3rd-Party Application Patching and Packaging in Configuration Manager and Intune at AppManagEvent

Captions
Okay, I think we will go ahead and get started. Um, first of all, thanks everybody for coming to our session. My name is Justin Chalfant, I'm the founder at Patch My PC. And, uh, I'm Adam Cook and I'm a support engineer at Patch My PC. Yeah, cool.

So, uh, we're going to be doing a demo of our product. So how many of you guys are using either Intune or Configuration Manager for your systems management? Cool, okay. Yeah, this would be a good session for you. If you're not using that, just, just to set expectations up front, our product does integrate with those two, so like if you're not using Intune or ConfigMgr you may not get a lot of value from this session. Um, okay, let's just jump right in.

So as far as the session that we're going to do here, we're really going to go through a demo of our product start to finish, show you how our software integrates in ConfigMgr and Intune for the process of packaging applications as well as updating third-party apps. So we'll show how we kind of, how those integrations run, right? So if you're setting this up for the first time, if you go to docs.patchmypc.com, this is where we have our installer as well as all our step-by-step guides. Um, one thing to call out is we do also have an option where you can do a setup call. Do you want to kind of cover what that looks like, Adam?

Yeah, so setup call is, um, something that I do every day. We get on a call with you and we help set up our product in your environment, and that's just a nice thing that we offer free of charge, just to make sure that it happens first time and smoothly. So that's one-on-one time with an engineer.

Yeah, and then in addition to that, like let's say you wanted to do another live demo like what we have here, maybe you have people from your team that couldn't make the conference, on our website you can also schedule a live demo, and you can add additional people right from the invite here, and then you'll get on with an engineer from our team like Adam to get, to get a demo. So first step, if you are using Config
Manager, as far as the requirements go, our product would get installed on the top-level software update point within your environment, which would be that WSUS server, and that's going to allow us to integrate into the WSUS APIs that you can use to publish third-party updates into the system that then flow into ConfigMgr. So what we've done is we went ahead and installed our publisher tool, and this is about five megabytes, so it's, it's a lightweight tool. This runs as a service. This is going to be where you can choose which third-party products that you want to either package or create updates for, uh, within ConfigMgr, and it's also the same tool that we use in Intune, which we'll be kind of demoing what that looks like.

So as far as the first step goes, uh, we do have a full 30-day trial, so if this demo looks interesting, if you go to our website you can go to request a trial, and that's going to give you full access to all products in our catalog and all features, and you can also get a setup or demo, like, free of charge during that phase as well, even before you're a customer.

Cool, so first thing that we're going to kind of jump into is, if you're using the third-party updates feature within ConfigMgr, you do need to have a code signing certificate. And what we've done is, in ConfigMgr 1806 current branch or newer, there's a built-in feature within the product where you can allow ConfigMgr to create that cert for you and automatically deploy it to your client. So we're basically just tying off of the certificate that's already being managed through Configuration Manager, and that's going to allow your clients to trust the updates, since they're non-Microsoft updates. So, um, just to keep things simple, like, we're using the, the built-in capability, and then when you install our tool you should see that certificate automatically populate here.

But just put emphasis there: if you're Intune only, the code signing certificate is not a requirement. This is purely for WSUS and the Windows Update Agent. Yeah.
Now, um, as far as the, probably the first step that you'll be looking at is, like, which products do you actually want to start publishing into your update system, right? So we do have a supported products page, so I'll kind of cover that. Like even if, before you go through and set up our product, if you just want to see kind of what we support today, you can come in here and you can kind of search our table, right? See all the Adobe products. You know, maybe you want to see if Java's here, so we can search Java, maybe some of the AdoptOpenJDKs, right? And you can kind of pull up, you know, what, what's currently in there. Now one thing that, that I will notice: let's say that there's a product that we don't have in the catalog today. Do you want to cover kind of what UserVoice looks like, Adam?

Yeah, absolutely. So here is very similar to the Microsoft UserVoice, where you submit feature requests for the publisher but also new applications that you want seen in our catalog. So we have like 550-plus products in our catalog, but, you know, maybe your business has software that you need or want and we don't yet have, and this is where we do that, raise the idea for that form. And this page that Justin's on now is actually our roadmap, and this kind of gives you a bit of insight onto how many products we are adding monthly to our catalog. On average it's been five to ten. It's been pretty strong over the last couple of months. We're very committed to growing it. But on patchmypc.com/roadmap you can see the new features and the new products we're adding to the catalogue and product every month.

