
Localized application name--Specify the application name in the language that you selected in
the Selected language drop-down list.
IMPORTANT
You must specify a localized application name for each language version that you set up.
User categories--Choose Edit to specify application categories in the language that you selected
in the Selected Language drop-down list. Users of Software Center can use these selected
categories to help filter and sort the available applications.
User documentation--Choose Browse to specify the URL to, or the UNC path and file name of, a
file that users of Software Center can read to get more information about this application.
Link text--Specify the text that will appear in place of the URL to the application.
Application Privacy URL--Specify a URL that links to the privacy statement for the application.
Localized description--Enter a description for this application in the language that you selected
in the Selected Language drop-down list.
Keywords--Enter a list of keywords in the language that you selected in the Selected Language
drop-down list. These keywords will help users of Software Center search for the application.
Icon--Choose Browse to select an icon for this application from the available icons. If you do not
specify an icon, a default icon will be used for this application.
Display this as a featured app and highlight it in the company portal--Select this option to
display the app prominently in the company portal.
4. On the Deployment Types page of the Create Application wizard, choose Add to create a new
deployment type.
For more information, see Create deployment types for the application.
5. Choose Next, review the application information on the Summary page, and then finish the Create
Application wizard.
The new application appears in the Applications node of the Configuration Manager console.
TIP
You can also start the Create Deployment Type wizard from the Create Application wizard and from the Deployment
Types tab of the Properties dialog box.
NOTE
You must have access to the UNC path that has the application and any subfolders that contain the application
content.
4. On the Import Information page of the Create Deployment Type wizard, review the information that
was imported, and then choose Next. You can also choose Previous to go back and fix any errors.
5. On the General Information page of the Create Deployment Type wizard, specify the following
information:
NOTE
Some of the deployment type information might already be present if it was read from the application installation
files. Additionally, the displayed options might differ, depending on the deployment type that you are creating.
General information about the deployment type, like the name, admin comments, and available
languages.
Installation program--Specify the installation program and any properties that you require to
install the deployment type.
Install behavior--Specify whether to install the deployment type for the current user or for all
users. You can also specify whether to install the deployment type for all users if it is deployed to a
device, or whether to install the deployment type to a user only if it is deployed to a user.
Use an automatic VPN connection (if configured)--If a VPN profile has been deployed to the
device on which the app is launched, launch the VPN connection when the app starts (Windows 8.1
and Windows Phone 8.1 only). If multiple VPN profiles have been deployed to a Windows 8.1
device, the first deployed VPN profile is used by default.
On Windows Phone 8.1 devices, automatic VPN connections are not supported if more than one
VPN profile has been deployed to the device.
For more about VPN profiles, see VPN profiles in System Center Configuration Manager.
6. Choose Next, and then continue to Specify content options for the deployment type.
Manually set up the deployment type information
1. On the General page of the Create Deployment Type wizard, select Manually specify the deployment
type information.
2. In the Type box, choose the application installation file type that you want to use to detect the
deployment type information. You can choose the same installation types that you would use when you
automatically detect the deployment type information, and you can also specify a script to install the
deployment type.
3. On the General Information page of the Create Deployment Type wizard, specify a name for the
deployment type, an optional description, and the languages in which you want to make this deployment
type available, and then choose Next.
4. Continue to Specify content options for the deployment type.
IMPORTANT
The System account of the site server computer must have permissions to the content location that you
specify.
Persist content in the client cache--Select this option to specify whether the content should be
retained in the cache on the client computer indefinitely, even if it has already been run. Although
this option can be useful with some deployments, like Windows Installer-based software that
requires a local source copy to be available for applying updates, it will reduce the available cache
space. If you select this option, it might cause a large deployment to fail at a later point if the cache
does not have sufficient available space.
Allow clients to share content with other clients on the same subnet--Select this option to
reduce load on the network by allowing clients to download content from other local clients on the
network that have already downloaded and cached the content. This option utilizes Windows
BranchCache technology.
Installation program--Specify the name of the installation program and any required installation
parameters, or choose Browse to locate the installation file.
Installation start in--Optionally, specify the folder that has the installation program for the
deployment type. This folder can be an absolute path on the client or a path to the distribution
point folder that has the installation files.
Uninstall program--Optionally, specify the name of the uninstall program and any required
parameters, or choose Browse to locate it.
Uninstall start in--Optionally, specify the folder that has the uninstall program for the
deployment type. This folder can be an absolute path on the client or a path that is relative to the
distribution point folder that has the package.
Run installation and uninstall program as 32-bit process on 64-bit clients--Use the 32-bit
file and registry locations on Windows-based computers to run the installation program for the
deployment type.
2. Choose Next.
NOTE
You can also select Use a custom script to detect the presence of this deployment type. For more
information, see Use a custom script to check for the presence of a deployment type.
2. In the Detection Rule dialog box, in the Setting type drop-down list, select the method that you want to
use to detect the presence of the deployment type. You can choose from the following available methods:
File System--Use this method to detect whether a specified file or folder exists on a client device,
thus indicating that the application is installed.
NOTE
The File system setting type does not support specifying a UNC path to a network share in the Path field.
You can only specify a local path on the client device.
To check 32-bit file locations for the specified file or folder, select the option This file or folder is
associated with a 32-bit application on 64-bit systems first. If the file or folder is not found, 64-bit
locations will be searched.
Registry--Use this method to detect whether a specified registry key or registry value exists on a
client device, thus indicating that the application is installed.
NOTE
To check 32-bit registry locations for the specified registry key, select the option This registry key is
associated with a 32-bit application on 64-bit systems first. If the registry key is not found, 64-bit
locations will be searched.
Windows Installer--Use this method to detect whether a specified Windows Installer file exists on
a client device, thus indicating that the application is installed.
3. Specify details about the item that you want to use to detect whether this deployment type is installed. For
example, you can use a file, folder, registry key, registry value, or a Windows Installer product code.
4. Specify details about the value that you want to assess against the item that you use to detect whether the
deployment type is installed. For example, if you use a file to check whether the deployment type is
installed, you can select The file system setting must exist on the target system to indicate
presence of this application.
5. Choose Next to close the Detection Rule dialog box.
Use a custom script to check for the presence of a deployment type
1. On the Detection Method page of the Create Deployment Type wizard, select the Use a custom script
to detect the presence of this deployment type box, and then choose Edit.
2. In the Script Editor dialog box, in the Script type drop-down list, select the script language that you
want to use to detect the deployment type.
3. In the Script contents box, enter the script that you want to use. You can also paste the contents of an
existing script in this field, or choose Open to browse to an existing saved script. Configuration Manager
checks the results from the script by reading the values that are written to the Standard Out (STDOUT)
output stream, the Standard Error (STDERR) output stream, and the exit code from the script. If the exit
code is a nonzero value, the script has failed and the application detection status is unknown. If the exit
code is zero and STDOUT has data, the application detection status is Installed.
Use the following table to see how to use the output from a script to check whether an application is
installed.
Script result--Success
Script result--Failure
Script result--Success
Script result--Success
Script result--Failure
Script result--Failure
Script result--Failure
Script result--Failure
The following table has Microsoft Visual Basic (VB) sample scripts that you can use to write your own application
detection scripts.
VISUAL BASIC SAMPLE SCRIPT DESCRIPTION

WScript.Quit(1)
The script returns an exit code that is not zero, which indicates that it failed to run successfully. In this case, the
application detection state is unknown.

WScript.StdErr.Write "Script failed"
WScript.Quit(0)
The script returns an exit code of zero, but the value of STDERR is not empty, which indicates that the script failed to
run successfully. In this case, the application detection state is unknown.

WScript.Quit(0)
The script returns an exit code of zero, which indicates that it ran successfully. However, the value for STDOUT is empty,
which indicates that the application is not installed.

WScript.StdOut.Write "The application is installed"
WScript.Quit(0)
The script returns an exit code of zero, which indicates that it ran successfully. The value for STDOUT is not empty, which
indicates that the application is installed.

WScript.StdOut.Write "The application is installed"
WScript.StdErr.Write "Completed"
WScript.Quit(0)
The script returns an exit code of zero, which indicates that it ran successfully. The values for STDOUT and STDERR are not
empty, which indicates that the application is installed.
NOTE
The maximum size that you can use for a script is 32 kilobytes (KB).
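The following PowerShell detection script is an added example, not part of the original documentation, that follows the exit code and STDOUT rules described above. The product name Contoso Agent, the minimum version 2.4.0, and the lookup under the Uninstall registry key are assumptions for illustration; the RegistryView calls need PowerShell 3.0 or later.

```powershell
# Added example: detection script for a hypothetical product.
# Contract taken from the page:
#   nonzero exit code            -> script failed, detection state unknown
#   exit code 0, STDOUT empty    -> application not installed
#   exit code 0, STDOUT has data -> application installed

$ErrorActionPreference = 'Stop'      # surface every error as an exception

$DisplayName    = 'Contoso Agent'    # hypothetical product name (assumption)
$MinimumVersion = [version]'2.4.0'   # hypothetical minimum version (assumption)
$UninstallPath  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-InstalledVersion {
    # Returns every parseable DisplayVersion registered for $DisplayName in
    # the requested registry view (32-bit or 64-bit).
    param([Microsoft.Win32.RegistryView]$View)

    $found = @()
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $uninstall = $base.OpenSubKey($UninstallPath)
        if ($null -eq $uninstall) { return $found }
        try {
            foreach ($name in $uninstall.GetSubKeyNames()) {
                $sub = $uninstall.OpenSubKey($name)
                if ($null -eq $sub) { continue }
                try {
                    if ($sub.GetValue('DisplayName') -eq $DisplayName) {
                        $raw    = [string]$sub.GetValue('DisplayVersion')
                        $parsed = $null
                        # Skip entries whose version string is missing or malformed.
                        if ([version]::TryParse($raw, [ref]$parsed)) {
                            $found += $parsed
                        }
                    }
                }
                finally { $sub.Close() }
            }
        }
        finally { $uninstall.Close() }
    }
    finally { $base.Close() }
    return $found
}

try {
    # Query both views explicitly so the result does not depend on whether
    # the script host is a 32-bit or 64-bit process.
    $versions = @(
        Get-InstalledVersion -View Registry64
        Get-InstalledVersion -View Registry32
    )
    $best = $versions | Sort-Object -Descending | Select-Object -First 1

    if ($best -and $best -ge $MinimumVersion) {
        # Data on STDOUT with exit code 0 reports the application as installed.
        Write-Output "Installed: $DisplayName $best"
    }
    # Not found or too old: write nothing, so STDOUT stays empty.
    exit 0
}
catch {
    # Any unexpected error ends with a nonzero exit code, so the detection
    # state is reported as unknown instead of "not installed".
    [Console]::Error.WriteLine("Detection failed: $($_.Exception.Message)")
    exit 1
}
```

Keep diagnostic text off STDOUT in the not-installed path, because any data there with exit code 0 is read as Installed.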
NOTE
This option defaults to Only when a user is logged on, and it cannot be changed if you selected Install
for user in the Installation behavior drop-down list.
Installation program visibility--Specify the mode in which the deployment type will run on
client devices. The following options are available:
Maximized--The deployment type runs maximized on client devices. Users will see all
installation activity.
Normal--The deployment type runs in the normal mode based on system and program
defaults. This is the default mode.
Minimized--The deployment type runs minimized on client devices. Users might see the
installation activity in the notification area or taskbar.
Hidden--The deployment type runs hidden on client devices, and users will see no
installation activity.
Allow users to view and interact with the program installation--Specify whether a user can
interact with the deployment type installation to set up the installation options.
NOTE
This option is enabled by default if you selected the Install for user option in the Installation behavior
drop-down list.
Maximum allowed run time (minutes)--Specify the maximum time that the program is
expected to run on the client computer. You can specify this setting as a whole number greater
than zero. The default setting is 120 minutes.
This value is used to:
Monitor the results from the deployment type.
Check whether a deployment type will be installed when maintenance windows are defined
on client devices. When a maintenance window is in place, a program will start only if
enough time is available in the maintenance window to accommodate the Maximum
Allowed Run Time setting.
IMPORTANT
A conflict might occur if the Maximum allowed run time is longer than the scheduled maintenance
window. If the user sets the maximum run time to a period that exceeds the length of any available
maintenance window, that deployment type will not be run.
2. Estimated installation time (minutes)--Specify the estimated time that installation of the deployment
type will take. This is displayed to users of Software Center.
NOTE
You can also add new requirements on the Requirements tab of the Properties dialog box.
2. In the Category drop-down list, select whether this requirement is for a device or a user, or select
Custom to use a previously created global condition. When you select Custom, you can also choose
Create to create a new global condition. For more about global conditions, see How to create global
conditions.
IMPORTANT
Any requirement of the category User and the condition Primary Device will be ignored if you deploy the
application to a device collection.
If you created a Windows package and program or task sequence that has Windows 10 as a requirement using
System Center 2012 R2 Configuration Manager SP1 and then upgrade to System Center Configuration Manager,
the requirements for Windows 10 might be removed. To fix this problem, specify the requirements again. Note
that although the requirement has been removed from the requirements display, it is still processed correctly on
devices.
3. In the Condition drop-down list, select the condition that you want to use to assess whether the user or
device meets the installation requirements. The contents of this list will vary depending on the selected
category.
4. In the Operator drop-down list, select the operator that will be used to compare the selected condition to
the specified value to assess whether the user or device meets the installation requirements. The available
operators will vary depending on the selected condition.
IMPORTANT
The available requirements will differ depending on the device type that the deployment type uses.
5. In the Value box, specify the values that will be used with the selected condition and operator to evaluate
whether the user or device meets the installation requirements. The available values will vary depending
on the selected condition and the selected operator.
6. Choose OK to save the requirement and close the Create Requirement dialog box.
IMPORTANT
In some cases, a deployment type is dependent on a deployment type that also has dependencies. The maximum number
of supported dependencies in the chain is five.
1. On the Dependencies page of the Create Deployment Type wizard, choose Add if you want to specify
the deployment types that must be installed before this deployment type can be installed.
IMPORTANT
You can also add new dependencies on the Dependencies tab of the Properties dialog box.
NOTE
A dependent application does not need to be deployed to be automatically installed.
6. In the Add Dependency dialog box under Dependency group name, enter a name to refer to this
group of application dependencies.
7. Optionally, use the Increase Priority and Decrease Priority buttons to change the order in which each
dependency is evaluated.
8. Choose OK to close the Add Dependency dialog box.
Import an application
Use the following procedure to import an application into Configuration Manager. For information about how to
export an application, see Management tasks for System Center Configuration Manager applications.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. On the Home tab, in the Create group, choose Import Application.
3. On the General page of the Import Application wizard, choose Browse, and then specify a UNC path
to the .zip file that has the application you want to import.
4. On the File Content page, select the action that will be taken if the application that you are trying to
import is a duplicate of an existing application. You can create a new application or ignore the duplicate
and add a new revision to the existing application.
5. On the Summary page, review the actions to be taken, and then finish the wizard.
The new application appears in the Applications node.
TIP
The Windows PowerShell cmdlet Import-CMApplication has the same function as this procedure. For more information,
see Import-CMApplication in Microsoft System Center 2012 Configuration Manager SP1 Cmdlet Reference.
DEPLOYMENT TYPE NAME MORE INFORMATION
Windows Installer (*.msi file)--Creates a deployment type from a Windows Installer file.
Windows app package (*.appx, *.appxbundle)--Creates a deployment type for Windows 8, Windows RT, or later from a
Windows app package file or Windows app bundle package.
Windows app package (in the Windows Store)--Creates a deployment type for Windows 8, Windows RT, or later by
specifying a link to the app in the Windows Store or by browsing the store to select the app you require.
Script Installer--Creates a deployment type that specifies a script that runs on client devices to install content or
to do an action.
Windows Phone app package (*.xap file)--Creates a deployment type from a Windows Phone app package file.
Windows Phone app package (in the Windows Phone Store)--Creates a deployment type by specifying a link to the app
in the Windows Phone store.
Windows Mobile Cabinet--Creates a deployment type for Windows Mobile devices from a Windows Mobile Cabinet (CAB)
file.
App Package for iOS (*.ipa file)--Creates a deployment type from an iOS app package file.
App Package for iOS from App Store--Creates a deployment type by specifying a link to the iOS app in the App Store.
App Package for Android (*.apk file)--Creates a deployment type from an Android app package file.
App Package for Android on Google Play--Creates a deployment type by specifying a link to the app on Google Play.
- http-intunemam://
- https-intunemam://
Windows Installer through MDM (*.msi)--This installer type lets you create and deploy Windows Installer-based apps
to PCs that run Windows 10.
- You can only upload a single file with the extension .msi.
- The file's product code and product version are used for app detection.
General considerations
Configuration Manager supports the deployment of the following app types:
iOS *.ipa
IMPORTANT
Currently, end-users cannot install corporate apps from the Microsoft Intune Company Portal app for iOS. This is because
there are restrictions that are placed on apps that are published in the iOS App Store (see App Store Review Guidelines,
Section 2). Users can install corporate apps (including managed App Store apps and line-of-business app packages) by
browsing to the Intune Web Portal on their device (portal.manage.microsoft.com). For more information about the mobile
management capabilities that are enabled by the Intune Company Portal app, see Enrolled device management capabilities in
Microsoft Intune.
Create Mac computer applications with System
Center Configuration Manager
12/29/2016
IMPORTANT
The procedures in this topic cover information about deploying applications to Mac computers on which you installed the
Configuration Manager client. Mac computers that you enrolled with Microsoft Intune do not support application
deployment.
General considerations
You can use System Center Configuration Manager to deploy applications to Mac computers that run the
Configuration Manager Mac client. The steps to deploy software to Mac computers are similar to the steps to
deploy software to Windows computers. However, before you create and deploy applications for Mac computers
that are managed by Configuration Manager, consider the following:
Before you can deploy Mac application packages to Mac computers, you must use the CMAppUtil tool on a
Mac computer to convert these applications into a format that can be read by Configuration Manager.
Configuration Manager does not support the deployment of Mac applications to users. Instead, these
deployments must be made to a device. Similarly, for Mac application deployments, Configuration Manager
does not support the Pre-deploy software to the user's primary device option on the Deployment
Settings page of the Deploy Software Wizard.
Mac applications support simulated deployments.
You cannot deploy applications to Mac computers that have a purpose of Available.
The option to send wake-up packets when you deploy software is not supported for Mac computers.
Mac computers do not support Background Intelligent Transfer Service (BITS) for downloading application
content. If an application download fails, it is restarted from the beginning.
Configuration Manager does not support global conditions when you create deployment types for Mac
computers.
STEP DETAILS
Step 1: Prepare Mac applications for Configuration Manager--Before you can create Configuration Manager applications
from Mac software packages, you must use the CMAppUtil tool on a Mac computer to convert the Mac software into a
Configuration Manager .cmmac file.
Step 2: Create a Configuration Manager application that contains the Mac software--Use the Create Application Wizard
to create an application for the Mac software.
Step 3: Create a deployment type for the Mac application--This step is required only if you did not automatically import
this information from the application.
Step 4: Deploy the Mac application--Use the Deploy Software Wizard to deploy the application to Mac computers.
Step 5: Monitor the deployment of the Mac application--Monitor the success of application deployments to Mac
computers.
NOTE
The application name can't be more than 128 characters.
To configure options for CMAppUtil, use the command-line properties in the following table:
4. Ensure that the .cmmac file has been created in the output folder that you specified.
Create a Configuration Manager application that contains the Mac software
Use the following procedure to help you create an application for Mac computers that are managed by
Configuration Manager.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. On the Home tab, in the Create group, choose Create Application.
3. On the General page of the Create Application Wizard, select Automatically detect information
about this application from installation files.
NOTE
If you want to specify information about the application yourself, select Manually specify the application
information. For more information about how to manually specify the information, see How to create applications
with System Center Configuration Manager.
4. In the Type drop-down list, select Mac OS X.
5. In the Location field, specify the UNC path in the form \\\\ to the Mac application installation file (.cmmac
file) that will detect application information. Alternatively, choose Browse to browse to and specify the
installation file location.
NOTE
You must have access to the UNC path that contains the application.
6. Choose Next.
7. On the Import Information page of the Create Application Wizard, review the information that was
imported. If necessary, you can choose Previous to go back and correct any errors. Choose Next to
proceed.
8. On the General Information page of the Create Application Wizard, specify information about the
application such as the application name, comments, version, and an optional reference to help you
reference the application in the Configuration Manager console.
NOTE
Some of the application information might already be on this page if it was previously obtained from the application
installation files.
9. Choose Next, review the application information on the Summary page, and then complete the Create
Application Wizard.
10. The new application is displayed in the Applications node of the Configuration Manager console.
Step 3: Create a deployment type for the Mac application
Use the following procedure to help you create a deployment type for Mac computers that are managed by
Configuration Manager.
NOTE
If you automatically imported information about the application in the Create Application Wizard, a deployment type for
the application might already have been created.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. Select an application. Then, on the Home tab, in the Application group, choose Create Deployment Type
to create a new deployment type for this application.
NOTE
You can also start the Create Deployment Type Wizard from the Create Application Wizard and from the
Deployment Types tab of the Properties dialog box.
3. On the General page of the Create Deployment Type Wizard, in the Type drop-down list, select Mac OS
X.
4. In the Location field, specify the UNC path in the form \\\\ to the application installation file (.cmmac file).
Alternatively, choose Browse to browse to and specify the installation file location.
NOTE
You must have access to the UNC path that contains the application.
5. Choose Next.
6. On the Import Information page of the Create Deployment Type Wizard, review the information that
was imported. If necessary, choose Previous to go back and correct any errors. Choose Next to continue.
7. On the General Information page of the Create Deployment Type Wizard, specify information about
the application such as the application name, comments, and the languages in which the deployment type is
available.
NOTE
Some of the deployment type information might already be on this page if it was previously obtained from the
application installation files.
8. Choose Next.
9. On the Requirements page of the Create Deployment Type Wizard, you can specify the conditions that
must be met before the deployment type can be installed on Mac computers.
10. Choose Add to open the Create Requirement dialog box and add a new requirement.
NOTE
You can also add new requirements on the Requirements tab of the Properties dialog box.
11. From the Category drop-down list, select that this requirement is for a device.
12. From the Condition drop-down list, select the condition that you want to use to assess whether the Mac
computer meets the installation requirements. The contents of this list vary depending on the category that
you select.
13. From the Operator drop-down list, choose the operator to use to compare the selected condition to the
specified value to assess whether the user or device meets the installation requirements. The available
operators vary depending on the selected condition.
14. In the Value field, specify the values to use with the selected condition and operator to assess whether the
user or device meets the installation requirement. The available values vary depending on the condition
and operator that you select.
15. Choose OK to save the requirement rule and exit the Create Requirement dialog box.
16. On the Requirements page of the Create Deployment Type Wizard, choose Next.
17. On the Summary page of the Create Deployment Type Wizard, review the actions for the wizard to take.
If necessary, choose Previous to go back and change deployment type settings. Choose Next to create the
deployment type.
18. After the Progress page finishes, review the actions that have been taken, and then choose Close to
complete the Create Deployment Type Wizard.
19. If you started this wizard from the Create Application Wizard, you will return to the Deployment Types
page.
Deploy the Mac application
The steps to deploy an application to Mac computers are the same as the steps to deploy an application to
Windows computers, except for the following differences:
The deployment of applications to users is not supported.
Deployments that have a purpose of Available are not supported.
The Pre-deploy software to the user's primary device option on the Deployment Settings page of the
Deploy Software Wizard is not supported.
Because Mac computers do not support Software Center, the setting User notifications on the User
Experience page of the Deploy Software Wizard is ignored.
The option to send wake-up packets when you deploy software is not supported for Mac computers.
NOTE
You can build a collection that contains only Mac computers. To do so, create a collection that uses a query rule and use the
example WQL query in the How to create queries topic.
General considerations
Configuration Manager supports deploying the following app file types:
Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile--Available, Required, Uninstall
Steps to deploy the latest Windows Phone company portal app with
supersedence
The following table provides the steps, details, and more information for creating and deploying the latest
Windows Phone 8 company portal app.
STEP MORE INFORMATION
Step 1: Get the latest company portal app--Download the Windows Phone 8 company portal app.
Step 2: Sign the company portal app with your Symantec certificate--For information on how to sign the company portal
app, see Set up Windows Phone and Windows 10 Mobile hybrid device management with System Center Configuration
Manager and Microsoft Intune.
Step 3: Create a new application with the latest version of the company portal app, and specify a supersedence
relationship--For more information, see Create applications and Revise and supersede applications.
Step 4: Add the application to the Microsoft Intune Subscription Wizard--For more information, see Set up Windows
Phone and Windows 10 Mobile hybrid device management with System Center Configuration Manager and Microsoft Intune.
Step 5: Delete the deployment that is automatically created when you added the company portal app to the Microsoft
Intune Subscription Wizard--The Microsoft Intune subscription has created an automatic deployment of this app, as this
deployment will not support supersedence.
Step 6: Create a new deployment of the application. On the Deployment Settings page of the Deploy Software Wizard,
check Automatically upgrade any superseded versions of this application--Create a new deployment with supersedence
using the application you created with the supersedence relationship.
If you set this value to a lower value than the default, it might
negatively affect the performance of your network and client
computers.
Create Linux and UNIX server applications with
System Center Configuration Manager
12/6/2016
General considerations
The Configuration Manager client for Linux and UNIX supports software deployments that use packages and
programs. You cannot deploy Configuration Manager applications to computers that run Linux and UNIX.
The capabilities of Linux and UNIX software deployment include:
Software installation for Linux and UNIX servers, including the following:
New software deployment
Software updates for programs that are already on a computer
Operating system patches
Native Linux and UNIX commands, and scripts that are located on Linux and UNIX servers
Deployments that are limited to the operating systems that you specify when you select the program option
Only on specified client platforms
Maintenance windows to control when software installs
Deployment status messages to monitor deployments
The option for the client to throttle network usage when it's downloading software from a distribution point
Differences between deploying to Linux and UNIX computers and deploying to Windows devices
The main differences between deploying packages and programs to Linux and UNIX computers and deploying
packages and programs to Windows devices are as follows:
CONFIGURATION DETAILS
Use only configurations that are intended for computers, and don't use configurations that are intended for users--The
Configuration Manager client for Linux and UNIX does not support configurations that are intended for users.
Configure programs to download software from the distribution point and run the programs from the local client
cache--The Configuration Manager client for Linux and UNIX does not support running software from the distribution
point. Instead, you must configure the software to download to the client and then get installed.
By default, after the client for Linux and UNIX installs software, that software is deleted from the client's cache.
However, packages that are configured with Persist content in the client cache are not deleted from the client and
remain in the client's cache after the software installs.
The client for Linux and UNIX does not support configurations for the client cache, and the maximum size of the client
cache is limited only by the free disk space on the client computer.
Configure the Network Access Account for distribution point access--Linux and UNIX computers are designed to be
workgroup computers. To access packages from the distribution point in the Configuration Manager site server domain,
you must configure the Network Access Account for the site. You must specify this account as a software distribution
component property and configure the account before you deploy software.
You can deploy packages and programs to collections that contain only Linux or UNIX clients, or you can deploy
them to collections that contain a mix of client types, such as the All Systems Collection. However, non-Linux and
non-UNIX clients won't install the software or report failure.
When the Configuration Manager client for Linux and UNIX receives and runs a deployment, it generates status
messages. You can view these status messages in the Configuration Manager console, or by using reports to
monitor the deployment status.
For information about how to use packages and programs, see Packages and programs.
DEPLOYMENT PROPERTY: Package share settings: All options
BEHAVIOR: An error is generated and the software installation fails
MORE INFORMATION: The client does not support this configuration. Instead, the client must download the software by using HTTP or HTTPS, and then run the command line from its local cache.

DEPLOYMENT PROPERTY: Package update settings: Disconnect users from distribution points
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not support this configuration.

DEPLOYMENT PROPERTY: Operating system deployment settings: All options
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not support this configuration.

DEPLOYMENT PROPERTY: Reporting: Use package properties for status MIF matching
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not support the use of status MIF files.

DEPLOYMENT PROPERTY: Run: All options
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client always runs packages with no user interface. The client ignores all configuration options for Run.

DEPLOYMENT PROPERTY: After running: Configuration Manager restarts computer; Program controls restart; Configuration Manager signs the user out
BEHAVIOR: An error is generated and the software installation fails
MORE INFORMATION: The system restart setting and user-specific settings are not supported. When any setting other than the No action required setting is in use, the client generates an error and continues the software installation, with no action taken.

DEPLOYMENT PROPERTY: Program can run: Only when a user is signed in
BEHAVIOR: An error is generated and the software installation fails
MORE INFORMATION: User-specific settings are not supported. When this option is configured, the client generates an error and fails the installation of the software.

DEPLOYMENT PROPERTY: Allow users to view and interact with the program installation
BEHAVIOR: Settings are ignored
MORE INFORMATION: User-specific settings are not supported.

DEPLOYMENT PROPERTY: Drive mode: All options
BEHAVIOR: Settings are ignored
MORE INFORMATION: This setting is not supported because content is always downloaded to the client and run locally.

DEPLOYMENT PROPERTY: Run another program first
BEHAVIOR: An error is generated and the software installation fails
MORE INFORMATION: Recursive program installation is not supported.

DEPLOYMENT PROPERTY: When this program is assigned to a computer: Run once for every user who signs in
BEHAVIOR: Settings are ignored
MORE INFORMATION: User-specific settings are not supported. However, the client supports the configuration running once for the computer.

DEPLOYMENT PROPERTY: Suppress program notifications
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not implement a user interface.

DEPLOYMENT PROPERTY: Disable this program on computers where it is deployed
BEHAVIOR: Settings are ignored
MORE INFORMATION: This setting is not supported and does not affect the installation of software.

DEPLOYMENT PROPERTY: Allow this program to be installed from the Install Package task sequence without being deployed
MORE INFORMATION: The client does not support task sequences. This setting is not supported and does not affect the installation of software.

DEPLOYMENT PROPERTY: Windows Installer: All options
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not support Windows Installer files or settings.

DEPLOYMENT PROPERTY: OpsMgr Maintenance Mode: All options
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not support this configuration.

DEPLOYMENT PROPERTY: Deployment settings purpose: Available; Required
BEHAVIOR: Settings are ignored
MORE INFORMATION: User-specific settings are not supported. However, the client supports the setting Required, which enforces the scheduled installation time, but does not support manual installation prior to that scheduled time.

DEPLOYMENT PROPERTY: Send wake-up packets
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not support this configuration.

DEPLOYMENT PROPERTY: Assignment schedule: logon; logoff
BEHAVIOR: An error is generated and the software installation fails
MORE INFORMATION: User-specific settings are not supported. However, the client supports the setting As soon as possible.

DEPLOYMENT PROPERTY: Notification settings: Allow users to run the program independently of assignments
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not implement a user interface.

DEPLOYMENT PROPERTY: When the scheduled assignment time is reached, allow the following activity to be performed outside the maintenance window:
BEHAVIOR: An error is generated
MORE INFORMATION: The client does not support a system restart.

DEPLOYMENT PROPERTY: Deployment option for fast (LAN) networks: Run program from distribution point
BEHAVIOR: An error is generated and the software installation fails
MORE INFORMATION: The client cannot run software from the distribution point and instead must download the program before it can run.

DEPLOYMENT PROPERTY: Deployment option for a slow or unreliable network boundary, or a fallback source location for content:
BEHAVIOR: Settings are ignored
MORE INFORMATION: The client does not support sharing content between peers.

For more information about content location, see Manage content and content infrastructure for System Center
Configuration Manager.
For more information about how to create a deployment, see Deploy applications.
TIP
If the software that you want to deploy is located on a Network File System (NFS) share that the Linux or UNIX server can
access, you do not need to use a distribution point to download the package. Instead, when you create the package, do not
select the check box for This package contains source files. Then, when you configure the program, specify the appropriate
command line to directly access the package on the NFS mount point.
Create Android applications with System Center
Configuration Manager
12/5/2016
General considerations
Configuration Manager supports the deployment of the following app types for Android:
Android .apk
General considerations
When you deploy applications to Windows Embedded devices that are enabled for write filtering, you can
specify whether to disable the write filter on the device during the app deployment. You can then choose to
restart the write filter after the app deployment. If the write filter is not disabled, the software is deployed to
a temporary overlay. This means that unless another deployment forces changes to persist, the software will
no longer be installed when the device restarts.
When you deploy an application to a Windows Embedded device, make sure that the device is a member of
a collection that has a configured maintenance window. This lets you manage when the write filter is
disabled and enabled, and when the device restarts.
The setting that controls the write filter behavior is a check box named Commit changes at deadline or
during a maintenance window (requires restarts).
NOTE
You can edit global conditions only from the site where they were created.
NOTE
An assembly is a piece of code that can be shared between applications. Assemblies can have the .dll or .exe
file name extension. The Global Assembly Cache is a folder named %systemroot%\assembly on client
computers in which all shared assemblies are stored.
File system
Type - From the drop-down list, choose whether you want to search for a File or a Folder.
Path - Specify the path to the specified file or folder on client computers. You can specify
system environment variables and the %USERPROFILE% environment variable in the path.
NOTE
If you use the %USERPROFILE% environment variable in the Path or File or folder name fields, all
user profiles on the client computer will be searched. This could result in the discovery of multiple
instances of the file or folder.
File or folder name - Specify the name of the file or folder object that will be searched for.
You can specify system environment variables and the %USERPROFILE% environment variable
in the file or folder name. You can also use the * and ? wildcards in the file name.
NOTE
If you specify a file or folder name and use wildcards, this might produce a high number of results.
This could result in high resource use on the client computer and high network traffic when reporting
results to Configuration Manager.
Include subfolders - Enable this option if you also want to search any subfolders under the
specified path.
This file or folder is associated with a 64-bit application - Choose whether the 64-bit
system file location (%windir%\system32) should be searched in addition to the 32-bit system
file location (%windir%\syswow64) on Configuration Manager clients that run a 64-bit version
of Windows.
NOTE
If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit
computer, multiple files will be discovered by the global condition.
The File system setting type does not support specifying a UNC path to a network share in
the Path field.
IIS metabase
Metabase path - Specify a valid path to the IIS Metabase.
Property ID - Specify the numeric property of the IIS Metabase setting.
Registry key
Hive - From the drop-down list, choose the registry hive that you want to search in.
Key - Specify the registry key name that you want to search for. The format used should be
key\subkey.
This registry key is associated with a 64-bit application - Specifies whether the 64-bit
registry keys should be searched in addition to the 32-bit registry keys on clients that run a
64-bit version of Windows.
NOTE
If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit
computer, both registry keys will be discovered by the global condition.
Registry value
Hive - From the drop-down list, select the registry hive that you want to search in.
Key - Specify the registry key name that you want to search for. The format used should be
key\subkey.
Value - Specify the value that must be contained within the specified registry key.
This registry key is associated with a 64-bit application - Specifies whether the 64-bit
registry keys should be searched in addition to the 32-bit registry keys on clients that run a
64-bit version of Windows.
NOTE
If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit
computer, both registry keys will be discovered by the global condition.
Script
Discovery script - Choose Add to enter, or browse to the script to use. You can use Windows
PowerShell, VBScript, or JScript scripts.
Run scripts by using the logged on user credentials - If you enable this option, the script
will run on client computers by using the credentials of the user who is signed in.
NOTE
The value returned by the script will be used to assess the compliance of the global condition. For
example, when you use VBScript, you could use the WScript.Echo Result command to return the
Result variable value to the global condition.
If your script returns multiple values, these values must be on a single line and separated with a semi-
colon. If each value is on a separate line, the evaluation will fail.
SQL query
SQL Server instance - Choose whether you want the SQL query to run on the default
instance, all instances, or a specified database instance name.
NOTE
The instance name must refer to a local instance of SQL Server. To refer to a clustered SQL server
instance, you should use a script setting.
Database - Specify the name of the Microsoft SQL Server database for which the SQL query
will be run.
Column - Specify the column name returned by the Transact-SQL statement to use to assess
the compliance of the global condition.
Transact-SQL statement - Specify the full SQL query to use for the global condition. You can
also choose Open to open an existing SQL query.
WQL query
Namespace - Specify the WMI namespace that will be used to build a WQL query that will be
assessed for compliance on client computers. The default value is Root\cimv2.
Class - Specifies the WMI class that will be used to build a WQL query that will be assessed for
compliance on client computers.
Property - Specifies the WMI property that will be used to build a WQL query that will be
assessed for compliance on client computers.
WQL query WHERE clause - You can use the WQL query WHERE clause item to specify a
WHERE clause to be applied to the specified namespace, class, and property on client
computers.
XPath query
Path - Specify the path to the XML file on client computers that will be used to assess
compliance. Configuration Manager supports the use of all Windows system environment
variables and the %USERPROFILE% user variable in the path name.
XML file name - Specify the file name that contains the XML query to use to assess
compliance on client computers.
Include subfolders - Enable this option if you also want to search any subfolders under the
specified path.
This file is associated with a 64-bit application - Choose whether the 64-bit system file
location (%windir%\system32) should be searched in addition to the 32-bit system file
location (%windir%\syswow64) on Configuration Manager clients that run a 64-bit version of
Windows.
XPath query - Specify a valid full XML path language (XPath) query to use to assess
compliance on client computers.
Namespaces - Opens the XML Namespaces dialog box to identify namespaces and prefixes
to use during the XPath query.
3. In the Data type drop-down list, choose the format in which data will be returned by the condition before it
is used to check requirements.
NOTE
The Data type drop-down list is not shown for all setting types.
4. Set up further details about this setting below the Setting type drop-down list. The items you can set up
will vary depending on the setting type you have selected.
5. Choose OK to save the rule and to close the Create Global Condition dialog box.
Set up an expression for the global condition
1. In the Condition Type drop-down list, choose Expression.
2. Choose Add Clause to open the Add Clause dialog box.
3. From the Select category drop-down list, select whether this expression is for a device or a user.
Alternatively, select Custom to use a previously configured global condition.
4. From the Select a condition drop-down list, select the condition to use to assess whether the user or
device meets the rule requirements. The contents of this list will vary depending on the selected category.
5. From the Choose operator drop-down list, choose the operator that will be used to compare the selected
condition to the specified value to assess whether the user or device meets the rule requirements. The
available operators will vary depending on the selected condition.
6. In the Value field, specify the values that will be used with the selected condition and operator to assess
whether the user or device meets the rule requirements. The available values will vary depending on the
selected condition and the selected operator.
7. Choose OK to save the expression and to close the Add Clause dialog box.
8. When you have finished adding clauses to the global condition, choose OK to close the Create Global
Condition dialog box and to save the global condition.
Packages and programs in System Center
Configuration Manager
11/29/2016
NOTE
You can use Microsoft System Center Configuration Manager Package Conversion Manager to convert packages and
programs into Configuration Manager applications.
For more information, see Configuration Manager Package Conversion Manager.
Packages can use some new features of Configuration Manager, including distribution point groups and
monitoring. Microsoft Application Virtualization (App-V) applications cannot be distributed by using packages and
programs in Configuration Manager. To distribute virtual applications, you must create them as Configuration
Manager applications.
NOTE
The computer account of the site server must have read access permissions to the source folder that you
specify.
4. On the Program Type page of the Create Package and Program Wizard, select the type of program to
create, and then choose Next. You can create a program for a computer or device, or you can skip this step
and create a program later.
TIP
To create a new program for an existing package, first select the package. Then, in the Home tab, in the Package
group, choose Create Program to open the Create Program Wizard.
5. Use one of the following procedures to create a standard program or a device program.
Create a standard program
a. On the Program Type page of the Create Package and Program Wizard, choose Standard
Program, and then choose Next.
b. On the Standard Program page, specify the following information:
Name: Specify a name for the program with a maximum of 50 characters.
NOTE
The program name must be unique within a package. After you create a program, you cannot modify
its name.
Command Line: Enter the command line to use to start this program, or choose Browse to
browse to the file location.
If the file name does not specify an extension, Configuration Manager attempts to
use .com, .exe, and .bat as possible extensions.
When the program is run on a client, Configuration Manager first searches for the command-
line file name within the package, searches next in the local Windows folder, and then searches
in local %path%. If the file cannot be found, the program fails.
Startup folder (optional): Specify the folder from which the program runs, up to 127
characters. This folder can be an absolute path on the client or a path that's relative to the
distribution point folder that contains the package.
Run: Specify the mode in which the program runs on client computers. Select one of the
following:
Normal: The program runs in the normal mode based on system and program
defaults. This is the default mode.
Minimized: The program runs minimized on client devices. Users might see
installation activity in the notification area or on the taskbar.
Maximized: The program runs maximized on client devices. Users see all installation
activity.
Hidden: The program runs hidden on client devices. Users don't see any installation
activity.
Program can run: Specify whether the program runs only when a user is signed in, only
when no user is signed in, or regardless of whether a user is signed in to the client computer.
Run mode: Specify whether the program runs with administrative permissions or with the
permissions of the user who's currently signed in.
Allow users to view and interact with the program installation: Use this setting, if
available, to specify whether to allow users to interact with the program installation. This check
box is available only when Only when no user is logged on or Whether or not a user is
logged on is selected for Program can run and when Run with administrative rights is
selected for Run mode.
Drive mode: Specify information about how this program runs on the network. Choose one
of the following:
Runs with UNC name: Specify that the program runs with a Universal Naming
Convention (UNC) name. This is the default setting.
Requires drive letter: Specify that the program requires a drive letter to fully qualify
its location. For this setting, Configuration Manager can use any available drive letter on
the client.
Requires specific drive letter: Specify that the program requires a specific drive
letter that you specify to fully qualify its location (for example, Z:). If the specified drive
letter is already used on a client, the program does not run.
Reconnect to distribution point at log on: Use this check box to indicate whether the client
computer reconnects to the distribution point when the user signs in. By default, this check
box is cleared.
c. On the Requirements page of the Create Package and Program Wizard, specify the following
information:
Run another program first: Use this setting to identify a package and program that runs
before this package and program runs.
Platform requirements: Select This program can run on any platform or This program
can run only on specified platforms, and then choose the operating systems that clients
must be running to be able to install the package and program.
Estimated disk space: Specify the amount of disk space that the software program requires
to run on the computer. This can be specified as Unknown (the default setting) or as a whole
number greater than or equal to zero. If a value is specified, units for the value must also be
specified.
Maximum allowed run time (minutes): Specify the maximum time that the program is
expected to run on the client computer. This can be specified as Unknown (the default setting)
or as a whole number greater than zero.
By default, this value is set to 120 minutes.
IMPORTANT
If you are using maintenance windows for the collection on which this program is run, a conflict could
occur if the Maximum allowed run time is longer than the scheduled maintenance window.
However, if the maximum run time is set to Unknown, the program starts to run during the
maintenance window and continues to run as needed after the maintenance window is closed. If the
user sets the maximum run time to a specific period that exceeds the length of any available
maintenance window, then the program doesn't run.
If the value is set to Unknown, Configuration Manager sets the maximum allowed run time as
12 hours (720 minutes).
NOTE
If the maximum run time (whether set by the user or as the default value) is exceeded, Configuration
Manager stops the program if Run with administrative rights is selected and Allow users to view
and interact with the program installation is not selected.
d. Choose Next.
Create a device program
a. On the Program Type page of the Create Package and Program Wizard, select Program for
device, and then choose Next.
b. On the Program for Device page, specify the following:
Name: Specify a name for the program with a maximum of 50 characters.
NOTE
The program name must be unique within a package. After you create a program, you cannot modify
its name.
Comment (optional): Specify a comment for this device program with a maximum of 127
characters.
Download folder: Specify the name of the folder on the Windows CE device in which the
package source files will be stored. The default value is \Temp\.
Command Line: Enter the command line to use to start this program, or choose Browse to
browse to the file location.
Run command line in download folder: Select this option to run the program from the
previously specified download folder.
Run command line from this folder: Select this option to specify a different folder from
which to run the program.
c. On the Requirements page, specify the following:
Estimated disk space: Specify the amount of disk space that's required for the software. This
is displayed to users of mobile devices before they install the program.
Download program: Specify information regarding when this program can be downloaded
to mobile devices. You can specify As soon as possible, Only over a fast network, or Only
when the device is docked.
Additional requirements: Specify any additional requirements for this program. These are
displayed to users before they install the software. For example, you could notify users that
they need to close all other applications before running the program.
d. Choose Next.
e. On the Summary page, review the actions that will be taken, and then complete the wizard.
Verify that the new package and program are displayed in the Packages node of the Software Library
workspace.
NOTE
The Pre-deploy software to the user's primary device option is not available when you deploy a package and
program.
6. On the Scheduling page, configure when this package and program will be deployed or made available to
client devices.
The options on this page vary depending on whether the deployment action is set to Available or
Required.
7. If the deployment purpose is set to Required, configure the rerun behavior for the program from the
Rerun behavior drop-down menu. Choose from the following options:
RERUN BEHAVIOR: Never rerun deployed program
MORE INFORMATION: The program won't be rerun on the client, even if the program originally failed or if the program files are changed.

RERUN BEHAVIOR: Always rerun program
MORE INFORMATION: The program is always rerun on the client when the deployment is scheduled, even if the program has already successfully run. This can be useful when you use recurring deployments in which the program is updated, for example with antivirus software.

RERUN BEHAVIOR: Rerun if failed previous attempt
MORE INFORMATION: The program is rerun when the deployment is scheduled only if it failed on the previous run attempt.

RERUN BEHAVIOR: Rerun if succeeded on previous attempt
MORE INFORMATION: The program is rerun only if it previously ran successfully on the client. This is useful when you use recurring advertisements in which the program is routinely updated, and in which each update requires the previous update to be successfully installed.

NOTE
When you deploy a package or program to a Windows Embedded device, make sure that the device is a
member of a collection that has a configured maintenance window. For more information about how
maintenance windows are used when you deploy packages and programs to Windows Embedded devices,
see Creating Windows Embedded applications.
IMPORTANT
If you configured the option Run program from distribution point on the Distribution Points page of the Deploy
Software Wizard, do not clear the option Copy the content in this package to a package share on distribution points
because this makes the package unavailable to run from distribution points.
Create Prestage Content File: Opens the Create Prestaged Content File Wizard, which enables you to create a file that contains the package content that can be manually imported to another site. This is useful in situations where you have low network bandwidth between the site server and the distribution point.
Create Program: Opens the Create Program Wizard, which enables you to create a new program for this package.
Distribute Content: Opens the Distribute Content Wizard, which enables you to send the content that is associated with the package and program to selected distribution points or distribution point groups.
Update Distribution Points: Updates distribution points with the latest content for the selected package and program.
About the package definition file format
Package definition files are scripts that you can use to help automate package and program creation with
Configuration Manager. They provide all of the information that Configuration Manager needs to create a package
and program, except for the location of package source files. Each package definition file is an ASCII or UTF-8 text
file that uses the .ini file format and that contains the following sections:
[PDF]
This section identifies the file as a package definition file. It contains the following information:
Version: Specify the version of the package definition file format that is used by the file. This corresponds to the
version of System Management Server (SMS) or Configuration Manager for which it was written. This entry is
required.
[Package Definition]
This section specifies the properties of the package and program. It provides the following information:
Name: The name of the package, up to 50 characters.
Version (optional): The version of the package, up to 32 characters.
Icon (optional): The file that contains the icon to use for this package. If specified, this icon replaces the
default package icon in the Configuration Manager console.
Publisher: The publisher of the package, up to 32 characters.
Language: The language version of the package, up to 32 characters.
Comment (optional): A comment about the package, up to 127 characters.
ContainsNoFiles: This entry indicates whether or not a source is associated with the package.
Programs: The programs that are defined for this package. Each program name corresponds to a
[Program] section in this package definition file.
Example:
Programs=Typical, Custom, Uninstall
MIFFileName: The name of the Management Information Format (MIF) file that contains the package
status, up to 50 characters.
MIFName: The name of the package (for MIF matching), up to 50 characters.
MIFVersion: The version number of the package (for MIF matching), up to 32 characters.
MIFPublisher: The software publisher of the package (for MIF matching), up to 32 characters.
[Program]
For each program that's specified in the Programs entry in the [Package Definition] section, the package
definition file must include a [Program] section that defines that program. Each Program section provides the
following information:
Name: The name of the program, up to 50 characters. This entry must be unique within a package. This
name is used when defining advertisements. On client computers, the name of the program is shown in
Run Advertised Programs in Control Panel.
Icon (optional): Specify the file that contains the icon to use for this program. If specified, this icon replaces
the default program icon in the Configuration Manager console and is displayed on client computers when
the program is advertised.
Comment (optional): A comment about the program, up to 127 characters.
CommandLine: Specify the command line for the program, up to 127 characters. The command is relative
to the package source folder.
StartIn: Specify the working folder for the program, up to 127 characters. This entry can be an absolute
path on the client computer or a path that's relative to the package source folder.
Run: Specify the program mode in which the program runs. You can specify Minimized, Maximized, or
Hidden. If this entry is not included, the program runs in normal mode.
AfterRunning: Specify any special action that occurs after the program is successfully completed. Options
available are SMSRestart, ProgramRestart, or SMSLogoff. If this entry is not included, the program
doesn't run a special action.
EstimatedDiskSpace: Specify the amount of disk space that the software program requires to run on the
computer. This can be specified as Unknown (the default setting) or as a whole number greater than or
equal to zero. If a value is specified, the units for the value must also be specified.
Example:
EstimatedDiskSpace=38MB
EstimatedRunTime: Specify the estimated duration (in minutes) that the program is expected to run on the
client computer. This can be specified as Unknown (the default setting) or as a whole number greater than
zero.
Example:
EstimatedRunTime=25
SupportedClients: Specify the processors and operating systems on which this program runs. The
specified platforms must be separated by commas. If this entry is not included, supported platform checking
is disabled for this program.
SupportedClientMinVersionX, SupportedClientMaxVersionX: Specify the beginning-to-ending range
for version numbers for the operating systems that are specified in the SupportedClients entry.
Example:
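A linter for the whole package definition file format described in this section, checking the stated length limits, the allowed values, and that every entry in Programs has its own section before the file is imported. This is an added example, not part of the original documentation or a Microsoft tool; it assumes each program's section is named after the program (for example [Typical]), and the function names and sample files are constructed for illustration.

```python
import configparser
import re

# Length limits (in characters) and allowed values from the format description above.
PACKAGE_LIMITS = {"Name": 50, "Version": 32, "Publisher": 32, "Language": 32,
                  "Comment": 127, "MIFFileName": 50, "MIFName": 50,
                  "MIFVersion": 32, "MIFPublisher": 32}
PROGRAM_LIMITS = {"Name": 50, "Comment": 127, "CommandLine": 127, "StartIn": 127}
RUN_MODES = {"minimized", "maximized", "hidden"}
AFTER_RUNNING = {"smsrestart", "programrestart", "smslogoff"}
# A command starting with a UNC prefix or drive letter is not relative to the package source.
ABSOLUTE_PATH = re.compile(r'^"?(\\\\|[A-Za-z]:[\\/])')

# Constructed sample files (all names and values are made up for this example).
SAMPLE_OK = r"""
[PDF]
Version=2.0

[Package Definition]
Name=Contoso Reader
Publisher=Contoso
Programs=Typical, Uninstall

[Typical]
Name=Typical
CommandLine=setup.exe /quiet
Run=Hidden
EstimatedDiskSpace=38MB
EstimatedRunTime=25

[Uninstall]
Name=Uninstall
CommandLine=setup.exe /uninstall /quiet
AfterRunning=SMSRestart
"""

SAMPLE_BAD = r"""
[PDF]

[Package Definition]
Name=Contoso Reader
Publisher=A publisher name that runs well past the thirty-two character limit
Programs=Typical, Custom

[Typical]
Name=Typical
CommandLine=\\fileserver\share\setup.exe
Run=Fullscreen
EstimatedDiskSpace=38
EstimatedRunTime=0
"""


def _check_lengths(section, name, limits, findings):
    for key, limit in limits.items():
        value = section.get(key)
        if value is not None and len(value) > limit:
            findings.append(f"[{name}] {key} is {len(value)} characters (limit {limit})")


def _check_program(section, name, findings):
    _check_lengths(section, name, PROGRAM_LIMITS, findings)
    if ABSOLUTE_PATH.match(section.get("CommandLine", "").strip()):
        findings.append(f"[{name}] CommandLine is not relative to the package source folder")
    for key, allowed in (("Run", RUN_MODES), ("AfterRunning", AFTER_RUNNING)):
        value = section.get(key)
        if value is not None and value.strip().lower() not in allowed:
            findings.append(f"[{name}] {key}={value} is not an allowed value")
    disk = section.get("EstimatedDiskSpace", "Unknown").strip()
    if disk.lower() != "unknown" and not re.fullmatch(r"[0-9]+\s*[A-Za-z]+", disk):
        findings.append(f"[{name}] EstimatedDiskSpace must be Unknown or a whole number with units")
    minutes = section.get("EstimatedRunTime", "Unknown").strip()
    if minutes.lower() != "unknown" and not re.fullmatch(r"0*[1-9][0-9]*", minutes):
        findings.append(f"[{name}] EstimatedRunTime must be Unknown or a whole number above zero")


def lint_package_definition(text):
    """Return a list of findings; an empty list means the file passed every check."""
    # interpolation=None keeps values such as %windir% from being treated as references.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"not a parsable .ini file: {exc}"]
    sections = {name.lower(): parser[name] for name in parser.sections()}
    findings = []
    if not sections.get("pdf", {}).get("Version", "").strip():
        findings.append("[PDF] section with a Version entry is required")
    package = sections.get("package definition")
    if package is None:
        return findings + ["[Package Definition] section is missing"]
    _check_lengths(package, "Package Definition", PACKAGE_LIMITS, findings)
    # Assumption: each program listed in Programs has a section named after it.
    for program in filter(None, (p.strip() for p in package.get("Programs", "").split(","))):
        section = sections.get(program.lower())
        if section is None:
            findings.append(f"program '{program}' has no [{program}] section")
            continue
        _check_program(section, program, findings)
    return findings
```

Because the CommandLine entry is what clients run when the program is deployed, the absolute-path check flags definitions that would start a binary from outside the reviewed package source.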
IMPORTANT
You can deploy (install or uninstall) required applications, but not packages or software updates. MDM-enrolled devices also
do not support simulated deployments, user experience, or scheduling settings.
Deploy an application
1. In the Configuration Manager console, go to Software Library > Application Management >
Applications.
2. In the Applications list, select the application that you want to deploy. Then, on the Home tab, in the
Deployment group, click Deploy.
Specify general information about the deployment
On the General page of the Deploy Software wizard, specify the following information:
Software--This displays the application to deploy. You can click Browse to select a different application.
Collection--Click Browse to select the collection to deploy the application to.
Use default distribution point groups associated to this collection--Select this option if you want to
store the application content on the collection's default distribution point group. If you have not associated the
selected collection with a distribution point group, this option is grayed out.
Automatically distribute content for dependencies--If this is enabled and if any of the deployment
types in the application contain dependencies, then the dependent application content will be also sent to
distribution points.
IMPORTANT
If you update the dependent application after the primary application has been deployed, any new content for the
dependency will not be automatically distributed.
NOTE
If an application is deployed twice to a device, once with an action of Install and once with an action of Uninstall,
the application deployment with an action of Install will take priority.
You cannot change the action of a deployment after it has been created.
Purpose--From the drop-down list, choose one of the following options:
Available--If the application is deployed to a user, the user sees the published application in Software
Center and can install it on demand.
Required--The application is deployed automatically according to the schedule. If the application
deployment status is not hidden, anyone using the application can track its deployment status and
install the application from Software Center before the deadline.
NOTE
When the deployment action is set to Uninstall, the deployment purpose is automatically set to Required
and cannot be changed.
Deploy automatically according to schedule whether or not a user is logged on--If the deployment
is to a user, select this option to deploy the application to the user's primary devices. This setting does not
require the user to log on before the deployment runs. Do not select this option if the user must provide
input to complete the installation. This option is only available when the deployment has a purpose of
Required.
Send wake-up packets--If the deployment purpose is set to Required and this option is selected, a wake-
up packet is sent to computers before the deployment is installed. This packet wakes the computers at the
installation deadline time. Before you can use this option, computers and networks must be configured for
Wake On LAN.
Allow clients on a metered Internet connection to download content after the installation deadline,
which might incur additional costs--This option is only available for deployments with a purpose of
Required.
Require administrator approval if users request this application--If this option is selected, the
administrator must approve any user requests for the application before it can be installed. This option is
grayed out when the deployment purpose is Required or when the application is deployed to a device
collection.
NOTE
Application approval requests are displayed in the Approval Requests node, under Application Management in
the Software Library workspace. If a request is not approved within 45 days, it will be removed. Additionally,
reinstalling the Configuration Manager client might cancel any pending approval requests. After you have approved
an application for installation, you can subsequently choose to deny the request by clicking Deny in the
Configuration Manager console (previously, this button was grayed out after approval). This action does not cause
the application to be uninstalled from any devices, but it does stop users from installing new copies of the
application from Software Center.
Automatically upgrade any superseded version of this application--If this option is selected, any
superseded versions of the application will be upgraded with the superseding application.
Specify scheduling settings for the deployment
On the Scheduling page of the Deploy Software wizard, set the time when this application will be deployed or
made available to client devices. The options on this page will differ depending on whether the deployment action
is set to Available or Required.
In some cases, you might want to give users more time to install required application deployments or software
updates beyond any deadlines you set up. This is typically required when a computer has been turned off for
an extended period of time and needs to install a large number of updates or application deployments. For
example, if a user has just returned from vacation, they might have to wait for a long time as overdue application
deployments are installed. To help solve this problem, you can now define an enforcement grace period by
deploying Configuration Manager client settings to a collection.
To configure the grace period, take the following actions:
On the Computer Agent page of client settings, configure the new property Grace period for enforcement
after deployment deadline (hours) with a value between 1 and 120 hours.
On the Scheduling page in a new required application deployment, or in the properties of an existing
deployment, select the box Delay enforcement of this deployment according to user preferences, up to
the grace period defined in client settings. The enforcement grace period is used by all deployments that
have this box selected and are targeted to devices to which you also deployed the client setting.
After the application install deadline is reached, the application will be installed in the first non-business window
that the user configured up to that grace period. However, the user can still open Software Center and install the
application at any time they want. Once the grace period expires, enforcement reverts to normal behavior for
overdue deployments.
If the application you are deploying supersedes another application, you can set the installation deadline when
users will receive the new application. Do this by using the setting Installation Deadline to upgrade users with
the superseded application.
Specify user experience settings for the deployment
On the User Experience page of the Deploy Software wizard, specify information about how users can interact
with the application installation.
When you deploy applications to Windows Embedded devices that are write-filter enabled, you can specify to
install the application on the temporary overlay and commit changes later, or to commit the changes at the
installation deadline or during a maintenance window. When you commit changes at the installation deadline or
during a maintenance window, you must restart the device. The changes persist on the device.
NOTE
When you deploy an application to a Windows Embedded device, make sure that the device is a member of a collection that
has a configured maintenance window. For more information about how maintenance windows are used when you deploy
applications to Windows Embedded devices, see Create Windows Embedded applications.
The options Software Installation and System restart (if required to complete the installation) are not used if the
deployment purpose is set to Available. You can also configure the level of notification a user sees when the application is
installed.
NOTE
You cannot use simulated deployments for collections of mobile devices.
You cannot deploy an application with a deployment purpose of Uninstall if a simulated deployment of the same application
is active.
ADVANTAGES
This method uses standard network protocols to stream package content from distribution points.
Program shortcuts for virtual applications invoke a connection to the distribution point, so the virtual application delivery is on demand.
This method works well for clients with high-bandwidth connections to the distribution points.
Updated virtual applications distributed throughout the enterprise are available as clients receive policy that informs them that the current version is superseded and they download only the changes from the previous version.
DISADVANTAGES
Virtual applications are not streamed until the user runs the application for the first time. In this scenario, a user might receive program shortcuts for virtual applications and then disconnect from the network before running the virtual applications for the first time. If the user tries to run the virtual application while the client is offline, the user sees an error and can't run the virtualized application because a Configuration Manager distribution point is not available to stream the application. The application will be unavailable until the user reconnects to the network and runs the application.
To avoid this, you can use the local delivery method for virtual application delivery to clients, or you can enable the Internet-based client management for streaming delivery.
The standard distribution point functionality is used to download the package by using Background Intelligent Transfer Service (BITS). | Disk space that equals up to twice the size of the virtual application package is required on the client when the virtual application is persisted in the Configuration Manager cache.
Evaluate the users and devices to which the virtual applications will be deployed. | Create Configuration Manager collections to group together the users and devices to which you want to deploy the virtual applications. See Introduction to collections.
Migrate App-V 5 connection groups to Configuration Manager virtual environments. | See the Migrate App-V 5 connection groups to Configuration Manager virtual environments section in this topic.
STEP | MORE INFORMATION
Investigate to find out if any of your virtual applications exist as full applications in your Configuration Manager infrastructure. | For easier management, you can add the virtual application as a new deployment type to the existing full application. See Create applications.
Create applications to replace your existing App-V packages. | See Introduction to application management and Create applications.
Distribute the content to the appropriate distribution points to enable local delivery of applications. | See Manage content and content infrastructure.
System Center Configuration Manager no longer supports using packages and programs that contain virtual applications. When you migrate from Configuration Manager 2007 to System Center Configuration Manager, Configuration Manager converts these packages into applications. | See Planning for the migration of Configuration Manager objects to System Center Configuration Manager.
REPORT NAME | DESCRIPTION
App-V Virtual Environment Results | Shows information about a selected virtual environment that is in a specified state for a selected collection (App-V 5 only).
App-V Virtual Environment Results For Asset | Shows information about a selected virtual environment for a specified asset and any deployment types for the selected virtual environment (App-V 5 only).
App-V Virtual Environment Status | Shows compliance information for a selected virtual environment for a selected collection. The Retained column in this report shows the assets in which a virtual environment that was previously set up is no longer applicable, but it is retained to persist user settings in applications that run in the virtual environment (App-V 5 only).
Computers with a specific virtual application | Shows a summary of computers that have the specified App-V shortcut that the Application Virtualization Management Sequencer created (App-V 4.6 only).
Computers with a specific virtual application package | Shows a list of computers that have the specified App-V application package installed (App-V 4.6 only).
Count all instances of virtual application packages | Shows a count of all detected App-V application packages (App-V 4.6 only).
Count all instances of virtual applications | Shows a count of all detected App-V applications (App-V 4.6 only).
Log files
Configuration Manager records information about virtual application deployments in log files. For information
about the log files that virtual applications and Configuration Manager application management use, see Log files
in System Center Configuration Manager.
For Windows Vista, Windows 7, and Windows 8, you can find logs for the App-V client in
C:\ProgramData\Microsoft\Application Virtualization Client.
Monitor applications from the System Center
Configuration Manager console
11/23/2016
NOTE
The number of items that can be displayed in the Deployment Status pane is limited to 20,000. If you need to see
more items, use Configuration Manager reports to view application status data.
The status of deployment types is aggregated in the Deployment Status pane. To view more detailed information
about the deployment types, use the report Application Infrastructure Errors in the report category Software
Distribution Application Monitoring.
3. To review general status information about an application deployment, select a deployment, and then
choose the Summary tab in the Selected Deployment window.
4. To review information about the application's deployment type, select a deployment, and then choose the
Deployment Types tab in the Selected Deployment window.
The information that's shown in the Deployment Status pane after you choose View Status is live data from the
Configuration Manager database. The information that's shown in the Summary tab and the Deployment Types
tab is summarized data.
If the data that is shown in the Summary tab and the Deployment Types tab does not match the data that's
shown in the Deployment Status pane, choose Run Summarization to update the data in these tabs. You can
configure the default application deployment summarization interval as follows:
1. In the Configuration Manager console, choose Administration > Site Configuration > Sites.
2. From the Sites list, select the site for which you want to configure the summarization interval, and then in
the Home tab, in the Settings group, choose Status Summarizers.
3. In the Status Summarizers dialog box, choose Application Deployment Summarizer, and then choose
Edit.
4. In the Application Deployment Summarizer Properties dialog box, configure the required
summarization intervals, and then choose OK.
Software metering in System Center Configuration
Manager
11/23/2016
IMPORTANT
Software metering is used to monitor Windows PC desktop apps with a filename ending in .exe. Software metering does not
monitor modern Windows apps (such as those used by Windows 8).
Client settings for software metering. To use software metering, the client setting Enable software
metering on clients must be enabled and deployed to
computers. You can deploy software metering settings to all
computers in the hierarchy, or you can deploy custom settings
to groups of computers. See Configure software metering
in this topic.
The reporting services point. You must configure a reporting services point before you can
view software metering reports. For more information, see
Reporting in System Center Configuration Manager.
NOTE
Software metering rules can share the same name if the file name contained in the rules is different.
File Name - The name of the program file that you want to meter. You can click Browse to display
the Open dialog box, in which you can select the program file to use.
NOTE
If you type the executable file name in the File name box, no checks are carried out to determine whether this
file exists or whether it contains the necessary header information. When possible, click Browse and select the
executable file to be metered.
Wildcard characters are not permitted in the file name.
This box is optional if a value for Original file name is specified.
Original File Name - The name of the executable file that you want to meter. This name matches
information in the header of the file, not the file name itself so that it can be useful in cases where the
executable file has been renamed but you want to meter it by the original name.
NOTE
Wildcard characters are not permitted in the original file name.
This box is optional if a value for File Name is specified.
Version - The version of the executable file that you want to meter. You can use the wildcard
character (*) to represent any string of characters or the wildcard character (?) to represent any single
character. If you want to meter for all versions of an executable file, use the default value (*).
Language - The language of the executable file to meter. The default value is the current locale of the
operating system you are using. If you select an executable file to be metered by clicking the Browse
button, this box is automatically filled if language information is present in the header of the file. To
meter all language versions of a file, select Any in the drop-down list.
Description - An optional description for the software metering rule.
Apply this software metering rule to the following clients - Select whether you want to apply
the software metering rule to all clients in the hierarchy or to the clients that are assigned to the site
specified in the Site list.
4. To continue, click Next.
5. Review and confirm the settings and then complete the wizard to create the software metering rule. The new
software metering rule is displayed in the Software Metering node in the Assets and Compliance
workspace.
NOTE
By default, software metering rules that are automatically created are disabled. Before you can begin to collect usage data
from these rules, you must enable them.
1. In the Configuration Manager console, click Assets and Compliance > Software Metering, and then, in
the Home tab, in the Settings group, click Software Metering Properties.
2. In the Software Metering Properties dialog box, configure the following:
Data retention (in days) - Specifies the amount of time that data generated by software metering
rules are kept in the site database. The default value is 90 days.
Enable the option Automatically create disabled metering rules from recent usage inventory
data.
Specify the percentage of computers in the hierarchy that must use a program before a
software metering rule is automatically created - The default value is 10 percent.
Specify the number of software metering rules that must be exceeded in the hierarchy
before the automatic creation of rules is disabled - The default value is 100 rules.
3. Click OK to close the Software Metering Properties dialog box.
IMPORTANT
Depending on the type of application or deployment type, some management options might not be available.
Manage applications
In the Software Library workspace, expand Application Management > Applications, choose the application
to manage, and then choose a management task.
TASK DETAILS
Manage Access Accounts Opens the Manage Access Accounts dialog box where you
can specify the level of access that is allowed for the content
that is associated with the selected application.
Create Prestage Content File Opens the Create Prestaged Content File Wizard that
helps you to manage the distribution of content to remote
distribution points. When the scheduling and throttling does
not provide a valid solution for the remote distribution point,
you can prestage the content on the distribution point.
Revision History Opens the Application Revision History dialog box that lets
you view the properties of revisions that were made to this
application, delete old application revisions, and restore old
versions of this application.
Create Deployment Type Opens the Create Deployment Type Wizard that lets you
add a new deployment type to the selected application.
Export Opens the Export Application Wizard that lets you export
the selected applications to a .zip file that you can then archive
or install on another site. If you choose to export application
content, a folder that has the content will be created.
Deploy Opens the Deploy Software Wizard where you can deploy
the selected application to collections of computers in your
hierarchy.
Distribute Content Opens the Distribute Content Wizard where you can copy
the content for the selected application to distribution points
in your hierarchy.
TASK DETAILS
Update Content Refreshes the content for the selected deployment type.
When you start this wizard for a deployment type that has a
virtual application, the Update Content Wizard is started.
This wizard lets you change publishing options and
requirement rules for the selected virtual application. For more
information, see Create applications.
NOTE
The Primary Users list shows users who are already primary users of this device, and the method by which each
user-device relationship was assigned.
NOTE
The Primary Devices list shows devices that are already set up as primary devices for this user, and the method by
which each user-device relationship was assigned.
Automatically create user device affinities (Windows PCs only)
Configuration Manager reads data about user logons from the Windows Event log. To automatically create user
device affinities, you must turn on these two options in the local security policy on client computers to store logon
events in the Windows Event log:
Audit account logon events
Audit logon events
To configure these settings, use Windows Group Policy.
IMPORTANT
If an error causes the Windows event log to generate a high number of entries, a new event log might be created. If this
occurs, existing logon events might no longer be available to Configuration Manager.
Be careful when you turn on the Audit account logon events and Audit logon events settings in Windows XP. By default,
the retention policy is 7 days, and it is very likely that these events will fill up the security event log. Standard users won't be
able to log on if the event log is full. To prevent this, for the security event log, set the policy Retention Method value to
Overwrite events as needed. For sufficient data for user device affinity, also set the policy maximum security event log size
to a reasonable value, such as 5-20 MB.
NOTE
If you modify the default client settings, they will be deployed to all computers in the hierarchy. For more information
about configuring client settings, see How to configure client settings in System Center Configuration Manager.
TIP
Example: If you set User device affinity threshold (minutes) to 60 minutes and you set User device affinity
threshold (days) to 5 days, the user must use the device for at least 60 minutes over a period of 5 days to
automatically create a user device affinity.
After an automatic user device affinity is created, Configuration Manager continues to monitor the user device
affinity thresholds. If the user's activity for the device falls below the thresholds you've set, the user device affinity
is removed. Set User device affinity threshold (days) to a value of at least 7 days to avoid situations in which an
automatically configured user device affinity might be lost while the user is not logged on, for example, during the
weekend.
NOTE
If you modify the default client settings, they will be deployed to all computers in the hierarchy. For more information
about configuring client settings, see Configure client settings.
3. Select the client setting User and Device Affinity and then, in the Allow user to define their primary
devices drop-down list, select True.
Set up a user device affinity
1. In the Application Catalog, choose My Systems.
2. Select the option I regularly use this computer to do my work.
<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />
For more information about data types, see About Property Lists in the iOS Developer Library.
Intune also supports the following token types in the property list:
The {{ and }} characters are used by token types only and must not be used for other
purposes.
b. To import an XML file that you created earlier, choose Select file.
5. Choose Next. If there are errors in the XML code, you'll have to correct them before you continue.
6. Finish the steps shown in the wizard.
The new app configuration policy is shown in the Software Library workspace, in the App Configuration
Policies node.
<dict>
<key>userprincipalname</key>
<string>{{userprincipalname}}</string>
<key>mail</key>
<string>{{mail}}</string>
<key>partialupn</key>
<string>{{partialupn}}</string>
<key>accountid</key>
<string>{{accountid}}</string>
<key>deviceid</key>
<string>{{deviceid}}</string>
<key>userid</key>
<string>{{userid}}</string>
<key>username</key>
<string>{{username}}</string>
<key>serialnumber</key>
<string>{{serialnumber}}</string>
<key>serialnumberlast4digits</key>
<string>{{serialnumberlast4digits}}</string>
<key>udidlast4digits</key>
<string>{{udidlast4digits}}</string>
</dict>
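The wizard rejects XML with errors, so it helps to check a property list before importing it. The following Python sketch is an added example, not code from Configuration Manager or Intune: it checks that a configuration uses only the data types listed above and that {{ and }} appear only around the token names shown in the dictionary above. The function names and the requirement that the top-level element is <dict> are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Data types and token names taken from this article.
ALLOWED_TYPES = {"integer", "real", "string", "array", "dict", "true", "false"}
KNOWN_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid",
    "userid", "username", "serialnumber", "serialnumberlast4digits",
    "udidlast4digits",
}
TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")


def _check_value(elem, path, problems):
    """Validate one value element and recurse into containers."""
    if elem.tag not in ALLOWED_TYPES:
        problems.append(path + ": unsupported type <" + elem.tag + ">")
    elif elem.tag == "dict":
        _check_dict(elem, path, problems)
    elif elem.tag == "array":
        for index, child in enumerate(elem):
            _check_value(child, path + "[" + str(index) + "]", problems)
    elif elem.tag == "string":
        text = elem.text or ""
        for name in TOKEN_RE.findall(text):
            if name not in KNOWN_TOKENS:
                problems.append(path + ": unknown token {{" + name + "}}")
        # Anything left after removing well-formed tokens must not contain braces pairs.
        leftover = TOKEN_RE.sub("", text)
        if "{{" in leftover or "}}" in leftover:
            problems.append(path + ": {{ or }} used outside a token")
    elif elem.tag in ("integer", "real"):
        convert = int if elem.tag == "integer" else float
        try:
            convert((elem.text or "").strip())
        except ValueError:
            problems.append(path + ": not a valid <" + elem.tag + "> value")


def _check_dict(elem, path, problems):
    """A <dict> must be a sequence of <key>, value pairs."""
    children = list(elem)
    if len(children) % 2:
        problems.append((path or "/") + ": <key> without a value")
    for key, value in zip(children[0::2], children[1::2]):
        if key.tag != "key":
            problems.append((path or "/") + ": expected <key>, found <" + key.tag + ">")
            continue
        _check_value(value, path + "/" + (key.text or ""), problems)


def check_app_config(xml_text):
    """Return a list of problems; an empty list means the checks passed."""
    # Hardening: refuse entity declarations instead of letting the parser expand them.
    if "<!ENTITY" in xml_text.upper():
        return ["entity declarations are not accepted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: " + str(exc)]
    if root.tag != "dict":  # assumption: the configuration is a single <dict>
        return ["top-level element must be <dict>"]
    problems = []
    _check_dict(root, "", problems)
    return problems


if __name__ == "__main__":
    # Constructed sample input.
    sample = ("<dict><key>mail</key><string>{{mail}}</string>"
              "<key>owner</key><string>{{password}}</string></dict>")
    for problem in check_app_config(sample):
        print(problem)
```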
Manage volume-purchased iOS apps with System
Center Configuration Manager
2/8/2017
Additionally, you must have imported a valid Apple Push Notification service (APNs) certificate from Apple to let
you manage iOS devices, including app deployment. For more information, see Set up iOS hybrid device
management.
IMPORTANT
You must choose a deployment purpose of Required. Available installations are not currently supported.
When you deploy the app, a license is used by each user who installs the app.
To reclaim a license, you must change the deployment action to Uninstall. The license will be reclaimed
after the app uninstalls.
IMPORTANT
To use these capabilities, Windows 10 devices must be running the November 2015 (1511) release or later.
1 Support is only for devices managed by Intune. You are not blocked from creating an online application in the
Configuration Manager console and deploying this to a device managed by the Configuration Manager client, but
the deployment will not work. Your users will be directed to the relevant page in the app store to install the app
manually.
2 Support is only for devices managed by the Configuration Manager client.
In Azure Active Directory, register Configuration Manager as a Web Application or Web API management tool. This
will give you a client ID that you will need later.
1. In the Active Directory node of https://manage.windowsazure.com, select your Azure Active Directory, and then
choose Applications > Add.
2. Choose Add an application my organization is developing.
3. Enter a name for the application, select Web application and/or Web API, and then choose Next.
4. Enter the same URL for both the Sign-on URL and App ID URI. The URL can be anything and does not need to
resolve to a real address. For example, you can enter https://yourdomain/sccm.
5. Finish the wizard.
In Azure Active Directory, create a client key for the registered management tool.
1. Highlight the application you just created and choose Configure.
2. Under Keys, select a duration from the list, and then choose Save. This will create a new client key. Do not leave
this page until you have successfully onboarded the Windows Store for Business to Configuration Manager.
In the Windows Store for Business, set up Configuration Manager as the store management tool.
1. Open https://businessstore.microsoft.com/en-us/managementtools and sign in if prompted.
2. Accept the terms of use if requested.
3. Under Management Tools, choose Add a management tool.
4. In Search for the tool by name, type the name of the application you created in Azure Active Directory
previously, then choose Add.
5. Choose Activate next to the application you just imported.
6. On the Manage > Account Information page, select Show Offline-Licensed Apps if you want to allow
offline-licensed apps to be purchased.
Add the store account to Configuration Manager.
1. Ensure that you have bought at least one app from the Windows Store for Business. In the Administration
workspace of the Configuration Manager console, expand Cloud Services, and then choose Windows Store
for Business.
2. On the Home tab, in the Windows Store for Business group, choose Add Windows Store for Business
Account.
3. Add your tenant ID, client ID, and client secret key from Azure Active Directory, and then finish the wizard.
4. Once you're done, you will see the account you set up in the Windows Store for Business list in the
Configuration Manager console.
Change the app languages that will be shown in the Application Catalog for users to download.
1. In the Administration workspace of the Configuration Manager console, choose Cloud Services > Updates
and Servicing > Windows Store for Business.
2. Select your Windows Store for Business account, and then choose Properties.
3. Select the Language tab.
4. Add or remove the languages that will be shown in the Application Catalog. Select the default application
catalog language that will be made available to users.
IMPORTANT
In this release, if you change the languages that will be synchronized, you must restart the SMS Executive service on the site
server before the language settings take effect.
IMPORTANT
Do not rely on App-V virtual environments to provide security protection, such as from malware.
Use the following procedure to create an App-V virtual environment in Configuration Manager.
Restrict web content to display in a corporate managed browser | Enables all links in the app to open in the Managed Browser. You must have deployed this app to devices in order for this option to work.
Prevent Android backups or Prevent iTunes and iCloud backups | Disables the backup of any information from the app.
Allow app to transfer data to other apps | Specifies the apps that this app can send data to. You can choose to not allow data transfer to any app, to only allow transfer to other restricted apps, or to allow transfer to any app.
Allow app to receive data from other apps | Specifies the apps that this app can receive data from. You can choose to not allow data transfer from any app, to only allow transfer from other restricted apps, or to allow transfer from any app.
Prevent Save As | Disables the use of the Save As option in any app that uses this policy.
Restrict cut, copy and paste with other apps | Specifies how cut, copy, and paste operations can be used with the app. Choose from:
Require simple PIN for access | Requires the user to enter a PIN that they specify to use this app. The user is asked to set this up the first time they run the app.
Number of attempts before PIN reset | Specifies the number of PIN entry attempts that can be made before the user must reset the PIN.
Require corporate credentials for access | Requires that the user must enter their corporate sign-in information before they can access the app.
Require device compliance with corporate policy for access | Allows the app to be used only when the device is not jailbroken or rooted.
Recheck the access requirements after (minutes) | Specifies the time period before the access requirements for the app are rechecked after the app is launched (in the Timeout field).
Encrypt app data | Specifies that all data that is associated with this app is encrypted, including data that's stored externally, such as data stored on SD cards.
Block screen capture (Android devices only) | Specifies that the screen capture capabilities of the device are blocked when using this app.
6) On the Managed Browser page, select whether the managed browser is allowed to open only URLs in the list
or to block the managed browser from opening the URLs in the list, and then choose Next.
For more information, see Manage Internet access using managed browser policies.
7) Complete the wizard.
The new policy is displayed in the Application Management Policies node of the Software Library workspace.
IMPORTANT
If the application is already deployed, then the deployment for the new deployment type fails until this association is made.
You can make the association in Properties for the application, on the Application Management tab.
IMPORTANT
For devices that run operating systems earlier than iOS 7.1, associated policies aren't removed when the app is uninstalled.
If the device is unenrolled from Configuration Manager, policies are not removed from the apps. Apps that had policies
applied retain the policy settings even after the app is uninstalled and reinstalled.
IMPORTANT
If users install the managed browser themselves, it will not be managed by any policies you specify. To ensure that the
browser is managed by Configuration Manager, they must uninstall the app before you can deploy it to them as a managed
app.
You can create managed browser policies for the following device types:
Devices that run Android 4 and later
Devices that run iOS 7 and later
NOTE
For more information and to download the Intune Managed Browser app, see iTunes for iOS and Google Play for Android.
For more about the URL formats you can specify, see URL format for allowed and blocked URLs in this
article.
NOTE
The General policy type lets you change the functionality of apps that you deploy to help bring them into line with
your company compliance and security policies. For example, you can restrict cut, copy, and paste operations within a
restricted app. For more about the General policy type, see Protect apps using mobile application management
policies.
Reference information
URL format for allowed and blocked URLs
Use the following information to learn about the allowed formats and wildcards you can use when specifying URLs
in the allowed and blocked lists.
You can use the wildcard symbol * according to the rules in the permitted patterns list below.
Ensure that you prefix all URLs with http or https when entering them into the list.
You can specify port numbers in the address. If you do not specify a port number, the values used will be:
Port 80 for http
Port 443 for https
Using wildcards for the port number is not supported, for example, http://www.contoso.com:*
and http://www.contoso.com: /*
Use the following table to learn about the permitted patterns you can use when you specify URLs:
contoso.com/
www.contoso.com
http://www.contoso.com:80 http://www.contoso.com:80
The following are examples of some of the inputs you cannot specify:
*.com
*.contoso/*
www.contoso.com/*images
www.contoso.com/*images*pigs
www.contoso.com/page*
IP addresses
https://*
http://*
http://www.contoso.com:*
http://www.contoso.com: /*
NOTE
*.microsoft.com is always allowed.
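The rules above can be applied to a candidate list before it is entered in the wizard. The following Python pre-check is an added example, not Microsoft's validation code. The names lint_entry, rejected and SAMPLE are hypothetical, and the two wildcard-placement rules (a wildcard may only be the whole leading host label or the whole final path segment) are assumptions inferred from the rejected inputs listed above.

```python
import ipaddress

DEFAULT_PORTS = {"http": 80, "https": 443}  # defaults stated on the page


def is_ipv4(host):
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:
        return False


def lint_entry(entry):
    """Return (problems, effective_port); an empty problems list means the entry passed."""
    problems = []
    entry = entry.strip()
    scheme, sep, rest = entry.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        problems.append("missing http:// or https:// prefix")
        rest = rest if sep else entry
    authority, _, path = rest.partition("/")
    host, colon, port = authority.partition(":")
    if colon and not port.isdecimal():
        problems.append("port must be a number; wildcard ports are not supported")
    labels = host.split(".")
    if host in ("", "*"):
        problems.append("host is empty or only a wildcard")
    elif "*" in host:
        # Assumption: '*' may only replace the whole first label of a full domain.
        if labels[0] != "*" or "*" in "".join(labels[1:]) or len(labels) < 3:
            problems.append("host wildcard must be a leading '*.' on a full domain")
    elif is_ipv4(host):
        problems.append("IP addresses are not accepted")
    segments = path.split("/")
    # Assumption: '*' may only stand for the whole final path segment.
    if "*" in "".join(segments[:-1]) or ("*" in segments[-1] and segments[-1] != "*"):
        problems.append("path wildcard must be the entire last segment")
    effective_port = int(port) if port.isdecimal() else DEFAULT_PORTS.get(scheme)
    return problems, effective_port


def rejected(entries):
    """Map each failing entry to its problems so the list can be fixed before entry."""
    return {e: p for e in entries if (p := lint_entry(e)[0])}


# Constructed sample list mixing entries from the page with valid ones.
SAMPLE = ["http://www.contoso.com:80", "https://www.contoso.com/images/*",
          "www.contoso.com", "http://www.contoso.com:*", "https://*", "http://10.0.0.1"]

if __name__ == "__main__":
    for bad, why in rejected(SAMPLE).items():
        print(f"{bad!r}: {'; '.join(why)}")
```

Entries written without a prefix, as several of the rejected inputs above are, report the missing prefix in addition to any wildcard problem.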
How conflicts between the allow and block list are resolved
If multiple managed browser policies are deployed to a device and the settings conflict, both the mode (allow or
block) and the URL lists are evaluated for conflicts. In case of a conflict, the following behavior applies:
If the modes in each policy are the same but the URL lists are different, the URLs will not be enforced on the
device.
If the modes in each policy are different but the URL lists are the same, the URLs will not be enforced on the
device.
If a device is receiving managed browser policies for the first time and two policies conflict, the URLs will
not be enforced on the device. Use the Policy Conflicts node of the Policy workspace to view the conflicts.
If a device has already received a managed browser policy and a second policy is deployed with conflicting
settings, the original settings remain on the device. Use the Policy Conflicts node of the Policy workspace
to view the conflicts.
Update and retire applications with System Center
Configuration Manager
11/23/2016
Application revisions
When you make revisions to an application or to a deployment type that is contained in an application,
Configuration Manager creates a new revision of the application. You can display the history of each application
revision. You can also view its properties, restore a previous revision of an application, or delete an old revision.
To display an application revision history
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications, and then choose the application that you want.
2. On the Home tab, in the Application group, choose Revision History to open the Application Revision
History dialog box.
To view an application revision
1. In the Application Revision History dialog box, select an application revision, and then choose View.
2. In the Properties dialog box, examine the properties of the selected application.
NOTE
The application properties that are displayed are read-only.
IMPORTANT
You can only delete the current application revision if the application is retired and has no references.
Application supersedence
Application management in Configuration Manager lets you upgrade or replace existing applications by using a
supersedence relationship. When you supersede an application, you can specify a new deployment type to replace
the deployment type of the superseded application and also decide whether to upgrade or uninstall the
superseded application before the superseding application is installed.
IMPORTANT
When the option to uninstall the superseded deployment type is selected, a deployment type cannot be superseded by a
deployment type that was deployed to a different collection type. For example, a deployment type that was deployed to a
device collection cannot be superseded by a deployment type that was deployed to a user collection if the option to
uninstall the superseded deployment type is selected.
NOTE
By default, the new deployment type doesn't uninstall the deployment type of the superseded application. This
scenario is commonly used when you want to deploy an upgrade to an existing application. Select Uninstall to
remove the existing deployment type before the new deployment type is installed. If you decide to upgrade an
application, make sure that you test this in a lab environment first.
IMPORTANT
Some application types do not support uninstallation.
This list gives you more information about how application uninstall works:
When you uninstall a System Center Configuration Manager (Configuration Manager) application, any
dependent applications are not automatically uninstalled.
If you deploy an application that uses an action of Uninstall to a user, and the application was installed for
all users of the computer, the uninstall might fail if the user's account does not have permissions to uninstall
the application.
If you remove a user or a device from a collection that has an application deployed to it, the application is
not automatically removed from the device.
A deployment with the deployment purpose of Uninstall does not check requirement rules. If the
application is installed on the computer on which the deployment runs, it will be uninstalled.
IMPORTANT
You must delete any existing deployments or simulated deployments of an application to a collection before you can deploy
the application with a deployment action of Uninstall.
For more information about how to create a deployment type, see Create applications.
For more information about how to deploy an application, see Deploy applications.
Uninstall an application
1. Configure the application deployment type with the uninstall command line by using one of the following
methods:
On the General page of the Create Deployment Wizard, select the option Automatically identify
information about this deployment type from installation files. If the information is available in
the installation files, the uninstall command line is automatically added to the deployment type
properties.
On the Content page of the Create Deployment Type Wizard, in the Uninstall program field, specify
the command line to uninstall the application.
NOTE
The Content page is displayed only if you select the option Manually specify the deployment type
information on the General page of the Create Deployment Type Wizard.
On the Programs tab of the <deployment type name> Properties dialog box, specify the
command line to uninstall the application in the Uninstall program field.
2. Deploy the application, and then select the deployment action Uninstall on the Deployment Settings
page of the Deploy Software Wizard.
NOTE
When you select a deployment action of Uninstall, the deployment purpose is automatically configured as Required.