How to Configure and Approve User Application Requests in SCCM

SCCM allows application deployment in way that it goes through approval process. Users requests the application in Software Center, and then an administrator review and approve user application requests. The feature is named Approve application requests for user per device and it’s not enabled by default in Configuration Manager.

We will explore this feature and steps required to deploy application which goes through approval process.

Enable Optional Features

The feature to approve user application requests is not enabled by default in ConfigMgr. You need to enable the feature if you want to use the same. Follow the below process to enable the option.

  • In the ConfigMgr console, navigates to Administration / Updates and Servicing / Features
  • Right click on Approve application requests for user per device and select Turn On

SCCM | Approve application requests for users per device

Configure Email Notifications for Alerts in SCCM

SCCM has an ability to sent an email for triggered alerts. The email notification can also configured for subscribing SCCM reports periodically.

An admin needs to approve the application requested by the user. A SCCM administrator can approve the application request from ConfigMgr console. However this method may not be convenient if you want to delegate the approval of an application to application owner or someone from business / Helpdesk rather than SCCM team own the approval task.

We have an option to configure the email notification for each application. Once user request an application, email will be sent to respective email address to approve or deny the request. The email recipient can approve or deny the application by clicking on Approve / Deny button in the email. The person must have necessary access in SCCM to approve / deny application requests. Please refer to custom RBAC role section of this article.

To receive an email from SCCM you must configured email notifications. If you are using report subscriptions then this must be in place already.

Follow the below steps if this is not configured.

  • In the SCCM console, navigates to Monitoring / Alerts / Subscription
  • Click on Configure Email Notification in ribbon

SCCM | Configure Email Notification
  • Configure the following options the Email Notification Components Properties window. You can get in touch with your Exchange / Mail server team to get necessary details.
    • Enable email notification for alerts : Provide outgoing SMTP server details to send email
    • Sender address for email alerts: Provider sender email address for email alerts

SCCM | Configure Alert Notification

Create Custom RBAC Role

In Configuration Manager, role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. An administrative scope includes the objects that an administrative user can view in the Configuration Manager console and the tasks related to those objects that they have permission to do.

This step is required if you want to delegate the application approval tasks to Application Owner or someone else who is not a Configuration Manager administrator. You can assign this role to an Active Directory Group for better management.

  • To create a custom RBAC role for application approval:
    • navigates to Administration / Security / Security Roles
    • Right click on Read only Analyst role and select Copy

SCCM | Custom RBAC Role

  • Provide a name for new security role, Expand Application in Permissions list and select Approve.
  • Click on Ok to close the Window.

Security Role

The new security role is now created. Now, we need to assign the administrative user’s / groups to newly created security role.

Navigates to Administrative Users node, right click on the desired user / group and select properties.

SCCM | Administrative Roles

In the Security Roles tab, click on Add, Select newly created security role and click on Ok to assign the role to administrative user.

SCCM Security Roles

Setup Application Deployment

The next step is to setup an application deployment. We will setup a deployment as ‘Available’ to user’s collection. The user’s can see the application in Software Center and request application installation from there.  If the administrator approves the request, the user is only able to install the application on that device. The user must submit another request to install the application on another device.

Let’s understand how we can setup a deployment and configure approval requirements. We will not discuss the steps to create an application. We assume that you are well familiar with SCCM application creation and deployment process.

Create User Collection

Since the application need to be deployed on User collection, let’s create user collection first.

  • In the Configuration Manager console, navigates for Assets and Compliance / User Collection
  • Right Click on User Collections and select Create User Collection

SCCM User Collection
  • In the Create User Collection Wizard, General page, enter Collection Name, Limiting collection and click on Next.

SCCM User Collection
  • Click on Add Rule and select Direct Rule. We will add a test user directly in this collection. You can also user Query Rule, Device Category Rule, Include and Exclude collection Rule to populate collection membership dynamically.

SCCM User Collection Wizard
  • In the Search for Resources page, enter the user name which you want to search and click on Next.

SCCM User Collection
  • In the Select Resource page, select the user’s which you want to add to collection and click on Next.
  • Click on Next few more times to go through Summary, progress and Completion page.

SCCM User Collection Wizard

You can now see that collection created and membership populated.

Deploy Application to User Collection

Now we need to deploy the application to user collection. We will deploy 7 Zip application to the user collection we created in previous steps.

  • Right click on the Application which you want to deploy and select Deploy from context menu.
  • In the Deploy Software Wizard General page, select the Software and Collection. Click on Next.

SCCM Deploy Software Wizard
  • In the Deployment Settings, make sure following settings are configured:
    • Action : Install
    • Purpose : Available
    • Select An administrator must approve a request for this application on the device
    • Enter Approver email address
  • Click on Next and configure Scheduling, User Experience options as per your requirements.
  • Click on Next few more times to go through Summary, Progress and Completion page to complete deployment setup process.

Please note that you must select An administrator must approve a request for this application on the device check box. Otherwise the approval process will not enforced for the deployment.

SCCM Software Deployment Settings

The deployment setup is now completed and application will be visible to user’s in Software Center.

Request an Application from Software Center (End User)

User can now see the application in Software Center. Once user click on the application, they see will below screen. User can click on Request button to submit application installation request.

SCCM Approve User application request software center 7 zip

If user submitted the request in error, they will also have an option to cancel the request.

SCCM Approve User application request software center 7 zip

Approve User Application Requests from SCCM Console

The Configuration Manager administrators can see the application requests in SCCM console. To view all requests, you need to navigates to Software Library / Application Management / Application Requests

To approve or deny an application request, simply select the application and click on Approve / Deny button from ribbon.

Approve User Application Requests from SCCM Console

Approve User Application Request from Email Notification

If you have configured the SCCM environment for email notification alerts and provided an approver’s email address while creating the deployment, then approver’s will receive below email notification to approve or deny the request.

The below link will work from internal network only and SCCM server should be accessible from approver’s machine.

If you have Cloud Management Gateway (CMG) configured in your SCCM environment, then you can also configure approval from Internet. Check out this Microsoft article for more details.

Approve User Application Request from Email Notification

Once approver click on the Approve / Deny link, he / she can see a confirmation message whether approval or rejection was succeeded.

Approve User Application Request from Email Notification

Related Posts

Subscribe to Techuisitive Newsletter

Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.

Scroll to Top