You can set up a smart group looking for a certain user group a user is in. I don't think that will work for computers. Besides that, you can bind computers to a certain OU with the AD bind policy.
Apple doesn't speak GPO, so GPO workflows, such as applying something to an entire OU, don't apply to Jamf.
You can, however, scope user AD groups for policies and configuration profiles.
Depends on what your end goal is. For us, we generally create smart groups looking for certain X (files, apps, directory, etc.) and then the policies apply to those smart groups. In other situations, it's a deploy to all. All depends on how you need it to work.
Came up with a workflow that helped in several companies:
Get assigned user:
#!/bin/bash
# Jamf policy script: look up this computer's assigned user via the Classic API
# and cache it locally for the LDAP script that runs next.
# Create folder
/bin/mkdir -p /Library/COMPANY/APIscripts
/bin/chmod -R 755 /Library/COMPANY/APIscripts
/usr/sbin/chown root:staff /Library/COMPANY/APIscripts
# Parameters (Jamf script parameters 4-6)
apiUser="$4"
apiPass="$5"
jssURL="$6"
outputFile="/Library/COMPANY/APIscripts/checkAssignedUser.txt"
# Hardware UUID of this Mac, with the surrounding quotes stripped
uuid=$( /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/grep UUID | /usr/bin/awk '{ print $3 }' | /usr/bin/sed -e 's/"//g' )
# Fetch the computer record and pull the assigned username out of the XML.
# -k skips TLS certificate verification; drop it once the JSS certificate is trusted by the Mac.
assignedUser=$( /usr/bin/curl -s -k -u "${apiUser}:${apiPass}" "${jssURL}/JSSResource/computers/udid/${uuid}" | /usr/bin/xpath '/computer/location/username/text()' 2>/dev/null )
/bin/echo "${assignedUser}" > "${outputFile}"
exit 0
Get LDAP groups for assigned user:
#!/bin/bash
# Jamf policy script: query AD for the assigned user's group memberships and
# cache the group names locally for the extension attribute to read.
# Create script folder
/bin/mkdir -p /Library/COMPANY/LDAP
/usr/sbin/chown -R root:wheel /Library/COMPANY/LDAP
/bin/chmod -R 755 /Library/COMPANY/LDAP
# Parameters (Jamf script parameters 4-7)
ldapUser="$4"
ldapPass="$5"
ldapUrl="$6"
ldapDns="$7"
assignedUser=$( /bin/cat /Library/COMPANY/APIscripts/checkAssignedUser.txt )
outputFile="/Library/COMPANY/LDAP/LDAP_Groups.txt"
# Nothing to look up if the previous script found no assigned user
if [ -z "${assignedUser}" ]; then
    echo "No assigned user found, exiting..."
    exit 0
fi
# LDAP query
if ping -c 1 "${ldapDns}" &> /dev/null
then
    echo "LDAP reachable, running query..."
    # -o ldif-wrap=no keeps each memberOf DN on a single line so the cut pipeline sees the whole value;
    # the group name is the CN, i.e. the text between the first "=" and the first ",".
    # -w puts the password in the process list; ldapsearch -y <root-only file> avoids that.
    /usr/bin/ldapsearch -LLL -o ldif-wrap=no -H "${ldapUrl}" -x -D "${ldapUser}" -w "${ldapPass}" -b "dc=XXXX,dc=XXXX,dc=XXXX" "(sAMAccountName=${assignedUser})" memberOf | grep memberOf | cut -f2 -d "=" | cut -f1 -d "," > "${outputFile}"
else
    echo "LDAP not reachable, exiting..."
fi
exit 0
Check assigned user per LDAP group:
#!/bin/bash
# Jamf extension attribute: reports whether the assigned user is in one AD group.
# Copy it once per group and change ldapGroup, then build a Smart Computer Group on the result.
ldapGroup="NameOfLDAPgroup"
#---- Do not edit below ----
file="/Library/COMPANY/LDAP/LDAP_Groups.txt"
# -x matches the whole line and -F takes the name literally, so "Sales" does not
# report Member for "SalesAdmins"; a missing cache file also reports NotAMember.
if [ -f "${file}" ] && grep -qxF -- "${ldapGroup}" "${file}"; then
    echo "<result>Member</result>"
else
    echo "<result>NotAMember</result>"
fi
Then create your Smart Computer Groups.
PS, we went with ldapsearch to avoid searching the local dscl cache.
HTH,
Don
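An added example (my code, not Don's and not anything Jamf ships) showing the two parsing steps that the second and third scripts above depend on, and where they go wrong: ldapsearch folds long LDIF values onto a continuation line that starts with a space, so a plain `grep memberOf` drops the tail of a long DN, and a substring grep reports "Sales" as a member of "SalesAdmins". The LDIF text, the group names and the function names below are constructed for the demonstration; it generalizes the cut pipeline into an unfold-then-extract step and an exact-line membership check.

```shell
#!/bin/bash
# Constructed sample of what `ldapsearch -LLL` returns for one user (not real data).
# LDIF folds long attribute values at 76 columns and continues them on a line
# that begins with a single space; the "Sales" DN below is folded that way.
SAMPLE_LDIF='dn: CN=Jane Doe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
memberOf: CN=SalesAdmins,OU=Groups,DC=example,DC=com
memberOf: CN=Sales,OU=Groups,OU=Really Long Organizational Unit Name For Tes
 ting,DC=example,DC=com
memberOf: CN=Mac Users,OU=Groups,DC=example,DC=com
'

# Unfold LDIF continuation lines, then print the CN of every memberOf DN, one per line.
# (A CN containing an escaped comma "\," would still be truncated, as with the cut pipeline.)
ldif_groups() {
  printf '%s' "$1" \
    | awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation line: append to previous
        { if (buf != "") print buf; buf = $0 }   # new attribute line: flush the previous one
        END { if (buf != "") print buf }
      ' \
    | sed -n 's/^memberOf: CN=\([^,]*\),.*/\1/p'
}

# Exact, case-sensitive match of a whole line (-x) taken literally (-F),
# so "Sales" is not reported as a member of "SalesAdmins".
is_member() {
  local group="$1" groups="$2"
  printf '%s\n' "$groups" | grep -qxF -- "$group"
}

# Same output format as the extension attribute script above.
ea_result() {
  local group="$1" groups="$2"
  if is_member "$group" "$groups"; then
    echo "<result>Member</result>"
  else
    echo "<result>NotAMember</result>"
  fi
}

# Usage: list the groups, then report membership for one of them.
groups=$(ldif_groups "$SAMPLE_LDIF")
printf 'Groups found:\n%s\n' "$groups"
ea_result "Sales" "$groups"
```

In the real policy script the LDIF would come from ldapsearch instead of `SAMPLE_LDIF`; the unfolding step makes the parse independent of whether `-o ldif-wrap=no` is available, and the exact match is what stops one extension attribute from silently scoping a policy to a superset of the intended group.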
Thanks for the response. When I say applying policies, it is not Windows policies I am thinking about, but applying policies from Jamf to e.g. an OU or AD groups. But as I understand it, it is AD groups that are supported.