Active Directory Class Groups

sdecook
Contributor

We are a K-12 school system and are trying to put together Active Directory groups to assign iOS apps to. We are pulling data out of our student information system to put into AD but are coming across some hurdles. How are other school districts handling this type of processing and creation?

We would like to automate this but are quickly realizing it would take multiple days for the process to complete fully. This would go through each class and remove students who are not in the class and add students who are. We have roughly 13k students and 22 buildings. There are a lot of classes and students to move around.

7 REPLIES

jared_f
Valued Contributor

Who are you using for your SIS? I would highly recommend against putting class information into Active Directory. See if your SIS can sync the classes into Apple School Manager and then sync those classes into Jamf Pro.

https://support.apple.com/en-us/HT207409

If that is not a possibility, could your SIS export a CSV of class enrollment? Then use SIS Importer to bring your classes into Jamf Pro.

https://www.jamf.com/jamf-nation/third-party-products/248/sis-importer
https://www.jamf.com/resources/product-documentation/sis-importer-user-guide/

sdecook
Contributor

@jared_f We are using PowerSchool as our SIS. Is there a reason you would recommend against creating groups in AD with the class information?

We are already automatically syncing data with ASM using the plugin and the built-in integration. The problem is that you cannot scope an app to the built-in classes in Jamf.

jared_f
Valued Contributor

@sdecook I believe that is currently a Jamf feature request under review (scoping apps to ASM synced classes) and creating smart groups based on class enrollment. Could PowerSchool export a list of user,class? You could create static user groups of the exact class name and use this script to bring your users into classes on Jamf?

https://github.com/franton/Add-JSS-User-to-Group

As you stated in your first post, bringing classes into AD is cumbersome. Using this method, you only have to create the classes in Jamf once (and add new ones in the future), but using that PS export you can easily bring in your students' class enrollment to scope to apps.
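An added sketch, not code from any poster or from Jamf, of the add/remove pass described in the first post run as a delta over a `user,class` export like the one suggested above: only memberships that changed are planned, and a suspiciously large removal count stops the run. The group names, usernames and the 25% threshold are constructed assumptions; writing the plan to AD or to Jamf static groups is left out.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a "user,class" export of the kind discussed above.
SIS_EXPORT = """user,class
alice,Algebra-1
bob,Algebra-1
carol,Photoshop
alice,Photoshop
"""

# Constructed sample: current group membership as read from the directory.
CURRENT = {
    "Algebra-1": {"alice", "dave"},
    "Photoshop": {"carol"},
    "Band": {"erin", "frank"},
}


def desired_membership(export_text):
    """Parse user,class rows into {class: set(users)}; usernames lowercased."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        user, cls = row["user"].strip().lower(), row["class"].strip()
        if user and cls:
            groups[cls].add(user)
    return dict(groups)


def plan_changes(desired, current, max_removal_ratio=0.25):
    """Return {group: (to_add, to_remove)} for groups that actually changed.

    Groups absent from the export are left alone rather than emptied, and the
    plan is refused when removals exceed max_removal_ratio of all current
    memberships, which is what a truncated export looks like.
    """
    plan = {}
    for group, want in desired.items():
        have = current.get(group, set())
        add, remove = want - have, have - want
        if add or remove:
            plan[group] = (add, remove)
    total = sum(len(members) for members in current.values())
    removals = sum(len(remove) for _, remove in plan.values())
    if total and removals / total > max_removal_ratio:
        raise RuntimeError(f"refusing plan: {removals}/{total} removals")
    return plan
```

Because unchanged memberships produce no work, the number of directory writes tracks enrollment changes rather than the full record count.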

WhippsT
Contributor

FWIW, I was informed at ICE 2019 by the JAMF booth people that the "Scope apps to classes" is coming soon. "Coming soon" is as accurate as I could get out of them...

WhippsT
Contributor

Other than that, we utilize IAM by Tools4Ever to pull data from PowerSchool and import it into AD and then into Google Admin. In the process, we have IAM populate Security Groups with students according to the classes that they attend. Then we assign the apps to all users and utilize limitations in the scope to limit the app to specific "classes" (security groups) in LDAP.

It's a stupidly complex way to do such a simple task that should be baked in by now...

sdecook
Contributor

@WhippsT That sounds like what we are doing but we just pull information directly from the database ourselves. We just have 13000 students and the amount of records is around 170k. So it's a huge task.

larry_barrett
Valued Contributor

Yikes,

Smart groups are your friends. Static groups fill in the gaps.

We differentiate each class based on their pre-stage enrollment (for example, each year we wipe the 8th graders, put them in the 5th graders prestage). The prestage enrollment is used to populate each grade level (and advance it from year to year). Every kid in 8th grade gets the 8th grade apps each year.

If you have specific elective needs (for example, a Photoshop class) we make static groups and scope to just those classes.