
Installing App Portal / App Broker

To install the App Portal / App Broker web site, perform the following steps.

Note: You need to be an administrator to run this installer. To run as an administrator, you can right-click the installer file and select Run as administrator from the context menu.

Starting with App Portal 2013, your deployment technology is no longer specified during installation. Instead, you specify your deployment technology connection settings on the Deployment tab of the Settings view, as described in the App Portal / App Broker Administration Guide.

To install the App Portal / App Broker web site:

  1. To start the App Portal / App Broker installer, launch AppPortalSetup_2025_R1.exe.

    Note: If OLE DB Driver 18 for SQL Server 18.3.0.0 (x64) is not already installed on your machine, you will be prompted to install it before installation will begin. As this is a prerequisite, click Install.

  2. The Welcome panel opens. Click Next.
  3. Click Next. The License Agreement panel opens.
  4. Read and accept the license agreement and click Next to continue. The Destination Folder panel opens.
  5. Accept the default destination or click Change and select a different location. Click Next to continue.
  6. Click Next. The Database Server panel opens.
Info: Only Windows authentication is supported when connecting to the App Portal SQL Server database. Therefore, the account running this installer needs DBO permissions on that SQL Server.

If Microsoft Entra ID is chosen as the IAM, Windows Authentication is not supported; the connection instead uses Active Directory Integrated Authentication with Trust Server Certificate enabled.

  1. Enter the name of the database server that you are installing to or select it from the list.

    • If you are using a specific database instance (other than the default instance), enter the database server and SQL instance in the following format:

      <SERVERNAME>\<INSTANCE>
    Info: Do not use (Local) as a database name.

  2. In the Name of database catalog field, enter the name of the new App Portal database that will be created by this installer, or click Browse to select an existing catalog.

  3. Click Next to continue.

  4. If you are creating a new database catalog, a message appears stating that a new database catalog will be created. Click OK to continue. The Logon Information panel opens.

  5. A user account is required to interact with Active Directory and SQL. This same account will be used for the App Portal service. The account requires administrative rights on clients to make use of the remote policy execution and to rerun advertisements. In the User name field, enter user account information in Domain\Username format, along with a Password.

    Note: Enter the credentials that App Portal will use to communicate with System Center Configuration Manager and other deployment technologies, SQL Server, Active Directory, and clients. This must be the same account, so it is recommended that you use a dedicated service account. This account must also have administrator rights on all client machines.

    Note: If a Microsoft Entra ID user (Domain\Username) is provided in the User name field, clear the Validate account and password check box to skip user validation. The Domain portion can be a dummy value.

  6. Click Next to continue. The App Portal Settings panel opens.

  7. In the App Portal Settings panel, you have the following options:

    • Select Authentication Type
    • Select Desired Identities
    1. If you select Select Authentication Type as Windows Authentication and Select Desired Identities as Active Directory Forest:
    Note: When the App Portal Settings panel opens, Windows Authentication will be selected as the default authentication type, and Active Directory Forest will be selected as the default identity source.

    In the App Portal Settings panel, enter the following information:

    | Property | Description |
    |---|---|
    | DNS Alias (A-Record) | Enter one of the following: If you have already created a DNS alias for the identity of the site, enter it in this field. Note: If you enter an alias, it needs to already be created on your DNS servers. The App Portal installer will not create it for you. Note: If you specify an alias, a DNS A-RECORD for that alias must be created in order to access the App Portal site. It is important that the alias be a DNS A-RECORD, and not a CNAME record. If you do not want to use an alias, you can accept the default value, which is the server machine name. Note: If you specify the server machine name, you do not need to create a DNS A-RECORD because one already exists for the server. Tip: After installation, you can edit the DNS Alias value on the General tab of the Site Management > Settings > Web Site view. |
    | AD Global Catalog Server | Enter the server value (if required). By default, the configured server details will be pre-populated. |
    | SMTP Server | Enter the name of the SMTP Server that will be used for relaying email. Note: You may need to configure the SMTP server internally to accept relay from this server’s IP address. Note: You can also enter the mail settings after installation on the Site Management > Settings > Email view. |
    | SMTP Account | Enter the SMTP account name. |
    | Computer Discovery Method | Select one of the following options to specify the method to use for discovering the active machine visiting the App Portal site. WebExtensions: If WebExtensions is selected, an administrator must ensure that the respective WebExtensions installer has been deployed and installed on each user's machine. A link to the installer is provided in the description provided next to the Primary computer discovery method field. Reverse DNS: Uses the reverse DNS zones in Active Directory (if present) to look up the computer name by IP address. Note: If you select Reverse DNS, every computer in your DNS will be discovered, not just those in SCCM. It only searches the Active Directory DNS, so if you have other DNS providers, it will not work. |

    1. If you select Select Authentication Type as Single Sign-On and Select Desired Identities as Active Directory Forest:

      The Single Sign-On Configuration panel opens.

      In the Single Sign-On Configuration panel, enter the following information:

      | Property | Description |
      |---|---|
      | Client ID | Enter the Client ID provided by your identity provider platform. |
      | Client Secret | Enter the client secret provided by your identity provider platform. |
      | Authorization end point | Enter the URL provided by your identity provider platform. |
      | Call back Url | Enter the following URL: http://YOURAPPPORTALSERVER/esd/oauth2SignOn.aspx?MethodToInvoke=CallBack |
      | Scope | Enter the URL provided by your identity provider platform. |
      | Profile end point | Enter the URL provided by your identity provider platform. |
      | Token end point | Enter the URL provided by your identity provider platform. |

    2. If you select Select Authentication Type as Single Sign-On and Select Desired Identities as Microsoft Entra ID:

      The Microsoft Entra ID Configurations panel opens.

      In the Microsoft Entra ID Configurations panel, enter the following information:

      | Property | Description |
      |---|---|
      | Microsoft Graph URL | Enter the Microsoft Graph URL. Note: By default, this field is pre-populated with the value https://graph.microsoft.com. This field can be configured with a country-specific Intune Government URL. For example, for US government the URL will be https://graph.microsoft.us. |
      | Azure Authentication URL | Enter the Azure authentication URL. Note: By default, this field is pre-populated with the value https://login.microsoftonline.com. This field can be configured with a country-specific Intune Government URL. For example, for US government the URL is https://login.microsoftonline.us. |
      | Tenant ID/Tenant Name | Provide the registered Tenant ID or Tenant Name associated with your Azure account. |
      | Client ID | Enter the Client ID of the registered application in Azure. |
      | Client Secret | Provide the secret key generated for the registered application. |
      | Principal ID | Enter the valid Principal ID to authenticate the application. |
      | Validate the access role permissions for Microsoft Entra ID | By default, this checkbox is selected. It verifies whether the necessary role permissions are granted and valid for accessing Microsoft Entra ID. |

      After entering the above details, click Next. A popup will appear with one of the following messages:

      • If the Validate the access role permissions for Microsoft Entra ID check box is selected, a popup will appear with the message: EntraID configuration settings are valid. Required permissions are successfully validated.
      • If the Validate the access role permissions for Microsoft Entra ID check box is not selected, a popup will appear with the message: EntraID configuration settings are valid.

      Click OK to continue. In the next Single Sign-On Configuration details panel, enter the following details:

      | Property | Description |
      |---|---|
      | Client ID | Enter the Client ID provided by your identity provider platform. |
      | Client Secret | Enter the client secret provided by your identity provider platform. |
      | Authorization end point | Enter the URL provided by your identity provider platform. |
      | Call back Url | Enter the following URL: http://YOURAPPPORTALSERVER/esd/oauth2SignOn.aspx?MethodToInvoke=CallBack |
      | Scope | Enter the URL provided by your identity provider platform. |
      | Profile end point | Enter the URL provided by your identity provider platform. |
      | Token end point | Enter the URL provided by your identity provider platform. |

    3. If you select Select Authentication Type as Single Sign-On and Select Desired Identities as Active Directory Forest and Microsoft Entra ID: The Microsoft Entra ID Configurations panel opens.

      In the Microsoft Entra ID Configurations panel, enter the following information:

      | Property | Description |
      |---|---|
      | Microsoft Graph URL | Enter the Microsoft Graph URL. Note: By default, this field is pre-populated with the value https://graph.microsoft.com. This field can be configured with a country-specific Intune Government URL. For example, for US government the URL will be https://graph.microsoft.us. |
      | Azure Authentication URL | Enter the Azure authentication URL. Note: By default, this field is pre-populated with the value https://login.microsoftonline.com. This field can be configured with a country-specific Intune Government URL. For example, for US government the URL is https://login.microsoftonline.us. |
      | Tenant ID/Tenant Name | Provide the registered Tenant ID or Tenant Name associated with your Azure account. |
      | Client ID | Enter the Client ID of the registered application in Azure. |
      | Client Secret | Provide the secret key generated for the registered application. |
      | Principal ID | Enter the valid Principal ID to authenticate the application. |
      | Validate the access role permissions for Microsoft Entra ID | By default, this checkbox is selected. It verifies whether the necessary role permissions are granted and valid for accessing Microsoft Entra ID. |

      After entering the above details, click Next. A popup will appear with one of the following messages:

      • If the Validate the access role permissions for Microsoft Entra ID check box is selected, a popup will appear with the message: EntraID configuration settings are valid. Required permissions are successfully validated.
      • If the Validate the access role permissions for Microsoft Entra ID check box is not selected, a popup will appear with the message: EntraID configuration settings are valid.

      Click OK to continue.

      Click Next. The Single Sign-On Configuration panel opens.

      In the Single Sign-On Configuration panel, enter the following details:

      | Property | Description |
      |---|---|
      | Client ID | Enter the Client ID provided by your identity provider platform. |
      | Client Secret | Enter the client secret provided by your identity provider platform. |
      | Authorization end point | Enter the URL provided by your identity provider platform. |
      | Call back Url | Enter the following URL: http://YOURAPPPORTALSERVER/esd/oauth2SignOn.aspx?MethodToInvoke=CallBack |
      | Scope | Enter the URL provided by your identity provider platform. |
      | Profile end point | Enter the URL provided by your identity provider platform. |
      | Token end point | Enter the URL provided by your identity provider platform. |

      Click Next. The App Portal Settings panel opens.

      In the next App Portal Settings panel, enter the following information:

      | Property | Description |
      |---|---|
      | DNS Alias (A-Record) | Enter one of the following: If you have already created a DNS alias for the identity of the site, enter it in this field. Note: If you enter an alias, it needs to already be created on your DNS servers. The App Portal installer will not create it for you. Note: If you specify an alias, a DNS A-RECORD for that alias must be created in order to access the App Portal site. It is important that the alias be a DNS A-RECORD, and not a CNAME record. If you do not want to use an alias, you can accept the default value, which is the server machine name. Note: If you specify the server machine name, you do not need to create a DNS A-RECORD because one already exists for the server. Tip: After installation, you can edit the DNS Alias value on the General tab of the Site Management > Settings > Web Site view. |
      | AD Global Catalog Server | Enter the server value (if required). By default, the configured server details will be pre-populated. |
      | SMTP Server | Enter the name of the SMTP Server that will be used for relaying email. Note: You may need to configure the SMTP server internally to accept relay from this server’s IP address. Note: You can also enter the mail settings after installation on the Site Management > Settings > Email view. |
      | SMTP Account | Enter the SMTP account name. |
      | Computer Discovery Method | Select one of the following options to specify the method to use for discovering the active machine visiting the App Portal site. WebExtensions: If WebExtensions is selected, an administrator must ensure that the respective WebExtensions installer has been deployed and installed on each user's machine. A link to the installer is provided in the description provided next to the Primary computer discovery method field. Reverse DNS: Uses the reverse DNS zones in Active Directory (if present) to look up the computer name by IP address. Note: If you select Reverse DNS, every computer in your DNS will be discovered, not just those in SCCM. It only searches the Active Directory DNS, so if you have other DNS providers, it will not work. |

    4. If you select Select Authentication Type as Windows Authentication and Select Desired Identities as Active Directory Forest and Microsoft Entra ID:

      Important: This option is not recommended for optimal functionality.

      The Microsoft Entra ID Configurations panel opens.

      In the Microsoft Entra ID Configurations panel, enter the following information:

      | Property | Description |
      |---|---|
      | Microsoft Graph URL | Enter the Microsoft Graph URL. Note: By default, this field is pre-populated with the value https://graph.microsoft.com. This field can be configured with a country-specific Intune Government URL. For example, for US government the URL will be https://graph.microsoft.us. |
      | Azure Authentication URL | Enter the Azure authentication URL. Note: By default, this field is pre-populated with the value https://login.microsoftonline.com. This field can be configured with a country-specific Intune Government URL. For example, for US government the URL is https://login.microsoftonline.us. |
      | Tenant ID/Tenant Name | Provide the registered Tenant ID or Tenant Name associated with your Azure account. |
      | Client ID | Enter the Client ID of the registered application in Azure. |
      | Client Secret | Provide the secret key generated for the registered application. |
      | Principal ID | Enter the valid Principal ID to authenticate the application. |
      | Validate the access role permissions for Microsoft Entra ID | By default, this checkbox is selected. It verifies whether the necessary role permissions are granted and valid for accessing Microsoft Entra ID. |

      After entering the above details, click Next. A popup will appear with one of the following messages:

      • If the Validate the access role permissions for Microsoft Entra ID check box is selected, a popup will appear with the message: EntraID configuration settings are valid. Required permissions are successfully validated.
      • If the Validate the access role permissions for Microsoft Entra ID check box is not selected, a popup will appear with the message: EntraID configuration settings are valid.

      Click OK to continue.

      Click Next. The App Portal Settings panel opens.

      In the App Portal Settings panel, enter the following information:

      | Property | Description |
      |---|---|
      | DNS Alias (A-Record) | Enter one of the following: If you have already created a DNS alias for the identity of the site, enter it in this field. Note: If you enter an alias, it needs to already be created on your DNS servers. The App Portal installer will not create it for you. Note: If you specify an alias, a DNS A-RECORD for that alias must be created in order to access the App Portal site. It is important that the alias be a DNS A-RECORD, and not a CNAME record. If you do not want to use an alias, you can accept the default value, which is the server machine name. Note: If you specify the server machine name, you do not need to create a DNS A-RECORD because one already exists for the server. Tip: After installation, you can edit the DNS Alias value on the General tab of the Site Management > Settings > Web Site view. |
      | AD Global Catalog Server | Enter the server value (if required). By default, the configured server details will be pre-populated. |
      | SMTP Server | Enter the name of the SMTP Server that will be used for relaying email. Note: You may need to configure the SMTP server internally to accept relay from this server’s IP address. Note: You can also enter the mail settings after installation on the Site Management > Settings > Email view. |
      | SMTP Account | Enter the SMTP account name. |
      | Computer Discovery Method | Select one of the following options to specify the method to use for discovering the active machine visiting the App Portal site. WebExtensions: If WebExtensions is selected, an administrator must ensure that the respective WebExtensions installer has been deployed and installed on each user's machine. A link to the installer is provided in the description provided next to the Primary computer discovery method field. Reverse DNS: Uses the reverse DNS zones in Active Directory (if present) to look up the computer name by IP address. Note: If you select Reverse DNS, every computer in your DNS will be discovered, not just those in SCCM. It only searches the Active Directory DNS, so if you have other DNS providers, it will not work. |

      Note: Today, the combination of Windows Authentication with Microsoft Entra ID as the Identity is not officially supported and is therefore not recommended.

  8. Click Next. The Ready to Install the Program panel opens.

  9. Click Install to begin the installation. When installation is complete, the Completed panel opens.

  10. Click Finish to close the installer.
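
A pre-flight check for the values this procedure asks for, written as an added example that is not part of the product or its guide. The setting names, the sample values, the rule that the callback host equals the planned DNS alias, and the https requirement on identity provider endpoints are assumptions; only the two Microsoft endpoint pairs named in the guide are recognised.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoint pairs named in the guide: the defaults and the US government example.
CLOUDS = {
    "graph.microsoft.com": "login.microsoftonline.com",
    "graph.microsoft.us": "login.microsoftonline.us",
}
CALLBACK_PATH = "/esd/oauth2SignOn.aspx"

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def check_settings(s):
    """Return a list of findings for a dict of planned installer values."""
    findings = []
    # Database Server panel: no "(Local)"; named instances use SERVERNAME\INSTANCE.
    db = s.get("db_server", "")
    if db.strip().lower() == "(local)":
        findings.append("db_server: do not use (Local)")
    elif db.count("\\") > 1 or db.startswith("\\") or db.endswith("\\"):
        findings.append("db_server: expected SERVERNAME or SERVERNAME\\INSTANCE")
    # Logon Information panel: the account is entered as Domain\Username.
    dom, sep, user = s.get("service_account", "").partition("\\")
    if not (dom and sep and user):
        findings.append("service_account: expected Domain\\Username")
    # Entra ID panel: Graph and authentication URLs must come from the same cloud.
    graph, auth = _host(s.get("graph_url", "")), _host(s.get("auth_url", ""))
    if graph or auth:
        if graph not in CLOUDS:
            findings.append(f"graph_url: host {graph!r} is not one the guide names")
        elif CLOUDS[graph] != auth:
            findings.append(f"auth_url: {auth!r} does not pair with {graph!r}")
    # Single Sign-On panel: path and query are fixed by the guide.
    cb = urlsplit(s.get("callback_url", ""))
    if s.get("callback_url"):
        if cb.path != CALLBACK_PATH or parse_qs(cb.query) != {"MethodToInvoke": ["CallBack"]}:
            findings.append("callback_url: path or query differs from the guide")
        # Assumption: YOURAPPPORTALSERVER is the name users browse to (the DNS alias).
        if (cb.hostname or "").lower() != s.get("dns_alias", "").lower():
            findings.append("callback_url: host differs from dns_alias")
    # Assumption (added hardening check): IdP endpoints are absolute https URLs.
    for key in ("authorization_endpoint", "token_endpoint", "profile_endpoint"):
        if key in s and (urlsplit(s[key]).scheme != "https" or not _host(s[key])):
            findings.append(f"{key}: expected an absolute https URL")
    return findings

# Constructed sample values (not from the guide), with three deliberate mistakes.
SAMPLE = {
    "db_server": "SQL01\\APPPORTAL",
    "service_account": "CONTOSO\\svc-appportal",
    "dns_alias": "appportal.contoso.example",
    "graph_url": "https://graph.microsoft.us",
    "auth_url": "https://login.microsoftonline.com",
    "callback_url": "http://web01/esd/oauth2SignOn.aspx?MethodToInvoke=CallBack",
    "authorization_endpoint": "https://idp.contoso.example/authorize",
    "token_endpoint": "http://idp.contoso.example/token",
}

if __name__ == "__main__":
    print("\n".join(check_settings(SAMPLE)))
```

The sample mixes a US government Graph URL with the commercial sign-in URL, registers the callback under the machine name instead of the alias, and uses a plain-HTTP token endpoint, so three findings are reported.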