Preventing initiation of available deployments on specific systems with ConfigMgr 2012

This week I want to devote a small post to a question that I read on windows-noob.com. The question was whether it is possible to deploy applications via a task sequence, but only allow administrators to actually run it. This question triggered me to look more closely at the different Client Settings, and specifically at the Install permissions setting. This setting makes it possible to prevent the initiation of available deployments via the Software Center and the Application Catalog on specific systems. So in this post I will show that setting by only allowing administrators to initiate available deployments.

Configuration

Now let’s start with the configuration, which is actually very easy, but as always it’s all about knowing that the possibility exists. The Install permissions setting is another new (Computer) Client Setting under Computer Agent. This setting can be used to allow All users (default), Only administrators, Only administrators and primary users or No users to initiate available deployments on a specific system. To configure this, follow these steps:

  • In the Configuration Manager Console navigate to Administration > Overview > Client Settings.
  • On the Home tab, in the Create group, select Create Custom Client Device Settings and the Create Custom Client Device Settings popup will show.
  • On the General page, fill in Name with <aName> and select Computer Agent.
  • On the Computer Agent page, select Only Administrators next to Install permissions and click OK.
  • Select the new policy <aName> and on the Home tab, in the Client Settings group, select Deploy.
  • Select <aDeviceCollection> and click OK.
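
The same steps scripted with the ConfigurationManager PowerShell module, as an added example that is not part of the original post. The two parameters stand in for <aName> and <aDeviceCollection>, and the cmdlet and parameter names are those of the current module, so their availability on a 2012-era console is an assumption.

```powershell
# Added example: script the console steps above.
# Assumes a session where the ConfigurationManager module is loaded and the
# current location is the site drive (for example after "Connect via Windows PowerShell").
param(
    [Parameter(Mandatory)] [string] $SettingName,      # placeholder for <aName>
    [Parameter(Mandatory)] [string] $CollectionName    # placeholder for <aDeviceCollection>
)

$ErrorActionPreference = 'Stop'

# Fail early when the target collection does not exist, so that a typo
# never leaves an undeployed custom setting behind.
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    throw "Device collection '$CollectionName' not found."
}

# Create the custom client device setting only when it is not there yet,
# which makes the script safe to run more than once.
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName -Type Device | Out-Null
}

# Computer Agent > Install permissions = Only Administrators.
# The other accepted values map to the remaining console options:
# AllUsers (default), OnlyAdministratorsAndPrimaryUsers, NoUsers.
Set-CMClientSettingComputerAgent -Name $SettingName -InstallRestriction OnlyAdministrators

# Deploy the custom setting to the device collection.
Start-CMClientSettingDeployment -ClientSettingName $SettingName -CollectionName $CollectionName
```

Clients pick up the new setting at their next machine policy retrieval.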

Result

After the deployment of the new Client Settings it is time to take a look at the impact on the targeted system(s). Normally I’m a huge fan of looking at the client logs for the results, but in this case the log files don’t “speak” as much as the real error messages. When a normal user now logs on to the system and tries to initiate an available deployment, the following error messages will appear.

[Screenshots: the error message in Software Center and in the Application Portal]

5 thoughts on “Preventing initiation of available deployments on specific systems with ConfigMgr 2012”

  1. Hi Peter,

    thanks for sharing this!

    I would have liked this to mean that users with insufficient rights are unable to see the deployment. Seeing but being unable to execute results in unnecessary help desk calls.

    David

  2. Hi David,

    Thanks for your reaction.

    Yes, you’re right, it would have been even better when a user, with insufficient rights, just didn’t see deployments. But look at it from the bright side, we’re now able to easily configure this and it gives a message stating that it’s a rights issue.

    Peter

  3. What does “Only Administrators” mean? Can RBAC be used to give Desktop Support the rights without making them a full admin? Can the Admin/Desktop Support person run “Software Center” as their user account so they don’t have to log off and back on as themselves? In scenarios where the Desktop Admin is taking a call from a user needing software, they might remote into the desktop using something such as Lync and logging off and back on is not the best scenario. I haven’t tried these scenarios yet…but more wanting to start the conversation.

  4. Found the answer:

    http://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_ComputerAgentDeviceSettings

    Configure how users can initiate the installation of software, software updates, and task sequences:

    All Users: Users logged on to a client computer with any permission except Guest can initiate the installation of software, software updates, and task sequences.

    Only Administrators: Users logged on to a client computer must be a member of the local Administrators group to initiate the installation of software, software updates, and task sequences.

    Only Administrators and primary users: Users logged on to a client computer must be a member of the local Administrators group or a primary user of the computer to initiate the installation of software, software updates, and task sequences.

    No Users: No users logged on to a client computer can initiate the installation of software, software updates, and task sequences. Required deployments for the computer are always installed at the deadline and users cannot initiate the installation of software from the Application Catalog or Software Center.

  5. Good to hear that you already found your own answer! Small addition to your initial question(s), RBAC cannot be used to give a user rights on a desktop. RBAC is only for configuring rights within ConfigMgr.
