This blog is owned and operated by the ANZ ConfigMgr Premier Field Engineer team.
Contributors
Ian BartlettMatt ShadboltGeorge Smpyrakis
Blog Links
Many customers are still configuring collection structures similar to 2007 and using collections to control the validity of who should receive which applications.
Where possible we should be changing how we now manage application deployments and move the validity processing of the application back to the client by using our Global Conditions (state based) to manage Requirement Rules. This works well for many Off The Shelf (OTS) applications that do not have specific procurement constraints as we can safely deploy this category of applications to ALL USERS and if needed implement an Application Approval workflow. Where I am increasingly seeing customers still reverting back to specific targeted of applications, normally based of an AD Security Group, is for APP-V application deployments.
I continue to see a large uptake of APP-V in many customer sites as we move towards a user-centric mobile environment, which is great, however I am seeing a lot of customers experiencing poor publishing times of virtual applications which is often a result of poor administrative processes.
In SCCM 2007 we had the option to instruct the virtual application advertisement to auto remove the virtual application when the advertisement was no longer available to a client. Unfortunately this option is no longer available in 2012 and as a result many customers have gone searching for a solution by looking to the ConfigMgr Community forums. Unfortunately a lot of members of the community are simply recommending to use the general deployment rule that an INSTALL deployment takes precedence over an UNINSTALL deployment. As a result many of the community forums have been instructing customers to simply create an UNINSTALL deployment for each virtual application and target this to the ALL USERS or ALL SYSTEMS collections. Please DO NOT DO THIS as you will continue to experience slow publishing times for APP-V applications.
If you are already doing this approach, I strongly recommend you read this blog to understand why this is a BAD idea and be VERY CAUTIOUS in your approach to undo this setup. DO NOT do a BIG BANG approach and remove all of the current UNINSTALL deployments in one hit and create the new recommended workflow as this will cause a huge amount of deployment policy objects potentially causing significant issues in your environment. It would be very advisable that you slowly stage the changes in your environment over a few days to prevent a mass number of policy changes in one hit.
Only when you have specific LOB applications that require a REQUIRED Deployment.
When a client polls for new policy changes, a SPROC is run by the Management Point consuming SQL resources.
The more records in ResPolicyMap and DepPolicyAssignment, the more CPU time required to process the “GET” SPROC like
ResPolicyMap maps the resource ID and PADBID, (unique identifier for the policy). You can Query the count of ResPolicyMap objects to determine the number of policies being targeted to each user / system that must be processed.
DepPolicyAssignment links a policy object with its dependency polices and are provided to both users &/or machines when a policy request is initiated.
Examples:
Below are examples of the Collection Queries you can use to manage an auto un-publish workflow for App-V deployments based off an AD Security Group.
1. Create an AD Security group for the application you are deploying.
2. Create an INSTALL Collection for each Virtual Application with a dynamic query linked to the AD Security Group. Target the INSTALL Deployment for each APP-V Application to this Collection.
2. Create a specific UNINSTALL Collection for each Virtual Application with a dynamic query using the syntax below. Also add an explicit EXCLUDE Collection membership rule that excludes the INSTALL Collection for that application. Ensure the application name matches that listed in the ConfigMgr database.
select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User inner join SMS_G_System_AppClientState on SMS_R_USER.UniqueUserName = SMS_G_System_AppClientState.UserName where SMS_G_System_AppClientState.AppName = "APPLICATIONNAME" and G_System_AppClientState.ComplianceState = 1
Create and Target the UNINSTALL deployment policy to the UNINSTALL Collection.
The result will be…. When a User is added to the AD Security Group the virtual application will be made available to the end user and install silently. When the user is removed from the AD Security group that has previously successfully published the APP-V application, they will be added to the UNINSTALL collection resulting in the virtual application being automatically removed from the client only then. This approach will minimise the ongoing policy objects that every user in the organisation will have to process.
OK things to note with this setup (that i have tested): - When the user is removed from the AD group you have to wait for the AD Group Discovery to kick in for the query to run. If the discovery is set for Delta updates it should happen quite frequently. - The user gets added into the Uninstall collection and stays there until the collection is cleaned out (manual task). - The application gets completely deleted from the App-V cache and their start menu. HOWEVER, if they have pinned the shortcut to their start menu or taskbar these will remain! - If another user of the same application logs into their machine the app gets pulled down again. When the original user logs back in the app will be in the cache..... though they will not have any capability to launch it (no icons present). - Adding a user back into the relevant AD group re-publishes the application to them. Cheers
Hello, Is your best practices are the same like this Microsoft Official Guide ? http://www.microsoft.com/en-us/download/confirmation.aspx?id=38177 Best regards,
Hi Alan, This guide provides the solution for a system centric deployment. If you review page 31 you will see the "Note: The uninstall collection query listed only works for systems. The query must be modified when the install collection contains user objects." This solution is based around the same concepts however for a user deployment model. Hope that answers your query.