Well…. I sort of lied I guess… I do SOMETIMES deploy to computers but only apps that are deployed to all computers. Like upgrades or something like that.
Yes, I use primary device as a requirement rule. I am in the process of switching from Flexera over to 1E shopping. Either product offers the ability to do approvals. Apps that are not site licensed require approvals. This is how I deal with licensed software. As I said, the same thing could be done on a shoestring budget using that free SCORCH web frontend. http://www.eupsco.nl/HowItWorks but honestly Shopping is cheap.

I don't make any apps available. All of my apps are required.

From: [email protected] On Behalf Of sccmfun
Sent: Tuesday, March 03, 2015 10:28 AM
To: [email protected]
Subject: RE: [mssms] Deploy applications using AD groups.

Awesome info, so last few questions and I think I’m all sorted out.

You said you never put computers in groups, just users. So do you never deploy to computers or if you do you just make a collection of machine names? How do you target them for the deployment?

So what requirements do you have so this doesn’t happen? Are you using primary user so it only gets installed on that machine?

The way I was thinking of doing it was to have any application that isn’t licensed we would make it available so the user can install it. If it’s a licensed app we would deploy that to the computer as required (using an AD group we put the machine into). We would never deploy anything to the user that is required.

It sounds like you target users with required AND available apps but use primary user to ensure any required apps only installs on their primary machine and not every machine they log into. Is that right?

Very helpful stuff.

From: [email protected] On Behalf Of Marcum, John
Sent: Tuesday, March 3, 2015 11:11 AM
To: '[email protected]'
Subject: RE: [mssms] Deploy applications using AD groups.

You definitely "could" have this happen if your requirement rules are not set up correctly.

From: [email protected] On Behalf Of Matt Browne
Sent: Tuesday, March 03, 2015 9:50 AM
To: [email protected]
Subject: RE: [mssms] Deploy applications using AD groups.

We tend to target our software to computer collections only, with one or two exceptions. If you target the software to a user exception you could get in the situation where the software gets installed on every machine the user logs into.

We never deploy software to the user and computer collections at the same time. I’ve just never needed to do this.

From: [email protected] On Behalf Of sccmfun
Sent: 03 March 2015 15:11
To: [email protected]
Subject: RE: [mssms] Deploy applications using AD groups.

Thanks Matt.

John you use the same exact WQL query that Matt uses for your collections? When you say all your software is done using AD user groups, so you always target only the user, you don’t put computers into AD groups and target them also?

Another question: When you look in System Resource (computer collection), there is a Security group name and System Group name, does anyone know what the difference is? Same question when looking at User Resource (user collection) there is a Security group name and User Group name, does anyone know what the difference is?

Thanks

From: [email protected] On Behalf Of Marcum, John
Sent: Tuesday, March 3, 2015 9:58 AM
To: '[email protected]'
Subject: RE: [mssms] Deploy applications using AD groups.

+1

Doing it that way means the user doesn't even have to log out and back in before the software is deployed. ALL of my software is done this way using AD user groups and the app model.

From: [email protected] On Behalf Of Matt Browne
Sent: Tuesday, March 03, 2015 4:55 AM
To: [email protected]
Subject: RE: [mssms] Deploy applications using AD groups.

The collection query we use for users and computers is:

Computers:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.SystemGroupName = "DOM\\GROUP_NAME_FROM_AD"

Users:

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "DOM\\GROUP_NAME_FROM_AD"

Make sure the collection is set to incremental updates and you should be good to go. It’s not instant, but the software should go out in a few minutes.

Hope that helps

From: [email protected] On Behalf Of sccmfun
Sent: 03 March 2015 10:42
To: [email protected]
Subject: [mssms] Deploy applications using AD groups.

What is the best way to create a collection to deploy software to users/computers based off of AD Group?

Should I populate the collection using the security group name, in which case the collection only has 1 member (ex: contoso\winzip) or should I create the collection so it returns the members of the group so it shows the actual objects (ex: 15 users/computers)?

I thought I remember something that the collection needs to have the actual computer/user names returned and not just the 1 group name returned or users/computers would need to logoff/logon for their token to refresh before they receive the policy.

Does anyone have the query they use? My goal is to create a collection based off AD group (ex: contoso\winzip) and have the least amount of wait/interaction from the user.

Thanks

________________________________

Information in this message is sent in confidence and is intended only for the use of the individual or entity to whom it is addressed. If you are not the intended recipient, any use, distribution or copying of the information is strictly forbidden. Please notify the sender immediately by return email or telephone 01823 721400. If you received this email in error please delete it and any copies of it from your system. Viridor Waste Management Limited Registered Office: Peninsula House, Rydon Lane, Exeter EX2 7HR Registered in England No. 575069

________________________________

Confidentiality Notice: This e-mail is from a law firm and may be protected by the attorney-client or work product privileges. If you have received this message in error, please notify the sender by replying to this e-mail and then delete it from your computer.

________________________________
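
The two collection queries from the thread, created with incremental updates through the ConfigurationManager PowerShell module. This is an added example, not part of the thread. The function name New-AdGroupCollection and the sample names are hypothetical, and it assumes the module is imported and the session sits on the site drive.

```powershell
# Added example. Assumes: Import-Module ConfigurationManager has been run and
# the current location is the site drive (Set-Location 'XYZ:'; XYZ is a placeholder).
function New-AdGroupCollection {
    param(
        [Parameter(Mandatory)][ValidateSet('User', 'Device')]
        [string]$Kind,

        # DOMAIN\Group as found by AD group discovery. The pattern rejects quotes
        # and other characters that would change the text of the WQL query.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]+\\[A-Za-z0-9 ._-]+$')]
        [string]$AdGroup,

        [Parameter(Mandatory)]
        [string]$CollectionName
    )

    # WQL string literals need the backslash doubled: DOM\GROUP -> DOM\\GROUP
    $wqlGroup = $AdGroup.Replace('\', '\\')

    if ($Kind -eq 'User') {
        $select = 'select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,' +
                  'SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain'
        $query  = "$select from SMS_R_User where SMS_R_User.UserGroupName = `"$wqlGroup`""

        # -RefreshType Continuous is the "incremental updates" setting.
        New-CMUserCollection -Name $CollectionName -LimitingCollectionName 'All Users' `
            -RefreshType Continuous | Out-Null
        Add-CMUserCollectionQueryMembershipRule -CollectionName $CollectionName `
            -RuleName "Members of $AdGroup" -QueryExpression $query
    }
    else {
        $select = 'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
                  'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, ' +
                  'SMS_R_System.Client'
        $query  = "$select from SMS_R_System where SMS_R_System.SystemGroupName = `"$wqlGroup`""

        New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' `
            -RefreshType Continuous | Out-Null
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
            -RuleName "Members of $AdGroup" -QueryExpression $query
    }
}

# Constructed sample call, using the group name from the original question:
# New-AdGroupCollection -Kind User -AdGroup 'CONTOSO\WinZip' -CollectionName 'APP - WinZip (users)'
```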

