Autopilot Manager with additional automation – Modern IT – Cloud – Workplace
source link: https://oliverkieselbach.com/2023/01/24/autopilot-manager-with-additional-automations/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Autopilot Manager with additional automation – Modern IT – Cloud – WorkplaceSkip to content
New enhancements to Autopilot Manager are here. This time I focused on further optional automations of the import process based on customer feedback.
Another year is gone and Autopilot Manager once again gets new features. Ironically last time I introduced new features (Evolving Autopilot Manager) was also ~1 year after the initial release. So here we are again (after ~1 year) with the latest additions, mainly focused on further automation of the overall process.
To accomplish my goal to add further optional automations with Autopilot Manager, I needed a way to add additional customer specific logic. For example, logic to validate requests to deny them directly if not allowed. Furthermore, I needed a way for automatic approvals if an extended validation was successful. Finally, if we have these options, wouldn’t it be nice to also provide Autopilot Group Tags in an automated way?
What did I implement?
I added several logical checks in the Autopilot Manager code, so called Azure Function calls to the Autopilot Manager workflow. There are 3 new Azure Function calls added:
- Validation Function
- GroupTag Function
- AutoApproval Function
The purpose of them is to lower the effort of helpdesk personas. Imagine a rather big company using Autopilot Manger and therefore getting a lot of requests for approval. This means someone from the helpdesk (assuming Autopilot Manager runs in approval mode) needs to frequently check the approval page and process the incoming requests. Here it might be efficient if the code does an additional check very early in the process to validate if a request is valid or should be instantly denied. This way no requests would be captured which are not pre-validated. So, they are most likely requests which are also approved by the help desk persona later as well.
A little bit more to this. The Validation function is simply an Azure Function. These functions are running in your Azure environment in a so-called Function App. This app does provide functions (authenticated via a function key) which can be called via https. They receive an input, then in my case PowerShell code is running (other languages available as well C#, Python, …), does some additional checks/validations and returns a result. For the validate function you can now imagine validation checks by using the received Serial Number/Manufacturer/Model and check in other company owned systems like ServiceNow, an asset management system, or other CMDBs, if the device is known and allowed. Based on this information you can return true or false to allow or directly deny the request.
The Validate Azure Function gives the option to instantly deny requests or allow them for further manual approval.
The GroupTag Azure Function provides the Group Tag based on the Serial Number/Manufacturer/Model. This can be useful if you like to flag a device as SharedDevice or Kiosk device. After import it would get based on the function the defined GroupTag fully automatically. Following an example of a custom Group Tag provided by Azure function fully automatic:
The AutoApproval Azure Function provides the final go if a device is flagged for automatic approval. Imagine a CMDB call for a S/N and a registered ChangeRequest (CR) for a device to replace the Mainboard (break-fix scenario). This information could be an indicator to return back a true value to allow automatic approval. In this case the Autopilot Manager and the Autopilot Manager Client would not wait for any manual approval, it would directly start the Hardware Hash import process.
Especially the AutoApproval can lower the effort of helpdesk personas as the function is basically taking over the validation and approval for the device.
Why didn’t I implement the new logic within the Autopilot Manger itself?
This is easy to answer, with the architecture above every company has the option to implement their own validation, grouptag, and autoapproval function. They can be used individually or all together. Every company has its own asset systems, ticket systems etc. which might be used as an information source to make the decisions in the functions.
How to use the new Azure Function calls?
All you have to do is create an Azure Function App (see here to create the function app) and add 3 http trigger functions with the name validate, grouptag, and autoapproval and an authorization level of function.
You should have now three functions
In the following example I used the sample PowerShell script provided by Microsoft and modified it slightly to return the value true in the body, indicating validation success. In a real-world implementation, you would add logic to call your additional data sources to make the final decision and return true or false based on that decision:
The functions are built very simple but the internal decision logic is up to you and you must return the result in the body:
How to enable the new Azure functions in Autopilot Manager?
To enable the new Azure Functions with Autopilot Manager, you have to enable them in the Azure App Service Configuration:
AppConfig:AutopilotManagerConfig:AzureFunctionsUrl set to your Azure Function URL (e.g. https://apm-functions-xxx.azurewebsites.net/api/) AppConfig:AutopilotManagerConfig:UseValidationFunction set to true AppConfig:AutopilotManagerConfig:ValidationFunctionKey set to "your azure function key" AppConfig:AutopilotManagerConfig:UseGroupTagFunction set to true AppConfig:AutopilotManagerConfig:GroupTagFunctionKey set to "your azure function key" AppConfig:AutopilotManagerConfig:UseAutoApprovalFunction set to true AppConfig:AutopilotManagerConfig:AutoApprovalFunctionKey set to "your azure function key"
The Azure Functions app URL can be found on the Overview page:
To get the Azure function key you simply click on Function Keys within your function and copy the default one:
Monitoring your Functions
There is a built-in Monitor that logs function calls and also a live logs feature if you click on Logs (right beside Invocations):
Final remarks
If you want to use any of those enhancements you have to configure them explicitly via configuration. Nothing is silently configured in the background. To get the latest version just restart the Autopilot Manager App Service. As long as the app configuration setting WEBSITE_RUN_FROM_PACKAGE points to:
https://raw.githubusercontent.com/okieselbach/Autopilot-Manager/master/dist/Artifacts.zip
You will get the latest version min v1.6 including all the enhancements.
If you are looking for the solution, it is found on my GitHub site:
https://github.com/okieselbach/Autopilot-Manager
I hope these enhancements are as useful for others as they are already for some out there.
This project is a community release and based on my voluntary work, I appreciate any constructive feedback. Just open a GitHub issue, use GitHub Discussions, or leave a comment here. I will support the solution as best effort and as time allows. I’ll look into bugs and help out to get the solution up and running. On GitHub Discussions I may already have answered specific questions you have, it’s worth a visit.
Happy Autopilot automation for you all
AutoPilot, Azure Functions, Functions App, Intune, PowerShell, PowerShell Scripts, Windows, Windows 10, Windows Autopilot
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK