User and computer categories

Managing user categories

You will probably want to determine which applications users get to see. You do this by defining user categories, which means that you do not have to make an application available globally – you can choose a particular group or user who can shop for it and it also helps organize the applications for easy selection in the Shopping Web portal. For example, if you have a software development group, you can just enable that group to shop for software development applications and not have to worry about unnecessary requests from your HR department or vice versa for HR specific applications.

Will I need to define the users themselves?

Actually, you do not need to create users – it is all handled for you automatically by Shopping. Using your AD, Shopping is able to automatically create users for the system when they browse the Shopping Website. Shopping gets the user's details as well as their department heads/managers.

The Configuration Manager client is used by Shopping to determine what site the user should be looking at, which in turn also determines what applications are made available to them in the Shopping interface and the user's email details are kept up-to-date using the AD synchronization settings described in Active Directory synchronization.

As the non-Configuration Manager application approval process relies heavily on email notifications, users must have their email addresses accessible via AD. If a user’s manager is not assigned, they will not be able to shop for applications that require a manager’s approval.

The Shopping-defined Miscellaneous user group has a special purpose – to catch all applications that do not belong to any other user categories. If you want to get Shopping up and running as quickly as possible, you can simply create applications, not use specific user categories and let your users shop from the this group. The Miscellaneous user category always appears at the bottom of the user categories list.

Creating a new user category

To create a new user category:

  1. In the Shopping Admin Console, choose the User Categories node.

  2. Right-click anywhere in the right-pane and from the context menu, choose New User Category.

  3. In the New User Category wizard:

    1. On the Welcome screen, click Next.

    2. On the User Category General Details screen, provide a name and description for the user category (it is used the Shopping Admin Console and in the list of categories which is visible to users) and click Next.

    3. On the Permissions screen, choose who can see the user category when they browse the Shopping interface:

      • Account list – list of users or groups that have access to this user category

      • Add – adds users to the list of users who can view the application in the Select Users or Groups dialog. There are three sections to the browser: the object type, the location, and the object names. The combination of the parameters in these sections allows you to select AD security groups or pinpoint individuals.

        Although it is possible to change the scope of the browser so that it returns computer groups, only user groups should be used with User Categories.

    4. Click OK to continue.

    5. On the Completion screen, click Finish.

Organizing user categories into groups

To help users find the applications they want to shop for, define category folders to organize the user categories into conceptual groups. To do this, display the properties for an existing user category and select the Category Folders tab.

  1. In Category Folder, type the name for the folder.

  2. Click Add – the newly created folder appears in the Use list.

  3. Click OK.

In the Shopping Web, click the Microsoft Applications menu item to show what's available. Users who are currently logged-in must sign-out and sign-back in again to view the changes.

Managing computer categories

Computer categories let you define computer specific approval that is controlled using individual computer accounts, AD groups or OUs. This can be extremely effective when the machines in a network have a wide geographic spread.

You can use computer categories to nominate administrators for the computers who can carry out maintenance tasks for the computers such as shopping for applications, un-installing applications and restoring applications after re-imaging. Computer categories also form the basis for branch administration for applications – this is where the branch administrator associated with the computer category is able to choose which branch administered applications are published to the computer category and their approval process. For more details see Branch management.

If you need to add a large number of computers to a computer category, it is more efficient to create an AD Group or OU and add the computers to it and then add them to the computer category.

Branch management for Intune devices

Branch management in Shopping allows administrators to organize devices into computer categories (called branches). Each branch can have its own branch administrators and approval workflow. This feature enables the creation of computer categories using Intune based sources, allowing branch creation and management for Intune devices.

Both on-premises AD and Intune devices are managed within the same Branch Management framework. Branch administrators can configure workflows and manage apps for both on-premises and Intune devices.

Branches can be created using the following sources:

  • Intune Administrative Units (AU)

  • Intune Groups

  • Intune Device Names

Creating a new computer category

To create a computer category follow the steps below:

  1. In the Shopping Admin Console, click Computer Categories.

  2. Right-click anywhere in the right-hand pane and choose New Computer Category from the context menu. This starts the configuration using the New Computer Category Wizard.

  3. Click Next, then enter the Name and Description of the computer category.

  4. Click Next, and then click Add Intune on the right.

  5. The Intune Object Picker window appears, allowing you to select Intune objects.

  6. Select any source type and search for the required objects. Move the required ones from Available to Selected and click OK.

    Ensure that the AdministrativeUnit.Read.All Graph API permission is added in the App Registrations of the authentication apps in Azure. When using client secrets for authentication with client apps, this replaces seamless single sign-on.

  7. The selected source now appears in the wizard.

  8. You can choose additional source types for the category, such as:

    • On-prem AD OU/ Group/ Device Name

    • Intune AU/ Group/ Device Name

  1. Click Next to proceed to the final page. Click Finish to create the computer category. The new category is now available in the Branch Management console.

Assigning branch admins

A Shopping administrator can assign one or more branch administrators to the newly created Intune branch.

Branch administrators can:

  • Configure approval workflows

  • Shop for others and search for Intune devices that are part of the branch

Approval workflow

Branch administrators assigned to Intune based branches can set up application approval workflows specific to their branch. This ensures consistent governance across hybrid environments. Branch administrators can define the following types of workflows for app requests:

  • No approval

  • Chain approval

  • Any approval

End users with Intune devices see branch specific apps in Shopping. They can request apps according to their branch's approval policies.

Defining central approvers and branch administrators

Having created the new computer category, add your central approvers and branch administrators.

  1. To add central approvers:

    1. In the Shopping Admin console, choose the computer group (UK Computers in our example).

    2. Right-click anywhere in the right-hand pane and from the context menu, choose Add Central Approvers.

    3. In the Add Central Approvals dialog, select the approvers to add.

    4. Click OK.

  2. To add branch administrators:

    1. In the Shopping Admin console, choose the computer group (UK Computers in our example).

    2. Right-click anywhere in the right-hand pane and, from the context menu, choose Add Branch Administrators.

    3. From the list of administrators, choose the branch administrators for the computer category.

    4. Click OK.

  3. Having added all your central approvers and branch administrators, they are displayed in the Shopping Admin console as follows: