SCCM Admin Console - 3rd Party Tool

  • Question

  • Dear community,

    I'm working in a distributed environment where we want to allow certain roles (distributed globally) only to do certain tasks for their assigned client computers (e.g. start OS or software installation jobs and monitor them). Due to our SCCM configuration we cannot realise this using the standard SCCM admin console. There we could only control this on a very high level (e.g. IT colleagues in Europe can manage clients for all European subsidiaries).

    To solve this we plan to use a 3rd party development that gives only limited access to certain SCCM tasks depending on the role and the country/subsidiary. Somehow this 3rd party tool is not getting started... :-(

    Is there someone with a similar requirement/situation and if so - how did you handle this?

    Or are there any other tools especially for this (on the 3rd party software market) that I was not able to find?

    Thanks & best regards,

    Thomas

    Wednesday, January 9, 2013 10:05 AM

Answers

  • If you can dream it, it can be done.  There is the SDK for exactly your requirements--make a custom interface.  However, exactly what you are asking (software deployments and monitoring), the only way I know of people doing that is with very carefully thought-out Console Access rights, with very few class rights, and instead using instance rights, and status filter rules to copy collection per-instance rights, and advertisement rights, and package rights, and task sequence rights, and patch deployment rights, and (what else am I forgetting to mention).  Sure, you could do that... but honestly Configuration Manager 2012 has been out for a year and all of those role-based access rights are built into CM12 for scope and responsibilities.  Setting up console rights in cm07 was a pia (I remember, because we had to do that--took weeks to plan and tweak that).

    Personally... I'd start encouraging this company, heavily, to move to cm12 as soon as may be so you can forget making your own 3rd party, or forget customizing instance rights in the cm07 console.  Obviously either one could be done... but yikes why bother?  Upgrade.


    Standardize. Simplify. Automate.

    • Proposed as answer by NPherson Thursday, January 10, 2013 1:53 AM
    • Marked as answer by Garth Jones MVP Saturday, January 2, 2016 5:25 PM
    Thursday, January 10, 2013 12:01 AM

All replies

  • You can install the SCCM console on any workstation (XP/Win7); if you get the proper rights, you can do the SCCM administration work from that console machine.

    We can restrict the permissions on console access, like software distribution or patching or remote tools or collections, etc.

    (http://it-howto.blogspot.ch/2011/03/managing-user-rights-in-sccm-2007.html)


    Configuration Manager Console Prerequisites

    Before installing the Configuration Manager console on a remote computer, you should ensure that it meets the minimum requirements outlined in the Configuration Manager supported configurations, as well as the following installation prerequisites:

    Please find all the 3rd party supporting tools for SCCM at the location below.

    http://www.myitforum.com/myitwiki/SCCMTools.ashx


    Narahari


    • Edited by Narahari B Wednesday, January 9, 2013 11:53 AM
    Wednesday, January 9, 2013 11:23 AM
  • Dear Sherry,

    We are just implementing CM 2012 and have the problem in this environment. The system implementation planning has been done with Microsoft and this is the output. The easiest way of realising our requirements is using such a 3rd party tool.

    Of course we should consider re-thinking our requirements but as far as I understood (I'm the project manager, so technically not too much involved) the alternative is that too many people can then start actions like re-installing the wrong computers, which we want to avoid (not because we don't trust the people but mistakes just happen and could then have quite some impact). Additionally we could (on short notice) not configure certain parameters for the OS set-up process (e.g. model name to select drivers for the computer, host name).

    Best regards,

    Thomas

    Thursday, January 10, 2013 6:47 AM
  • So if I understand you correctly, you are talking about security rights in CM12?  And you (or your technical team) are unable to come up with appropriate security rights to fit your requirements?  I wonder... if they are unaware of the tool in the CM12 toolkit, specifically to help work out what rights and scopes you want to give to group A vs. group B.

    Standardize. Simplify. Automate.

    Thursday, January 10, 2013 1:16 PM
  • Design has been done with MS, the implementation is going on with MS consultants. During the design phase this tool has been recommended to avoid the efforts for implementing the security/role concept in CM12. Now we have problems with the 3rd party tool and are looking for alternatives. Using the CM12 role/permission model is one alternative which we would be capable of realising from a technical perspective. :-)
    Thursday, January 10, 2013 1:47 PM
  • Using the CM12 role/permission model is one alternative which we would be capable of realising from a technical perspective. :-)

    I would check if a problem can be solved using built-in functions before thinking about 3rd party or custom solutions. So using CM12's security model is an *alternative* for using a 3rd party tool? (I do not consider the RBA tool as a 3rd party tool BTW) What problems are you facing exactly?

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, January 15, 2013 10:25 AM