Help

Configuration Policy Scope target LDAP Group and users

Go to solution
rtarson
New Contributor II

Posted on β€Ž02-15-2023 09:00 AM

Hello,

 

I am setting up configurations profiles that now I want to start adding in some scoping to using based on user logged in. I see when I go to exclusions it shows the options for LDAP Users, LDAP Groups.

 

However if I go to select specific scope targets (not exclusion) for tabs I don't see LDAP Users or LDAP groups. Is this by design or is there something I can do get that to work?

 

Thank You

0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
DBrowning
Valued Contributor II

Posted on β€Ž02-15-2023 10:36 AM

You'll want to scope to all Computer under targets and then use Limitations for Group/Users.

DBrowning_0-1676486155187.png

 

View solution in original post

0 Kudos

Go to solution
AJPinto
Valued Contributor III

Posted on β€Ž02-15-2023 10:38 AM

The only way to target an LDAP group, is to target all devices and all users then set that LDAP group as an exclusion. This will target all devices and users, but only if they are in that LDAP group. The wording on it is garbage but that is how it works. 

 

One thing to know, using LDAP groups in JAMF for scoping is not reliable. It goes off who JAMF thinks is using the Mac off of device assignment, or whoever logs in to selfservice. This may not be correctly identifying who is actually logged in to the device. You also must still target the device level, for user level configuration profiles the users need to MDM enabled user accounts which is a whole other can of worms.

 

View solution in original post

0 Kudos
4 REPLIES 4

Go to solution
DBrowning
Valued Contributor II

Posted on β€Ž02-15-2023 10:36 AM

You'll want to scope to all Computer under targets and then use Limitations for Group/Users.

DBrowning_0-1676486155187.png

 

0 Kudos

Go to solution
AJPinto
Valued Contributor III

Posted on β€Ž02-15-2023 10:38 AM

The only way to target an LDAP group, is to target all devices and all users then set that LDAP group as an exclusion. This will target all devices and users, but only if they are in that LDAP group. The wording on it is garbage but that is how it works. 

 

One thing to know, using LDAP groups in JAMF for scoping is not reliable. It goes off who JAMF thinks is using the Mac off of device assignment, or whoever logs in to selfservice. This may not be correctly identifying who is actually logged in to the device. You also must still target the device level, for user level configuration profiles the users need to MDM enabled user accounts which is a whole other can of worms.

 

0 Kudos

Go to solution
rtarson
New Contributor II
In response to AJPinto

2 weeks ago - last edited 2 weeks ago

Thank you for your reply and more in-depth explanation. I tried both. Both are very shot. Reason i say that is because when user logs in it doesn't check upon login until a reboot(Don't know if there command or script I can run on login to force check configs). Right now how i have it rolling is by Exclusions and targeting all computers. However, I left the Staff restrictions to only the staff machines and then Student applied to all macs and users but excluded admins and staff. Reason staff is not on all because I noticed sometimes jamf will apply both(or apply staff before removing students or vice versa) and then causes complete mayhem because "Restriction" payload with two different settings for Applications it causes everything to just break to stop checking for Policies and config and cant open single app lol

0 Kudos

Go to solution
metalfoot77
Contributor II

3 weeks ago

I'm having the same thoughts in my environment regarding LDAP connection.  Our config has a JIM server and LDAP connection.  We leverage this only to require authentication on enrollment to prefill the username etc for local accounts.  I'm exploring using LDAP groups to give access to certain apps in policies as this is how it is done on the Windows side of things in SCCM.

We DO have Okta and that is our primary IDP at this point so my question is why even keep the LDAP and JIM integration around when I can leverage Okta to pull user data.... especially if using LDAP groups is not recommended in Jamf.

0 Kudos