Yeah. Now let's say that, you know, we have a list that's five, 600 or so products that we support today. Let's say that maybe you don't know what actually exists in your environment that you would want to publish. So before you even start enabling some products, we do have this feature where we can actually scan your existing ConfigMgr database and we can tell you, hey, what's, what's already out there. So in this scan wizard
tool that we have, uh, I've just populated our SQL... ZoomIt's not cooperating today. But we've just populated our database server and then our database name for our ConfigMgr database, and what we actually do is we'll look at the hardware inventory on your devices and tell you, of the products that are in our catalog, how many already exist in your environment, right? So we could do something like sort by maybe the count. Let's say that we wanted to filter out any products that, you know, it has to be on at least 10 or more machines. We could filter that out to say, hey, these are, these are the machines that have, uh, you know, this product installed on at least 10 different devices, right? So this can be a good way, like maybe if you're trialing our product, just trying to show management maybe value of, hey, you know, we have a hundred apps that, that are, that Patch My PC could help us package and update. This scan tool can be quite helpful for that. Um, we do also have an option, you want to look at the auto publishing?

Um, yeah, absolutely. So this is something that's really going to kind of cover all bases when you start using our, our software. So the idea here is that you can create a rule within this feature by automatically enabling products in our tool based on the number of devices that have that product installed in your environment. And that's going to cover you in scenarios where sometimes users just install software, they do, they can, or maybe the help desk do it for them and they shouldn't. And the most common scenario is, because we're adding new products every month, this is going to help you kind of stop doing that routine comparison of saying, hey, what's new in Patch My PC this month or quarter, and then going through and re-selecting these new products. So this would, you know, say we got here the, the, the criteria of 15, what would happen is that when you run a sync of our tool we'll run the same query, and anything where the device count is greater than 15 we'll just go ahead and
automatically enable that product and publish it. So in theory you could just set it and leave it alone.

Yeah, and I think that's one kind of thing to emphasize, is once you choose the products and potential customizations you want to apply for different applications and updates, you really don't come back into our tool. Everything is completely automated, and then you can get, like, alerts via Microsoft Teams or emails, like, as new products are updated, like, day to day. But once we set this up, really, you don't come back into our tool. It would either be through ConfigMgr that you're deploying the updates or apps, or through Intune, using the native functionality within that tool.

But one thing that we'll look at is, we're going to enable a couple products to show you how it works, but we'll look at some of the right-click customizations that we can apply, and we can do these customizations at different levels of our product tree. So for example, we could apply some settings at the all products level, things that are global, or we could apply them at specific product level or at the vendor level. So let's say that we wanted to go through all products, and let's say that we wanted to delete shortcuts for a product. We'll go ahead and choose delete here. So what that will do is, let's say that Google Chrome, when it installs, it puts a public desktop icon for all users. Let's say you didn't want that to happen, right? So in a single click at the all products level we could have that turn off. Do you want to talk about the self updates here, Adam?

Yeah, absolutely. So a lot of our software in our catalog, a lot of the software in our catalogue, has the opportunity to update itself. Some people are happy to roll with that, why not, it updates, it works. But other people like to operate in a controlled environment. So setting that option there, whether it's at the product level, globally, for any products that support it, we'll apply the application-specific settings so that the product itself doesn't update itself. So
Google Chrome sets a few registry keys just to stop Google Chrome kind of wildly updating. It just depends on your kind of need to control application versions.

And on the client side we'll look at this happening in real time, and within our log files you can see the specific reg values that we're setting for you on these different, uh, features. Um, logging, cover that one?

Oh yeah, sorry, yeah, absolutely. This is a no-brainer to set, my opinion, should be a default really. Um, so it will enable sort of verbose logging on the installers, and a key point here to make is that we are using the vendor's native media, so MSI, sorry, Google Chrome's MSI, or, you know, the original EXE for some other software. We're not repackaging. And so the benefit here is really, if the vendor's installer provides a verbose logging option, this is that, and it's the opportunity to choose on disk on the endpoint where those logs go. So these will really help you if the installation fails and you just need those log files to tell you what went wrong.

Yeah, so for example, you know, if, for those of you that do software packaging, probably have seen the 1603 error, generic error, right? That's not really all that helpful, but if you have a log file you can actually see, hey, this, this is the part in the installation that actually failed, right? So enabling that can be quite helpful.

Now what we're going to do here as well is look at the product level. So I just enabled a software update for Google Chrome 64-bit. Now once we get to the product level we have three other customizations that are product specific. So we can do pre or post scripts, we could add a custom command line, like a product key or license code, or really any custom command that you may want for a specific product, or if it's an MSI-based product you can just add a transform, directly browse out to it. Yeah, question? Yeah, absolutely. So what we're going to do for Chrome, actually, we'll look at a post-update script. So if I go ahead and click browse, these are the file types
that we can as the pre or post action within an app. So PowerShell, batch, VBScript, you can even add EXE or MSI as a pre or post action within this. So what we're going to do for this specific product is, um, I've got a PowerShell script that we've pre-created, and what this is going to basically do is set the Google Chrome home page just using a registry value, and it's going to set it to patchmypc.com. So just the basic PowerShell script, you can see the different values that we're setting. So anytime a Chrome update or application gets applied, we're going to make sure that's in a state that we want via post action here.

