Class enrollment as an app scoping criteria?

JKoopman
New Contributor III

Up to now, we've been scoping apps either to everyone or to grade level, building, or individual users where applicable. But lately we've been getting a lot more requests from our teachers wanting us to assign apps specifically to their classroom students, and we've been telling them that it just isn't possible currently. Most departments understandably don't want to pay for licenses they don't actually need in order to accommodate 1,400 students across two grade levels when they've only got 150 students taking their class.

 

It's frustrating that a smart device/user group has 200 criteria to filter by except something as useful as "Belongs to Class Name". We've got all our class rosters imported from our SIS into Jamf Pro, and it's unfortunate that nothing can really see them outside of specifically the Classes tab.

 

Am I just dumb? Is there a way to do this that I'm not seeing? If not, I'd love if this could be a feature added in a future update.

2 ACCEPTED SOLUTIONS

AJPinto
Honored Contributor III

Anything is possible. The best thing to do is to shift the responsibility of adding/removing students to/from the groups(classes) off on to the teachers.

 

  • If you guys use something like Active Directory. Configure LDAP, and have the users added to an AD group for each class. Then scope your policy to all users with a limitation of the given AD group for that class. 
    • When a student is added to a class a work flow (manual or automatic) would add the given AD group to the AD Object. JAMF would see this and target the user with the policy.
  • Write a tool that uses JAMF API to update the students account in JAMF. Make some Extension attributes for classes, and make the teachers add and remove students using the web portal. 
    • This is probably the best way for automation. Adding the API commands to whatever onboarding processes you have for students getting added to classes. Then have an end of semester workflow where they are moved using API.  

View solution in original post

JKoopman
New Contributor III

The answer was that I was just dumb and must have selective blindness. There's a "Roster Class Name" option in Smart User Groups under advanced criteria which does exactly what we wanted. It's not exactly scoping apps directly to courses, but we can at least make smart groups for whatever classes we want and assign apps to those.

View solution in original post

9 REPLIES 9

AJPinto
Honored Contributor III

Anything is possible. The best thing to do is to shift the responsibility of adding/removing students to/from the groups(classes) off on to the teachers.

 

  • If you guys use something like Active Directory. Configure LDAP, and have the users added to an AD group for each class. Then scope your policy to all users with a limitation of the given AD group for that class. 
    • When a student is added to a class a work flow (manual or automatic) would add the given AD group to the AD Object. JAMF would see this and target the user with the policy.
  • Write a tool that uses JAMF API to update the students account in JAMF. Make some Extension attributes for classes, and make the teachers add and remove students using the web portal. 
    • This is probably the best way for automation. Adding the API commands to whatever onboarding processes you have for students getting added to classes. Then have an end of semester workflow where they are moved using API.  

bfrench
Contributor III

Back in the day we could only deploy apps to Users, but then we switched to Devices.  I believe this method is still available for apps.  We still use it for books ( it's the only way to distribute books) and you can use Classes.

 

https://learn.jamf.com/bundle/jamf-pro-documentation-10.42.0/page/User-Assigned_Managed_Distribution...

AJPinto
Honored Contributor III

You can still Scope Apps to users. It’s just down to how the licensing is being handled as to what the device will do.

  • If you are not assigning a license to the user, then the user will need to “buy” the app themselves.
  • If you are assigning a license, it must be assigned to a Managed AppleID.
    • The Managed AppleID must accept a VPP invite to be able to receive the app assignment. There is no way to automate this which is really dumb as its a Managed AppleID. This is one of the reasons Managed AppleID’s are so useless.

bfrench
Contributor III

The invitation setup allows to automatically register for Managed Apple ID's.  And yes - you must assign the license AND the app.  

 

Screenshot 2023-02-07 at 12.04.19 PM.png

JKoopman
New Contributor III

The answer was that I was just dumb and must have selective blindness. There's a "Roster Class Name" option in Smart User Groups under advanced criteria which does exactly what we wanted. It's not exactly scoping apps directly to courses, but we can at least make smart groups for whatever classes we want and assign apps to those.

Keep in mind it is not as simple as just deploying the app.  When deploying apps to users you must deploy the license - after a VPP invite -  and then deploy the app itself. But this method does allow you to make use of the Classes that already exist in Jamf Pro from your SIS.

JKoopman
New Contributor III

@bfrench @AJPinto I'm not sure what you both mean. We've been using device-based managed app deployment for 8+ years now, and haven't had to send out VPP invites since we made that switch. When assigning an app from our Mobile Device Apps catalog, we have options when adding to the scope for both Device Groups and User Groups.

 

So the process for me was to just create a Smart User Group with criteria "has [Roster Class Name] like [class name]" and then select that Smart User Group when scoping the apps needed in our catalog. Any student in the roster for the specified class is automatically assigned a license for any device they have enrolled in Jamf Pro, and they're able to install it from Self Service.

 

Seems to be working as expected so far, and all the students have been able to install the assigned app.

bfrench
Contributor III

Per the info from Jamf:

To assign volume content to users, you must register the users with volume purchasing. 

https://learn.jamf.com/bundle/jamf-pro-documentation-10.42.0/page/User-Assigned_Volume_Purchasing_Re...

 

If you look at the user info in Users do you see VPP content assigned?

Screenshot 2023-02-09 at 10.28.53 AM.png

 Are the apps you are distributing Free? or Paid?

Emmert
Valued Contributor

Device based managed licenses do not require any kind of extra steps like that. The scoping determines which device gets the app, it never "belongs" to a user.