Deny previously approved application request

Is there a way to revoke an application that was approved in SCCM 2012?

Scenario: 

User A requests app A and it is approved, then that user moves to a different department or role that no longer requires them to have access to this app.

I know I can uninstall the application but the user could just go back in to the application catalog and reinstall the app. Is there any way to deny an application once it has already been approved?

May 20th, 2012 6:03am

No, there is no way from the console to remove the approved status from an application.
May 20th, 2012 9:23am

Let me add that you can control access to the applications by creating deployments for the appropriate user collections. For example, if the application is deployed to a collection that only contains certain users or security groups, the user not in the collection or security group will not see the application in the Application Catalog.

May 20th, 2012 10:24am

Hi - I asked pretty much the same question last night and got a good answer: http://social.technet.microsoft.com/Forums/en-US/configmanagerapps/thread/25372c4c-921b-4f57-a328-4568fc11b225

I agree the most logical thing to do would be to have a mechanism for revoking that application, but in the meantime use either:

a) Deployment type requirements to limit the scope of where the application can be deployed to. Assuming you set this up correctly in the first instance a person moving to a different role shouldn't cause a problem as they won't be eligible to install it.

b) Deployment to collections that consist of security groups and not direct user links. That way when the user changes department they won't be in the collection any more and won't see the app.


I was trialling this in my test environment last night and basically did the following:

1) Create collection for "Sales" that is limited to the AD security group "gSales"

2) Create application with deployment type native MSI that has the requirements (User) of "Primary PC == True".

3) Create user based deployment of the application to the Sales collection


So... when the user moves group they will no longer be able to see the application to install, as the deployment isn't advertised to them. Also, in the meantime, assuming they regularly use 3 PCs, they will see it advertised on all PCs via the Application Catalog but can only issue the install on their primary PC, thereby limiting Bob to using 1 licence and not a potential 3 licences.

I suspect/hope a more practical "revoke" will come in SP1, but this will suffice until then.

Cheers




May 20th, 2012 2:39pm
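The three steps in the post above, scripted as an added example that is not part of the original thread. It assumes the cmdlet names of the current ConfigurationManager PowerShell module (the 2012 RTM module may differ); `CONTOSO`, `gSales`, `Sales` and `App A` are placeholders.

```powershell
# Added example, not from the thread. Run in a ConfigMgr PowerShell session
# (ConfigurationManager module imported, location set to the site drive).
# CONTOSO, gSales, "Sales" and "App A" are placeholder names.

$collectionName = 'Sales'
$adGroup        = 'CONTOSO\\gSales'   # WQL needs the backslash doubled
$appName        = 'App A'

# 1) User collection whose only membership rule is the AD security group,
#    so leaving the group removes the user from the collection.
New-CMUserCollection -Name $collectionName `
    -LimitingCollectionName 'All Users and User Groups' | Out-Null

$wql = 'select SMS_R_User.ResourceId from SMS_R_User ' +
       "where SMS_R_User.UserGroupName = `"$adGroup`""
Add-CMUserCollectionQueryMembershipRule -CollectionName $collectionName `
    -RuleName 'Members of gSales' -QueryExpression $wql

# 2) The "Primary PC == True" user requirement is configured on the
#    deployment type in the console (Requirements tab); not scripted here.

# 3) User-based, available deployment that still requires approval,
#    targeted at the group-backed collection instead of "All Users".
New-CMApplicationDeployment -Name $appName -CollectionName $collectionName `
    -DeployAction Install -DeployPurpose Available -ApprovalRequired $true

# Check: a direct membership rule would keep a user in scope after they
# leave the AD group, which defeats the point of option (b).
$direct = Get-CMUserCollectionDirectMembershipRule -CollectionName $collectionName
if ($direct) {
    Write-Warning "Collection '$collectionName' has direct user rules:"
    $direct | Select-Object RuleName, ResourceId
} else {
    Write-Output "Collection '$collectionName' is populated by query rules only."
}
```

Re-running the final check periodically catches direct user links added to the collection later.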

Yeah, adding on to what Anton was saying...

I'm not a huge fan of Deploying an application that requires approval to "All Users".  I think you're much better off limiting who can see that instead based on SCCM Collections (which could be tied to AD groups if that's how you manage things).  Then of course bring UDA into the mix so that you don't have an end user running around giving everyone the app that they are approved to install.  Hold them to just their primary device.

Of course if you use App-V then perhaps you could still let them have it everywhere they go... but only install the virtualized version on their non-primary rather than the full install (and have it remove itself when they log off).

May 21st, 2012 7:57pm

If you delete the user object from "\Assets and Compliance\Overview\Users" , the Approval Request will be removed.

It's no easy feat... you'd need to:

  1. capture all other information related to that user object (UDA, Approval Requests etc) - use the PowerShell cmdlets
  2. delete the user object
  3. run a full AD user discovery
  4. restore the captured information from step 1- I haven't looked into how to do this yet

April 14th, 2013 4:30pm

This is an interesting idea... Going to look into this. If fully automated it might be just the solution we need until (hopefully) Microsoft realizes how the lack of this feature sure is crippling. :-/

July 24th, 2013 2:12pm