Yeah, I just want to make a quick point about additional files here as well. If your scripts need or want, uh, dependency on additional content, like DLLs or maybe just config files, in that additional files or folders section there you can bundle all that in, so it ultimately gets delivered locally to the client. All that extra content is local on the client at the time of, of install.

Exactly, yeah, exactly. Yeah, it could be like an INI settings file, maybe you have a script that caused that INI file to put in, like, Program Files to configure. Yeah, it could really be anything here.

There's a couple of points I want to make here real quick, Justin. Okay. Especially with the modified command line in the transformation file. Again, earlier I said that we are using the vendor's original media, so when you're looking to add custom command lines and MST files, you know, just check out the vendor's docs. You know, if you want to customize software, or if you currently package and customize software, you totally still can. And, you know, we are taking away the process from you of creating and looking for new versions, but you still have absolute control of applying your needs, your customizations.

Yeah, and if we were to right-click a product, or even at the all products level, we can see what, what we're doing by default if we click that show package info. So we can see things like what is the command
line that we're appending by default, we can see the download URL, and if you click the digest, it should show you the VirusTotal scan against the binary that we would be essentially packaging up for you.

All right, so next up what we're going to do is go ahead and enable Notepad++ 64-bit. Question? Yep. [Music]

I think I actually investigated that app about three months ago, and it is on our UserVoice. It's not in there right now. Yeah, um, I put a note in the use, in the request. Bloom... um, about why we couldn't do it. Can you search it? Double o, m at the end there, that's, that's the right spelling, isn't it? Yeah. Um, berg, b-e-r-g, I'm 90 sure. All together, Bloomberg, is that it? Yeah, just append berg. This is painful. Yeah, we'll follow up with that one. Um, but yeah, if you didn't see it at the start, on our website we have a list of supported products currently in our catalog, check that out. Yeah, and if it's not on the ideas page just make a new idea for it. Absolutely, for sure. Yeah, for sure, absolutely. Yeah.

All right, now Notepad. So what we're gonna do here is, uh, so Notepad specifically, if the application is open while the update's trying to apply, like the end user has the editor open, it will actually fail. So there's a feature where we can choose how do we want to handle apps that are currently open while an update's being applied, right? Um, so you want to look at some of these options out and maybe you can talk to somebody?

Yeah, absolutely. So if you just take the scenario Google Chrome, chrome.exe is running on the user's device. The default option is that we'll perform the installation. The other options: force close with no warning, skip the installation entirely if we detect the process of running, don't notify. The last bit is what we really want to talk about here, is provide a toast notification to the user, and, and that lights up all of this config, right? And then you can do things like set deferral policy, how many times you want the user to be able to snooze the installation, because it
will appear as a toast notification. Um, and the real, yes, this is really good point, the real importance of this feature is that there is some software that absolutely must be closed before you run the install, because the software becomes corrupt if it's open while it's installing, and we document the ones that we know that have that behavior. There's not many. Um, for the majority of cases it updates perfectly fine if the user has Google Chrome. Another scenario where you might want to actually do this, beside corruption, is to increase your patch success. You want to avoid pending reboots a lot of the time, you want to make sure you patch quickly. By closing open handles and files and processes you kind of ensure that there's no pending reboot, there's no delay. Um, so that's a nice feature. Another really nice feature, sorry, are you going to go from that question?

Yeah, yes. Yeah, so I'm excited for this because we just added this feature like last week, so before it was no but now it's a yes. So this is actually where the localization can happen, of, of how you want that to look, right? So let's say that we wanted to say our org name was App, you know, Manage Event, and, oh shoot, here we go. So this is where you can add additional languages. So by default everything used to be English, but we just added the ability to append to what the locale is running on the actual end user device. So we have the default wording, so we have our install, if you popped up for an uninstall I could choose the default, and then during an update I could add the default here, right? So this is kind of the default wording that we used by default, and then you could add multiple languages. So let's say that we wanted to add one for an additional language, you could go and customize it, and then you could use the different variables for your end user to show them how that would look. So for example if I, uh, preview, if I preview it, yeah, uh, oh, no default language, let me, let me try to save this. So this is what it will look like in
the current English version, right, when it shows up on the end user's machine, and you could have whichever languages that you want in there for the end user. A quick show of hands, how many people here support devices in multiple languages? Yeah, so this, this could really help you. Yeah, absolutely.

