Orchestrator Runbook: Approve Clients in SCCM


This article details a runbook that auto-approves clients from an SCCM collection. This runbook is important if you only approve devices from trusted domains. I recently had to set up an untrusted domain that contained devices I wanted to manage from SCCM. I needed these devices to be approved without having to do it manually, but I did not want to auto-approve just any device. This runbook achieves that purpose.

Runbook

This is a fairly simple runbook with only three activities. You will need the SC 2012 Configuration Manager Integration Pack, found here: https://www.microsoft.com/en-us/download/details.aspx?id=39622. Here is what the runbook will look like:

[Screenshot: the completed runbook]

This runbook will first get the membership of a collection. Ensure that your devices that need to be approved are filtered into this collection. I set up the membership rule to pull anything from a particular IP address range into this collection. Another option could match the domain name of your untrusted domain. I then run a WMI method against the membership of that collection that approves everything in that collection. If there are devices that are already approved, nothing happens.

First, drag a “Monitor Date/Time” activity into your runbook. This activity ensures that your runbook runs at a given interval. I have mine set up to run every five minutes, but you can set it to fit your needs.


Next, drag a “Get Collection Members” activity into your runbook. Set your connection name to your environment. Next, identify the collection of your unapproved devices. I would identify it by the collection ID instead of the name, because that gives you the freedom to change the name in the future.


After you have this set, go to the “Run Behavior” tab. Check the “Flatten” box and specify a “Separate with” character.


Next, drag a “Run .NET Activity” into your runbook. Change the language to PowerShell, and paste this code in the box:

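PowerShell {

    # Resource IDs arrive as one flattened string from "Get Collection Members"
    $a_res_id = @()
    $res_ID = '{Resource ID from "Get Collection Members"}'

    # Split on the same character that is set in the "Separate with" field
    $a_res_id = $res_ID.Split(';')

    # Approve every resource ID in the list (already-approved devices are unaffected)
    Invoke-WmiMethod -ComputerName <site server name> -Namespace root\sms\site_<site code> -Class SMS_Collection -Name ApproveClients -ArgumentList @($true, $a_res_id)

}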

First, be sure to replace the blue text (the placeholder in braces assigned to the $res_ID variable) with the actual Resource ID published data from the previous activity. Also, be sure to input your site server name and site code in the last command.

Now, we have a few things going on here. First, notice that this is running in a separate PowerShell session. My Orchestrator system runs on Windows Server 2012 R2, which has PowerShell version 4. Splitting the resource IDs from the previous step proved to be impossible using the Orchestrator PowerShell engine, which runs in version 2. Running these commands from another session allows us to use the much-improved PowerShell 4 engine.

Next, we assign the resource IDs from the previous step to a variable and split them. I used a semicolon as my split character, but you can use whatever you want. Make sure that it matches the “Separate with” field from the previous activity. Finally, we execute the WMI method that approves the devices.
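Because this step approves whatever arrives in the flattened string, the following added example (not part of the original runbook) validates that string before the ApproveClients call: it rejects non-numeric tokens, which also catches a separator that does not match the “Separate with” field, skips empty entries and removes duplicates. The function names, the sample IDs and the 'SITESERVER01' / 'ABC' values are placeholders assumed for illustration.

```powershell
# Added example: validate the flattened Resource ID list before approving.
function ConvertTo-ResourceIdList {
    param(
        [string]$Flattened,         # published data from "Get Collection Members"
        [string]$Separator = ';'    # must match the "Separate with" field
    )
    $ids = New-Object 'System.Collections.Generic.List[uint32]'
    foreach ($token in $Flattened.Split($Separator)) {
        $token = $token.Trim()
        if ($token -eq '') { continue }   # empty collection or trailing separator
        [uint32]$id = 0
        if (-not [uint32]::TryParse($token, [ref]$id)) {
            # A mismatched separator leaves e.g. "16777220,16777221" as one token
            throw "Unexpected value in Resource ID list: '$token'"
        }
        if (-not $ids.Contains($id)) { $ids.Add($id) }   # drop duplicates
    }
    return ,$ids.ToArray()   # leading comma keeps the array intact on return
}

function Approve-CollectionClients {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SiteServer,
        [string]$SiteCode,
        [uint32[]]$ResourceIds
    )
    if ($ResourceIds.Count -eq 0) { return 0 }   # nothing to approve, skip the WMI call
    if ($PSCmdlet.ShouldProcess("$($ResourceIds.Count) resource(s)", 'ApproveClients')) {
        # Same WMI method call as the runbook step above
        Invoke-WmiMethod -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" `
            -Class SMS_Collection -Name ApproveClients `
            -ArgumentList @($true, $ResourceIds) | Out-Null
    }
    return $ResourceIds.Count
}

# Constructed sample input: one duplicate and one empty entry
$sample = '16777220;16777221;;16777220'
$ids = ConvertTo-ResourceIdList -Flattened $sample
Write-Output "Validated IDs: $($ids -join ', ')"

# -WhatIf reports what would be approved without contacting the site server
Approve-CollectionClients -SiteServer 'SITESERVER01' -SiteCode 'ABC' -ResourceIds $ids -WhatIf
```

Remove -WhatIf once the reported count matches the membership you expect in the collection.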

There will also be an extracted copy of my runbook under the Downloads section of this website.


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
