Publish the Cireson Configuration Manager Portal with Azure AD Application Proxy

Cireson will soon be releasing a new web-based portal for System Center Configuration Manager, http://go.cireson.com/cireson-portal-for-configmgr. This makes it possible to access a lot of Configuration Manager functionality from anywhere with a web browser. The Cireson Portal for Configuration Manager must be installed locally, either on the Configuration Manager server or on a server close to the Configuration Manager server and database.

This makes it an ideal candidate for Azure AD Application Proxy publishing, as we can make it available as an Azure AD App with all the features and possibilities that this gives, including:

  • Azure AD Preauthentication and Single Sign-On to the Portal
  • Assigning Users and Groups
  • Conditional Access
  • Easy access via the users' Access Panel or the Office 365 App Launcher

We will look into all this in a two-part blog post! This will also be a good opportunity to use the new management experience for the preview of Azure Active Directory management in the Azure Portal, https://portal.azure.com.

Part 1: Publish the Cireson Configuration Manager Portal with Azure AD Application Proxy
Part 2: Conditional Access and Self Service for the published Configuration Manager Portal Application (link when available)

Enable Azure AD Application Proxy

If you want to publish applications with Azure AD Application Proxy, there are some requirements:

  • You need an Azure AD tenant configured with licenses for Azure AD Premium P1 or the EMS E3 Suite. Actually, Azure AD Basic licenses are enough for AAD App Proxy, but if you want to configure Conditional Access you will need at least Premium P1. More on that later.
  • If you want to enable SSO for your internal users you have to synchronize those users via Azure AD Connect.
  • You have to enable Azure AD Application Proxy for your AAD tenant directory, and download and install one or more Application Proxy Connectors.

The diagram below shows the communication flow: the user launches the published application, authenticates to Azure AD, and then accesses the web-based portal via the Application Proxy Connector installed internally. Single Sign-On is achieved by the Application Proxy Connector authenticating on behalf of the user via Kerberos Constrained Delegation.

So the first step is to go to the Azure Portal, and open the Azure Active Directory blade, which at the moment is in preview. From there go to the Application Proxy section and make sure that the Application Proxy is enabled as shown below:

In the image above we also see that there are already some Azure AD App Proxy Connectors installed and active. They are also configured in two different groups, and these groups are used later when we publish the application. At the top of the blade, you can download a new Connector installation file.

Download and install Application Proxy Connector

The Application Proxy Connector must be installed on a server that can reach the internal web portal server. In this case I want to install the Connector locally on the Configuration Manager server that also hosts the Cireson Portal for Configuration Manager. I could have used one of my existing connectors, but they are installed respectively in an Azure VM environment and on a separate network from our Configuration Manager environment.

Following the download link from above, I download and start the Application Proxy Connector installation on my SCCM server.

During installation you must provide a Global Administrator account:

After finishing the installation of the connector, we will see the new connector with the server name in the portal.

We can now create a group, and place the newly installed connector in that group:

Publish the Configuration Manager Portal App

To start publishing the Configuration Manager Portal Application, go to Enterprise Applications and select Add, and from the Add your own app section select to add an “On-premises application”:

Next, specify the Name of the Application and the Internal Url. In this case I have installed it internally as http://configmgrportal. For External Url, you have a choice of alias and domain. By default the alias will be the Application Name without spaces, appended with -<tenant name>.msappproxy.net.

You can change the domain to one of your verified domains, which I have done here together with changing the alias, so that the External Url now will be https://configmgrportal.skill.no. By the way, you have to upload an SSL certificate if you want to use your own domain, either a wildcard certificate or a certificate with the appropriate FQDN. We will look at that later.

Note that I need to add a CNAME entry at my DNS provider as stated in the info box above. I will do that right now before I proceed.

I set Pre Authentication to Azure Active Directory, as I want everyone accessing the External Url to be a valid Azure AD user from my tenant. I also select to translate URLs in headers, and select my previously configured App Proxy Connector Group.

Press Add to add the application to the directory. After that you are presented with a Quick start menu like below:

First I go to Properties, where you can optionally upload a logo (which I have done here). Note also that User assignment required is set to Yes, meaning that no user can access the published application until I have added users or groups to it.

After saving I go to users and groups, and add some users to test the published application:

These users will now be able to launch the published application, but we have some more configuration to do first. As I want Single Sign-On configured for this application, I configure the following Single Sign-On settings. I set the mode to Integrated Windows Authentication, meaning that the App Proxy Connector will impersonate any Azure AD authenticated user to the on-premises application via Kerberos constrained delegation.

I also need to specify an internal SPN for the application, which will be HTTP/<fqdn-of-server>, where the server is the one on which the internal web application is installed. I will also specify the delegated login identity, which in most cases will work fine as user principal name for synchronized, federated users.

After configuring Single Sign-On settings, and if you elected to use your own domain name, you need to upload or specify an existing SSL certificate. Go back to Application Proxy settings and click to view or change certificate settings:

After saving this configuration, the required portal configuration for the application is complete. Optionally we can also configure self service and conditional access; we will get back to that in part 2 of this blog post.

That leaves only one more step: configuring Kerberos delegation for the App Proxy Connector server. In your on-premises Active Directory, find the computer object for the server you installed the App Proxy Connector on, go to Delegation, select to trust this computer for delegation to specified services only, and for Kerberos only add the computer name and the http service for the server where the internal web application is installed. This should be the same as the internal SPN you configured in the portal earlier for Windows integrated authentication.
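The SPN and delegation configuration from the two steps above can also be done and, more importantly, verified from PowerShell with the ActiveDirectory module. The script below is an added example and not part of the original post; the computer names, the FQDN and the choice of which account holds the HTTP SPN are assumptions that you replace with your own. It checks that the internal SPN actually exists, scopes the connector's delegation to that single service, and then reads the result back so you can confirm the connector cannot delegate more widely than intended.

```powershell
# Added example (not from the original post): configure and verify Kerberos constrained
# delegation for the App Proxy Connector computer account. All names are assumptions.
Import-Module ActiveDirectory

$ConnectorComputer = 'SCCM01'               # assumed: computer account of the App Proxy Connector server
$WebServerFqdn     = 'sccm01.corp.example'  # assumed: FQDN of the server hosting the internal web app
$WebServerAccount  = 'SCCM01'               # assumed: AD account holding the HTTP SPN (the computer account for IIS default identities)
$spn               = "HTTP/$WebServerFqdn"  # must match the Internal SPN entered in the portal
$allowed           = @($spn, "HTTP/$WebServerAccount")   # FQDN and short-name form, as the Delegation tab adds both

# 1. The internal SPN must exist on the account running the web application; without it the KDC
#    cannot issue a service ticket and SSO fails with a generic error at the App Proxy.
$target = Get-ADComputer -Identity $WebServerAccount -Properties ServicePrincipalName
if ($target.ServicePrincipalName -notcontains $spn) {
    throw "SPN $spn is not registered on $WebServerAccount. Register it before enabling delegation."
}

# 2. Constrained delegation: allow the connector account to delegate only to this HTTP service.
#    Populating msDS-AllowedToDelegateTo is what "Trust this computer for delegation to specified
#    services only" does. TrustedForDelegation is deliberately left alone: setting it would mean
#    unconstrained delegation to any service in the forest.
Set-ADComputer -Identity $ConnectorComputer -Add @{ 'msDS-AllowedToDelegateTo' = $allowed }

# 3. Read the delegation state back and check it is as narrow as intended.
$conn = Get-ADComputer -Identity $ConnectorComputer -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
$state = [pscustomobject]@{
    Computer            = $conn.Name
    Unconstrained       = [bool]$conn.TrustedForDelegation        # expected: False
    AnyAuthProtocol     = [bool]$conn.TrustedToAuthForDelegation  # mirrors the "Use Kerberos only" / "Use any authentication protocol" choice
    AllowedToDelegateTo = @($conn.'msDS-AllowedToDelegateTo')
}
$state
if ($state.Unconstrained) {
    Write-Warning "$($state.Computer) is trusted for unconstrained delegation; tighten it to the HTTP service only."
}
$extra = $state.AllowedToDelegateTo | Where-Object { $allowed -notcontains $_ }
if ($extra) {
    Write-Warning "Delegation is also allowed to: $($extra -join ', ')"
}

# 4. Domain-wide audit: list every account that may delegate, so the connector's entry can be
#    reviewed alongside any others. Useful as a periodic check after the setup is done.
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, ObjectClass, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Run it as a user with rights to modify the connector's computer object. Step 2 only adds entries, so running it twice is harmless; step 3 is the part worth keeping as a recurring check, because the only thing that should ever appear in the connector's msDS-AllowedToDelegateTo is the HTTP service of the portal server.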

Testing Single Sign-On

We can now test the application. Go to https://myapps.microsoft.com and log in with one of the assigned users. Among other published apps I will see the Configuration Manager Portal:

And if I launch it, I see that I can access the Configuration Manager Portal, and that I have been automatically signed in with my local AD user via Single Sign-On and Kerberos Constrained Delegation. I also see my URL, https://configmgrportal.skill.no, which I can access directly if I want, without going through the MyApps panel.

So now we have successfully published the Cireson Configuration Manager Portal with Azure AD Application Proxy, using SSO with Azure AD and User Assignment, so that only users that are pre-authenticated by Azure AD and assigned the application will have access to it.

Stay tuned for part 2 of this blog post, where we will configure Conditional Access using Azure MFA and Device Compliance, and what Self Service functionality we have.

Creating a Console Task for Cireson’s Remote Manage App in Service Manager

Cireson recently released a Remote Manage App for Configuration Manager, read more about it here: http://cireson.com/blog/remote-manage-app/. The App is even free, so go get your download.

As I am working a lot on Service Manager and customizations, I thought it would be useful to create a console task in the Service Manager Console for this Remote Manage App. I have previously been using a similar task for the built-in Remote Control functionality in Configuration Manager.

The first thing I verified was that the Remote Manage App from Cireson supports launching from command line and with parameters. How to do that is described in the above link where you would specify the command like this:

Installpath\ConfigMgrClientTools.exe <client> <smsprovider>

Actually, it is easy to create your own task in the Library section of the Service Manager Console using the built-in Wizard, but I will show the whole process from creating the XML Management Pack and the required contents in it to get the task up and running. This also lets me specify an Image for the task, which I cannot do if I use the wizard in the Console.

I will even leave the complete Management Pack for you to download and just import in your own environment. After all, Christmas is coming up!

Requirements

There are some requirements for this to work:

  1. You have to have the Remote Manage App installed on the same computer on which you are running the Service Manager Console.
  2. You will need permissions to connect to the Configuration Manager site as well as administrative permissions to the clients you will Remote Manage.

Management Pack

The content of my Management Pack is shown below, and I will comment on each section. First, I have the Manifest with the Identity, Version and Name of the Management Pack, and the required references with aliases. These references will be used later in the MP.

<ManagementPack ContentReadable="true" SchemaVersion="2.0" OriginalSchemaVersion="1.1" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <Manifest>
    <Identity>
      <ID>SkillSCSM.RemoteManageApp.ConsoleTask</ID>
      <Version>1.0.0.0</Version>
    </Identity>
    <Name>SkillSCSM Remote Manage App Console Task</Name>
    <References>
      <Reference Alias="EnterpriseManagement">
        <ID>Microsoft.EnterpriseManagement.ServiceManager.UI.Console</ID>
        <Version>7.5.3079.236</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
      <Reference Alias="CustomMicrosoft_Windows_Library">
        <ID>Microsoft.Windows.Library</ID>
        <Version>7.5.8501.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
      <Reference Alias="ConfigurationManagement">
        <ID>ServiceManager.ConfigurationManagement.Library</ID>
        <Version>7.5.3079.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
    </References>
  </Manifest>

The next section is the Categories. The first Category ID is for the MP itself. After that, I can have Categories where I can control where the Task will be shown. I have commented them out here, but two Categories are shown for how to hide the Task either from the Console Tasks section or from the Form Tasks section. Leaving it as shown here will show the task in both the Console and Form tasks.

  <Categories>
    <Category ID="Category.SkillSCSM.RemoteManageApp.ConsoleTask" Value="EnterpriseManagement!Microsoft.EnterpriseManagement.ServiceManager.ManagementPack">
      <ManagementPackName>SkillSCSM.RemoteManageApp.ConsoleTask</ManagementPackName>
      <ManagementPackVersion>1.0.0.0</ManagementPackVersion>
    </Category>
    <!-- Uncomment one of these to hide the task from the Console Tasks or the Form Tasks section (the alias must match the Console reference in the Manifest). -->
    <!-- <Category ID="Category.SkillSCSM.Hide.RemoteManageApp.FromConsole" Target="RemoteManageAppTask" Value="EnterpriseManagement!Microsoft.EnterpriseManagement.ServiceManager.UI.Console.DonotShowConsoleTask" /> -->
    <!-- <Category ID="Category.SkillSCSM.Hide.RemoteManageApp.FromForms" Target="RemoteManageAppTask" Value="EnterpriseManagement!Microsoft.EnterpriseManagement.ServiceManager.UI.Console.DonotShowFormTask" /> -->
  </Categories>

Following that is the Presentation section. This is where I define the actual Task and its Target. As you can see, I have targeted it to Windows Computers, meaning that the task will show up everywhere I select a Windows Computer either in a View or open the Windows Computer Form. I am running the task as a Command Line Task, and the Parameters are specified as arguments.

Important! Here you must verify that the Application path is the same as where the Remote Manage App is installed on the computer running the console.

The last argument is constructed from the variable where I choose to use the NetBIOS Computer Name as the client name. Here you can, if you like, replace that with the DNS FQDN or IP address or whatever fits your need. The second part of the argument specifies your SMS Provider Host; make sure you fill in your own server name there.

At the end of the Presentation section, I have included an Image Reference to the task, with an Image ID. This ID is later specified in the Resources section.

  <Presentation>
    <ConsoleTasks>
      <ConsoleTask ID="RemoteManageAppTask" Accessibility="Public" Enabled="true"
                   Target="CustomMicrosoft_Windows_Library!Microsoft.Windows.Computer" RequireOutput="false">
        <Assembly>EnterpriseManagement!SdkDataAccessAssembly</Assembly>
        <Handler>Microsoft.EnterpriseManagement.UI.SdkDataAccess.CommandLineHandler</Handler>
        <Parameters>
          <Argument Name="LoggingEnabled">False</Argument>
          <Argument Name="Application">C:\Program Files (x86)\Cireson\Remote Manage app\ConfigMgrClientTools.exe</Argument>
          <Argument Name="WorkingDirectory">%windir%\system32</Argument>
          <!-- Command line: <client name> <SMS Provider host>; replace YOURSMSPROVIDERHOST with your own server name -->
          <Argument Name="">$Context/Property[Type='CustomMicrosoft_Windows_Library!Microsoft.Windows.Computer']/NetbiosComputerName$ YOURSMSPROVIDERHOST</Argument>
        </Parameters>
      </ConsoleTask>
    </ConsoleTasks>
    <ImageReferences>
      <ImageReference ElementID="RemoteManageAppTask" ImageID="ImageRemoteManageApp" />
    </ImageReferences>
  </Presentation>

Following this we have the Language Packs section, where the string values for the different translations are available. Feel free to add your own language packs and strings here.

  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <DisplayStrings>
        <DisplayString ElementID="SkillSCSM.RemoteManageApp.ConsoleTask">
          <Name>SkillSCSM Remote Manage App Console Task</Name>
          <Description>Management Pack for Remote Manage App Console Task</Description>
        </DisplayString>
        <DisplayString ElementID="RemoteManageAppTask">
          <Name>Remote Manage Computer</Name>
        </DisplayString>
      </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>

And at last in the Management Pack, we have the Resources section where I specify the Image ID and the FileName. I have included a small 24×24 PNG file, which is similar to the icon Cireson uses for the Remote Manage App.

  <Resources>
    <Image ID="ImageRemoteManageApp" FileName="ConsoleTaskRemoteManageApp24x24.png"
           Accessibility="Public" HasNullStream="false" Comment="Remote Manage App Image" />
  </Resources>
</ManagementPack>

Importing the Management Pack

With the Management Pack now ready, the next step is to import it to Service Manager. There is one important thing though: since I chose to add an Image for my task, I will need to create a Management Pack Bundle file (.mpb) before I can import it. This can easily be done with some Service Manager PowerShell. These are the CmdLets I have been using:


# Import Module for Service Manager PowerShell CmdLets
$SMDIR    = (Get-ItemProperty 'hklm:/software/microsoft/System Center/2010/Service Manager/Setup').InstallDirectory
Set-Location -Path $SMDIR
If (!(Get-Module -Name "System.Center.Service.Manager")) { Import-Module ".\Powershell\System.Center.Service.Manager.psd1" }

# Change to Directory for MP files
$MPDIR = "C:\_Source\ServiceMgrAuthoring"
Set-Location -Path $MPDIR

# Set variables for MPB, MP and Resource files
$mpbPath = "SkillSCSM.RemoteManageApp.ConsoleTask.mpb"
$mp1 = "SkillSCSM.RemoteManageApp.ConsoleTask.xml"
$r1 = "ConsoleTaskRemoteManageApp24x24.png"

# Create the MP Bundle (the .mpb contains both the MP XML and the image resource)
New-SCSMManagementPackBundle -Name $mpbPath -ManagementPack $mp1 -Resource $r1 -Force
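Before creating the bundle it pays to check the Management Pack XML for the mistakes that otherwise only surface as an import error in the console: an alias used in the MP that is not declared in the Manifest, a resource file that is not next to the XML, an Application path that does not exist on the console computer, or the SMS Provider placeholder left in place. The script below is an added example; it is not part of the original post or of the downloadable solution. The directory and file names follow the post, and the checks assume the MP structure shown above.

```powershell
# Added example (not from the post or the download): pre-flight checks on the Management Pack
# XML before New-SCSMManagementPackBundle is run. Directory and file names are assumptions.
$MPDIR  = 'C:\_Source\ServiceMgrAuthoring'
$mpFile = Join-Path $MPDIR 'SkillSCSM.RemoteManageApp.ConsoleTask.xml'

[xml]$mp = Get-Content -Path $mpFile -Raw   # throws if the XML is not well-formed (e.g. unquoted attributes)
$problems = New-Object System.Collections.Generic.List[string]

# 1. Every "Alias!Element" used anywhere in the MP (including commented-out categories) must be
#    declared as <Reference Alias="..."> in the Manifest, or the import fails on an unknown alias.
$declared = @($mp.SelectNodes('/ManagementPack/Manifest/References/Reference') | ForEach-Object { $_.GetAttribute('Alias') })
$used     = [regex]::Matches($mp.OuterXml, '(?<![\w.])(\w+)!') | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
foreach ($alias in $used) {
    if ($declared -notcontains $alias) { $problems.Add("Alias '$alias!' is used but not declared in <References>.") }
}

# 2. The command-line task must point at an executable that exists on this (console) computer.
$arguments = $mp.SelectNodes('/ManagementPack/Presentation/ConsoleTasks/ConsoleTask/Parameters/Argument')
$app = $arguments | Where-Object { $_.GetAttribute('Name') -eq 'Application' }
if (-not $app -or -not (Test-Path -LiteralPath $app.InnerText)) {
    $problems.Add("Application path '$($app.InnerText)' was not found on this computer.")
}

# 3. The unnamed argument carries the command line; the SMS Provider placeholder must be replaced.
$cmdline = $arguments | Where-Object { $_.GetAttribute('Name') -eq '' }
if ($cmdline.InnerText -match 'YOURSMSPROVIDERHOST') {
    $problems.Add('YOURSMSPROVIDERHOST has not been replaced with the SMS Provider server name.')
}

# 4. Each <Image FileName="..."> resource must sit next to the MP, or the bundle is incomplete.
foreach ($img in $mp.SelectNodes('/ManagementPack/Resources/Image')) {
    $file = Join-Path $MPDIR $img.GetAttribute('FileName')
    if (-not (Test-Path -LiteralPath $file)) { $problems.Add("Resource file '$file' is missing.") }
}

# 5. The task and the MP itself should each have a display string, or the console shows raw IDs.
$taskId  = $mp.SelectSingleNode('/ManagementPack/Presentation/ConsoleTasks/ConsoleTask').GetAttribute('ID')
$mpId    = $mp.SelectSingleNode('/ManagementPack/Manifest/Identity/ID').InnerText
$strings = @($mp.SelectNodes('/ManagementPack/LanguagePacks/LanguagePack[@IsDefault="true"]/DisplayStrings/DisplayString') |
             ForEach-Object { $_.GetAttribute('ElementID') })
foreach ($id in @($taskId, $mpId)) {
    if ($strings -notcontains $id) { $problems.Add("No display string for '$id' in the default language pack.") }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the issues above before running New-SCSMManagementPackBundle.'
}
'Management Pack checks passed; ready to bundle.'
```

Run it on the same computer where you run the console and the bundle script, since check 2 tests the local Application path. The alias check is deliberately applied to the raw XML text rather than only to live elements, so a commented-out Category that uses an undeclared alias is caught before you uncomment it later.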

After the Management Pack Bundle has been created, import it to Service Manager under the Administration Pane and Management Packs Node.

Using the Remote Manage Console Task

Now that I have the Console Task imported to Service Manager, I can look up any Windows Computer I want to Remote Manage, for example by going to the Configuration Items pane and choosing the View for All Windows Computers. When I select a Computer Name I can see my Remote Manage Computer Task in the Console Tasks window on the right.

When clicking on the Task, the Remote Manage App is launched and immediately starts to connect to the selected computer (if it has permission and the firewall permits it).

Similarly, if I am working with an Incident Work Item and have added this user's computer as a related CI, I can also open the Computer Form and launch the Task from there.

Downloading the solution

As promised, I have made this solution freely downloadable; please click the link below to start downloading a Zip file consisting of:

  • SkillSCSM.RemoteManageApp.ConsoleTask.xml
  • ConsoleTaskRemoteManageApp24x24.png
  • CreateRemoteManageAppConsoleTaskMpbBundle.ps1

Download the Zip file from here: http://1drv.ms/1BIxW5G

Good luck and Happy Christmas!