
Application Catalog and Approval Runbooks Sample

Date post: 19-Aug-2015
Upload: james-donnelly

Application Catalog and Approval Runbooks - doc version 1.9

Contents

Document Change Log
Add Application Catalog roles to CM server
Install System Center Orchestrator
Register the Active Directory Integration Pack for System Center 2012 - Orchestrator
To deploy the integration pack
Configuring the Active Directory Connections
Installing the Application Approval Engine
Importing Runbooks
Configure IIS settings on CMAAE Server
Configure Active Directory Delegation
Configure Exchange Server
Confirm all worked

Document Change Log

| Version | Revision Date | Summary of Change | Change Author |
|---|---|---|---|
| 1.0 | 25/2/15 | Unfinished Draft | James Donnelly |
| 1.1 | 27/2/15 | Edits and formatting | James Donnelly |
| 1.6 | 4/3/2015 | Added Exchange Server info and confirmation screen captures | James Donnelly |

Add Application Catalog roles to CM server

1. Launch CM Console
2. Navigate to the desired site system server
3. Right-click the server, click Add Site System Roles
4. Click Next
5. Fill in proxy info (if any)
6. Click Next
7. Select the two Application Catalog roles:
   - Application Catalog web service point
   - Application Catalog website point
8. Type in the IIS website name to use (Default Web Site works fine. Any site you use must already exist.)
9. Select port number. If using HTTPS, certificates will have to be issued.
10. Click Next
11. Type your Organization name
12. Select Website theme colour
13. Click Next
14. Confirm settings
15. Click Next
16. Click Close

Install System Center Orchestrator

Install Orchestrator on the existing SCCM site server that has the CM console; all prerequisites will already be installed there.

1. Launch SetupOrchestrator.exe
2. Click Install
3. Fill in Name, Organization and Product Key
4. Click Next
5. Select I accept the license terms
6. Click Next
7. Select all the features to install
8. Click Next
9. Fill in the Username of the Orchestrator service account
10. Fill in the account Password
11. Click Test and confirm credentials are accepted
12. Click Next
13. Fill in the name of the database Server (and instance name if not using default instance)
14. Click Test Database Connection and confirm connection succeeded.
15. Click Next
16. Specify the New database name (or choose an existing one)
17. Click Next
18. Click Next
19. Click Next
20. Click Next
21. Select to use Microsoft Update
22. Click Next
23. Select No for both options
24. Click Next
25. Confirm installation summary
26. Click Install
27. Wait for installation to complete
28. Confirm all succeeded
29. Click Close

Register the Active Directory Integration Pack for System Center 2012 - Orchestrator

1. On the Orchestrator server, launch System_Center_Integration_Pack_for_Active_Directory.exe
2. Click Yes
3. Provide a location to extract the files
4. Start the Deployment Manager.
5. In the navigation pane of the Deployment Manager, expand Orchestrator Management Server
6. Right-click Integration Packs
7. Click Register IP with the Management Server.
8. Click Next.
9. Click Add.
10. Locate the .OIP file that you copied locally from step 1, click Open, and then click Next.
11. Click Finish.
12. Click Accept.
13. The Log Entries pane displays a confirmation message when the integration pack is successfully registered.

To deploy the integration pack

1. Open Deployment Manager > Integration Packs
2. Right-click the newly registered Integration Pack
3. Select Deploy IP to Runbook Server or Runbook Designer…
4. Click Next
5. Select Active Directory Integration Pack
6. Click Next.
7. Enter the name of the runbook Computer, or click the ellipsis (…) button to search for it
8. Click Add
9. Click Next.
10. Select the Schedule installation check box (or leave it unselected to install the Integration pack immediately)
11. Select the time and date to install the Integration Pack
12. Select Stop all running runbooks before installing the integration pack or Hotfixes
13. Click Next.
14. Click Finish.
15. When the integration pack is deployed, the Log Entries dialog box displays a confirmation message.

Configuring the Active Directory Connections

An Active Directory connection is a reusable link between Orchestrator and an Active Directory domain controller. You can specify as many connections as you require to create links to multiple domain controllers. You can also create multiple connections to the same domain controller to allow for differences in security permissions for different user accounts.

1. Open the Runbook Designer
2. Click Options, and then click Active Directory.
3. Click Add
4. Enter a name for the connection.
5. Click the ellipsis button (...)
6. Select Microsoft Active Directory Domain Configuration.
7. Click OK.
8. In the Configuration User Name and Configuration Password boxes, type the credentials that Orchestrator will use to log on to Active Directory. This user account must have the authority to perform the actions in any runbook where the connection is used.
9. In the Configuration Domain Controller Name (FQDN) box type the fully qualified name of the domain or domain controller for the connection.
10. In the Configuration Default Parent Container box, type the default Distinguished Name for an Organizational Unit or Common Name. This default will be used when an activity such as Create User or Create Computer does not specify the Container Distinguished Name.

    Examples of Configuration Default Parent Container:

    CN=Users,DC=mydomain,DC=com

    or

    OU=MyOU,DC=mydomain,DC=com

11. Click OK
12. Add additional connections if applicable.
13. Click Finish.

Installing the Application Approval Engine

1. Prerequisites for the server running the Configuration Manager Application Approval Engine (CMAAE) – Install the following using the command below the list:
   - Web Server (IIS) Role.
     - Windows Authentication.
     - Management Tools
       - IIS 6 Management Compatibility
       - IIS 6 WMI Compatibility.
   - .NET Framework 3.5
   - .NET Framework 4.5
   - ASP.NET 3.5
   - ASP.NET 4.5

2. Launch PowerShell as administrator and run:

Add-WindowsFeature AS-NET-Framework,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Logging,Web-Stat-Compression,Web-Filtering,Web-Windows-Auth,Web-Net-Ext,Web-Net-Ext45,Web-Asp-Net,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Console,Web-Metabase,Web-WMI,NET-Framework-Core,NET-Framework-45-Core,NET-Framework-45-ASPNET,NET-WCF-TCP-PortSharing

3. Use PowerShell to launch CMAAE.msi
4. Click Next
5. Click Next
6. Click Next
7. Click Close

Importing Runbooks

1. Copy the contents of the “C:\inetpub\wwwroot\CMAAE\Automation Samples” folder from the CMAAE server to the Orchestrator server (JDLab-SCCM) “C:\CMAAE\Runbooks” directory
2. Open the System Center 2012 R2 Orchestrator Runbook Designer
3. Right-click Runbooks and click Import
4. Click the ellipsis (…) button and browse for the CMAAE_DetectionAndNotification runbook
5. Deselect Import global configurations
6. Click Finish
7. Click OK
8. Navigate to Variables > CMAAE Detection and Notification
9. Edit the highlighted variables
   - Base URL = http://<name of server running CMAAE>/cmaae

     http://JDLab-App/cmaae

   - CM Site Server = name of the SCCM 2012 site server

     JDLab-SCCM

   - User Name = <domain>\<user> (user who has permissions for PowerShell remoting)

     sandbox\administrator

   - Password = above user’s password (recommend you also select to encrypt this)
   - To Email Address = email address of the group responsible for application approvals

     [email protected]

   - From Email Address = email address the approvals will be sent from

     [email protected]

   - SMTP Server = name of the SMTP server
10. Import the CMAAE Post Approval Notification runbook
11. Right-click Runbooks and click Import
12. Select the ellipsis (…) button and browse for the CMAAE_PostExecutionSampleAutomation runbook
13. Deselect Import global configurations
14. Click Finish
15. Click OK
16. Navigate to Variables > CMAAE Post Approval Notification
17. Edit the variables
    - From Email Address = the address you want to send the notices from
    - SMTP server = your SMTP server

Configure IIS settings on CMAAE Server

1. Log onto the server running CMAAE (JDLab-App)
2. Open IIS Manager
3. Navigate to CMAAE virtual directory and double-click to open the Authentication feature.
4. Configure Authentication as follows:
   - Anonymous – Disabled
   - ASP.NET – Enabled
   - Forms Authentication - Disabled
   - Windows Authentication - Enabled
5. Edit the CMAAE ASP.NET Application Settings
6. On the CMAAE virtual directory, double-click to open the Application Settings feature
7. Open each of the highlighted items and edit the values for those of your Configuration Manager installation.
   - RB: “True” - this enables post approval Orchestrator Runbook automation (required)
   - RB_SCOWS: Address to the Orchestrator Web Service (required if RB = True)

     Example: If JDLab-SCCM is the name of the server running the Orchestrator Web Service on port 81: “http://JDLab-SCCM:81/Orchestrator2012/Orchestrator.svc”

   - RB_UID: Unique ID of the Post Approval Runbook (required if RB = True)

     To get the ID of the Post Approval Runbook:
     - Copy GetRunbookGUIDs.ps1 to the Orchestrator runbook server (JDLab-SCCM)
     - Edit GetRunbookGUIDs.ps1 so that line 20 is:

       $RunbookName = "CM AAE Post Approval Notification"

     - Launch PowerShell with elevated privileges
     - Run the GetRunbookGUIDs.ps1 script

     Output shows the runbook GUID at the top as well as the parameters included in the runbook to use to configure IIS on the CMAAE server (see below)

   - RB_User: “User:”
   - RBAppAproveDeny: “Approval:”
   - RBAppComments: “Comments:”
   - RBApplication: “Application:”
   - RBUserComments: “Comments:”
   - SiteCode: The SCCM site code
   - SiteServer: The SCCM site server name
   - siteTitle: The name to display on the approval dialog boxes
8. Restart IIS on the server running CMAAE (JDLab-App). Open cmd prompt with elevated privileges and run:

iisreset
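
The authentication settings from step 4 can be read back with the WebAdministration module to confirm they took effect. This is an added example, not part of the original runbook document; it assumes CMAAE is an application under Default Web Site and that the "ASP.NET" entry in step 4 is ASP.NET Impersonation.

```powershell
# Added example: verify the CMAAE authentication settings listed in step 4.
# Run in an elevated PowerShell session on the server running CMAAE.
Import-Module WebAdministration

# Assumption: CMAAE lives under "Default Web Site"; adjust if another site was used.
$appPath = 'IIS:\Sites\Default Web Site\CMAAE'

# One entry per row of step 4. Pattern is a regex the effective value must match.
$checks = @(
    @{ Setting = 'Anonymous Authentication'; Want = 'Disabled'
       Filter  = 'system.webServer/security/authentication/anonymousAuthentication'
       Name    = 'enabled';     Pattern = '^False$' },
    @{ Setting = 'Windows Authentication';   Want = 'Enabled'
       Filter  = 'system.webServer/security/authentication/windowsAuthentication'
       Name    = 'enabled';     Pattern = '^True$' },
    # Assumption: the "ASP.NET" row is ASP.NET Impersonation (system.web/identity).
    @{ Setting = 'ASP.NET Impersonation';    Want = 'Enabled'
       Filter  = 'system.web/identity'
       Name    = 'impersonate'; Pattern = '^True$' },
    # Forms Authentication is "disabled" when the ASP.NET mode is anything but Forms.
    @{ Setting = 'Forms Authentication';     Want = 'Disabled'
       Filter  = 'system.web/authentication'
       Name    = 'mode';        Pattern = '^(?!Forms$)' }
)

function Get-EffectiveSetting {
    param([string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath $appPath -Filter $Filter -Name $Name
    # Some attributes come back as a bare value, others wrapped in an object
    # that exposes .Value; normalise both to a string.
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) {
        return "$($raw.Value)"
    }
    return "$raw"
}

$report = foreach ($c in $checks) {
    $actual = Get-EffectiveSetting -Filter $c.Filter -Name $c.Name
    [pscustomobject]@{
        Setting = $c.Setting
        Want    = $c.Want
        Actual  = $actual
        Ok      = ($actual -match $c.Pattern)   # -match is case-insensitive
    }
}

$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    Write-Warning "CMAAE authentication settings differ from step 4; review before exposing the approval site."
}
```

With Anonymous Authentication left enabled, the site would not identify the approver through Windows Authentication, so the first two rows are the ones to review first.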

Configure Active Directory Delegation

1. Log onto the Domain Controller
2. Open Active Directory Users and Computers
3. Go to the Delegation tab on the properties of the computer running CMAAE
4. Select Trust this computer for delegation to specified services only
5. Select Use any authentication protocol
6. Click Add…
7. Click Users or Computers
8. Enter the name of the Orchestrator server (JDLab-SCCM)
9. Click Check Names
10. Click OK
11. Select both the HOST and the rpcss Service Type (screen shot only shows HOST, scroll down to see rpcss – use Ctrl key to select both)
12. Click OK
13. Click Apply
14. Click OK
15. Reboot the server running CMAAE (JDLab-App)
16. Once that server comes back up log onto the Orchestrator server and launch Runbook Designer
17. Start both runbooks
    1. Select the runbook, click the Run button
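
The delegation configured in steps 3 to 14 can be audited from PowerShell to confirm the CMAAE computer account is limited to the two service types on the Orchestrator server and is not trusted for unconstrained delegation. This is an added example, not part of the original runbook document; it assumes the ActiveDirectory module (RSAT) is installed and uses the lab server names from this document.

```powershell
# Added example: audit Kerberos delegation on the CMAAE computer account.
Import-Module ActiveDirectory

$cmaaeServer  = 'JDLab-App'       # server running CMAAE (name from this document)
$orchServer   = 'JDLab-SCCM'      # Orchestrator server (name from this document)
$allowedClass = 'HOST', 'rpcss'   # service types selected in step 11

$computer = Get-ADComputer -Identity $cmaaeServer -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# Each delegation target is an SPN of the form class/host[:port][/name].
# The GUI normally records both the short and the fully qualified host name.
$spns = @($computer.'msDS-AllowedToDelegateTo')

$unexpected = @($spns | Where-Object {
    $parts    = $_ -split '/', 3
    $class    = $parts[0]
    $hostName = ($parts[1] -split '[:.]')[0]   # drop port and DNS suffix
    # Flag anything that is not HOST or rpcss on the Orchestrator server.
    ($allowedClass -notcontains $class) -or ($hostName -ne $orchServer)
})

$result = [pscustomobject]@{
    Computer                = $computer.Name
    # "Trust this computer for delegation to any service" would set this flag.
    UnconstrainedDelegation = [bool]$computer.TrustedForDelegation
    # "Use any authentication protocol" (step 5) sets this flag.
    ProtocolTransition      = [bool]$computer.TrustedToAuthForDelegation
    DelegationTargets       = $spns -join ', '
    UnexpectedTargets       = $unexpected -join ', '
}

# The account matches this section when delegation is constrained, protocol
# transition is on, targets exist, and none fall outside HOST/rpcss on $orchServer.
$matches = (-not $result.UnconstrainedDelegation) -and
           $result.ProtocolTransition -and
           ($spns.Count -gt 0) -and
           ($unexpected.Count -eq 0)

$result | Format-List
if (-not $matches) {
    Write-Warning "Delegation on $cmaaeServer differs from the configuration in this section."
}
```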

Confirm email is working

1. Log onto a workstation in the domain using an administrative account (screen shots are from Windows 7 workstation)
2. Right-click Computer
3. Click Properties
4. Click Remote settings
5. Select Allow connections from computers running any version of Remote Desktop
6. Click Select Users…
7. Click Add…
8. Type RunBkService
9. Provide the Administrator name and password
10. Click OK, OK, and OK
11. Close any open windows and log off
12. Log onto that same workstation using the RunBkService account
13. Open https://JDLab-Exchange/owa
    1. If you get a certificate error just click Continue to this website… (no screenshot)
    2. You may be prompted to select your time zone (no screenshot)
    3. If Exchange is configured properly (it is in the sandbox lab), your Inbox should then open
    4. Click new mail
    5. Send a test message to [email protected]
    6. Log off
    7. Log on as sandbox\administrator
    8. Launch https://jdlab-exchange/owa
    9. Confirm the test message from RunBkService has arrived.

NOTE: This confirms the Exchange server can send and receive emails, the RunBkService account has a valid Exchange mailbox, the Notifications distribution list is configured correctly, the administrator account is a member of the Notifications distribution list, and the administrator account can receive emails. All this is required for CMAAE to work as configured.

Confirm CMAAE is working

1. Deploy a package, and in the deployment wizard mark it as Requires administrator approval if users request this application
2. Log onto a workstation and launch the application catalog: http://jdlab-sccm/CMApplicationCatalog
3. Select the application and click Request
4. Fill in your Reason for application request
5. Click SUBMIT
6. Confirm request was submitted
7. Log onto the machine running Orchestrator (JDLab-SCCM)
8. Open the Runbook Designer
9. Select the CM AAE Detection and Notification runbook
10. Select Log History
11. Wait for entry (could be 15 minutes)
12. Double-click the entry and confirm all success
13. Log onto workstation with administrator account (an account that is a member of the Notifications distribution list)
14. Open Outlook Web Access (https://JDLab-Exchange/owa)
15. Open the message from RunBkService
16. Click the link at the bottom of the message
17. Fill in a comment
18. Select either Approve or Deny
19. Click Submit
20. Log back onto the workstation with the requesting user account and open the Application Catalog
21. Go to the My Application Requests tab and the status should be Approved (it could take a while for this to update)
22. Go to the Application Catalog tab
23. The application should have an INSTALL button where it once had a REQUEST button

