Home Configuration Manager

User Device Affinity

Steve_O'ConnorSteve_O'Connor Customer IT Monkey ✭
in Configuration Manager
Is there any way to stop a user having more than one primary device? Ours is set to automatically set it based on useage data.

I'm currently building a user deprovisioning service with SCSM and Orchestrator. This works nicely until we hit someone in IT, I get servers as well as clients returned as primary devices. This poses a huge problem as part of the deprovisioning process is to disable the leaving users client.

Comments

  • joivan_hedrickjoivan_hedrick Cireson Consultant Advanced IT Monkey ✭✭✭
    In Service Manager, is this for the Primary User on Windows Computer objects, or the Primary User on Hardware Assets? The ConfigMan connector will set the Primary User on Windows Computer objects, and the Cireson Hardware Asset Sync Workflow will optionally set the Primary User on Hardware assets from Windows Computer objects. What I've done previously is have the import connector run a SQL query against the ConfigMan database and exclude certain entries, like service accounts, collections, names, etc. 

    As for ConfigMan itself, in some environments you can change the UDA threshold to have a more aggressive setting, such as 20 hours in a 7 day period. This probably won't work if your IT users are always logged on servers. 

    A slightly tacky method would be to have the runbook check each of the machines that is returned for a user, and then check the collection, OU, or some other property and exclude it. This one's not my favorite, but can be effective without changing any SCSM or ConfigMan settings. 
  • wally_meadwally_mead Member Advanced IT Monkey ✭✭✭
    In Configuration Manager itself, I am not aware of any way to lock a user to only having one primary device. The product obviously supports multiple primary devices per user, as well as multiple primary users per device. As Joivan suggested, you'd likely need to do some sort of automation to handle this scenario.
  • Adam_DzyackyAdam_Dzyacky Product Owner Contributor Monkey ✭✭✭✭✭
    Since IT is really the only culprit (but I suppose there could just as easily be more) I'd say:
    1. Get the User in SCSM
    2. Get all of their related devices in SCSM
    3. Filter the devices to only get Windows Clients with a specific naming convention, Active Directory Organizational Unit, or anything else you could reliably key off within your environment to ensure a Windows Client match

    If you wanted to be extra careful, you could dynamically add two additional activities of an RA and an RB if the user to disable is in X department. Then send that RA to someone on your help desk (or SCCM team/whatever) to approve/reject. When the RA is approved, the additional RB to "Disable device in AD" engages.
  • Steve_O'ConnorSteve_O'Connor Customer IT Monkey ✭
    Thanks Guys, thats a few ideas to have a look into.
  • wally_meadwally_mead Member Advanced IT Monkey ✭✭✭
    Good luck Steve, Unfortunately not something native in the Configuration Manager product. Not sure if it is something that we'd explore doing at Cireson or not, we'll discuss it :-)
Sign In or Register to comment.