SCOM Agent approval

Very often, automatic SCOM agent approval is a bad idea, as we often see test and development servers accidentally being approved in our production SCOM environment. Furthermore, we don’t want to automatically approve agents, as the deployment is often not completed before the agent is active, which then raises positive/false alerts in SCOM.

Therefore we have set up manual approval on our SCOM agents, but we want everyone who can deploy servers to be able to approve the agents once they are done deploying. We don’t want everyone to be SCOM admin, as that would potentially give other challenges.

We want a SquaredUp dashboard where we can list agents pending approval and where everyone can approve, if they have access to the dashboard.
Has anyone set up such a dashboard, and are you willing to share how you did it?

Hey Michael

This command gets the list of agents pending approval:

You can use the PowerShell tile to make a grid dashboard out of this. You can then also create a task in SCOM to approve the agents and assign proper access to the said task and the dashboard to the people required.

Hope this helps.

Cheers


Hi Badger

Thanks for the reply :wink:
I got to list the pending approval agents, but I struggle to set up the task in SCOM, as I would like the approval to depend on the chosen agent from the list in my SquaredUp dashboard.
I’m not very good at PowerShell and it’s probably a quite straightforward one-liner, but I would appreciate some assistance on the script, if possible :upside_down_face:

Hey Michael

Thinking more on this, I realized a couple of things.

  1. The PowerShell grid tile won’t help you run SCOM tasks.
  2. There is no pending agents class in SCOM.
  3. You have to drill into an object in SquaredUp to access tasks targeted at them.

So the alternative I can think of is to write a scripted discovery to retrieve all pending agents in a class, and then write a task to approve it scoped at this class. If you’re drilling into the server and running the task from there, I don’t think you have to explicitly pass that server in the script.

This involves authoring though, and I am no MP author, so I’ll leave it at that…maybe someone else has better and easier alternatives!

Not sure how helpful this is but hope this helps :wink:

Cheers


It’s great information and thoughts of a possible solution - I’ll see what I can do from what you have come up with :+1:

To make things more interesting/complicated, the Shell does have methods for pulling and approving agent installs:

$MG = Get-SCOMManagementGroup

$Mg.Administration.GetAgentPendingActions()
$MG.Administration.ApproveAgentPendingActions()

I have never used these so I’m not entirely sure how they work… But usually, you can pipe them into Get-Member for an idea of what they expect and how they work:

$Mg.Administration | Get-Member

In the case of approval it appears to be a list of AgentPendingActions, so presumably you can filter down what you want from the get method and pass them into the approve one.

I’ve just installed the latest version of Kevin Holman’s SCOM Management Management pack, and at some point in the last version or two he’s actually implemented a class that goes looking for these actions, and it comes with tasks to approve the pending agents!

Should make it dead easy to make a dashboard and then use individual tasks when you drill into a pending agent!
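
For readers following the thread, an added example (not part of any post above, and not SquaredUp's or Kevin Holman's code): approving a single named pending agent with the OperationsManager cmdlets `Get-SCOMPendingManagement` and `Approve-SCOMPendingManagement`. The function name, the `-AllowPattern` guard and the sample host name are assumptions, and it presumes a session already connected to the management group under an account allowed to approve agents.

```powershell
# Added example: approve ONE manually installed agent by name, nothing else.
# Function name, -AllowPattern and the sample host name are hypothetical.
Import-Module OperationsManager

function Approve-PendingScomAgent {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$AgentName,

        # Hypothetical guard: only names matching this regex may be approved,
        # e.g. a production naming convention. The default allows everything.
        [string]$AllowPattern = '.*'
    )

    # Exact, case-insensitive match on the agent name; only entries waiting for
    # manual approval are considered (not failed push installs or updates).
    $pending = @(Get-SCOMPendingManagement | Where-Object {
        $_.AgentName -eq $AgentName -and
        "$($_.AgentPendingActionType)" -eq 'ManualApproval'
    })

    if ($pending.Count -ne 1) {
        throw "Expected exactly one pending manual approval for '$AgentName', found $($pending.Count)."
    }
    if ($AgentName -notmatch $AllowPattern) {
        throw "'$AgentName' does not match the allowed pattern '$AllowPattern'; not approving."
    }

    if ($PSCmdlet.ShouldProcess($AgentName, 'Approve pending SCOM agent')) {
        $pending | Approve-SCOMPendingManagement
        # Return a record that a dashboard tile or task output can display.
        [pscustomobject]@{
            AgentName        = $pending[0].AgentName
            ManagementServer = $pending[0].ManagementServerName
            ApprovedBy       = [Environment]::UserName
            ApprovedAt       = Get-Date
        }
    }
}

# Constructed sample name; -WhatIf reports what would be approved without doing it.
Approve-PendingScomAgent -AgentName 'app01.prod.contoso.com' `
    -AllowPattern '\.prod\.contoso\.com$' -WhatIf
```

The pattern check addresses the concern from the first post: a test or development server sitting in the pending list cannot be approved through this function even when someone passes its exact name.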