Yeah, I saw a hand at the back. Yeah, go for it. Yes. Yeah, yeah, so we're working both, both Intune and Config. Pretty much everything we've shown you so far has feature parity of our Intune integration. I don't understand the question, sorry. PSAppDeploy doesn't work in Intune, is that what you're saying? Okay, yeah, we definitely work in both. Yes. Yeah, yeah, yeah.

And there's different, there's different options we can do here, right? So let's say that they're in focus assist mode, we could choose to defer it on behalf of the user and not show that pop-up, right? And you can control, like, how many times could the end user defer the update, right? So we would be able to track, like, and give your end users a specific number of times if you wanted to, and then force it at the end of that, right? You can also choose what processes. So it depends. So, um, when, when the timeout is expired, um, so you, you have the ability to say close and update if it times out, if you choose this option, um, or you could choose to just keep deferring it if they don't address the message when that, when that five-minute timeout occurs. So it's configurable based on what you want to do.

Yeah, cool. So that's Notepad, that's Chrome. Any, any ones that were missing here before you look at the apps? Uh, no. Cool, they were good. Yeah, awesome. So what I'll do is I'm gonna just run a sync in the background just to get the updates going, because they usually take a few minutes longer. Um, so these two that we've enabled so far in the updates tab, these are going to correspond to the software updates in Config Manager, right? So, oh, ZoomIt's still not working. So these will kind of sync in and flow into our software updates. Now what we're going to look at next is
the ConfigMgr apps tab, which is going to allow us to actually package applications into Config Manager, so for the base installation, not just the patching of existing machines that have the app, right? So as far as the options go, maybe you could look at some of these core ones, Adam?

Yeah, absolutely. So source folder, um, you have a directory today that you use for your app sources, tell us, tell us where that is. SMS Provider connection, so if where you have the publisher installed is remote to your site server, just tell us where your provider is. But some of the really key important ones here that I think are really worth discussing, I think personally, are this check box here, probably real quick, code sign. So it's just quick shout-out to say that in our ConfigMgr apps the detection method is PowerShell, and if your devices have an execution policy set to AllSigned, check that box and we'll actually just use the same code signing certificate from the beginning in the general tab to sign those scripts.

Yeah, and when a new application update is available, so this, this is really good. So the default behavior, if you take the scenario where if we create the app now, Google Chrome 88, it's an old version, and you synchronize tomorrow or next week and it's 89 or 90. With this default option we will rename that existing object in ConfigMgr to be 89 or 90.
We will update the content, we'll update the detection method, so it will persistently be the same object in ConfigMgr. We will not delete it, tear it down, it will be the same, we'll just rename it. And the benefit there is that if you use that app in your task sequences, or if it had any deployments, those relationships will remain. So you will find that your devices, whenever you provision Windows in your task sequence, they'll be installing the latest version of whatever product you've chosen. Whereas the inverse of that, create a new app without modifying any previous applications, that is creating a whole new object, a whole new application, for each time we create a new version. Um, so then you have to manually redeploy, manually re-add it into the task sequence. That's just if you want that extra kind of care and control.

Yeah, and retain, retained, real quick. So you can say how many previous versions of an app you want to keep. That's going to help you in rollback if you want to roll back, because we populate the uninstall string in mostly all of our apps. And then lastly, content distribution: by default we'll distribute to all DPs, but you can specify a DP group.

Yeah, and similar concepts here. So on the right clicks we will have some additional options that are specific to ConfigMgr apps that aren't relevant to updates. So for example, some of them are the same, right? So let's say I want to delete shortcuts, let's say that I want to enable logging during the base installation of the app, and let's say that I want to disable the updates, right? So they would apply for updates and applications. But there's also ones that are specific to apps. So let's say that maybe you wanted to set a specific security scope so that only certain admins could see applications created by Patch My PC. You could set a specific scope within Config Manager to control who sees it. That's a right-click option that we could apply at the all products level. Um, there's also a variety, like for example categories, you know, this
categories probably isn't one that you would set at all products, that would maybe be at an individual product level. Maybe you want 7-Zip to have the file archiver category, for example, that would show up in Software Center. One thing that we did actually miss on the global options is you do have the ability where you can choose to put all of the apps in a specific folder. So for example, if I open my ConfigMgr console, I can see that I have different folders for organization, right? So let's say that any app that gets created by Patch My PC, we want to add it in the Patch My PC folder to keep it organized by default. Now once we get to the individual product level though, let's go enable 7-Zip as an app, we'll do the 64-bit MSI. Let's say for this one we just want to get a little bit more specific, so we wanted to override that global option and we wanted to put it in a sub-folder called 7-Zip. We could do that, right? We could come in here and we could do a custom category. So let's say that we want to give it a user category of file archivers, right? So this is in Software Center, you could sort by categories for your users and have custom categories if you wanted to, right? Any other right clicks that, that you think would be worth mentioning, Adam?

