SCCM App Catalog won’t install applications if started as user other than the one logged in

Tags: configuration-management, sccm, sccm-2012-r2, windows 7

We have been playing around with SCCM's Application Catalog and have come across an interesting quirk. My manager has directed me to implement the catalog so that software that falls somewhere between the "one-off install" and "needed by the entire workgroup" points on the spectrum of how many people need it should be published to the Application Catalog. Our help desk technicians can use the App Catalog to deploy these kinds of software to select users that need it as the situation warrants.

We practice account separation; for example, our help desk rockstar Emmet Brickowski has two Active Directory user accounts. His regular unprivileged account, CONTOSO\ebrickowski, he should be using for all his regular work, and when a UAC prompt rears its ugly head he has a privileged account (CONTOSO\ebrickowski-adm) that is a member of BUILTIN\Administrators on all our workstations.

When Joe User calls the help desk, Emmet remotes in or physically goes to help the user (our culture is big on face-to-face customer time), logs into the App Catalog with his privileged CONTOSO\ebrickowski-adm and sees a plethora of software that he can install in a standardized method for our user.

Except when Emmet presses the Install button he gets this:

[Image: App Catalog Error]

Now I cannot find anything in the client-side logs for what happened. Nothing in the AppIntentEval.log, AppDiscovery.log, or AppEnforce.log logs, and the ConfigMgrSoftwareCatalog.log, which is supposed to record the Application Catalog action, does not exist.

If we deploy an application to a User Collection containing our regular users and they use the same account they are logged in to Windows as to log into the Application Catalog, the same application that previously failed installs. This leads me to believe that you cannot use a separate account for the App Catalog as the current Windows session. Which is kind of a bummer.

  • Can anyone verify that you are required to use the same account to access the Application Catalog as you are currently using in your Windows session?
  • What logs if any should I look into to investigate further?
  • Is there another or better way to accomplish our desired goal of using the Application Catalog as a technician accessed software store?

Best Answer

This is by design: only users logged into the computer can install apps via the app catalog. Trying to "fake out" the app catalog by logging into it with a different Id won't work.

The proper way to go about this is to either advertise the programs to all users, or, since that could get messy, have your Rockstar techs log into the computer with their admin account, either in person or remotely with the new SCCM RC. The new one lets techs access the login screen whereas the old one didn't.

Note: you're slightly going against the grain of what MS is trying to accomplish with the app catalog, it's intended for users to install the apps they need, to minimize helpdesk work in a way, so with a little permission finesse you should be able to avoid disasters, but I completely get why you wanna do it this way, I just wanted to mention this so you're aware of why this is a pain.