Deploying Applications Using Security Groups Via SCCM

[ikkhatri]

Hello,

 

This is my first post as I just registered with W-N.

This question may have been asked before however I wasn't able to find it so I would like to apologise if I'm asking it again.

 

I have a lab setup and I have successfully deployed the OS's to various VM's in my network.

 

What I would like to do is add a security group to a computer object and have SCCM deploy it to the specified computer.

 

1. I have created an OU called " Subscriber Applications ". And in this OU I have created 2 Security Groups:

 

Security Group 1: Application - Google Chrome

Security Group 2: Application- Mozilla Firefox

 

2. In CM 2012 Console ( -> Software Library -> Overview -> Application Management -> Applications ) Under Applications I have created the 2 Applications using it's MSI installation file, then Distributed Content to DP. (Named it as: Mozilla Firefox and Google Chrome)

 

3. Under Assets and Compliance-> Overview-> Device Collections I created a new folder called Applications.

4. In that folder I created a Device collection called Google Chrome.

5. Limiting Collection was set to All Systems.

6. In Query Rule properties I named is as Google Chrome again. Then clicked Edit Query Statement.

7. In Criterion Properties, Type was set as Simple Value. Attribute Class: System Resource, Attribute: System Group Name; Value: I chose the security group.

 

Query Statement:

select * from SMS_R_System where

SMS_R_System.SystemGroupName = Domain\Application - Google Chrome.

 

Once it's created I right click and deploy it. It installs Google Chrome to all computers. instead of only on the computer that has Google chrome membership.

 

Can someone please guide me on this. I know I'm doing this all wrong.

 

Once again...Sorry for the double post.

 

And many many thanks for your assistance.

 

 

 

 

[GarthMJ]

How many computer should up within your Chrome collection? Is it right?

[ikkhatri]

Hi GarthMJ,

 

Thanks for your response. In my chrome collection there are 9 computers. When I created the collection I chose All Systems.

[g-fx]

do you actually see just the computers in the group? have you also setup AD group discovery in SCCM for these groups?

[ikkhatri]

I see the computers in the AD groups and Yes I have enabled AD group discovery in SCCM. And clicked yes to run the Discovery as soon as possible when I first enabled it. However I have again ran the discovery again.

Also: Under Software Library -> Overview -> Application Management -> Applications I right click on the Google Chrome application and click deploy it does deploy the application but to all the computers.

Is there a new collection that I may need to create and put the computers in there?

What are the steps to configure SCCM in a way where all I have to do is add the application security group membership to a computer in Active Directory and SCCM deploys it to that computer only automatically?

Example PC Names: testpc1 , testpc2 and testpc3.

In the properties of testpc1 I click member of and add the group membership for Chrome and SCCM will deploy the application to testpc1 only.

Thank you so much for helping me out. (Still new with SCCM)

[kman-dk]

Which collection are you deploying your software to? It needs to be the "Google Chrome" collection or "Mozilla Firefox"

[ikkhatri]

Thank You all for all your help. I was successfully able to achieve this using the below query:

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "Domain\\Application - Mozilla Firefox"

 

How I did this was created an OU in AD and Named it Subscriber Applications and in this OU I created application security hroups. then:

1. Created the 2 applications (Chrome and Firefox) and Distributed Content.

2. Under Device Collections I created a new folder and named it Applications.

3. In the Applications folder I created 2 Device Collections named: Application - Google Chrome and Application - Mozilla Firefox.

4. For the Limiting Collection I used " All Desktop And Server Clients "

5. On The next screen, clicked add rule and chose the query rule option

6. Name: The Application name exactly has I have it named in my AD security group (Example: Application - Google Chrome)

7.Clicked Edit Query statement then clicked Show Query Language

8. Clear everything in the box and paste the above query.

(make sure to change the last bit to "YOURDOMAINNAME\\YouApplicationSecurityGroupName")

9. Next it all the way.

10. Go to Software Library then right click the application and click deploy.

11. For the Collection on the left pane drop down, change to device collections and locate the application collection we just created. ( you will receive a popup stating that the collection doesn't not contain any members (that's ok), just hit ok.

12.Next it all the way.

 

Now in AD open up computer properties --> member of --> and add the application group in it.

Mine took about 12 minutes and it deployed it successfully to the PC which was in the Google Chrome group.

 

Hope this helps someone.

 

 

 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Next thing I would like to do is uninstall the application. Same process but this time once I remove the application security group from the computer membership I would like SCCM to uninstall the application automatically.

 

I have no clue on how to do this.

Any help would be great. The only thing I could find was a Query:

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_R_System.NetbiosName not in (Select SMS_R_System.NetBiosName from SMS_R_System where SMS_R_System.SystemGroupName = "<Domain>\\<Security Group>") and SMS_R_System.Client = 1 and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "<NAME OF APPLICATION>"

 

Can someone please help with some instructions.

 

Thanks.

[kman-dk]

I Don't know how to do automatically. I've solved it this way;

 

I have created two security groups. One called "Firefox - Install" and another "Firefox - Uninstall" Created two programs in SCCM, one that installs, and one that uninstalls. I've deployed the uninstall program to my "Firefox - Uninstall" SCCM collection. Works great, but to do it automatically would be nice. Maybe someone has a solution.

 

/kman

[ikkhatri]

Thanks kman.

I'll try that.

However to query it when creating the collection...what is to be used?

 

The bottom query?

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_R_System.NetbiosName not in (Select SMS_R_System.NetBiosName from SMS_R_System where SMS_R_System.SystemGroupName = "<Domain>\\<Security Group>") and SMS_R_System.Client = 1 and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "<NAME OF APPLICATION>"

 

Since in the query theres already a security group specified. ..do i still need to put this: and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "<NAME OF APPLICATION>"

[kman-dk]

I'm using this query for the collection to uninstall a program.

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "MYDOMAIN_NAME\\Firefox - Uninstall"