Oh, there's, yeah, um, I guess the, the main point to make here really is that you will inherently see a different set of right-click options depending on which tab you're in, because you're dealing with a different platform. So the updates tab revolves around WSUS, the ConfigMgr apps revolves around Config Manager, CCM, and as we get onto the Intune tabs you'll see again there's just different right-click options, because we're working with Intune. You can do things like manage ESP profiles, for example, in Intune. There will still be the core ones, like scripts and command lines and all that good stuff, and manage conflicting processes, but there are some platform-specific ones.

So in the alerts tab, this is going to be how you can get notified whenever things
take place in your environment. So by default, if we look at the sync schedule, we're going to sync every night at 7 pm. So let's say that there's a new version of Chrome that came out, or 7-Zip, or any of the products that you enable, if we've released an update for that in our, in our catalog on the back end, this is going to be how often you're checking in, publishing either that new update or that new application to your environment. So from our perspective, we usually do about four to five updates per week, right? So third-party updates happen all the time, it's not quite like Patch Tuesday where for the most part it's usually once a month, right? Um, so by default our daily sync schedule is, is daily, right? But then in the alerts tab, this is where you can actually get notified. So for example, if we open up our Teams channel, because we added a Teams webhook, if you remember we enabled Notepad++ as an update and we enabled Google Chrome as an update, so just, uh, you know, four minutes ago that synchronization took place, and we can see that the update was published into Config Manager. So if I were to click here I can see that, you know, we'll take you right out to the release notes. Um, maybe the CVE stuff, Adam, and call some of this out?

Yeah, absolutely. So there's a bunch of metadata we include. So we denote kind of like severity, classification, and if the vendor discloses any kind of CVE IDs that are a part of their update, we'll bundle that in the metadata, we'll include that within the alerts, so that your security team can kind of be in the loop about the updates that you're kind of creating in your environment. Yeah, go for it.

Can you speed up the updates based on the security, if it's a critical update?

Yeah, so I guess the thing I'd want to say there is that you're totally still in control of the updates, deploying of the updates. So if you're syncing daily, those updates become available for you daily, and if you want to expedite the deadline of your deployment, totally go ahead, you've
still got full control of your deployments.

Yeah, yeah, and so what, what you could do in that scenario is, uh, let's say that you're using ADRs and ConfigMgr for deploying updates. You could maybe have two ADRs, maybe one for normal updates, and then you could have one where the severity level is like critical, or security-based classification, and you could have that deploy right away. So on the ConfigMgr side you could control exactly how you want to escalate and deploy quicker in the event that it had CVEs or it had a classification or a severity level. Um, so that's kind of the three things that we would set on our side that you could key off of within the ADR criteria.

Yeah, that's, that's a much better answer. Yeah, I think he answered it more than I did. Should we mention about the ADR stuff for Intune? Just mention it. Amazing. I kind of said it, it's coming soon. Yeah, yeah, similar engine. Sorry? It does, well, yeah.

So within, within our lab we had it kind of pre-set up, but what you would do is you would just create a webhook. So if you click the more info link on, on our guide, it will show you how you can go through your Teams channel and make an incoming webhook using the connectors, and then, uh, you know, once you enable that URL you would be able to get it right away. Um, so you just paste in the URL here of that webhook, and then you could choose whether you want all notifications or only success or error, and then every time something publishes you will get notified in real time.

Yeah, and what we should see now is, I just ran a manual sync, and now we have our application created as well for 7-Zip. So if I were to come back in and look at my updates and my apps, and one thing that I will call out is we do have this option to trigger a software update point sync whenever we've published a new update to WSUS. So what happens is, when we detected, oh, Chrome and Notepad was published, we automatically talked to ConfigMgr and told it to start synchronizing, so that we see the update in our console
right away and you don't have to wait for the next scheduled software update point sync. Now one thing that you will notice is these are both deployed already, and that's because we had an ADR pre-configured in Configuration Manager. So this is where, for example, your question, how could I control security updates and deploy it quicker, that's where all the, the default functionality of ConfigMgr comes into play. So for example, we're just using a generic show me all third-party updates from Patch My PC, right? But let's say that you wanted to look at severity level, and you wanted to have anything that's marked as critical from us, which means it has a CVE. Now we only have Chrome. So you could have multiple ADRs, and you could have deadlines that are more aggressive based on that, for example. Deployment settings, same, same thing here, so you have all the same options. So we have a pilot, pilot broad, and production that are staggered out differently so we can get our phased rollouts, right? So same thing, collections, you would use, make use of existing collections, deadlines, maintenance windows, reboot behavior, everything would be using the native ConfigMgr options, right? So when that ADR kicked off, it downloaded our content into deployment package, so we'd make use of existing DPs, created our software update group for us, and it's already deployed to our clients.

