Posted on 11-13-2013 08:00 AM
Hey all,
Currently we're on 9.21 and when creating new computer policies, we noticed we can't limit policies by our AD groups, only by our network segments. Previously created policies are still limited by groups but the option isn't available for new policies.
Any thoughts?
Posted on 11-14-2013 05:58 AM
We just upgraded to 9.21 last night and we're seeing similar issues. All our AD groups show "N/A" for group membership. Can you check/test your LDAP connection(s) and see if you're seeing the same thing?
Posted on 11-14-2013 06:44 AM
This same thing happened a few times during the beta releases. Has anyone submitted a support ticket with JAMF?
Posted on 11-14-2013 06:56 AM
Opened a case this morning. Waiting to hear back. Will keep you guys posted.
Posted on 11-14-2013 07:57 AM
I just heard back from JAMF and this is a bug in Casper 9.21. The workaround is to configure the User Mappings and the User Group Mappings to use the same search base. We are back in business. Stay Classy!
Posted on 11-14-2013 07:59 AM
Hey All,
I just chatted with Development on this issue. The trick here is going to be the trigger of the policy. The other options will show up if the policy is triggered by login or self service, as those are the only two times that credentials are passed to the JSS. In the 8.x series and early 9.x, those options were available with *any* trigger, but they didn't work.
We are now working on only showing options when they will work properly. I hope this helps. Let us know if you have additional questions!
Thanks and have a rad day!
Louise
JAMF Support
Posted on 07-31-2014 08:10 AM
@Louise: I am on 9.32 and I can not see how to make the AD Groups show up in scoping a policy. What am I missing here?
Posted on 07-31-2014 08:13 AM
Your triggers need to include Login or Logout where a username can be captured to scope to.
Posted on 07-31-2014 08:16 AM
@iJake: Thanks for the reply. I selected "Logout" and I don't see any change - no options to scope to xx.ad group.
Posted on 07-31-2014 08:19 AM
Do you have Login/Logout Hooks enabled under Computer Management->Check-In?
Posted on 07-31-2014 08:23 AM
@iJake: Yessir. All enabled.
Coming from 8.73, frustrating.
Posted on 07-31-2014 08:26 AM
Are you looking at Targets for the AD scoping? It is shown under Limitations in Scope.
Posted on 07-31-2014 08:33 AM
Ach! OK, it now shows under "Limitations". A green "Solved" for you, @iJake. Thank you sir.
Posted on 11-14-2014 02:40 PM
@Louise I came across this thread as I was also having a hard time finding how to do this. This is even after reading the "Scope" section of the Casper Suite Administrator's guide. There is nothing in the documentation that tells you that you will only see the LDAP/Local Users or LDAP User Groups tabs ONLY if you first enable Self Service or are using Login/Logout triggers.
I understand why you want to prevent users from doing something that won't work properly, but a better way would be to leave the tabs in the interface and when selecting them without the necessary pre-requisites just show a notice/error that you first need to enable Self Service or Login/Logout triggers and don't show the "Add LDAP or Local Username" or "Search LDAP User Groups" field.
Regardless of how the interface is designed this should be better documented in the Administrator's Guide.