Some things I have learned using the Fresh PowerShell Automation App

  • 21 September 2022

I’ve been working with Freshservice automation and its PowerShell Orchestration App for over a year now, and I thought I’d share some of the things I’ve learned.

The PowerShell App times out after around 23 seconds.

This is apparently the length of time it takes to poll the process 10 times - if there’s no response after this, the Orchestration/Workflow just forgets about it.

Errors are different depending on whether you’re running a PowerShell function or a PowerShell script.

If you’re anticipating an error in the Automation workflow, you can usually capture it by looking for a response from the app that isn’t 200 (or greater than 299, if you might expect another 2xx code). Whilst this works fine for PowerShell functions, it doesn’t work for PowerShell scripts - call a .ps1 file, and the result will always be ‘200’, even if your script fails.

Tagging a ticket does not trigger an ‘Updated’ event.

Workflows begin with triggers, such as ‘Service Request raised’ or ‘Ticket updated’. But just adding a tag to a ticket doesn’t appear to be classed as a ticket ‘update’ (neither do adding notes or replies). To update a ticket you need to change the subject, status, type, priority, source, urgency, impact, agent group or agent. 

Deleting a ticket will mark all of its outstanding tasks as ‘Completed’

This may not seem like a major issue on the face of it, but if you have automations that run when tasks are completed, then those automations will be run. I have let Fresh know about this ‘feature’ and I believe it’s in their ‘to-do’ list to change the behaviour to having tasks cancelled instead.

 

 

I’ll add to the list as and when I encounter (or remember) things, but at our organisation, over 40% of our service requests are serviced by automation (by which I mean PowerShell invoked from the Automation Workflow), and I’m aiming to increase this yet further.


8 replies

Userlevel 3
Badge +6

Out of interest, what are some automations you are doing with Powershell. Currently we use it for AD User and Group automation only. Be good to hear some other use cases. 

Userlevel 3
Badge +2

Out of interest, what are some automations you are doing with Powershell. Currently we use it for AD User and Group automation only. Be good to hear some other use cases. 

 

It isn’t that dissimilar - where we use SSO for access, it is just adding users to the appropriate groups. However, there are some where we’ve added a bit more ‘value’ into the process.


For example, with Microsoft Office products, when someone requests access, we also check to see how many licenses are available. If none are available, the ticket will be put in the provisioning/procurement team’s queue.

 

Some applications have their own administrators who need to approve access. For these, following approval by the line/reporting manager, an extra approval step is there which asks for approval from the relevant administrators group. This utilises records in a Custom Object, which is updated nightly with the list of administrators for each application.

 

There are also some cloud applications we give access to, where I’ve created PowerShell modules to interact with the relevant APIs to create and assign permissions to users, where SSO is not available.

 

I’ve also been working on group requests, where someone requests to be added to a security group or a distribution group, the group manager(s) are emailed for approval - again using records in a custom object.

We also created a ‘New Starter Form’ as a service catalog item. This raises a service request for HR (a restricted group), and when the HR agent marks a task complete to say the signed employment contract has been received, another ticket is raised for the corporate IT function to process, as well as an email being sent out with the relevant details to notify other departments (such as finance) of the new addition. This was quite complex, switching between ticket automations and task automations to accomplish the end goal.

We also have some maintenance/routine processes, where scheduled tickets are raised for:

  • Checking the ‘health’ of the Active Directory estate
  • Dropping penetration scan reports (once generated) to areas for parts of the business to access
  • Updating Fresh Custom Objects
  • License reclamation (any licensed products that are not used for a couple of months are removed from the user)

We’re also looking at how to order from our supplier via automation - the PowerShell module is mostly written to work with their API, we just need to work out the overall process and guidelines (approval processes, budget limits, how purchase orders will work, etc.) before we can implement.

Userlevel 3
Badge +2

Out of interest, what are some automations you are doing with Powershell. Currently we use it for AD User and Group automation only. Be good to hear some other use cases. 

 

I’m sure I posted a response to this earlier, but it isn’t here. So I’ll try to remember what I said…

Access is granted to applications in various ways. Where SSO is available, we would just use AD User/Group cmdlets. With some applications (e.g. MS Office apps), there is a check to see how many licenses are available, and if there are none, the ticket is passed on to another team to procure additional licenses.

Some applications require approval from an administration team, so we populate records in a Custom Object to facilitate the approvals. These records are updated nightly based on the membership of the relevant AD group. If an administrator makes the request, the approval processes are bypassed.

For some cloud applications that do not fully support SSO I’ve created PowerShell modules that allow users to be provisioned and permissions granted via APIs. 

There are also workflows that facilitate license reclamation. These are usually weekly or monthly tickets, and will remove access to users that haven’t used an application for a couple of months.

We have service catalog items that will create Security and Distribution Groups, prompting for the required information for audit purposes.

I’ve also created a workflow that allows end users to request to be added to an AD Security Group or an Exchange Distribution Group. Before being added to the group, approval is requested from the group manager(s). This also utilises Fresh Custom Objects.

There’s a service catalog item for the Service Desk agents only, that allows them to provision new users. It creates the user in AD, populates the appropriate groups, configures Exchange routing, and adds them to a particular Azure AD group. Needless to say, this would time-out, as the entire process can take up to an hour, so the function updates the ticket via the API.

There’s also a ‘New Starter’ catalog item. Hiring managers complete this, and the form is sent to HR (who are also agents in Freshservice). This uses both ticket and task automations, an example of which is when a task is completed to say the signed employment contract has been received, a new Fresh ticket is raised for corporate IT to provision the new user (without any sensitive employee data), and an email is also sent to notify other departments of the new starter (such as finance for payroll), so they can make the appropriate arrangements. Some of the fields in the New Starter form are populated by Custom Objects (e.g. if a mobile phone is part of the package, the handset can be selected from a pre-defined list).

There are also some regular/maintenance tickets/processes which:

  • generate reports on the health of the Active Directory estate
  • download pen testing reports and drop them in locations accessible to the interested parties
  • update the custom objects for administrators, group owners, mobile phone handset list, etc.
  • disable and remove groups from ‘expired’ user accounts, then after a period of time, delete these accounts from AD
  • disable accounts determined to be ‘dormant’ (i.e. not used in a while)

In the pipeline, we are looking at being able to automate the ordering of IT equipment - the PowerShell module to interface with our supplier’s API is nearing completion, so we’ll need to figure out how the overall process will need to work.

 

Userlevel 3
Badge +6

Some inspiration there for my dept. thank you

I am new to the app; we have not worked with it before.

Many people already know its skills, and each one of them is earning money.

we are new to freshservice and start our onboarding next week.

23 seconds is really short, are you saying any single call from the workflow to the on prem powershell server has to be completed within 23 seconds? 

 

 

Userlevel 3
Badge +2

we are new to freshservice and start our onboarding next week.

23 seconds is really short, are you saying any single call from the workflow to the on prem powershell server has to be completed within 23 seconds? 

 

 

Hello George

23 seconds is approximate, but yes - if the call to PowerShell takes longer, then the workflow won’t continue, effectively timing-out that session.

Where I’ve had processes taking longer than this time, I would write a function that would make calls back to the Freshservice API to update the ticket to update the progress (I created a FreshAPI module to facilitate this - see my post here)

Reply
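The pattern described in the reply above, where a function that outlives the roughly 23-second window reports back to the ticket itself, shown as an added example that is not part of the thread and is not the poster's FreshAPI module. It assumes Freshservice's v2 REST endpoint for ticket notes with API-key basic authentication; the function names and the FS_TENANT and FS_API_KEY environment variables are hypothetical.

```powershell
# Added example; all function and variable names here are hypothetical.
function Add-TicketProgressNote {
    param(
        [Parameter(Mandatory)] [long]   $TicketId,
        [Parameter(Mandatory)] [string] $Message,
        # Assumption: tenant name and API key are supplied by the environment,
        # so the key never sits in the script or in the workflow definition.
        [string] $Tenant = $env:FS_TENANT,
        [string] $ApiKey = $env:FS_API_KEY
    )
    # Windows PowerShell 5.1 may not negotiate TLS 1.2 unless told to.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # The API key is sent as the basic-auth user name with a dummy password.
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${ApiKey}:X"))
    $body  = @{ body = $Message; private = $true } | ConvertTo-Json
    $uri   = "https://${Tenant}.freshservice.com/api/v2/tickets/$TicketId/notes"
    Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/json' `
        -Headers @{ Authorization = "Basic $token" } | Out-Null
}

function Invoke-LongRunningSteps {
    param(
        [Parameter(Mandatory)] [long] $TicketId,
        # Ordered map of step name -> script block, run in insertion order.
        [Parameter(Mandatory)] [System.Collections.Specialized.OrderedDictionary] $Steps
    )
    $ErrorActionPreference = 'Stop'   # turn non-terminating errors into catchable ones
    foreach ($name in $Steps.Keys) {
        try {
            & $Steps[$name] | Out-Null
            Add-TicketProgressNote -TicketId $TicketId -Message "Step '$name' completed."
        }
        catch {
            # The workflow has stopped polling by now, so the ticket is the only
            # place a failure can surface. The note is private because exception
            # text can contain account names or paths.
            Add-TicketProgressNote -TicketId $TicketId `
                -Message "Step '$name' FAILED: $($_.Exception.Message)"
            throw
        }
    }
    Add-TicketProgressNote -TicketId $TicketId -Message 'All steps completed.'
}

# Constructed usage (ticket number and step are sample values):
# Invoke-LongRunningSteps -TicketId 12345 -Steps ([ordered]@{
#     'Create AD user' = { New-ADUser -Name 'Test User' }
# })
```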