Now on the application side, if we look at 7-Zip, we can see we have 7-Zip in that custom folder that we defined. If I looked at the properties of this, we're going to automatically fill out metadata for you, things like the icons, descriptions, keywords. I can see that custom category file archivers that we added is automatically added there as well. Cool, so what I'm going to do is I'm going to deploy that app to all users as available, just going to use a PowerShell script to speed up that process so we don't have to go next, next, next. Anything else, Adam, we can think of on the server side before we jump to the client that I missed here? Maybe
just jump to the content path for 7-Zip and I'll quickly talk about script runner real quick, because I think it's important just to point out its existence. Um, so you'll see whenever you create an app or an update with custom options that in the source directory you will see the vendor's sort of native media, like I mentioned earlier, and I just want to emphasize this is always the item it's going to get installed. But you'll see a bunch of Patch My PC sort of accompanying content, and a lot of this content drives your customization. So what you'll see in the install string for a lot of our apps and updates is patchmypc.scriptrunner.exe is called, and that ingests just package.xml, and that kind of contains the instructions of your customization, so things like delete desktop shortcut, um, produce the toast notification to the user, um, and, and that's what drives the installation. And I'm pointing this out purely because maybe you have, like, endpoint security software that kind of has controlled sort of allowed binaries or processes. Um, and, you know, the script runner itself is signed with our code signing certificate from DigiCert, so as far as trust goes, widely it should be okay, but I just wanted to call it out because it's, it's useful to know.

