Supported platforms and requirements

Category

Product

Notes

Server OS

  • Windows Server 2022

  • Windows Server 2019

  • Windows Server 2016

Systems running these server OS will support:

  • Shopping Central Server (website and services)

  • Shopping Admin Console

  • Shopping Receiver

SQL Server

  • SQL Server 2022

  • SQL Server 2019

  • SQL Server 2017

  • You must have one of these SQL Server versions installed.

  • SQL Server must be configured to use a case-insensitive, accent-sensitive collation as the server default (the preferred collation is SQL_Latin1_General_CP1_CI_AS).

  • If TLS 1.0 is disabled on either the Web server or the SQL Server, you will need to install the SQL Server Native Client on the Web server before installing Shopping. Please refer to Installation when TLS 1.0 is disabled for more details.

  • Shopping supports SQL Server 2019 High Availability (HA) with the following caveats:

    1. When “SQL Always ON” setting is enabled, we can’t upgrade the Shopping DB with usual upgrade process.

    2. When failover switching takes place, it takes approx. 3 to 5 seconds to up the secondary node (this depend on the server configuration). Shopping Website will not be available during this time and following message correctly shows the state – “Unable to access availability database 'Shopping2DB' because the database replica is not in the PRIMARY or SECONDARY role. Connections to an availability database is permitted only when the database replica is in the PRIMARY or SECONDARY role. Try the operation again later”, this message can also be seen in Shopping logs.

Microsoft Endpoint Configuration Manager

  • SCCM CB 2203

  • SCCM CB 2111

  • SCCM CB 2107

  • SCCM CB 2103

  • SCCM CB 2010

  • SCCM CB 2006

  • SCCM CB 2002

Microsoft Intune

  • Intune service release 2006

  • Integration with Intune is an optional feature of Shopping. See Microsoft Intune integration.

  • Shopping has been tested with this release of Intune, there are no known issues with previous or newer Intune releases.

  • Azure Active Directory (AAD) is required, and must be in hybrid mode with seamless single sign-on (SSO) enabled, and either pass-through authentication or federation enabled.

  • See Microsoft Endpoint Configuration Manager requirements for details.

Web Server

  • IIS 10

Runtime libraries

  • .NET Framework 4.8

  • Shopping server components requires one of these versions of .NET Framework

Companion products

  1. Application Migration (optional)

  2. WakeUp (optional)

The following lists are combinations of products compatible with Shopping:

  • 1E Client 8.1, Nomad 8.1, 1E Platform 8.1, Application Migration 8.1

  • 1E Client 8.0, Nomad 8.0, 1E Platform 8.0, Application Migration 8.0

  • 1E Client 5.2, Nomad 7.1, 1E Platform 5.2, Application Migration 3.1

If you are implementing self-service OS deployment through Shopping, using the OS Deployment Wizard, then you will need to install 1E and Application Migration to support migration of applications during the OS deployment.

Others

  1. SMTP/Exchange server

  2. Active Directory

  1. Access to an SMTP or Exchange server.

  2. Access to Active Directory. Where AD groups are specified for accounts with an associated group email address, you must have Exchange server for email notifications to be sent to all members of the group.

Category

Product

Notes

Client OS

  • Windows 11 CB 23H2

  • Windows 10 CB 21H2

  • Windows 11 CB 21H2

  • Windows 10 CB 21H1

  • Windows 10 CB 20H2

Systems running these client OS will support the Shopping Admin Console.

Runtime libraries

  • .NET Framework 4.8

The Shopping Admin Console requires one of these versions of .NET Framework.

Browsers

Latest version of:

  • Google Chrome

  • Microsoft Edge (Chromium)

  • Mozilla Firefox

Computers running these browsers support access to the Shopping portal for various purposes. Refer to Shopping Web administration.

 

  • Where localization for Portuguese is enabled, the language-code is pt-BR (Portuguese-Brazil)
  • Firefox requires the option Firefox support enabled set to True in the Shopping admin console. This option is set to False by default. Changing this value will require an IIS reset for the Shopping website and a 1E client service restart on the user's device before it comes into effect. This is not required if the Shopping website is accessed using HTTP

Recent versions of browsers issue warnings when connecting to HTTP websites.

Category

Product

Notes

Client OS

  • Windows 11 CB 23H2

  • Windows 10 CB 21H2

  • Windows 11 CB 21H2

  • Windows 10 CB 21H1

  • Windows 10 CB 20H2

Systems running these client OS will support the Shopping Client module in 1E Client 5.0 or later.

The Shopping Client module in 1E Client contains the following:

  • Shopping Client - this provides the loopback feature

Shopping Client is available in the 1E Client. Refer to 1E Client.

