Applications not installing or deploying via AD group filter after JSS 9.9 update. WORKAROUND / SOLVED

New Contributor II

We have been struggling with this issue all day, but after talking to JAMF we have come to a workaround and a future solution.

The majority of our applications were not installing or deploying to any device. We discovered that the applications that were not restricted in any way, that is to say they were available to everyone, were not having any issues. The applications that were being restricted based on Active Directory Groups were not being recognized or registering the current license counts. It was narrowed down to an issue caused by the JSS 9.9 update, which altered the way JAMF executed the filter for "Limitations" and "Exclusions" for AD groups.

There are two solutions on the table:
1. Uninstall and reinstall the JSS to revert back to 9.82. You would then have to revert the SQL database back to a previous version to get back to normal.
2. Add a blank group (an AD group containing no users) to the "Exclusions" group for every app in your system.

Either will fix the issue.

I was told that a Hotfix is to come in order to fix this issue, but from my point of view the blank group seemed the best option because there is no cleanup once completed. Because you are excluding no one, the group can stay in even after the hotfix.

Hopefully this saves someone time and effort!!!!!!



Did this apply to Self Service policies or standard policies or both?

New Contributor II

It really didn't impact any of our policies. There is a disconnect in 9.9 in how JAMF connects the available app licenses and the AD groups assigned to the apps. By adding in the empty exclusion group, it completes the query and allows the system to apply the licenses based on your original AD limitation groups.

Hopefully this answers your question.

New Contributor III

So we are currently using version 9.82 of the JSS and have discovered that apps limited by AD groups in Self Service will appear to install but won't.
They will, however, if users are required to log into Self Service, which has been identified as defect D-008830 but is also what JAMF calls a new "feature". Do you know if the workaround of the empty AD group works around this issue?

Update - this did not work on 9.82. This really needs to be brought back. Worked fine in 9.62.