For sure. So now we're on the client side. This is part of our pilot collection that had a deadline for one day from now, right? So since we allowed the deployment to be visible in Software Center, we're getting the ability to install it ahead of time, that's why we see it, but this could of course be totally silent if you wanted to. Now one thing that I will call out, if we look at Google Chrome, if I open this up, just standard google.com is the, as the home page for all users. I can also see that I do have my public desktop icon, and if I look at details I can see it's on the public desktop, not my user, right? So those customizations that we applied, let me go and kick this off, but the customizations that we applied, we said, hey, delete the shortcut, create the
log from that vendor set the home page using the powershell script so if i look at my ccm logs which is the default folder and we can see that that we've automatically created patch my pc install logs based on that right click option and now we've got the actual verbose msi log for google chrome here so we'll be able to troubleshoot in the event something ever happened and it didn't work you would actually have a log now if we also look in the root of ccm logs we have the patch my pc script runner log which is kind of what adam was talking about here so this is where you can see customizations taking place like the right click options so we're currently running chrome's msi right forward slash qn no reboot we can see it just finished 34 seconds and then these lines are where we can really see customizations happening so deleting the public desktop shortcut we would see that on the client log here's the three different reg values um specific to updates right yeah the disabled self-update yeah that's right yeah and then lastly we have that custom powershell script that we applied for the home page so if i minimize this i can see that that shortcut's now gone if i launch chrome from my start menu we'll see that the powershell script set the reg value that that controls the policy for all users for the home page so just an example if you did have something very specific to your organization that we couldn't you know obviously we couldn't configure that for all users you can get very flexible and custom pre or post out you know actions um now that's for chrome so now we're all up to date just using configman software updates notepad plus plus so if i look i've got this currently open just uh just a file open in the background let me go ahead and click install now we did enable that right click option for the pop-up so what we'll see here is the pop-up occurring right cool so a couple of options here the user could either close and update from the pop-up itself or if 
they were to close it from just the app we would detect that and automatically start the installation so if i look back at our script runner log i can see there's the notepad installation it took a second we can also see when we we show the pop-up we'll log out whether or not the user click close an update whether or not they click snooze how many attempts are still left you would see that all in the same log file that you would see all the other actions taking place in cool and that's notepad and then lastly on the app side of things so those two were the updates that we applied if i look at our apps we can see we have 7-zip showing up as available so this is an app that we you know we don't have today so for for example chrome we went from version 71 to version 88 and then notepad we went from seven nine one to seven nine two right now we can also see uh 7-zip isn't installed so we can just kick that off and this would be like any other application in configman as well so for example if we go look at the log files you'll be able to see things like the app enforce log we'll see this kick in in a second and it's going to make use of all the existing functionality that you would be accustomed to in config manager so app discovery will see the detection method kicking off here app enforce we'll see the actual execution of the deployment type how long it takes and then of course same thing for the script runner log you'll see both the app installs and the updates happening here as well so here's the msi where we can see all that taking place look back over here i can also see that for both installation log for 7-zip for the msi as well cool refresh and now we have that installed any questions on yeah how does it work yeah good question do you wanna look at that yeah absolutely take me back to the publisher um so yeah there's actually a few software in our catalogue that um kind of is behind a pay wall right that requires someone to have a sort of paid subscription 
where they then log in and then they are authenticated to access the exe or the msi and this is why we have the local content repository setting in the advanced tab of the publisher and you just need to define a path here in this tab here and like justin has it's this directory here and these are where we have the ex it's great that you pick java as an example because we have binaries here ready you just place binaries in this directory you enable java in patch my pc and then we would just look in this directory um and a nice little bit i'll follow up with on that is if a new version of java became available using the alerts mechanism will ping you teams or emails saying hey there's a new version for java but we don't see the exe for that particular version in the local content repository please go get it so if you go to the more info for that page real quick justin for the local content repository i just want to quickly list out the other apps in our catalog that require a low a manual download effectively and it's this table here um there's not many i think it's like 10 or so now this table here so for one reason or another we cannot automatically download those at the time of syncing patch my pc and it's those apps there so yeah for example i just enabled java but i deleted those files from our repo so this is an example of what the alerts would look like in teams let's say a new version of java comes out tomorrow obviously you wouldn't have that file in your repo unless like you know maybe you are paying attention to java every day we would alert you and say hey we couldn't create this new update for java you need to go download this specific java file and put in your repo and then the next thing will pick it up and publish for you yeah yeah good question yeah cool any other questions before you look at the intune the entry is quite nice because it's very similar yeah cool so the intune piece is pretty much the same concept it's just different tabs so in the 
intune options if we click test this is where you would grant us permissions to your intune tenant using an azure app registration so this is going to give us access just the min permissions that we would need in order to create and manage applications within your tenant right so similar options like do you want to delete you know how many revisions do you want to keep of an app so we won't go too deep into that for time's sake but the process is pretty much exactly the same so for example let's go to our intune apps and let's enable 7-zip let's do the msi version and same thing here right-click options right so let's say that you wanted to enable logging for the intune side the only difference is we would put this in program data not ccm log since it's intune based right so we'll do that we can also create assignments so this can be done at the global level so let's say that any app that you enabled you wanted to make it available in company portal rather than going into intune after we create all these apps in a single click we could say make all these apps available to all users within company portal okay so that's 7-zip i won't go super deep into right-click options because they're going to be very similar can we just say manage esp profiles just oh yeah that's a good one yeah so does anybody use autopilot to provision devices today a few okay so real quick then um you can add an app into an enrollment status page profile so that whenever devices go for autopilot they get that app and if there's a new version released of that app at sync we'll take out that old version that old win32 app and put in the new one so that again similar concept as earlier with task sequences you'll be installing the latest version of google chrome whenever devices get provisioned autopilot yep same thing for notepad for the update side let's say that we want to do the manage conflicting process and we want to notify that user in the same way right so let's apply that and i'll just 
