Introduction
Microsoft Endpoint Manager: Enhancing Modern Application Management – Part 4
We have now reached a pivotal point where we have gone through all of the foundations of how we will make applications available as well as the type of priorities that they will have whether that be for required purposes, before a device can be initialized on the network as well as available.
Now we are ready to touch base on areas around application approval workflows. This is basically how we will deal with applications which may have very limited licensing, or perhaps just licensing in general. The key element is to really have a workflow where we can easily track and monitor who has this installed but most importantly there is an intermediary which provides an approval to whether that individual or machine should receive the application based on its licensing limitations.
How do we define the approval process
In a high level, below is how we would look at an approval process as displayed in Figure 1.1
This is a workflow which you would typically see in various ITSM or CMDB based technologies such as System Center Service Manager (SCSM), ServiceNow and many other tools.
We want to be able to replicate a workflow such as this where it fits within our Modern Endpoint Management so we can fully enrich the process from end to end.
Methods of Approval Workflow Processing
Intune Policies
There are some alternatives which can be achieved in regards to formulating a process for application approvals within Intune. This will be something which I will expand on more on the next part where we will do a much greater dive into using MS graph for various automation procedures.
Below is a somewhat native method which you can get some understanding of the licensing which has been used.
VPP License Synchronization
For those who are familiar with making applications available from the iOS store for apple managed devices, windows tore for windows devices and google play store for Android devices, there is normally either a business or offline versions of each which allow you to synchronize these applications alongside the licensing for each application.
Now for applications like Company Portal these will have a healthy amount as these are to apply to all devices in theory, but more emphasis on this article is aimed towards those which don’t have as many licenses.
This section doesn’t necessarily look at or define the approval process, but it definitely can provide you with a report or statistic look at all of the licenses which are in use as well as which ones are available.
You will mainly get this kind of view and better utilization on if you are using Apple Business Manager where you can create the VPP tokens to issue out in accordance to the integration you have with the company portal application.
More information on this can be found here
ServiceNow Integration
There is also the ability of creating an integration with ServiceNow using the Service Graph connector.
This allows you to create an enterprise application where you can make available the permissions of your applications to ServiceNow where you can take advantage of not only the ITOM but also ITSM capabilities. With these in place you can then have these applications synchronized as CIs within the CMDB in which you can then formulate a workflow where you can then get approvals from using areas such as Service Requests or Change control to then provide access to groups which have the deployments made available to them.
To see more information on this you can click here on the official documentation page for the Service Graph Connector https://docs.servicenow.com/en-US/bundle/sandiego-servicenow-platform/page/product/configuration-management/concept/cmdb-integration-intune.html
Au2mator Self-Service Portal
For those who are not familiar with the Au2mator Self-Service Portal, it is a very interesting solution from Michael Seidl where you have a portal which can develop your own workflows from scratch which is then provided with a front-end for users to utilize and can range from various types of workflows or processes we may want them to use.
Now suppose for example we wanted to stretch this capability to approving application requests which came from Intune? Whilst we will touch on MS graph much deeper on the next part I feel it will be good to give some ideas on how this can work with a solution such as this.
So when we think of a template for approving applications what are some of the most typical questions we would ask? I would say it would be around the below type;
- Name of the Application
- Application Deployment Priority
- Reason for Application Request
- Delivery Date of the Application
This gives a good idea on how you would want this to be laid out. Now if we look at the Self-Service portal below we then have those same questions outlined in the portal;
Then when we click the Application Request we are then presented with a very similar questionnaire below
Once I’ve filled this form out, then the approvers of this particular process will then get a message about the details of this request
Now once I approve this request, the application deployment can then be carried out.
But as we have seen here this is kind of a manual process in a sense where the actions haven’t automatically carried out the actions of adding a user or device to a deployment a such, but the workflow is there and track record of requests is there also.
Now in the next part we are going to show in full detail how we would use a tool like the Au2mator self-service portal to utilize MS-Graph and really get this going to see how an application approval workflow would work.
Why not just use Service Manager for this workflow?
Service Manager may come to mind as the obvious choice and as it should being the CMDB and ITSM tool within the System Centre stack and can work great with providing a solution like this for Intune. But the only challenge is the tremendous amount of moving parts which come along with it.
For those who remember the SDK of SCCM/SCSM it came with something called an AAW (Application Approval Workflow) which consisted of some custom management packs and some orchestrator runbooks. And this worked out great as it allowed us to use the life cycle of ITSM across the CIs of any application a user wanted to request, but there is ALOT of dependencies within this solution.
That’s not to say that it cannot or shouldn’t be used, but it is perhaps a subject or article series within itself which we may expand on later on.
Next On Part 5
On the next part we are going to dive further into the MS Graph areas and expand on this topic where we can structure an application approval workflow directly within Intune as opposed to the third party options listed above. In will contain a lot of moving parts to this so will be quite detailed technically.
It will be a continuation from this part that will illustrate step by steps on how to not only setup the application approval workflow but how it will automate and integrate with everything too!
