Can't scope policies by LDAP group?

btaitt
Contributor

Hey all,

Currently we're on 9.21 and when creating new computer policies, we noticed we can't limit policies by our AD groups, only by our network segments. Previously created policies are still limited by groups but the option isn't available for new policies.

Any thoughts?

13 REPLIES

ClassyLee
New Contributor III

We just upgraded to 9.21 last night and we're seeing similar issues. All our AD groups show "N/A" for group membership. Can you check/test your LDAP connection(s) and see if you're seeing the same thing?

glutz
New Contributor III

This same thing happened a few times during the beta releases. Has anyone submitted a support ticket with JAMF?

ClassyLee
New Contributor III

Opened a case this morning. Waiting to hear back. Will keep you guys posted.

bloree
New Contributor II

I just heard back from JAMF and this is a bug in Casper 9.21. The workaround is to configure the User Mappings and the User Group Mappings to use the same search base. We are back in business. Stay Classy!

Louise
New Contributor II

Hey All,

I just chatted with Development on this issue. The trick here is going to be the trigger of the policy. The other options will show up if the policy is triggered by login or self service, as those are the only two times that credentials are passed to the JSS. In the 8.x series and early 9.x, those options were available with *any* trigger, but they didn't work.

We are now working on only showing options when they will work properly. I hope this helps. Let us know if you have additional questions!

Thanks and have a rad day!

Louise
JAMF Support

scottb
Honored Contributor

@Louise: I am on 9.32 and I can not see how to make the AD Groups show up in scoping a policy. What am I missing here?

iJake
Valued Contributor

Your triggers need to include Login or Logout where a username can be captured to scope to.

scottb
Honored Contributor

@iJake: Thanks for the reply. I selected "Logout" and I don't see any change - no options to scope to xx.ad group.

iJake
Valued Contributor

Do you have Login/Logout Hooks enabled under Computer Management->Check-In?

scottb
Honored Contributor

@iJake: Yessir. All enabled.
Coming from 8.73, frustrating.

iJake
Valued Contributor

Are you looking at Targets for the AD scoping? It is shown under Limitations in Scope.

scottb
Honored Contributor

Ach! OK, it now shows under "Limitations". A green "Solved" for you, @iJake. Thank you sir.

spalmer
Contributor III

@Louise: I came across this thread as I was also having a hard time finding how to do this. This is even after reading the "Scope" section of the Casper Suite Administrator's guide. There is nothing in the documentation that tells you that you will only see the LDAP/Local Users or LDAP User Groups tabs ONLY if you first enable Self Service or are using Login/Logout triggers.

I understand why you want to prevent users from doing something that won't work properly, but a better way would be to leave the tabs in the interface and when selecting them without the necessary pre-requisites just show a notice/error that you first need to enable Self Service or Login/Logout triggers and don't show the "Add LDAP or Local Username" or "Search LDAP User Groups" field.

Regardless of how the interface is designed this should be better documented in the Administrator's Guide.