Skip to main content

Hi there,

 

I'm currently seeing behaviour from jamf scoping with exclusions.

We have 1 configuration that applies based on "All manage devices" excluding "Devices on macOS Ventura without Sophos Monterey Config Installed".

The problem is, it looks like when enrolling the device, if scope criteria is checked for "All managed devices" before "Devices on macOS Ventura without Sophos Monterey Config Installed" criteria then it will install on that Ventura device anyway as if the device is actually not part of "Devices on macOS Ventura without Sophos Monterey Config Installed" scope exclusion.


 

I cant think of a way around this except to somehow get the criteria checked for "Devices on macOS Ventura without Sophos Monterey Config Installed" first. 

 

Most likely what's happening is that jamf has to perform a task to verify if the criteria of the config profile existing is met but the device is already part of all managed devices and not part of the exclusion YET until that task is completed.

All Devices is probably triggering the install before the mac has had time to run an inventory update and be populated into the smart group.

The workaround I would use for this is not scoping the application to "All Devices" with an exclusion but by Scoping it to a new Smart Group with setting like this:
Computer Group > Not Member of > Devices on macOS Ventura without Sophos Monterey Config Installed

By Doing it this way, even if it's convoluted, you are ensuring that the primary scope smart group is ALWAYS populated correctly before the app gets sent out. 

All Devices is probably triggering the install before the mac has had time to run an inventory update and be populated into the smart group.

The workaround I would use for this is not scoping the application to "All Devices" with an exclusion but by Scoping it to a new Smart Group with setting like this:
Computer Group > Not Member of > Devices on macOS Ventura without Sophos Monterey Config Installed

By Doing it this way, even if it's convoluted, you are ensuring that the primary scope smart group is ALWAYS populated correctly before the app gets sent out. 


Hi @mickgrant thanks for your response this is actually the conclusion I came to myself, I've done this yesterday and even added an extra criteria to check if the device has said profile making it so that this smart group would have to wait until an inventory update is done as well before it can propagate.

I tested it between Monterey to Ventura upgrade and Ventura fresh install and things work as intended. Thanks.

Reply


Terms & ConditionsCookie settings