Prerequisites for Application Management in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

This topic lists the prerequisites for application management in Microsoft System Center 2012 Configuration Manager. The prerequisites are categorized as either external dependencies or dependencies within Configuration Manager.

Dependencies External to Configuration Manager

The following table lists the external dependencies for application management.

Prerequisite

More information

IIS is required on the site system servers that run the Application Catalog website point, the Application Catalog web service point, the management point, and distribution point.

For more information about this requirement, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

For client computers that access the Application Catalog by using Internet Explorer 6 and HTTPS client connections:

  • Configure Internet Explorer 6 to disable the display of mixed content for the Internet zone.

Internet Explorer 6 incorrectly detects some areas of the Application Catalog to be unsecure and displays a security warning about mixed content. When this occurs, users might not be able to use the Application Catalog. Later versions of Internet Explorer do not display this message.

Configure Internet Explorer 6 by using the following steps:

  1. In Internet Explorer 6, click Tools, click Internet Options, click the Security tab, select the Internet zone, and then click Custom Level.

  2. Locate Display mixed content and click Disable.

For mobile devices that are enrolled by Configuration Manager:

  • If you use Active Directory Certificate Services to code sign applications for mobile device applications, do not use a version 3 certificate template.

When you code sign applications in order to deploy them to mobile devices, do not use a certificate that was generated by using a version 3 template (Windows Server 2008, Enterprise Edition). This certificate template creates a certificate that is not compatible with Configuration Manager applications for mobile devices.

To deploy applications to Symbian Bell mobile devices:

  • The Nokia Symbian Installation Source (SIS) file must conform to the OS v9.x SIS file format specification.

If you deploy .SIS/.SISX files to a Nokia Symbian Belle mobile device that is enrolled by Configuration Manager, you must use a file format that conforms to the OS v9.x SIS file format specification.

Clients must be configured to audit logon events if you want to automatically create user device affinities.

Configuration Manager reads the following two settings from the local security policy on client computers to determine automatic user device affinities:

  • Audit account logon events

  • Audit logon events

To automatically create relationships between users and devices, make sure that these two settings are enabled on client computers. You can use Windows Group Policy to configure these settings.

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for application management.

Prerequisite

More information

Management point

Clients will contact a management point to download client policy, to locate content, and to connect to the Application Catalog.

Important

If clients cannot access a management point, they cannot use the Application Catalog.

Distribution point

Before applications can be deployed to clients, you must have at least one distribution point in the hierarchy. By default, the site server has a distribution point site role enabled during a standard installation. The number and location of distribution points will vary according to the specific requirements of your enterprise.

For more information about how to install distribution points and manage content, see Configuring Content Management in Configuration Manager.

Client settings

Many client settings control how applications are installed on the client and the end user experience on the client. These client settings include the following:

  • Computer Agent

  • Computer Restart

  • Software Deployment

  • User and Device Affinity

For more information about these client settings, see About Client Settings in Configuration Manager.

For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager.

For the Application Catalog:

  • Discovered user accounts

Users must first be discovered by Configuration Manager before they can view and request applications from the Application Catalog. For more information, see the Configure Active Directory Discovery for Computers, Users, or Groups section in the Configuring Discovery in Configuration Manager topic.

App-V 4.6 SP1 or later client to run virtual applications

To be able to successfully create virtual applications in Configuration Manager, client computers must have the App-V 4.6 SP1 or later client installed.

You must also update the App-V client with the hotfix described in the Knowledge Base article 2645225 before you can successfully deploy virtual applications.

Application Catalog web service point

The Application Catalog web service point is a site system role that provides information about available software from the Software Library to the Application Catalog website.

For information about how to configure this site system role, see Configuring the Application Catalog and Software Center in Configuration Manager.

Application Catalog website point

The Application Catalog website point is a site system role that provides users with a list of available software.

For information about how to configure this site system role, see Configuring the Application Catalog and Software Center in Configuration Manager.

Reporting services point

To be able to use the reports in Configuration Manager for application management, you must first install and configure a reporting services point.

For more information, see Configuring Reporting in Configuration Manager.

Security permissions for application management

You must have the following security permissions to manage applications.

To create, modify and retire applications:

  • AlertsCreate, Delete, Modify, Modify Report, Read, Run Report.

  • ApplicationApprove, Create, Delete, Modify, Modify Folder, Move Object, Read, Run Report, Set Security Scope.

  • BoundariesRead.

  • Boundary GroupRead.

  • CollectionModify Client Status Alert, Read, Read Resource.

  • Distribution PointCopy to Distribution Point, Read.

  • Distribution Point GroupCopy to Distribution Point, Read.

  • Global ConditionRead.

  • PackageCreate, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report, Set Security Scope.

  • SiteRead.

The Application Author security role includes the preceding listed permissions that are required to create, modify and retire applications in Configuration Manager.

To deploy applications:

  • AlertsCreate, Delete, Modify, Modify Report, Read, Run Report.

  • ApplicationRead, Run Report.

  • BoundariesRead.

  • Boundary GroupRead.

  • Client Agent SettingRead.

  • CollectionDeploy Applications, Deploy Client Settings, Deploy Packages, Modify Client Status Alert, Read, Read Resource.

  • Deployment TemplatesRead.

  • Distribution PointRead.

  • Distribution Point GroupRead, Create Association to Collection.

  • Global ConditionRead.

  • Mobile Device Enrollment ProfilesRead.

  • PackageRead, Run Report.

  • QueryRead.

  • SiteRead.

  • Status MessagesRead.

  • User Device AffinitiesRead, Run Report.

The Application Deployment Manager security role includes the preceding listed permissions that are required to deploy applications in Configuration Manager.

The Application Administrator security role contains all of the permissions from both the Application Author and the Application Deployment Manager security roles.

For more information, see Configure Role-Based Administration in the Configuring Security for Configuration Manager topic.