make the update we'll make that required to all devices now one key thing to point on the updates let's go ahead and get a sync running and have this created really quick so just go ahead and run a sync and we'll look at the log file while this is happening but what we'll see going on here is we'll see us downloading the content from the vendors there's for example the java not found notification or log but now we're connecting into intune using microsoft graph so we'll see things like the apps getting created so if i go back into intune and look at my tenant we'll see that we don't currently have any applications created but here in a second on the back end we're gonna have our automation that's gonna create both the app and then the update for notepad within intune using graph yeah so we'll expect to see the apps and updates both appearing as win32 apps in intune in the apps blade here's where we can see it getting added to the enrollment status page so we can see that in the log file now we're creating the notepad plus plus update so if we look back in intune now we'll see that we have the 7zip application already we should see it's also assigned using that right-click option to our all users group and we can see in the properties of this app we've got things like our icons our keywords and and all those details automatically added for you powershell as well detection method would be using a powershell script which can also be code signed if you have a code signing cert and you can configure for intune specifically you could choose the code signing cert that you want in the intune option so you can look at the personal certificate store and you could choose a code signing cert there for your scripts if needed cool yeah you have the same availability you do yeah yep yep so if we for example let's go look at 7-zip let's say that you wanted to do a custom pre-or pro script pretty much all the right-click options would be the same that we said there just might be a 
few additional ones for example like the esp profile that's specific to intune so we wouldn't see that in the configman updates or apps but yeah so pre or post scripts right here you could add that in intune the same way the ui notifications for pop-ups would also work the same way in intune as well categories so if you right-click and look at categories this would show the categories that exist in your intune tenant as well so for the most part on most right-click options there's like a one-to-one mapping between the different areas with the exception of updates and ws there some of the right clicks don't really apply in that scenario like the categories for example that wouldn't be applicable to updates in config man yeah good question um outside of that uh i guess one more thing reporting really quickly is the scan wizard don't have to go into it necessarily but just highlighting that what we showed you earlier with the configman scanning feature of looking at the hardware inventory data in configman the same is true here for our intune integration again we're creating the hardware inventory data that is in intune and the same is true with the auto publishing rules so we've spent a lot of time on the first couple of tabs but only because there's feature parity everything we showed you at the beginning is also mostly true for intune too yeah so we just got the five minute warning um maybe a quick look at reports and then leave the the rest of the time for q a so from a reporting perspective we do have some dashboards that we provide for configuration manager as well as intune so we have power bi dashboards both for configman and intune and then we also have some ssrs dashboards that you can add for configuration manager so we have a variety of different options just depending on which platforms that you're using but you will be able to see things like your third party patch compliance directly in here so for example i think this environment is a bit out of date but 
you'll be able to see things like what's the compliance for a specific month and then you can break in and see updates released that month and get pretty detailed on what your compliance looks like right but outside of that i think let's leave the rest of the time for any questions to make sure that we can cover that we've only got about five minutes left so any other questions that you guys have yeah so the only thing that would happen in that case is you wouldn't get new apps but you would still have everything that you had um so yeah i mean in theory you could go build a lot of apps and then not buy but yeah yeah that's perfectly fine um but yeah hopefully you know once once you get to that point we have a pretty once you start working with us we have a pretty high conversion rate so but yeah nothing would happen you just wouldn't get anything new once that expiration happens if there's a new version of chrome that came out uh you know that would just say hey we can't publish it but everything that you do during that that phase will like still be around you'll still be able to have the apps and updates that you had throughout that that period yeah just to follow up there real quick if you converted to a customer again you wouldn't have to do anything we'll change your license key on the back end and then it will just spring back into life you don't have to reinstall you'd have to re-enter a new key just picked up where it left off yeah for sure yeah yeah set up call is is a great way to start as well like where you can actually get on with an engineer make sure things are good it usually takes less than an hour like literally the time of the demo is about the time it takes with the exception of maybe you need to get a certificate created right so yeah question so it's yeah good question so it's per device um let me pull up our licensing so so we do have all the pricing like on the website um it's not we don't like hide that like you know a lot of companies do so 
you'll be able to see like exactly what what it looks like so the top tier subscription which is what we looked at today that includes both the base application feature for configman and the update so kind of the app creation and updates and the intune functionality this is per year so it's three and a half dollars per device per year now we do have a starting price regardless of your device size so for the top tier it's 24.99 at least per year and then the enterprise only this would be just the updates feature for configuration manager so for example the top tier would include all four of these tabs basically the two dollars per device would just be the update so you could update existing devices that already have the app but you couldn't package the app and you wouldn't get the intune features and then we have like a our intune only kind of cloud and that's two and a half dollars per device per year so these are all per device per year um for these different tiers yep and when you're thinking about device counts how many devices to tell us just tell us the number of devices you intend to patch so for instance if you have a thousand devices but you don't intend to deliver software to them like 200 of the you know then just tell us 800. just license for 800. if you only intend to deliver software to 800 devices just license for 800. 
yeah and like if you have mac or linux devices you could exclude those in your account for example yeah so pretty flexible cool other questions i guess if there wasn't any questions i would definitely push for a demo because the good thing about demo is if you just click on schedule demo up top there it's just a chance to kind of look at the platform that you're using in more time and detail so if you don't use intune don't plan to use it in tune anytime soon you just want to see more of what we showed you about configman we can do that in a demo and kind of answer specific questions that maybe you don't want to share here about your environment you know demos instead of calls is definitely the way to go to get up quickly yeah yeah if you haven't stopped by the booth as well we're doing some raffles for some laptops um one of them will be on twitter there's just a qr code you can scan um yeah so we also have some swag there some hats yeah so stop by if you haven't yeah stickers any other questions about anything that you cool yeah i think that uh that probably takes us some time then yeah thanks everybody for uh coming to the session and hopefully it was valuable thank you you
Info
Channel: Patch My PC
Views: 622
Id: 5Jf69keXjB8
Length: 50min 28sec (3028 seconds)
Published: Mon Dec 06 2021