The list in the Product column only shows OS versions in mainstream support by Microsoft, and therefore supported by 1E and Shopping. However, the following legacy OS continues to be supported as an exception to help customers during their migration to the latest OS:

  • Windows 8.1

Shopping's Intune integration feature is not supported on any legacy OS. Please be aware that Microsoft Intune has very limited support for application deployment on Windows 8.1, especially for enterprise application types.

Please refer to Constraints of Legacy OS regarding end of mainstream support.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Please refer to the Support for Microsoft Rapid-Release Cycle on for details of which Current Branch versions are supported by 1E products, and known issues regarding specific versions.

Runtime libraries

  • .NET Framework 4.8

The Shopping Client module in 1E Client contains the following:

  • Shopping Client - this provides the loopback feature, and does not require .NET Framework

Browsers

Latest version of:

  • Google Chrome

  • Internet Explorer 11

  • Microsoft Edge (Chromium)

  • Mozilla Firefox

Computers running these browsers support access to the Shopping portal.

 

  • Where localization for Portuguese is enabled, the language-code is pt-BR (Portuguese-Brazil)
  • Firefox requires the option Firefox support enabled set to True in the Shopping admin console. This option is set to False by default. Changing this value will require an IIS reset for the Shopping website and a 1E client service restart on the user's device before it comes into effect. This is not required if the Shopping website is accessed using HTTP

Recent versions of browsers issue warnings when connecting to HTTP websites.

If you use Shopping's ConfigMgr integration, you will need the following installation accounts, ConfigMgr security role, and database access.

Shopping installation accounts

The user installing Shopping Central or Shopping Receivers requires membership of the Full Administrator security role in Configuration Manager, as described in Installation accounts.

1E Shopping Receivers security role

The Receiver service account or group requires the following permissions in Configuration Manager.

Classes

Permissions

  • Application

  • Distribution Point

  • Distribution Point Group

  • Package

  • Site

  • Status Messages

  • Task Sequence Package

  • Users

Read

  • Collection

  • Configuration Item

  • Folder Class (new in CB1906)

  • Global Condition

All (Full)

These permissions are defined in an XML file and can be imported using the Configuration Manager console to create a 1E Shopping Receivers security role. Each Receiver service account or the Receivers group can then be assigned to this role. This is a one-time only manual procedure prior to installation of the first Receiver. The permissions for the 1E Shopping Receivers role were changed in Shopping 5.6 to include support for Configuration Manager client notification. You will need to import one of the following files, depending on your Configuration Manager version:

  • 1E Shopping Receivers Security Role in CB1906 and later.xml (includes Folder Class introduced in CB1906)

    Copy 
    <SMS_Roles>  
    <SMS_Role CopiedFromID="SMS0002R" RoleName="1E Shopping Receivers" RoleDescription="">    
    <Operations>      
    <Operation GrantedOperations="1879047847" ObjectTypeID="1" />      
    <Operation GrantedOperations="1" ObjectTypeID="2" />      
    <Operation GrantedOperations="1" ObjectTypeID="4" />      
    <Operation GrantedOperations="1" ObjectTypeID="6" />      
    <Operation GrantedOperations="805708823" ObjectTypeID="11" />      
    <Operation GrantedOperations="1" ObjectTypeID="20" />      
    <Operation GrantedOperations="1" ObjectTypeID="28" />      
    <Operation GrantedOperations="1" ObjectTypeID="31" />      
    <Operation GrantedOperations="1047" ObjectTypeID="32" />      
    <Operation GrantedOperations="1" ObjectTypeID="42" />      
    <Operation GrantedOperations="1" ObjectTypeID="43" />      
    <Operation GrantedOperations="1047" ObjectTypeID="226" />    
    </Operations>  
    </SMS_Role>
    </SMS_Roles>

You can copy the details given above, paste it in a notepad and save as an XML file. Then import it to SCCM console.

When a Receiver creates a collection for deploying an application, it needs to specify its limiting collection. By default, that is either All Systems or All Users and User Groups. However, these defaults are configurable in the Receiver's config file. Other collections can be mapped if the Shopping RBAC feature is used. If these collections are known, specify them, otherwise select All instances of the objects that are related to the assigned security roles option in the Security Scopes tab. For more information, refer to Role-Based Access Control in Shopping.

When upgrading 1E Shopping Receivers from versions prior to Shopping 5.6, because later version now use Configuration Manager client notification, you will need to update the 1E Shopping Receivers security role in Configuration Manager CB1810 and later. This can be done in the following way:

  1. Remove any users assigned to the existing 1E Shopping Receivers security role in Configuration Manager - noting them down for re-assigning later. If a user only has that role, you will need to assign the user to a temporary role, for example Read-only Analyst.
  2. Remove the existing 1E Shopping Receivers security role from Configuration Manager.
  3. Import the 1E Shopping Receivers security role using the appropriate xml file for the version of Configuration Manager you are using.
  4. Re-assign the previous users to the new 1E Shopping Receivers security role.
  5. Unassign the users from any temporary roles.

