ganeshbaker79
Level 2

How to restrict access for contractors


I would like to know if we are able to restrict access for a set of users or contractors accessing the App Portal on their machines. In my case, my contractor is able to access the App Portal and place a software request on his non-company computer, which is not the way it should be.

2 Solutions
rmiller1
Level 6 Flexeran

Hi Ganesh,

I'm assuming that the user is authenticating with AppBroker as defined here:
https://docs.flexera.com/appportal/2021r1/ag/Content/helplibrary/AP_Settings_SSO.htm?Highlight=authentication

If the device is a non-work device and receives a software package, then it may not be of concern in licensing terms, for your company. If it is a package that contains data that should not be outside of the company, then this is not the case.

In this case, I believe you can use Catalog Security:
https://docs.flexera.com/appportal/2021r1/ag/Content/helplibrary/APR_CatSecurity.htm

to ensure that the device / user must be an AD member or in an AD group before AppBroker will authorise a deployment.

Please review the documentation in the links above.

R.Miller

0 Kudos
jdempsey
Moderator

First, please note that App Portal doesn't deploy software.  SCCM (or another deployment system) deploys the software to computers.  If the contractor's computer is not managed by your deployment system, it should not even show up in App Portal, but even if it did, App Portal would not allow you to select that non-managed device as a target for the software request.  And even if it got through that part of the checkout somehow, the deployment system would never be able to deploy software to it.  Is this a request for a general catalog item rather than a software catalog item?  If so, then the request isn't tied to a specific device, only to the user, and it wouldn't deploy software (unless you've configured some sort of custom actions on the catalog item).  In short, no matter where a user requests software from, they cannot request a software catalog item to be deployed to a device that isn't managed by your deployment system.

Having said that, I'll point out a couple related features that you may be interested in configuring:

  • First, under Site Management > Settings > Web Site > Catalog Behavior, there is a setting called "Allow users to request to SCCM primary devices".  If you enable that setting, a user can request software for any device they are associated with in the deployment system, even if that's not the device they are currently shopping from.  If you disable that setting, they will only be able to request software for the device they are currently shopping from (and that won't work if the device is not managed by your deployment system).
  • Second, if there are specific users that you don't want to be able to request software using App Portal at all (e.g. contractors that don't have company-provided computers), you can use Catalog Security to ensure they don't have the Browse Catalog permission.  Make sure you haven't included any broad groups (e.g. Domain Users) that may include those restricted users.

Edit: Oops, just realized Bob already mentioned the Catalog Security option.  Sorry, Bob.

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".

0 Kudos
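
The broad-group caveat in the reply above can be checked offline before changing Catalog Security. The following is an added example, not part of the thread and not Flexera code: it resolves nested membership for the groups that hold the Browse Catalog permission and reports which restricted accounts still inherit it, and through which nesting path. It assumes the permission is granted to AD groups and that direct group membership has been exported from the directory; every group and user name is constructed.

```python
from collections import deque

# Constructed sample data (not from the thread): direct members of each AD
# group, as exported from the directory. All names are hypothetical.
GROUP_MEMBERS = {
    "AppPortal-Shoppers": ["Employees", "Project-Falcon"],
    "Employees": ["alice", "bob"],
    "Project-Falcon": ["bob", "Falcon-Vendors"],
    "Falcon-Vendors": ["c-ganesh", "Project-Falcon"],  # nesting loop on purpose
    "Domain Users": ["alice", "bob", "c-ganesh", "c-maria"],
    "Contractors": ["c-ganesh", "c-maria"],
}

def effective_members(group, members=GROUP_MEMBERS):
    """Return {user: [groups from `group` down to the user's direct group]}."""
    found, seen = {}, {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in members.get(current, []):
            if member in members:              # member is itself a group
                if member not in seen:         # guard against membership loops
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:
                found.setdefault(member, path)  # breadth-first: shortest path wins
    return found

def restricted_with_access(granted_groups, restricted_group, members=GROUP_MEMBERS):
    """Map each restricted user to the grant paths that give them Browse Catalog."""
    restricted = set(effective_members(restricted_group, members))
    report = {}
    for granted in granted_groups:
        for user, path in effective_members(granted, members).items():
            if user in restricted:
                report.setdefault(user, []).append(" > ".join(path))
    return report

if __name__ == "__main__":
    # Hypothetical grant list: the groups given Browse Catalog in Catalog Security.
    granted = ["AppPortal-Shoppers", "Domain Users"]
    for user, paths in sorted(restricted_with_access(granted, "Contractors").items()):
        print(user, "inherits Browse Catalog via:", "; ".join(paths))
```

An empty report means no account in the restricted group reaches the permission through any listed grant; a non-empty one names the group to remove or re-scope.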