This week it’s time for another, in my opinion, very cool post with the combination of Orchestrator and ConfigMgr 2012 (and MDT 2012 Update 1). In this post I want to use the user, set with User Device Affinity, to pre-provision applications, based on group membership, on a device during the initial deployment of the device. Out-of-the-box, User Device Affinity can be used to pre-deploy user-targeted applications to a device and it can be set during the deployment of a device. This way the device will start receiving applications very quickly after the deployment.
Basically I’m going to show in this post how to set User Device Affinity via a task sequence and how to use that username to install only specific applications for that user during the deployment of the device.
This post is based on one basic functional requirement: Active Directory (AD) –groups are used to determine whether a user gets an application or not. For the rest of the post the following technical requirements are prerequisites and are not described further:
- The Microsoft Deployment Toolkit 2012 Update 1 –package is created.
- The Network Access Account is a member of the OrchestratorUser –group.
- Note: By default the Execute Runbook –step will use the credentials of the Network Access Account to connect with Orchestrator.
- The Active Directory Integration Pack is registered, deployed and configured.
- User device affinity is configured to Allow user device affinity with automatic approval in the PXE –tab of the Distribution Point Properties.
Let’s start with configuring the runbook that will check the group membership. The best thing about this runbook is that it doesn’t require any programming skills, just some logic which can be “clicked together”. This runbook contains five activities with the following configuration:
- Add an Initialize Data –activity and double-click it. In the Details Information click Add and a new parameter named Parameter 1 will be added. Now click Parameter 1 and change the name to GroupName. Repeat that action and rename Parameter 2 to UserName, click Ok and click Finish.
- Add a Get User –activity, link it with the previous activity and double-click it. In the Filters click Add. In the Filter Settings –popup, select as Name Sam Account Name, select as Relation Equals, right-click the field next to Value and select Subscribe > Published Data. In the Published Data –popup, select with Activity Initialize Data, select UserName and click Ok, click again Ok and then click Finish.
- Add a Get Group –activity, link it with the previous activity and double-click it. In the Filters click Add. In the Filter Settings –popup, select as Name Sam Account Name, select as Relation Equals, right-click the field next to Value and select Subscribe > Published Data. In the Published Data –popup, select with Activity Initialize Data, select GroupName and click Ok. Click Add another time. This time in the Filter Settings –popup, select as Name Member, select as Relation Equals, right-click the field next to Value and select Subscribe > Published Data. In the Published Data –popup, select with Activity Get User, select Distinguished Name, click Ok and then click Finish.
- Add a Return Data –activity, link it with the previous activity and double-click the link. In the Include click Get Group and change it to Count. Then click value and set Count equals to 1. Now double-click the new activity, set InstallApp to TRUE and click Finish. Repeat these actions, but then use Count equals 0 and InstallApp False.
- Note: To get the InstallApp String in the Return Data –activity go to the Properties of the runbook and add it in the Returned Data.
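The same check written out in PowerShell, as an added example that is not part of the original post or of Orchestrator. The function names are hypothetical and a domain-joined machine is assumed. It escapes both inputs before they reach an LDAP filter, and it shows that a filter on the member attribute counts direct members only, so a user who is in the application group through a nested group gets FALSE.

```powershell
# Added example: hypothetical helper names, assumes a domain-joined machine.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so that a user or group name
    # (here supplied through task sequence variables) cannot change the filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace '\x00', '\00'
}

function Get-InstallAppValue {
    # Mirrors the runbook: Get User -> Get Group (filtered on Member) -> Return Data.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$GroupName
    )

    # Get User: Sam Account Name equals UserName
    $u = ConvertTo-LdapFilterValue $UserName
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$u))"
    $user = $searcher.FindOne()
    if (-not $user) {
        # Choice made in this example: an unknown user never gets the application.
        return 'FALSE'
    }

    # Get Group: Sam Account Name equals GroupName AND Member equals the user's DN.
    # The DN is escaped too, because a DN can itself contain backslashes.
    $dn = ConvertTo-LdapFilterValue ([string]$user.Properties['distinguishedname'][0])
    $g  = ConvertTo-LdapFilterValue $GroupName
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$g)(member=$dn))"
    $results = $searcher.FindAll()
    try {
        $count = $results.Count
    } finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }

    # Return Data: Count equals 1 -> TRUE, otherwise FALSE
    if ($count -eq 1) { 'TRUE' } else { 'FALSE' }
}

# Constructed sample values, not taken from the post:
Get-InstallAppValue -UserName 'jdoe' -GroupName 'APP-ExampleApplication'
```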
Now let’s start with configuring the task sequence. The task sequence needs two adjustments (five steps), one to set the User Device Affinity and one to execute the runbook. For these adjustments follow the next steps:
- Add a Set Task Sequence Variable –step, set Task Sequence Variable to SMSTSAssignUsersMode and set Value to Auto.
- Add a Set Task Sequence Variable –step, set Task Sequence Variable to SMSTSUdaUsers and set Value to <DomainName>\%PrimaryUser%.
- Note: PrimaryUser is a variable that I use to set the primary user for a device (User Device Affinity) and to find the group memberships. There are many methods to set this variable and during this testing I used a computer variable for that.
- Add a Use Microsoft Deployment Toolkit Package –step and Browse to the Microsoft Deployment Toolkit 2012 Update 1 –package.
- Add an Execute Runbook –step, fill in with Orchestrator Server <anOrchestratorServer> and Browse with Runbook to the just created runbook. Then select Specify explicit runbook parameters, fill in with GroupName <anApplicationGroupName>, fill in with UserName %PrimaryUser% and click Ok.
- Add an Install Application –step, select Install the following applications and select New (yellow star). In the Select the application to install –popup select the application that belongs to the <anApplicationGroupName> and click Ok. Go to the Options –tab and click Add Condition > Task Sequence Variable. In the Task Sequence Variable –popup, fill in as Variable InstallApp, set as Condition equals, fill in as Value True and click Ok.
- Note: InstallApp is a variable that is returned by the runbook of the previous step. That step is so cool that it captures that variable and turns it into a task sequence variable.
After all the configuring, it’s now time to take a look at what the results are when the task sequence is done. As always there are lots of places to show the success of the different actions, so I had to pick a few. I tried to pick those that tell the most information from a picture.
The first result is of setting the primary user during the task sequence. In the Edit Primary User –popup it will show that with Primary Users a user is set with the Affinity Type of OSD Defined.
The second result is the success of finding the user in the group. It shows the Output Parameters of the runbook in the Orchestrator Console and, below that, the Execute Runbook –step (ZTIExecuteRunbook.log) processing the variable and its value.
5 thoughts on “Pre-provision user applications, based on group membership, during OS deployment via Orchestrator and ConfigMgr 2012”
Hi Peter, what does this add extra on top of the Pre-Deploy option that is available today in the New App Model of ConfigMgr 2012? Nico
Pre-deploy deploys applications “directly” AFTER the task sequence is finished and with this pre-provisioning I deploy applications DURING the task sequence.
Hi Nico, Could you elaborate on setting the %PrimaryUser% variable? Is that a built in variable, or something you are assigning thru a collection?
The PrimaryUser variable is a custom variable, which I assign on a computer level (so it’s a computer variable).