Configuration Policy Scope target LDAP Group and users

rtarson
New Contributor II

Hello,

 

I am setting up configurations profiles that now I want to start adding in some scoping to using based on user logged in. I see when I go to exclusions it shows the options for LDAP Users, LDAP Groups.

 

However if I go to select specific scope targets (not exclusion) for tabs I don't see LDAP Users or LDAP groups. Is this by design or is there something I can do get that to work?

 

Thank You

2 ACCEPTED SOLUTIONS

DBrowning
Valued Contributor II

You'll want to scope to all Computer under targets and then use Limitations for Group/Users.

DBrowning_0-1676486155187.png

 

View solution in original post

AJPinto
Honored Contributor III

The only way to target an LDAP group, is to target all devices and all users then set that LDAP group as an exclusion. This will target all devices and users, but only if they are in that LDAP group. The wording on it is garbage but that is how it works. 

 

One thing to know, using LDAP groups in JAMF for scoping is not reliable. It goes off who JAMF thinks is using the Mac off of device assignment, or whoever logs in to selfservice. This may not be correctly identifying who is actually logged in to the device. You also must still target the device level, for user level configuration profiles the users need to MDM enabled user accounts which is a whole other can of worms.

 

View solution in original post

5 REPLIES 5

DBrowning
Valued Contributor II

You'll want to scope to all Computer under targets and then use Limitations for Group/Users.

DBrowning_0-1676486155187.png

 

AJPinto
Honored Contributor III

The only way to target an LDAP group, is to target all devices and all users then set that LDAP group as an exclusion. This will target all devices and users, but only if they are in that LDAP group. The wording on it is garbage but that is how it works. 

 

One thing to know, using LDAP groups in JAMF for scoping is not reliable. It goes off who JAMF thinks is using the Mac off of device assignment, or whoever logs in to selfservice. This may not be correctly identifying who is actually logged in to the device. You also must still target the device level, for user level configuration profiles the users need to MDM enabled user accounts which is a whole other can of worms.

 

rtarson
New Contributor II

Thank you for your reply and more in-depth explanation. I tried both. Both are very shot. Reason i say that is because when user logs in it doesn't check upon login until a reboot(Don't know if there command or script I can run on login to force check configs). Right now how i have it rolling is by Exclusions and targeting all computers. However, I left the Staff restrictions to only the staff machines and then Student applied to all macs and users but excluded admins and staff. Reason staff is not on all because I noticed sometimes jamf will apply both(or apply staff before removing students or vice versa) and then causes complete mayhem because "Restriction" payload with two different settings for Applications it causes everything to just break to stop checking for Policies and config and cant open single app lol

rasik
New Contributor

Hey AJPinto,

So you have been able to successfully set Target to All Computers and All Users, and then use Exclusions, not limitation and point to Azure AD groups and it then only deployed that config profile to those user's in those AD groups? I tested this and it didn't appear to work that way, so wondering if I am missing something.

Thanks!

metalfoot77
Contributor II

I'm having the same thoughts in my environment regarding LDAP connection.  Our config has a JIM server and LDAP connection.  We leverage this only to require authentication on enrollment to prefill the username etc for local accounts.  I'm exploring using LDAP groups to give access to certain apps in policies as this is how it is done on the Windows side of things in SCCM.

We DO have Okta and that is our primary IDP at this point so my question is why even keep the LDAP and JIM integration around when I can leverage Okta to pull user data.... especially if using LDAP groups is not recommended in Jamf.