Preventing user-targeted applications and policies on specific systems with ConfigMgr 2012

This week I want to devote a small post to something very nice and, in some situations, very easy. Think about a situation where, in general, applications are user-targeted and only a few exceptions are system-targeted. Usually these targeted systems are then used specifically for that application. So these systems shouldn’t get all the applications (and settings) of every user that logs on, as it might screw-up the specific application. The nice thing is that ConfigMgr 2012, and especially SP1, has a solution for this! The solution is the new setting Enable user policy on clients.

Configuration

NoUserPoliciesNow lets start with the configuration, which is actually very easy. Like always it’s all about knowing that the possibility exists. This is another new Client Setting in ConfigMgr 2012, of which the values are renamed in SP1, named Enable user policy on clients. This setting can be used to enable or disable user policies. To configure this, follow the next steps:

  • In the Configuration Manager Console navigate to Administration > Overview > Client Settings.
  • On the Home tab, in the Create group, select Create Custom Client Device Settings and the Create Custom Client Device Settings –popup will show.
  • On the General page, fill in with Name <aName> and select Client Policy.
  • On the Client Policy page, select next to Enable user policy on client No and click Ok.
    • Note: In ConfigMgr 2012 RTM the possible values are True or False.
  • Select the new policy <aName> and on the Home tab, in the Client Settings group, select Deploy.
  • Select <aDeviceCollection> and click Ok.

Result

After the deployment of the new Client Settings it is time to take a look at the impact on targeted client(s). The best places to look at this are the log files. During a User Policy Retrieval & Evaluation Cycle the PolicyAgent.log will show that it will skip the request for user policy (see picture). PolicyAgent

Since ConfigMgr 2012 SP1 this will also disable the ability to install an application from the Application Catalog. In case somebody tries it anyway, the application installation will not start and the PolicySdk.log will show that the user policy is disabled (see picture).PolicySdk

Share

Leave a Comment