Solved

Smart Group membership based on EntraID membership

  • April 2, 2024
  • 11 replies
  • 497 views

Fjordmonkey

New and somewhat confused JAMF-user here, and thus: silly questions.

I'm using Entra as my Cloud Identity provider and I'm trying to create a smart user group based on membership in an Entra-group (JAMF_KLA) in order to build configurations for said usergroups. But I cannot for the life of me get it to work (nor do I know if it's actually possible).

Looked at the mapping of both the SUG and in the CIP-setup, and everything there looks like it should work. Can also do a test against various users, and it works (User that is in the Entra-group gets green checkmark, user that is not in group gets red checkmark). Which tells me that the lookup is working.

I see that I can also add users from a Directory Service from the Settings-menu. However, is that only for admins/auditors? I see that there's an option for Enrollment Only. Does this mean that the imported users do *not* have access to the JAMF-console?

11 replies

mvu
  • Jamf Heroes
  • Answer
  • April 2, 2024

This should be doable, especially if your LDAP test lookups are working. It sounds like it is.

My first note would be to put a ticket in with your Jamf Support and see if you can get help there. They helped me with this...

• You could implement an EA with the Directory Service Attribute Mapping and "memberOf" to pull in group memberships.

• From there, you'd create a smart group with criteria for that EA to build configurations for the EntraID memberships.

• I look up these groups after the EA is run, and search for the membership in the computer, inventory, and extension attribute listings.


Fjordmonkey
  • Author
  • New Contributor
  • April 3, 2024

Thanks, will have a look!


Fjordmonkey
  • Author
  • New Contributor
  • April 3, 2024

Had to check the box "Collect user and location information from Directory Service" under Settings - Device Management - Inventory Collection before I had the option of using the Directory Service Attribute Mapping. Will test further, but looks promising.

Thanks for the help and response!


mvu
  • Jamf Heroes
  • April 3, 2024

Nice catch. We had this checked already, but good to add to notes.

If it helps, I replicated this for iOS mobile devices and Macs. Should work for you if you have Macs too.


mtory
  • New Contributor
  • June 27, 2024

@mvu Hey Obi-K, I was trying this for Directory Service Attribute Mapping and "memberOf" for Entra ID and it isn't working. Could this be a mapping issue?

Any thoughts?


mvu
  • Jamf Heroes
  • June 27, 2024

• When you go to a computer or a device inventory tab, and Extension Attributes, are there LDAP groups listed under EA?

• Did you do an inventory update on the device/s?

• When you run an LDAP "test" connection, is it successful under Settings, LDAP Server?

• Did you check the "Collect user and location information from Directory Service" box under Settings, Inventory Collection?
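An added example, not from the thread and not Jamf's code, that turns the checklist above into an offline check: given inventory JSON in the shape the Jamf Pro API's computers-inventory endpoint returns (that shape and the EA name "Entra Groups" are assumptions), it reports which computers a smart-group criterion on the memberOf EA would match and which have an empty EA, the state that points at the mapping or a missing inventory update rather than at the criterion.

```python
import json
import re

# Added example, not Jamf's code. The EA name and the API JSON shape below
# (GET /api/v1/computers-inventory?section=EXTENSION_ATTRIBUTES) are assumptions.
EA_NAME = "Entra Groups"      # assumed name of the Directory Service-mapped EA
TARGET_GROUP = "JAMF_KLA"     # Entra group from the original question

# Constructed sample payload, not captured from a real Jamf Pro server.
SAMPLE_INVENTORY = json.dumps({"results": [
    {"general": {"name": "mac-01"}, "extensionAttributes": [
        {"name": EA_NAME, "values": ["CN=JAMF_KLA,OU=Groups,DC=example,DC=com",
                                     "CN=All Staff,OU=Groups,DC=example,DC=com"]}]},
    {"general": {"name": "mac-02"}, "extensionAttributes": [
        {"name": EA_NAME, "values": ["CN=All Staff,OU=Groups,DC=example,DC=com"]}]},
    {"general": {"name": "mac-03"}, "extensionAttributes": [
        {"name": EA_NAME, "values": []}]},                  # mapping returned nothing
    {"general": {"name": "mac-04"}, "extensionAttributes": []},  # EA not on record
]})

_CN = re.compile(r"^CN=([^,]+)", re.IGNORECASE)

def group_names(values):
    """Reduce memberOf values (DNs or plain names) to case-folded group names."""
    names = set()
    for v in values:
        m = _CN.match(v.strip())
        names.add((m.group(1) if m else v.strip()).casefold())
    return names

def classify(inventory_json, ea_name=EA_NAME, group=TARGET_GROUP):
    """Bucket computers as member / not_member / ea_empty for the target group.

    ea_empty is the state the thread describes: the EA holds no groups at all, so
    no smart-group criterion on it can ever match. Those devices need the mapping
    and the inventory-collection setting checked and a fresh inventory update.
    """
    buckets = {"member": [], "not_member": [], "ea_empty": []}
    for comp in json.loads(inventory_json)["results"]:
        values = [v for ea in comp.get("extensionAttributes", [])
                  if ea.get("name") == ea_name for v in ea.get("values", [])]
        if not values:
            bucket = "ea_empty"
        elif group.casefold() in group_names(values):
            bucket = "member"
        else:
            bucket = "not_member"
        buckets[bucket].append(comp["general"]["name"])
    return buckets
```

Calling `classify(SAMPLE_INVENTORY)` on the constructed payload puts mac-01 in member, mac-02 in not_member and mac-03 and mac-04 in ea_empty; point it at a real API response to see which devices the smart group can never pick up.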


mtory
  • New Contributor
  • June 28, 2024

Hey Obi-k

LDAP Server settings are no longer set up, though they used to be.
Question: if you used the same EA that we used for LDAP when it was configured and just changed the input type from LDAP to Directory Service Attribute Mapping, could this be the problem, as some devices are still showing the old LDAP file paths?

Would I need to delete this original EA and set it up again?


  • New Contributor
  • June 28, 2024

I'm trying to implement this as well after our migration to Entra (cloud identity provider) from LDAP. "memberOf" definitely does not work.


trevoredwards
  • New Contributor
  • September 19, 2024

Anyone figure this out?

Trying to create a mobile device Smart Group based on membership of a shared Entra group, but can't quite get it figured out.

memberOf definitely doesn't work.


  • Contributor
  • November 21, 2024

memberOf is also not working for me with Entra and cloud lookups.


  • Contributor
  • November 26, 2024

There is an open PI for this - PI103644 - PI-009562 Using the 'memberOf' attribute with Azure LDAP integrations returns no results.