Help

Can't scope policies by LDAP group?

btaitt
Contributor

Posted on ‎11-13-2013 08:00 AM

Hey all,

Currently we're on 9.21 and when creating new computer policies, we noticed we can't limit policies by our AD groups, only by our network segments. Previously created policies are still limited by groups but the option isn't available for new policies.

Any thoughts?

0 Kudos
13 REPLIES 13

ClassyLee
New Contributor III

Posted on ‎11-14-2013 05:58 AM

We just upgraded to 9.21 last night and we're seeing similar issues. All our AD groups show "N/A" for group membership. Can you check/test your LDAP connection(s) and see if you're seeing the same thing?

0 Kudos

glutz
New Contributor III

Posted on ‎11-14-2013 06:44 AM

This same thing happened a few times during the beta releases. Has anyone submitted a support ticket with JAMF?

0 Kudos

ClassyLee
New Contributor III

Posted on ‎11-14-2013 06:56 AM

Opened a case this morning. Waiting to hear back. Will keep you guys posted.

0 Kudos

bloree
New Contributor II

Posted on ‎11-14-2013 07:57 AM

I just heard back from JAMF and this is a bug in Casper 9.21. The workaround is to configure the User Mappings and the User Group Mappings to use the same search base. We are back in business. Stay Classy!

0 Kudos

Louise
New Contributor II

Posted on ‎11-14-2013 07:59 AM

Hey All,

I just chatted with Development on this issue. The trick here is going to be the trigger of the policy. The other options will show up if the policy is triggered by login or self service, as those are the only two times that credentials are passed to the JSS. In the 8.x series and early 9.x, those options were available with *any* trigger, but they didn't work.

We are now working on only showing options when they will work properly. I hope this helps. Let us know if you have additional questions!

Thanks and have a rad day!

Louise
JAMF Support

0 Kudos

scottb
Honored Contributor

Posted on ‎07-31-2014 08:10 AM

@Louise: I am on 9.32 and I can not see how to make the AD Groups show up in scoping a policy. What am I missing here?

0 Kudos

iJake
Valued Contributor

Posted on ‎07-31-2014 08:13 AM

Your triggers needs to include Login or Logout where a username can be captured to scope to.

0 Kudos

scottb
Honored Contributor

Posted on ‎07-31-2014 08:16 AM

@iJake][/url: Thanks for the reply. I selected "Logout" and I don't see any change - no options to scope to xx.ad group.

0 Kudos

iJake
Valued Contributor

Posted on ‎07-31-2014 08:19 AM

Do you have Login/Logout Hooks enabled under Computer Management->Check-In?

0 Kudos

scottb
Honored Contributor

Posted on ‎07-31-2014 08:23 AM

@iJake][/url: Yessir. All enabled.
Coming from 8.73, frustrating.

0 Kudos

iJake
Valued Contributor

Posted on ‎07-31-2014 08:26 AM

Are you looking at Targets for the AD scoping? It is shown under Limitations in Scope.

scottb
Honored Contributor

Posted on ‎07-31-2014 08:33 AM

Ach! OK, it now shows under "Limitations". A green "Solved" for you, @iJake. Thank you sir.

0 Kudos

spalmer
Contributor III

Posted on ‎11-14-2014 02:40 PM

@Louise][/url I came across this thread as I was also having a hard time finding how to do this. This is even after reading the "Scope" section of the Casper Suite Administrator's guide. There is nothing in the documentation that tells you that you will only see the LDAP/Local Users or LDAP User Groups tabs ONLY if you first enable Self Service or are using Login/Logout triggers.

I understand why you want to prevent users from doing something that won't work properly, but a better way would be to leave the tabs in the interface and when selecting them without the necessary pre-requisites just show a notice/error that you first need to enable Self Service or Login/Logout triggers and don't show the "Add LDAP or Local Username" or "Search LDAP User Groups" field.

Regardless of how the interface is designed this should be better documented in the Administrator's Guide.