Advise on which User / Computer Relationship

We are using App Portal 2018 R1 which is integrated with SCCM CAS & we have set User / Computer relationship to Use SCCM Last Logon. 
  
But we have VDI’s where the Hostname is dynamic & SCCM client is not deployed. So kindly let us know an alternate way to enable the users of such VDI’s to create requests in App Portal.

(Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".)
(1) Solution

You don’t need a user/device relationship to request software for a device.  A user/device relationship simply allows you to request software for one of your assigned devices even when you’re not logging in from that device.  If you log in to App Portal from a device where you don’t have a user/device relationship (assuming the device name can be detected using Web Extensions/ActiveX/reverse DNS/etc.), you can still request software for that device, as long as the device is known to App Portal through the user/computer sync process.  That said, I see a couple potential issues in this case as you’ve described it:

  1. If the VDI’s are non-persistent, there is a good chance that SCCM has not discovered them, and therefore the device would not be “known” to App Portal via the user/computer sync process.  This would prevent you from requesting any software catalog items for that device, because software catalog items can only be requested for known devices (the checkout wizard asks you to select both the target device and the target user).  You can get around this by using general catalog items, as that only requires a known user and not a known device.
  2. You stated that the devices don’t have SCCM clients, but you can only request software catalog items for devices that are managed by a deployment system.  App Portal does not distribute software; it only gives instructions to a deployment system to deliver software.  In this case, if they are using Citrix for VDI, the most common way to use App Portal is with a general catalog item that places the target user into an AD security group.  That AD security group would then be used with a Citrix Delivery Group to make that published application available to that user on any VDI they log into.

 

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".


(4) Replies


It appears to me that the AppPortal is limited in not being able to perform an uninstall for Citrix delivered software based on usage. I can see how using General Catalog items works for adding software to App-V and XenApp delivered Apps and that is working really well with AppPortal, but our customer is looking to automate license harvesting based on usage and for VDI machines it appears AppPortal will require massive customization.

General catalog items, by definition, are used for things that don't have an installable payload.  If there is no install, then there also is no uninstall.  Reclamation, by definition, requires an uninstall operation.  Therefore, general catalog items are not eligible for reclamation.

There is a workaround for manual uninstall of a general catalog item, but it isn't necessarily intuitive to the user (would require user education).  You can enable the option for users to cancel a request after successful completion.  Then you can link a command script action to the On Cancel event of that catalog item that runs a script to remove the user from the AD group being used for Citrix entitlement of that application.  When a user wants to uninstall the Citrix app, they can go into My Requests and select the Cancel action, which will then trigger the script to remove them from the entitlement group.

You could possibly extend that functionality to reclamation-like capability through a custom script run as a Windows scheduled task on the App Portal server.  Your script would first need to get a list of users that haven't used the software in your designated threshold period (not sure where to get that list unless FNMS is already getting usage data from Citrix or if there is a way to query that information directly from Citrix).  Once you have the list of users, the script could query App Portal to see if those users have an active request for that catalog item (SELECT RequestID FROM WD_PackageRequests WHERE Deleted=0 and UniqueUserName=<Domain\User>).  Now that you have the list of RequestID's for those users that haven't used the software, your script can call the Cancel API to cancel those requests, which will run the associated On Cancel action, which in turn will remove the user from the Citrix entitlement group in AD (previously created/associated by you).

There might be some other ways to trick the system into using the actual reclamation feature, but I'd have to give that more thought (it's probably more convoluted than the workaround described above).

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".
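
The scheduled-task sweep described in the reply above, written in PowerShell as an added example (not code from the thread or from Flexera). `$ConnectionString`, `$InactiveUsers`, `$MaxCancels` and the `$CancelRequest` script block that wraps the Cancel API call are assumptions, since the thread gives no endpoint or usage source; the query is the one posted, with the user name bound as a parameter.

```powershell
# Added example. Assumed names: $ConnectionString, $InactiveUsers, $MaxCancels, $CancelRequest.
function Get-ActiveRequestId {
    param(
        [Parameter(Mandatory)][System.Data.SqlClient.SqlConnection]$Connection,
        [Parameter(Mandatory)][string]$UniqueUserName
    )
    $cmd = $Connection.CreateCommand()
    # Query from the thread, with the user bound as a parameter rather than concatenated,
    # so a name such as CORP\o'brien cannot change the statement.
    # As posted it filters by user only: add your catalog-item predicate before use,
    # otherwise every active request the user holds is returned.
    $cmd.CommandText = 'SELECT RequestID FROM WD_PackageRequests ' +
                       'WHERE Deleted = 0 AND UniqueUserName = @user'
    [void]$cmd.Parameters.Add('@user', [System.Data.SqlDbType]::NVarChar, 256)
    $cmd.Parameters['@user'].Value = $UniqueUserName
    $reader = $cmd.ExecuteReader()
    try { while ($reader.Read()) { $reader['RequestID'] } }
    finally { $reader.Dispose(); $cmd.Dispose() }
}

function Invoke-EntitlementSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][string[]]$InactiveUsers,    # DOMAIN\user values from your usage source
        [Parameter(Mandatory)][scriptblock]$CancelRequest, # caller-supplied wrapper around the Cancel API
        [int]$MaxCancels = 25                              # stops a bad usage feed from mass-revoking access
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $pending = @(foreach ($u in ($InactiveUsers | Sort-Object -Unique)) {
            foreach ($id in (Get-ActiveRequestId -Connection $conn -UniqueUserName $u)) {
                [pscustomobject]@{ User = $u; RequestID = $id }
            }
        })
    } finally { $conn.Dispose() }

    if ($pending.Count -gt $MaxCancels) {
        throw "Refusing to cancel $($pending.Count) requests (limit $MaxCancels); check the usage list."
    }
    foreach ($r in $pending) {
        # -WhatIf gives a dry run; each real cancel is logged for the audit trail.
        if ($PSCmdlet.ShouldProcess("request $($r.RequestID) for $($r.User)", 'Cancel')) {
            & $CancelRequest $r.RequestID
            Write-Output "$(Get-Date -Format o) cancelled $($r.RequestID) for $($r.User)"
        }
    }
}
```

Run it with `-WhatIf` first and review the listed requests; the account behind the scheduled task needs only read access to `WD_PackageRequests` plus whatever the Cancel call requires.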
Jim, that is so much more logical and concise than the harebrained idea I was coming up with. We will give it a go in our lab and report back a status in case anyone ever needs something like this again.