
App Portal User Discovery (SCCM)

We are currently working with a customer on an App Portal implementation. We are configuring App Portal to discover User and Computer information. The computer information is coming across without any issue. The user info appears to require additional attributes to be discovered with SCCM in order for the data to sync properly. 

Is there an official piece of documentation that states what AD attributes must be discovered with SCCM to use AppPortal's out of the box user data sync?

Also, based on this document, it appears that you can limit your data sync. Is there already a stock query to use if you do not want to include the added attributes into your SCCM discovery?

(1) Solution

Take a look at APT13 on this page in the App Portal Installation Guide.  This lists all the attributes that need to be enabled in AD User Discovery for the sync process to work (the same list of attributes is also on the page you linked in your post).  There is also a PowerShell script provided if you prefer that over manually editing the attributes in the ConfigMgr console.  In addition to adding the attributes to the configuration, you'll need to ensure there is at least one user with each attribute populated (it can be a combination of users or a single user, but on aggregate, all attributes must have at least one record populated), and then run a full discovery cycle.  This will cause ConfigMgr to extend the discovery schema in the site database (but only attributes with data will be added to the schema).  We normally suggest just ensuring that every attribute is filled out for the App Portal service account.

Note: SCCM 2012 and older versions of ConfigMgr current branch will add a "0" (zero) on the end of the column names, which is what App Portal expects with the default user query.  However, newer versions of ConfigMgr current branch (I think the change was in build 1810?) will no longer add the "0" on the end of the column names, which will break the default sync and will require a custom user sync query.

The default user sync queries are listed in the Admin Guide on the page you linked in your post (you can also find them in the datasync.log on your App Portal server, though you may only see them if you have verbose logging enabled).  You'll notice the "0" on the end of several column names in those queries.  If your sync is failing because the version of ConfigMgr you're using doesn't put the "0" on the column name, you can take the default query and remove the "0" from the appropriate column names and use that as your custom user sync query.  The best way to ensure you have the right column names is to look at the v_R_User view in the SCCM site database.

Note: The custom query is primarily intended for adding other attributes you might want to capture that aren't part of the default (e.g. cost center) or for getting data from a system other than one of the supported deployment systems.  While there may be some attributes you don't really need (e.g. you may decide that title0 isn't needed for reporting or visibility conditions or workflow conditions, etc.), I don't recommend removing them from the custom query.  Instead, just fill that out for the service account and those values will be blank for all other users where it isn't populated.  Alternatively, you could just hard-code a value to be used for all users (disclaimer: the following examples are just portions of a larger query and not complete queries)

Instead of:
SELECT title0 as Title
use:
SELECT '' as Title

or instead of:
SELECT company0 as Company
use:
SELECT 'Acme Inc' as Company

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".
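
The v_R_User check suggested in the answer above, written as one metadata query. This is an added example, not part of the original post or Flexera's documentation. The base names are the v_R_User columns used in the queries quoted in this thread with the trailing "0" removed, and it assumes you run it in the ConfigMgr site database with an account that can read view metadata.

```sql
-- Added example: read-only metadata query, run in the ConfigMgr site database.
-- For each attribute the user sync query reads from v_R_User, report whether
-- the view exposes it with the "0" suffix, without it, or not at all.
WITH expected (BaseName) AS (
    SELECT v.BaseName
    FROM (VALUES
        ('givenName'), ('sn'), ('DisplayName'), ('Network_Operating_System'),
        ('physicalDeliveryOfficeNam'), ('l'), ('postalCode'), ('title'),
        ('User_Name'), ('mail'), ('manager'), ('distinguished_Name'),
        ('Full_User_Name'), ('Name'), ('Unique_User_Name'),
        ('Windows_NT_Domain'), ('company')
    ) AS v (BaseName)
)
SELECT
    e.BaseName,
    s.COLUMN_NAME AS WithZeroSuffix,   -- name the default query expects
    p.COLUMN_NAME AS WithoutSuffix,    -- name to use in a custom query
    CASE
        WHEN s.COLUMN_NAME IS NOT NULL
            THEN 'present with 0: default query name works'
        WHEN p.COLUMN_NAME IS NOT NULL
            THEN 'present without 0: use this name in a custom query'
        ELSE 'missing: attribute not discovered or not populated for any user'
    END AS Finding
FROM expected AS e
LEFT JOIN INFORMATION_SCHEMA.COLUMNS AS s
       ON s.TABLE_NAME = 'v_R_User'
      AND s.COLUMN_NAME = e.BaseName + '0'
LEFT JOIN INFORMATION_SCHEMA.COLUMNS AS p
       ON p.TABLE_NAME = 'v_R_User'
      AND p.COLUMN_NAME = e.BaseName
ORDER BY Finding, e.BaseName;
```

Rows reported as missing point back to the discovery step: enable the attribute, populate it for at least one user, and run a full discovery cycle before re-checking.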


(3) Replies
CharlesW
Level 12 Flexeran

Look at the section titled "Active Directory User Discovery" in the install guide. This will list the attributes that you need to extend. I'd feel better suggesting that you extend all attributes in the list... With that being said, some are not strictly necessary, so you could always use a custom query so that they would not be required. For example, if you did not want to extend department, you could modify the user sync query to be as follows:

SELECT DISTINCT
    givenName0 AS FirstName, sn0 AS LastName, DisplayName0 AS DisplayName,
    Network_Operating_System0 AS OS, physicalDeliveryOfficeNam0 AS Office,
    l0 AS City, vru.postalCode0 AS PostalCode, NULL AS Department, NULL AS Title,
    User_Name0 AS UserName, mail0 AS Email, manager0 AS Manager, vru.ResourceID AS UserResourceID,
    distinguished_Name0 AS ADSPath, Full_User_Name0 AS FullName, Name0 AS Name, Unique_User_Name0 AS UniqueName,
    Windows_NT_Domain0 AS UserDomain, company0 AS Company, ra.User_OU_Name0 AS UserOU
FROM v_R_User AS vru
LEFT JOIN v_RA_User_UserOUName ra ON ra.ResourceID = vru.ResourceID

Note the "NULL AS Department, NULL AS Title" in the query. This would allow you to not extend the title and department attributes.

Jim's answers are always so much better than mine 🙂