Skip to main content
Solved

Trouble with OS X Self Service Policies Limited to AD Groups

  • August 28, 2015
  • 11 replies
  • 62 views
C
Forum|alt.badge.img+8

Hello folks,

I hope everyone is doing well and that all the school system admins out there are having a smooth transition back.

I am having a problem with some of our Self Service policies in OS X. The ones in question will display "Gathering Information..." along with a very quick progress bar when the user attempts to install them. Nothing actually gets installed on the machine and no policy logging event is generated by the action. I thought something was possibly corrupt with these policies or their packages until I removed their AD group limitations and set them to "All Computers" or "Specific Computers" only. When the AD limitations are gone, they work like a charm through Self Service.

Has anyone else experienced this? Any ideas? Thanks as always!

Best answer by shanejorgensono

@cpdecker What you are seeing is most likely defect D-008830.

--Self Service policies that include all computers in the policy scope and are limited to LDAP users or LDAP user groups fail to run on a computer if users are not required to log in to Self Service and an LDAP user is assigned to the computer.

When limiting Self Service Policies to LDAP Groups, authentication for Self Service is required. It is the authenticating of Self Service that then tells the JSS which policies are available for that user.

I recommend to file a case with your TAM, to attach to the defect.

    11 replies

    emily
    Forum|alt.badge.img+26
    • emily
    • Hall of Fame
    • August 28, 2015

    So unless I'm misremembering here, policies scoped to AD groups should be "All Computers" with a limitation set to the group. Is that the case here? And are you sure you're using the right security groups? And have the packages replicated to the appropriate distribution points?

    ekw | jamf @ jamf
    A
    Forum|alt.badge.img+13
    • andrew_nicholas
    • Honored Contributor
    • August 28, 2015

    Do you have more than one domain, with users from one domain being in the limited security groups from the other AD?

    A
    Forum|alt.badge.img+13
    • andrew_nicholas
    • Honored Contributor
    • August 28, 2015

    @cpdecker Does your Self Service require login? I was able to replicate this with my test JSS if I turned Self Service to require no login, but once I changed it to "Allow users to log in" I was able to deploy a package correctly. I was logged in as an AD user on 10.10.5 with 9.65 of Self Service.

    scottb
    Forum|alt.badge.img+18
    • scottb
    • Valued Contributor
    • August 28, 2015

    Like @emilykausalik and @andrew.nicholas , we use AD groups for Self Service.

    *Require Login to Self Service.

    *Set scope: "All computers", Limitation: AD Group

    Works great. Not sure if it's supposed to work without a login to SS, but the above is how we work things.

    C
    Forum|alt.badge.img+8
    • cpdecker
    • Author
    • Valued Contributor
    • August 28, 2015

    Our scoping options are:

    Targets: All Computers
    Limitations: School1 Office, School1 Teachers
    Exclusions: None

    We only have one distribution point and it is up and functional. The logic for the AD group memberships and scoping options appear to be correct (both in my head and in Casper) since the policy wouldn't even appear as an option in the self service portal if it were incorrect.

    We also only have one domain.

    We do not require login for the Self Service portal but we have associated the AD usernames with the computers. This can be confirmed since the AD username shows at the top right of the SSP. Making the users log in to their AD account to access the SSP isn't ideal for us. This was working during last school year but admittedly wasn't tested much over the Summer.

    So, if I were to take the scoping options above and remove the limitations from them, the policy works fine. Thanks for all responses so far!

    C
    Forum|alt.badge.img+8
    • cpdecker
    • Author
    • Valued Contributor
    • August 28, 2015

    Also as another note this appears to be affecting Mavericks and Yosemite.

    scottb
    Forum|alt.badge.img+18
    • scottb
    • Valued Contributor
    • August 28, 2015

    Since we all failed to ask, what version of the JSS are you running?

    A
    Forum|alt.badge.img+13
    • andrew_nicholas
    • Honored Contributor
    • August 28, 2015

    To go along with what @scottb asked, my test JSS instance that demonstrated the issue is 9.73.

    emily
    Forum|alt.badge.img+26
    • emily
    • Hall of Fame
    • August 28, 2015

    I'm sure this isn't helpful but it seems warranted now:

    ekw | jamf @ jamf
    C
    Forum|alt.badge.img+8
    • cpdecker
    • Author
    • Valued Contributor
    • August 28, 2015

    I will accept it as a failure on my part for not providing: 9.73 :)

    If this turns out to be an official bug we can adjust our workflow for now to get around it until it is dealt with. I will make sure I get in touch with my JAMF Support Personnel.

    Thanks all--any additional input is still greatly appreciated. I may try rebooting the server this weekend and seeing if the issue still persists :)

    S
    Forum|alt.badge.img+2
    • shanejorgensono
    • New Contributor
    • Answer
    • August 30, 2015

    @cpdecker What you are seeing is most likely defect D-008830.

    --Self Service policies that include all computers in the policy scope and are limited to LDAP users or LDAP user groups fail to run on a computer if users are not required to log in to Self Service and an LDAP user is assigned to the computer.

    When limiting Self Service Policies to LDAP Groups, authentication for Self Service is required. It is the authenticating of Self Service that then tells the JSS which policies are available for that user.

    I recommend to file a case with your TAM, to attach to the defect.

    Terms & ConditionsCookie settingsAccessibility statement