Skip to main content

Hello folks,



I hope everyone is doing well and that all the school system admins out there are having a smooth transition back.



I am having a problem with some of our Self Service policies in OS X. The ones in question will display "Gathering Information..." along with a very quick progress bar when the user attempts to install them. Nothing actually gets installed on the machine and no policy logging event is generated by the action. I thought something was possibly corrupt with these policies or their packages until I removed their AD group limitations and set them to "All Computers" or "Specific Computers" only. When the AD limitations are gone, they work like a charm through Self Service.



Has anyone else experienced this? Any ideas? Thanks as always!

So unless I'm misremembering here, policies scoped to AD groups should be "All Computers" with a limitation set to the group. Is that the case here? And are you sure you're using the right security groups? And have the packages replicated to the appropriate distribution points?

Do you have more than one domain, with users from one domain being in the limited security groups from the other AD?

@cpdecker Does your Self Service require login? I was able to replicate this with my test JSS if I turned Self Service to require no login, but once I changed it to "Allow users to log in" I was able to deploy a package correctly. I was logged in as an AD user on 10.10.5 with 9.65 of Self Service.

Like @emilykausalik and @andrew.nicholas , we use AD groups for Self Service.



*Require Login to Self Service.



*Set scope: "All computers", Limitation: AD Group



Works great. Not sure if it's supposed to work without a login to SS, but the above is how we work things.

Our scoping options are:



Targets: All Computers
Limitations: School1 Office, School1 Teachers
Exclusions: None



We only have one distribution point and it is up and functional. The logic for the AD group memberships and scoping options appear to be correct (both in my head and in Casper) since the policy wouldn't even appear as an option in the self service portal if it were incorrect.



We also only have one domain.



We do not require login for the Self Service portal but we have associated the AD usernames with the computers. This can be confirmed since the AD username shows at the top right of the SSP. Making the users log in to their AD account to access the SSP isn't ideal for us. This was working during last school year but admittedly wasn't tested much over the Summer.



So, if I were to take the scoping options above and remove the limitations from them, the policy works fine. Thanks for all responses so far!

Also as another note this appears to be affecting Mavericks and Yosemite.

Since we all failed to ask, what version of the JSS are you running?

To go along with what @scottb asked, my test JSS instance that demonstrated the issue is 9.73.

I'm sure this isn't helpful but it seems warranted now:

I will accept it as a failure on my part for not providing: 9.73 :)



If this turns out to be an official bug we can adjust our workflow for now to get around it until it is dealt with. I will make sure I get in touch with my JAMF Support Personnel.



Thanks all--any additional input is still greatly appreciated. I may try rebooting the server this weekend and seeing if the issue still persists :)

@cpdecker What you are seeing is most likely defect D-008830.



--Self Service policies that include all computers in the policy scope and are limited to LDAP users or LDAP user groups fail to run on a computer if users are not required to log in to Self Service and an LDAP user is assigned to the computer.



When limiting Self Service Policies to LDAP Groups, authentication for Self Service is required. It is the authenticating of Self Service that then tells the JSS which policies are available for that user.



I recommend to file a case with your TAM, to attach to the defect.

Terms & ConditionsCookie settings