Configuration Manager site databases

Shopping Central - the Shopping Central Service account (SVCUSER) must be a member of the Shopping Configuration Manager Database Access group (refer to SHOPPINGCONSOLESMSUSERS on Active Directory security groups). This group requires a login with db_datareader rights and execute permission on the fn_GetAppState and fnGetSiteNumber functions. If the Shopping Central installer has sufficient rights on the Configuration Manager database, then these database rights will be configured automatically during installation.

Shopping Receivers - in all Configuration Manager Site databases, ensure the Shopping Receiver service account has a login with db_datareader rights and execute permission on the fnGetSiteNumber function. If the Shopping Receiver installer has sufficient rights on the Configuration Manager database, then these rights will be configured automatically during installation.

Configuration Manager deployment notifications

To enable deployment notifications, the following summarizers must be enabled in the Configuration Manager Admin Console (Administration > Site Configuration > Sites > <top-level Site> > Status Summarizers):

  • Application Deployment Summarizer

  • Application Statistics Summarizer

  • Component Status Summarizer

  • Site System Status Summarizer

Refer to Requirements in Microsoft Intune integration.

In this documentation, the following are referred to as legacy OS. Below are described some known issues for these OS.

1E does not provide support for 1E products on the following OS unless the OS is explicitly listed as being supported for a specific 1E product or product feature. This is because Microsoft has ended mainstream support for these OS or they are not significantly used by business organizations.

  • Windows XP *
  • Windows Vista
  • Windows 7
  • Windows 8.0
  • Windows 8.1
  • Windows Server 2003 *
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

1E Client and later will not install on Windows XP and Windows Server 2003. Please contact 1E if you intend to continue using any of the other legacy OS. If you experience an issue, then please try replicating the issue on a supported OS.

For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.

Certificate limitations - expired root certificates

Ensure that your Root CA Certificates are up-to-date on clients and servers. The Automatic Root Certificates Update feature is enabled by default, but its configuration may have been changed or restricted by Group Policy Turn off Automatic Root Certificates Update.

If this GPO is enabled, then you will see DisableRootAutoUpdate = 1 (dword) in HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot.

Certificate limitations - signing certificates missing

On Windows computers, the installation MSI files, and binary executable and DLL files of 1E software are digitally signed. The 1E code signing certificate uses a timestamping certificate as its countersignature. 1E occasionally changes its code signing certificate, and uses it for new releases and patches for older versions, as shown in the table(s) below.

Root Certificate Authorities are implicitly trusted to validate certificates, and their certificates must be correctly installed to do this. Your computers should already have the necessary root CA certificates installed, however this may have been prevented by your organization's security policies, or inability to connect to the Internet, or they are legacy OS. In general this is not an issue because by default Windows allows software to be installed and run without validation, although you may see a warning or experience a delay. However, you must have relevant CA certificates installed if you are using 1E Client (which self-validates its own files), or your organization has applied more secure polices (for example UAC, AppLocker or SmartScreen).

Typical reasons for issues with signing certificate are:

  • If your organization has disabled Automatic Root Certificates Update then you must ensure the relevant root CA certificates are correctly installed on each computer

  • If computers do not have access to the Internet then you must ensure the relevant root and issuing CA certificates are correctly installed on each computer, numbered in the table(s) below.

The signature algorithm of the 1E code signing certificate is SHA256RSA. In most cases, the file digest algorithm of an authenticode signature is SHA256, and the countersignature is a RFC3161 compliant timestamp. The exception is on legacy OS (Windows XP, Vista, Server 2003 and Server 2008) which require the file digest algorithm of an authenticode signature to be SHA1, and a legacy countersignature.

The table below applies to software and hotfixes released in 2020.

2020 Signing certificate Timestamping certificates

Certificate

1E Limited

TIMESTAMP-SHA256-2019-10-15 and DigiCert Timestamp Responder

Issuing CA

 DigiCert EV Code Signing CA (SHA2)

Thumbprint: 60ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e3

 DigiCert SHA2 Assured ID Timestamping CA

Thumbprint: 3ba63a6e4841355772debef9cdcf4d5af353a297

and

DigiCert Assured ID CA-1

Thumbprint: 19a09b5a36f4dd99727df783c17a51231a56c117

Root CA

 DigiCert High Assurance EV Root CA

Thumbprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25

 DigiCert Assured ID Root CA

Thumbprint: 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43