Solved

Configuration Policy Scope target LDAP Group and users

  • February 15, 2023
  • 5 replies
  • 13 views


Hello,

I am setting up configuration profiles that I now want to start scoping based on the logged-in user. I see that when I go to Exclusions it shows the options for LDAP Users and LDAP Groups.

However, if I go to select specific scope Targets (not Exclusions) for tabs, I don't see LDAP Users or LDAP Groups. Is this by design, or is there something I can do to get that to work?

Thank You

Best answer by DBrowning

You'll want to scope to All Computers under Targets and then use Limitations for Groups/Users.

5 replies

DBrowning
  • Esteemed Contributor
  • 668 replies
  • Answer
  • February 15, 2023

You'll want to scope to All Computers under Targets and then use Limitations for Groups/Users.

AJPinto
  • Legendary Contributor
  • 2725 replies
  • February 15, 2023

The only way to target an LDAP group is to target all devices and all users, then set that LDAP group as an exclusion. This will target all devices and users, but only if they are in that LDAP group. The wording on it is garbage, but that is how it works.

One thing to know: using LDAP groups in JAMF for scoping is not reliable. It goes off who JAMF thinks is using the Mac, based on device assignment or whoever logs in to Self Service. This may not correctly identify who is actually logged in to the device. You also must still target the device level; for user-level configuration profiles the users need to be MDM-enabled user accounts, which is a whole other can of worms.

metalfoot77
  • Valued Contributor
  • 76 replies
  • March 2, 2023

I'm having the same thoughts in my environment regarding the LDAP connection. Our config has a JIM server and an LDAP connection. We leverage this only to require authentication on enrollment to prefill the username etc. for local accounts. I'm exploring using LDAP groups to give access to certain apps in policies, as this is how it is done on the Windows side of things in SCCM.

We DO have Okta, and that is our primary IdP at this point, so my question is why even keep the LDAP and JIM integration around when I can leverage Okta to pull user data, especially if using LDAP groups is not recommended in Jamf.


  • Author
  • Contributor
  • 10 replies
  • March 7, 2023
AJPinto wrote:

The only way to target an LDAP group is to target all devices and all users, then set that LDAP group as an exclusion. This will target all devices and users, but only if they are in that LDAP group. The wording on it is garbage, but that is how it works.

One thing to know: using LDAP groups in JAMF for scoping is not reliable. It goes off who JAMF thinks is using the Mac, based on device assignment or whoever logs in to Self Service. This may not correctly identify who is actually logged in to the device. You also must still target the device level; for user-level configuration profiles the users need to be MDM-enabled user accounts, which is a whole other can of worms.

Thank you for your reply and more in-depth explanation. I tried both. Both are very shot. The reason I say that is because when a user logs in it doesn't check upon login until a reboot (I don't know if there is a command or script I can run on login to force a check of configs). Right now how I have it rolling is by Exclusions and targeting all computers. However, I left the Staff restrictions on only the staff machines, and then Student is applied to all Macs and users but excludes admins and staff. The reason Staff is not on all is because I noticed sometimes Jamf will apply both (or apply Staff before removing Student, or vice versa), and then it causes complete mayhem: a "Restrictions" payload with two different settings for Applications causes everything to just break, stops checking for policies and config, and you can't open a single app lol
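As an added example (not code from the thread or from Jamf), the following Python models the scoping rule this thread describes, targets narrowed by limitations with exclusions removed last, over a constructed pair of profiles; the XML layout is assumed from the Classic API osxconfigurationprofiles response, and the group and user names are made up. It flags the overlap the author describes, where a Staff user would receive both Restrictions profiles unless Staff is also excluded from the Student profile.

```python
import xml.etree.ElementTree as ET

# Constructed sample data modelled on the Classic API
# /JSSResource/osxconfigurationprofiles XML (layout is an assumption).
# "Staff Restrictions" follows the accepted answer (all computers + limitation);
# "Student Restrictions" excludes only Admins, so Staff users also receive it.
PROFILES_XML = """<profiles>
<os_x_configuration_profile><general><name>Staff Restrictions</name></general>
<scope><all_computers>true</all_computers>
<limitations><user_groups><user_group><name>Staff</name></user_group></user_groups></limitations>
<exclusions/></scope></os_x_configuration_profile>
<os_x_configuration_profile><general><name>Student Restrictions</name></general>
<scope><all_computers>true</all_computers><limitations/>
<exclusions><user_groups><user_group><name>Admins</name></user_group></user_groups></exclusions>
</scope></os_x_configuration_profile>
</profiles>"""

def _group_names(scope, section):
    """Set of LDAP group names listed under scope/<section>/user_groups."""
    return {g.text for g in scope.findall(f"{section}/user_groups/user_group/name")}

def profile_applies(profile, user_groups):
    """Targets, narrowed by limitations, minus exclusions, for one user."""
    scope = profile.find("scope")
    if scope.findtext("all_computers") != "true":   # thread pattern: target all
        return False
    limits = _group_names(scope, "limitations")
    if limits and not (limits & user_groups):       # limitations narrow the target
        return False
    return not (_group_names(scope, "exclusions") & user_groups)  # exclusions win

def effective_scope(xml_text, users):
    """Map each user (name -> LDAP groups) to the profile names that deploy."""
    root = ET.fromstring(xml_text)
    return {user: [p.findtext("general/name") for p in root
                   if profile_applies(p, set(groups))]
            for user, groups in users.items()}

def conflicting_users(effective):
    """Users who would get more than one Restrictions profile at once."""
    return [u for u, names in effective.items()
            if sum("Restrictions" in n for n in names) > 1]

if __name__ == "__main__":
    users = {"alice": ["Staff"], "bob": ["Students"], "carol": ["Staff", "Admins"]}
    scope = effective_scope(PROFILES_XML, users)
    print(scope)
    print("conflicts:", conflicting_users(scope))  # ['alice']
```

Adding Staff to the Student profile's exclusions, as the author ended up doing, removes alice from the conflict list.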


  • New Contributor
  • 2 replies
  • August 26, 2023
AJPinto wrote:

The only way to target an LDAP group is to target all devices and all users, then set that LDAP group as an exclusion. This will target all devices and users, but only if they are in that LDAP group. The wording on it is garbage, but that is how it works.

One thing to know: using LDAP groups in JAMF for scoping is not reliable. It goes off who JAMF thinks is using the Mac, based on device assignment or whoever logs in to Self Service. This may not correctly identify who is actually logged in to the device. You also must still target the device level; for user-level configuration profiles the users need to be MDM-enabled user accounts, which is a whole other can of worms.

Hey AJPinto,

So you have been able to successfully set Target to All Computers and All Users, and then use Exclusions (not Limitations) pointing to Azure AD groups, and it then only deployed that config profile to the users in those AD groups? I tested this and it didn't appear to work that way, so I'm wondering if I am missing something.

Thanks!

