
We have some Entra integration in our environment. We use Connect, have enrollment customizations, etc.


The issue I’m having is that while I can see AD groups, it seems Jamf can’t see memberships (I’m assuming). When I attempt to scope a policy/config profile to an AD group (scope to everyone, limit to the AD group), it still goes to everyone with no limiting. I’m sure there’s a setting I’m missing. Has anyone seen this?

Have you tried using the Extension Attribute to Directory service attribute mapping? It will lookup Entra groups and present as an EA. Then you can create a Smart Group with the attribute, and scope policies/profiles. Use memberOf.displayName to list all the groups associated with the user in Entra.

So you need to scope to ALL COMPUTERS and SPECIFIC USERS. Then limit it to your group.

That’s how that works.


That’s what I’m doing (sorry misspoke). The scope shows “no targets” and logs show every machine pending (not limited to the group).


That is how that works. We’ve been doing it like this for years now and that’s the expected behavior.


The issue is, though, it’s not limiting. EVERY machine is getting the policy in question, not just those with group membership.


We tried this as well. The outcome was better, but still did not produce the expected result (only showed 18 out of a group of 800).


I think you’re bumping into this:


Basically, if your username on the device doesn’t match what’s in the group (samAccountName vs UPN or whatnot), then it won’t process.

Easiest way to test this is in Self Service: make the policy available in Self Service, let a user in that limited group log in and see if it’s scoped to them. If so, then your mappings for your cloud IdP don’t exactly match the login user account to reference against.


Oh and every machine will “get the policy” in a pending status because those users can theoretically log into every machine.
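The identifier mismatch described in the reply above (short name on the device, UPN in the group, or the other way round) can be checked offline before touching Self Service. The script below is an added example, not code from this thread or from Jamf; it compares a list of Jamf computer usernames against an Entra group member list and buckets each computer by whether a user limitation could ever match it. All records are constructed for the example. The field names mimic the Jamf Pro computers-inventory `username` field and a Microsoft Graph group-members response, but nothing here contacts either API, and the `attribute` parameter is a simplification of the cloud IdP user-mapping setting (an assumption, not Jamf's actual option name).

```python
"""Added example (not code from this thread): an offline check for the
username mismatch that breaks user-based scoping.

Jamf Pro keeps one "Username" value per computer. Entra group members carry
a userPrincipalName (UPN) and, for accounts synced from on-premises AD, an
onPremisesSamAccountName. A user-based limitation can only take effect on a
computer whose Jamf username equals the identifier the cloud IdP mapping
compares against. The functions below bucket each computer as
match / case-mismatch / mismatch / no-user, which is the "18 out of 800"
picture from the thread in miniature.

Assumption: the records are constructed; the "attribute" argument stands in
for the Jamf Pro cloud IdP user-mapping choice and is not a real setting name.
"""
from collections import Counter

# Constructed sample: the username Jamf Pro holds for each computer.
JAMF_INVENTORY = [
    {"name": "MBP-ALICE", "username": "alice"},                   # short name only
    {"name": "MBP-BOB",   "username": "bob@corp.example.com"},    # full UPN
    {"name": "MBP-CAROL", "username": "Carol@corp.example.com"},  # UPN, different case
    {"name": "MBP-DAVE",  "username": "dave.smith"},              # matches nothing
    {"name": "MBP-ERIN",  "username": ""},                        # no user assigned
]

# Constructed sample: members of the Entra group used in the limitation.
ENTRA_GROUP_MEMBERS = [
    {"userPrincipalName": "alice@corp.example.com", "onPremisesSamAccountName": "alice"},
    {"userPrincipalName": "bob@corp.example.com",   "onPremisesSamAccountName": "bsmith"},
    {"userPrincipalName": "carol@corp.example.com", "onPremisesSamAccountName": "carol"},
    {"userPrincipalName": "dave@corp.example.com",  "onPremisesSamAccountName": "dsmith"},
]


def index_members(members, attribute):
    """Map each member's value of `attribute` (exact case) to the member record."""
    return {m[attribute]: m for m in members if m.get(attribute)}


def classify(username, table):
    """Bucket one Jamf username against the group's identifier table."""
    if not username:
        return "no-user"            # nothing for a user limitation to evaluate
    if username in table:
        return "match"              # identical string: the limitation applies
    if username.lower() in {k.lower() for k in table}:
        return "case-mismatch"      # same account, different case; check what your tenant tolerates
    return "mismatch"               # e.g. short name stored where a UPN is expected, or vice versa


def scope_report(inventory, members, attribute):
    """Return (per-computer bucket, bucket counts) for one mapping attribute."""
    table = index_members(members, attribute)
    per_computer = {c["name"]: classify(c["username"], table) for c in inventory}
    return per_computer, dict(Counter(per_computer.values()))


if __name__ == "__main__":
    for attribute in ("userPrincipalName", "onPremisesSamAccountName"):
        per_computer, counts = scope_report(JAMF_INVENTORY, ENTRA_GROUP_MEMBERS, attribute)
        print(f"mapping on {attribute}: {counts}")
        for name, bucket in per_computer.items():
            print(f"  {name:10} {bucket}")
```

Run as-is, the two reports show that the same five computers give one match under a UPN mapping and a different single match under a sAMAccountName mapping, so neither mapping alone covers the fleet until the Jamf username field is populated consistently. To use it against a real tenant, replace the two constructed lists with the output of the Jamf Pro API computers-inventory endpoint and a Graph group-members query; the "mismatch" and "case-mismatch" buckets are the machines that will sit in "pending" forever.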


@rpayne any update? I do think I hit the nail on the head with the snippet from the documentation of what you (and a lot of others) run into with user-based scoping.


@Chubs I have not had a second to test the theory yet. I will likely do it today. I did notice however, the smart group we have created based on an EA is SLOWLY populating (470 machines in 48 hrs).